This blog post will serve as a cheatsheet to help in my future pentesting experiments and wargames when I am stuck and don't know how to proceed. I hope it will be of use for some people out there. This document will likely change and evolve in future revisions.

In this blog post I will discuss common privilege escalation techniques. I assume that an attacker has already gained a foothold on the server by spawning a webshell via SQL injection or a similar web exploitation vector.

Helpful resources

Other people have published great information about the privilege escalation process.

  • https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-List#credentials
  • https://github.com/PenturaLabs/Linux_Exploit_Suggester
  • http://www.rebootuser.com/?p=1623#.V64XaN_S30p
  • Script for common checks and detailed security report: LinEnum

Make use of discovered credentials

Often you can find login credentials for a custom admin web interface in the database. Because humans tend to reuse the same credentials on different services, it's always worth checking whether the discovered login credentials also work on other services such as SSH or Telnet. If you can access /etc/passwd, you can try all found credentials on all running services on all user accounts in the passwd file …
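From the defender's side, the credential reuse described above (one source trying recovered passwords against many accounts) leaves a recognisable trace in the sshd log. The script below is an added example, not part of the original post; it assumes stock OpenSSH syslog lines (the sample lines are constructed) and flags any source that attempts a configurable number of distinct usernames within a short window, reporting which of those logins succeeded.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines in syslog format; not a real capture.
SAMPLE_LOG = """\
Aug 10 12:00:01 web01 sshd[1234]: Failed password for invalid user alice from 10.0.0.5 port 51000 ssh2
Aug 10 12:00:03 web01 sshd[1235]: Failed password for bob from 10.0.0.5 port 51002 ssh2
Aug 10 12:00:05 web01 sshd[1236]: Failed password for root from 10.0.0.5 port 51004 ssh2
Aug 10 12:00:07 web01 sshd[1237]: Accepted password for www-data from 10.0.0.5 port 51006 ssh2
Aug 10 12:30:00 web01 sshd[1300]: Failed password for carol from 192.168.1.9 port 40000 ssh2
Aug 10 12:31:00 web01 sshd[1301]: Accepted password for carol from 192.168.1.9 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def parse_events(text):
    """Yield (timestamp, source_ip, username, result) for each sshd password event."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # anything that is not a password auth event is skipped
            # syslog timestamps carry no year; the default (1900) is fine for relative windows
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["src"], m["user"], m["result"]

def detect_spray(text, window_s=300, min_users=3):
    """Map source_ip -> {"users": tried, "accepted": succeeded} for every source that
    tried at least min_users distinct accounts within any window_s-second window."""
    by_src = defaultdict(list)
    for ts, src, user, result in parse_events(text):
        by_src[src].append((ts, user, result))
    findings = {}
    for src, events in by_src.items():
        events.sort()  # chronological; tuples sort by timestamp first
        for i, (start, _, _) in enumerate(events):
            window = [e for e in events[i:] if (e[0] - start).total_seconds() <= window_s]
            users = sorted({u for _, u, _ in window})
            if len(users) >= min_users:
                accepted = sorted({u for _, u, r in window if r == "Accepted"})
                findings[src] = {"users": users, "accepted": accepted}
                break  # one finding per source is enough
    return findings

if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_LOG).items():
        print(f"{src}: tried {info['users']}, login accepted for {info['accepted']}")
```

A successful login that follows a burst of failures for other accounts from the same source is the case worth alerting on first, since it means a reused credential worked.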
