# Privilege Escalation Tools

## Linux Smart Enumeration (lse.sh)

- In addition to being a Bash script (which helps if Python isn't installed), it has multiple verbosity levels which gradually reveal more and more information.

https://github.com/diego-treitos/linux-smart-enumeration

```bash
Use: ./lse.sh [options]

 OPTIONS
  -c           Disable color
  -i           Non interactive mode
  -h           This help
  -l LEVEL     Output verbosity level
                 0: Show highly important results. (default)
                 1: Show interesting results.
                 2: Show all gathered information.
  -s SELECTION Comma separated list of sections or tests to run. Available
               sections:
                 usr: User related tests.
                 sud: Sudo related tests.
                 fst: File system related tests.
                 sys: System related tests.
                 sec: Security measures related tests.
                 ret: Recurren tasks (cron, timers) related tests.
                 net: Network related tests.
                 srv: Services related tests.
                 pro: Processes related tests.
                 sof: Software related tests.
                 ctn: Container (docker, lxc) related tests.
                 cve: CVE related tests.
               Specific tests can be used with their IDs (i.e.: usr020,sud)
  -e PATHS     Comma separated list of paths to exclude. This allows you
               to do faster scans at the cost of completeness
  -p SECONDS   Time that the process monitor will spend watching for
               processes. A value of 0 will disable any watch (default: 60)
  -S           Serve the lse.sh script in this host so it can be retrieved
               from a remote host.
```

Examples:

```bash
$ ./lse.sh
$ ./lse.sh -l 1 -i   # the -i option prevents it from prompting for a password
$ ./lse.sh -l 2 -i
```

## LinEnum

LinEnum is an advanced Bash script which extracts a large amount of useful information from the target system. It can copy interesting files for export, and search for files containing a keyword (e.g. "password").

https://github.com/rebootuser/LinEnum

```bash
/LinEnum.sh: option requires an argument -- h

#########################################################
# Local Linux Enumeration & Privilege Escalation Script #
#########################################################
# www.rebootuser.com | @rebootuser
# version 0.982

# Example: ./LinEnum.sh -k keyword -r report -e /tmp/ -t

OPTIONS:
-k Enter keyword
-e Enter export location
-s Supply user password for sudo checks (INSECURE)
-t Include thorough (lengthy) tests
-r Enter report name
-h Displays this help text

Running with no options = limited scans/no output file
#########################################################
```

A notable feature is LinEnum's ability to export interesting files. Create a folder for LinEnum to export files to, and search for the word "password":

```bash
$ mkdir export
$ ./LinEnum.sh -k password -e export -t
```

- In the above example we are using LinEnum to search for the keyword "password" with the -k flag
- Exporting to the newly created folder export with the -e flag
- Including thorough tests with the -t flag

The export directory now contains several files that contain the word "password". You can transfer those files to your local machine for further analysis.

## Additional Tools for Privilege Escalation

- https://github.com/linted/linuxprivchecker
- https://github.com/AlessandroZ/BeRoot
- http://pentestmonkey.net/tools/audit/unix-privesc-check