
Linux PrivEsc Private-i

Linux Private-i is a custom enumeration tool that assists in privilege escalation by automating the routine checks. This post is a quick overview; check out the GitHub repo to clone it.

https://github.com/rtcrowley/linux-private-i

Private-i automates most of the basic enumeration steps and prints the results in an easy-to-read format. Other popular enumeration and privesc scripts can be cumbersome to run, and their output is sometimes noisy or misleading. The goal of this one is to be quick, easy and readable.

Private-i gives the user a few options to choose from. Terminal output is in color to aid readability, although it looks different in this example because of markdown syntax highlighting.

Usage is simple…

bob@victim:/opt/linux-private-i# ./private-i.sh
----------------------------------------------------------------------
----------------------Linux PrivEsc Private-i-------------------------
----------------------------------------------------------------------
1) Full Scope - Non-Targeted approach with verbose results
2) Quick Canvas - Brief System Investigation
3) Sleuths Special - Search for unique perms, sensitive files, passwords, etc
4) Kernel Tip-off - Lists possible Kernel exploits
5) Exit
Selection:

To clone use…

git clone https://github.com/rtcrowley/linux-private-i.git

Example output for option 2, Quick Canvas (the color will differ in a terminal, of course):

----------------------------------------------------------------------
----------------------Linux PrivEsc Private-i-------------------------
----------------------------------------------------------------------
1) Full Scope - Non-Targeted approach with verbose results
2) Quick Canvas - Brief System Investigation
3) Sleuths Special - Search for unique perms, sensitive files, passwords, etc
4) Kernel Tip-off - Lists possible Kernel exploits
5) Exit
Selection: 2
----------------------------------------------------------------------
[ASCII banner]   Dossier: Running Quick Canvas   LINUX
----------------------------------------------------------------------
--------------------------Basic OS info------------------------------
Kali GNU/Linux Rolling
4.16.0-kali2-amd64
root
uid=0(root) gid=0(root) groups=0(root)
--------------------------Networking---------------------------------
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.2.15  netmask 255.255.255.0  broadcast 10.0.2.255
        inet6 5t80::a31:27ee:vg514:3jj8  prefixlen 64  scopeid 0x20<link>
        ether 02:40:21:74:6y:b8  txqueuelen 1000  (Ethernet)

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.28.128.7  netmask 255.255.255.0  broadcast 172.28.128.255
        inet6 fe80::a00:27ff:fe85:4f9  prefixlen 64  scopeid 0x20<link>
        ether 03:03:17:88:24:f5  txqueuelen 1000  (Ethernet)

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
----------------------------------------------------------------------
TCP and UDP....
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      585/postgres
tcp6       0      0 ::1:5432                :::*                    LISTEN      585/postgres
tcp6       0      0 :::80                   :::*                    LISTEN      790/apache2
tcp6       0      0 ::1:5432                ::1:50804               ESTABLISHED 1944/postgres: 10/m
tcp6       0      0 ::1:5432                ::1:50802               ESTABLISHED 1925/postgres: 10/m
tcp6       0      0 ::1:50800               ::1:5432                ESTABLISHED 1864/ruby
tcp6       0      0 ::1:5432                ::1:50800               ESTABLISHED 1882/postgres: 10/m
tcp6       0      0 ::1:50804               ::1:5432                ESTABLISHED 1864/ruby
tcp6       0      0 ::1:50802               ::1:5432                ESTABLISHED 1864/ruby
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:postgresql    0.0.0.0:*               LISTEN
tcp6       0      0 localhost:postgresql    [::]:*                  LISTEN
tcp6       0      0 [::]:http               [::]:*                  LISTEN
udp        0      0 0.0.0.0:bootpc          0.0.0.0:*
-----------------File, Directory and App Quick Checks-----------------
Vital checks
[-] - /etc/shadow is neither world readable nor writable
[-] - /etc/sudoers is neither world readable nor writable
[-] - Mail in /var/mail/ is neither world readable nor writable
[+] - Found something in /etc/ that's World-Writable
-rwxrwxrwx 1 root root 0 Jun 14 18:32 /etc/test.conf
Log Detection
[-] - syslog is neither world readable nor writable
[-] - auth.log is neither world readable nor writable
[-] - messages is neither world readable nor writable
Quick App Research
[+] - Samba is installed
[+] - Perl is installed
[+] - Ruby is installed
[+] - Python is installed
[+] - Netcat is installed
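The "Vital checks" and "Quick App Research" blocks above are the parts of Quick Canvas a practitioner most often wants to reproduce by hand when a tool cannot be dropped on the box. The script below is an added example, not code from the Private-i repository: a small POSIX sh reimplementation of those checks, using the paths and program names the sample output shows. The function names, the `ls -ld` column parsing and the `find -perm -002` scan are my own choices for illustration.

```shell
#!/bin/sh
# Added example, not code from the Private-i repository: a POSIX sh
# reimplementation of the "Vital checks" and "Quick App Research" logic
# visible in the Quick Canvas output. The paths and program names are the
# ones the sample output mentions; the function names are assumptions.

# Print the "other" permission triplet of a path (e.g. "r--" or "rwx"),
# taken from columns 8-10 of `ls -ld`. Prints nothing if the path is missing.
other_perms() {
    [ -e "$1" ] || return 1
    ls -ld "$1" | cut -c8-10
}

# Exit 0 when the path is readable by everyone.
world_readable() {
    case "$(other_perms "$1")" in
        r??) return 0 ;;
        *)   return 1 ;;
    esac
}

# Exit 0 when the path is writable by everyone.
world_writable() {
    case "$(other_perms "$1")" in
        ?w?) return 0 ;;
        *)   return 1 ;;
    esac
}

# One [+]/[-] line for a single sensitive file, in the tool's output style.
# Writable is reported before readable: a writable /etc/sudoers or
# /etc/shadow is an immediate root, a readable one is "only" a hash leak.
report_file() {
    if world_writable "$1"; then
        echo "[+] - $1 is world writable"
    elif world_readable "$1"; then
        echo "[+] - $1 is world readable"
    else
        echo "[-] - $1 is neither world readable nor writable"
    fi
}

# Regular files under a directory that anyone can write to (the check that
# flagged /etc/test.conf above). -type f skips symlinks, so a link into /tmp
# is not reported as a writable config file. Always exits 0 so that
# unreadable subdirectories do not abort a caller running under set -e.
world_writable_files() {
    find "$1" -type f -perm -002 2>/dev/null || :
}

# [+]/[-] line for a program on PATH; the exit status mirrors the result.
app_installed() {
    if command -v "$1" >/dev/null 2>&1; then
        echo "[+] - $1 is installed"
        return 0
    fi
    echo "[-] - $1 is not installed"
    return 1
}

# Drive the checks the way option 2 of the menu does.
quick_canvas() {
    echo "Vital checks"
    for f in /etc/shadow /etc/sudoers; do
        report_file "$f"
    done
    ww=$(world_writable_files /etc)
    if [ -n "$ww" ]; then
        echo "[+] - Found something in /etc/ that's World-Writable"
        echo "$ww" | while read -r p; do ls -l "$p"; done
    else
        echo "[-] - Nothing world-writable under /etc/"
    fi
    echo "Quick App Research"
    for a in smbd perl ruby python3 nc; do
        app_installed "$a"
    done
}

quick_canvas
```

Run it as the low-privileged user you landed as: `ls -ld` reports the mode bits of a file you cannot read, so none of the permission checks need root. Keep in mind that a `[-]` result only covers classic mode bits; POSIX ACLs (the `+` after the mode in `ls -l`) can still grant you access and deserve a separate `getfacl` look.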

That’s it - very straightforward.