
Private-i

Posted in Pentesting

Check out SlayerLabs.com!
Networks Engineered to Exploit.
- Windows/UNIX - Domains/Subnets - Initial/Post/Lateral - Low Cost VPN Ranges -


Linux PrivEsc Private-i

Linux Private-i is a custom enumeration script that assists with privilege escalation by automating the routine local-enumeration tasks. This post is a quick overview; check out the GitHub repo to clone it.

https://github.com/rtcrowley/linux-private-i

Private-i automates most of the basic enumeration steps and prints the results in an easy-to-read format. Other popular enumeration and privesc scripts can be cumbersome and sometimes report findings that do not hold up. The goal of this script is to make the first pass quick, easy and readable.

Private-i gives the user a few options to choose from. Terminal output is colored to help readability; the examples below appear without color because of the post's syntax highlighting.

Usage is simple…

bob@victim:/opt/linux-private-i# ./private-i.sh 
----------------------------------------------------------------------
----------------------Linux PrivEsc Private-i-------------------------
----------------------------------------------------------------------
1) Full Scope		- Non-Targeted approach with verbose results
2) Quick Canvas		- Brief System Investigation
3) Sleuths Special	- Search for unique perms, sensitive files, passwords, etc
4) Kernel Tip-off	- Lists possible Kernel exploits
5) Exit
Selection: 

To clone use…

git clone https://github.com/rtcrowley/linux-private-i.git


Example output for option 2, Quick Canvas (colored in a real terminal):

----------------------------------------------------------------------
----------------------Linux PrivEsc Private-i-------------------------
----------------------------------------------------------------------
1) Full Scope		- Non-Targeted approach with verbose results
2) Quick Canvas		- Brief System Investigation
3) Sleuths Special	- Search for unique perms, sensitive files, passwords, etc
4) Kernel Tip-off	- Lists possible Kernel exploits
5) Exit
Selection: 2
----------------------------------------------------------------------
         ____   _____
   _..-'     'Y'      '-.
    \ Dossier: | ~~ ~ ~  /    Running Quick Canvas
    \  LINUX   | ~ ~ ~~ //
     \ _..---. |.--.._ //
----------------------------------------------------------------------
--------------------------Basic OS info------------------------------
Kali GNU/Linux Rolling
4.16.0-kali2-amd64
root
uid=0(root) gid=0(root) groups=0(root)
--------------------------Networking---------------------------------
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.2.15  netmask 255.255.255.0  broadcast 10.0.2.255
        inet6 5t80::a31:27ee:vg514:3jj8  prefixlen 64  scopeid 0x20<link>
        ether 02:40:21:74:6y:b8  txqueuelen 1000  (Ethernet)

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.28.128.7  netmask 255.255.255.0  broadcast 172.28.128.255
        inet6 fe80::a00:27ff:fe85:4f9  prefixlen 64  scopeid 0x20<link>
        ether 03:03:17:88:24:f5  txqueuelen 1000  (Ethernet)

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
----------------------------------------------------------------------
TCP and UDP....
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      585/postgres        
tcp6       0      0 ::1:5432                :::*                    LISTEN      585/postgres        
tcp6       0      0 :::80                   :::*                    LISTEN      790/apache2         
tcp6       0      0 ::1:5432                ::1:50804               ESTABLISHED 1944/postgres: 10/m 
tcp6       0      0 ::1:5432                ::1:50802               ESTABLISHED 1925/postgres: 10/m 
tcp6       0      0 ::1:50800               ::1:5432                ESTABLISHED 1864/ruby           
tcp6       0      0 ::1:5432                ::1:50800               ESTABLISHED 1882/postgres: 10/m 
tcp6       0      0 ::1:50804               ::1:5432                ESTABLISHED 1864/ruby           
tcp6       0      0 ::1:50802               ::1:5432                ESTABLISHED 1864/ruby           
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 localhost:postgresql    0.0.0.0:*               LISTEN     
tcp6       0      0 localhost:postgresql    [::]:*                  LISTEN     
tcp6       0      0 [::]:http               [::]:*                  LISTEN     
udp        0      0 0.0.0.0:bootpc          0.0.0.0:*                          
-----------------File, Directory and App Quick Checks-----------------
Vital checks
[-] - /etc/shadow is neither world readable nor writable
[-] - /etc/sudoers is neither world readable nor writable
[-] - Mail in /var/mail/ is neither world readable nor writable
[+] - Found something in /etc/ that's World-Writable
-rwxrwxrwx 1 root root 0 Jun 14 18:32 /etc/test.conf
Log Detection
[-] - syslog is neither world readable nor writable
[-] - auth.log is neither world readable nor writable
[-] - messages is neither world readable nor writable
Quick App Research
[+] - Samba is installed
[+] - Perl is installed
[+] - Ruby is installed
[+] - Python is installed
[+] - Netcat is installed
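
The "Vital checks" and "Quick App Research" sections above boil down to a handful of permission and PATH probes. As an added example (not Private-i's own code), the POSIX sh below re-implements that part of the report: predicate functions that read the permission bits for "others" via find -perm, a report function in the same [+]/[-] style, a recursive sweep for world-writable files under /etc like the one that flagged /etc/test.conf, and a PATH probe for the interpreters and tools. The function names, and the assumption that smbd stands in for Samba and nc for netcat, are this example's own. The point of using the "others" bits rather than [ -r ] / [ -w ] is that the latter answer for whoever runs the script; in the run above that is root, which would make everything look readable.

```shell
#!/bin/sh
# Added example, not Private-i's own code: a POSIX-sh take on the "Vital checks"
# and "Quick App Research" lines. Function names are this example's own.
# "World readable/writable" is read from the *others* permission bits, which is
# what an unprivileged foothold can actually use; [ -r ] / [ -w ] would instead
# answer for whoever runs the script (root in the run above) and hide the issue.

# is_world_readable PATH / is_world_writable PATH
# -prune stops find descending into a directory; -perm -004 / -002 require the
# "others" read / write bit to be set. The exit status is the verdict.
is_world_readable() {
    [ -e "$1" ] && [ -n "$(find "$1" -prune -perm -004 -print 2>/dev/null)" ]
}
is_world_writable() {
    [ -e "$1" ] && [ -n "$(find "$1" -prune -perm -002 -print 2>/dev/null)" ]
}

# perm_report PATH [LABEL]
# Prints one report line in the tool's [+]/[-] style. Always returns 0 so a
# sequence of calls survives set -e; callers wanting a verdict use the predicates.
perm_report() {
    label=${2:-$1}
    if [ ! -e "$1" ]; then
        printf '[ ] - %s not found\n' "$label"
    elif is_world_readable "$1" && is_world_writable "$1"; then
        printf '[+] - %s is world readable AND writable\n' "$label"
    elif is_world_writable "$1"; then
        printf '[+] - %s is world writable\n' "$label"
    elif is_world_readable "$1"; then
        printf '[+] - %s is world readable\n' "$label"
    else
        printf '[-] - %s is neither world readable nor writable\n' "$label"
    fi
    return 0
}

# world_writable_files DIR
# Every regular file under DIR that others can write to (the check that caught
# /etc/test.conf above). -xdev stays on one filesystem and -type f skips
# symlinks, so a link into /proc or /tmp cannot pollute the list.
world_writable_files() {
    find "$1" -xdev -type f -perm -002 -print 2>/dev/null || :
}

# installed NAME: exit 0 if NAME resolves on PATH.
installed() {
    command -v "$1" >/dev/null 2>&1
}

# quick_canvas: the file/directory and app part of the report.
quick_canvas() {
    echo "Vital checks"
    perm_report /etc/shadow
    perm_report /etc/sudoers
    hits=$(world_writable_files /etc)
    if [ -n "$hits" ]; then
        echo "[+] - Found something in /etc/ that's World-Writable"
        printf '%s\n' "$hits" | while IFS= read -r f; do ls -ld "$f" 2>/dev/null || :; done
    else
        echo "[-] - Nothing world-writable under /etc/"
    fi
    echo "Quick App Research"
    # smbd is Samba's daemon and nc is netcat (assumed binary names); python and
    # python3 are both probed because a modern box often ships only the latter.
    for bin in smbd perl ruby python python3 nc; do
        if installed "$bin"; then
            echo "[+] - $bin is installed"
        else
            echo "[-] - $bin is not installed"
        fi
    done
    return 0
}

quick_canvas
```

Run it as an unprivileged user as well as root; the predicates give the same answer either way, which is the property the report needs.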

That’s it - very straightforward.
