Skip to content

Linux privesc check Wiki #66

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Linux privesc check Wiki #66

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
ba5a759
Add ssh_socks and persist_key module documentation to wiki
overgrowncarrot1 Aug 20, 2025
bbd5062
Updated Wiki for Linux Priv Esc Check module
overgrowncarrot1 Aug 27, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
88 changes: 88 additions & 0 deletions ssh-protocol/linux_privesc_check.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,88 @@
# Linux Privilege Escalation Check (NetExec Module)

The `linux_privesc_check` module helps identify common privilege escalation paths on Linux hosts.
It does **not exploit** vulnerabilities directly — it highlights possible escalation methods for further manual testing.

---

## Module Options

- **NO_SUDO**: Skip `sudo -l` checks
- **NO_GTF**: Skip GTFOBins lookups (no internet required)
- **SHOW_ALL_SUID**: Show *all* SUID binaries (not just GTFOBins-exploitable ones)
- **SHOW_ALL_CAPS**: Show *all* binaries with Linux capabilities

---

## Attack Examples

### 1. Run Full Enumeration (default)
```bash
nxc ssh 192.168.56.101 -u alice -p alice123 -M linux_privesc_check
```

### 1.1 Expected Ouput
```bash
[linux_privesc_check] Running Linux privilege escalation checks...
[Kernel] Linux victim 5.15.0-86-generic #96-Ubuntu SMP x86_64 GNU/Linux
[User Info] uid=1000(alice) gid=1000(alice) groups=1000(alice)
[Sudo] Checking sudo -l...
(ALL : ALL) NOPASSWD: /usr/bin/vim -> https://gtfobins.github.io/gtfobins/vim/#sudo
[SUID] Checking for exploitable SUID binaries...
Exploit SUID: /usr/bin/find -> https://gtfobins.github.io/gtfobins/find/#suid
[Capabilities] Checking for binaries with capabilities...
Capability: /usr/bin/python3.8 = cap_setuid+ep -> https://gtfobins.github.io/gtfobins/python/#capabilities
```

### 2. Skip Sudo (no sudo -l)
```bash
nxc ssh 192.168.56.101 -u alice -p alice123 -M linux_privesc_check -o NO_SUDO=true
```

### 2.1 Expected Output
```bash
[linux_privesc_check] Skipping sudo -l enumeration (NO_SUDO)
[SUID] Checking for exploitable SUID binaries...
...
```

### 3. Skip GTFOBins Lookup
```bash
nxc ssh 192.168.56.101 -u alice -p alice123 -M linux_privesc_check -o NO_GTF=true
```

### 3.1 Expected Output
```bash
[linux_privesc_check] Skipping GTFOBins lookups (NO_GTF)
[SUID] Checking for exploitable SUID binaries...
Exploit SUID: /usr/bin/passwd
[Capabilities] Checking for binaries with capabilities...
Capability: /usr/bin/tar = cap_dac_read_search+ep
```

### 4. Show all SUID Binaries
```bash
nxc ssh 192.168.56.101 -u alice -p alice123 -M linux_privesc_check -o SHOW_ALL_SUID=true
```

### 4.1 Expected Output
```bash
[SUID] Checking for exploitable SUID binaries...
Exploit SUID: /usr/bin/passwd
Exploit SUID: /usr/bin/chsh
Exploit SUID: /usr/bin/su
...
```

### 5. Show all Capabilites
```bash
nxc ssh 192.168.56.101 -u alice -p alice123 -M linux_privesc_check -o SHOW_ALL_CAPS=true
```

### 5.1 Expected Output
```bash
[Capabilities] Checking for binaries with capabilities...
Capability: /usr/bin/ping = cap_net_raw+ep
Capability: /usr/bin/python3.8 = cap_setuid+ep
...
```