Local Privilege Escalation Tips

Author: @Ambulong

PHP SESSION

  • phpMyAdmin
  • ownCloud

PHP Disable Functions Bypass

  • Shellshock (CVE-2014-6271)
  • ImageMagick
  • Ghostscript
  • FFmpeg

Port

  • 1099 - Java RMI (Java Deserialization RCE)
  • 2375 - Docker Remote API
  • 6379 - Redis
  • 8161 - ActiveMQ (CVE-2016-3088)
  • 9000 - PHP-CGI/FastCGI RCE
  • 9001 - Supervisord (CVE-2017-11610)
  • 9200 - Elasticsearch
  • 11211 - Memcached
  • 27017 - MongoDB
  • 27018 - MongoDB
  • 27019 - MongoDB

Service

  • Apache Tomcat

PATH

  • PHP SESSION SAVE PATH
    • /tmp
    • /var/lib/php/
    • /var/lib/php5/
    • /var/lib/php/sessions/
    • /var/lib/php5/sessions/
  • NGINX CONFIG
    • /usr/local/nginx/conf/nginx.conf
    • /usr/local/nginx/nginx.conf
    • /etc/nginx/nginx.conf
  • APACHE CONFIG
    • /etc/httpd/conf/httpd.conf
    • /usr/local/apache/conf/httpd.conf
    • /usr/local/apache2/conf/httpd.conf
    • /etc/httpd/conf.d
    • /etc/apache2/conf/httpd.conf
    • /etc/apache2/httpd.conf
    • /etc/apache2/sites-available/000-default.conf
    • /etc/apache2/sites-enabled/000-default.conf
    • /apps/apache/conf/httpd.conf
    • /apps/apache2/conf/httpd.conf
    • /etc/httpd/conf.d/vhosts.conf
  • PHP INI
    • /etc/php.ini
    • /etc/php/7.0/cli/php.ini
    • /etc/php/7.0/fpm/php.ini
    • /etc/php5/apache2/php.ini
    • /etc/php5/cli/php.ini
    • /usr/local/php/etc/php.ini
    • /usr/local/Zend/etc/php.ini
    • /usr/local/php/lib/php.ini
  • OTHER
    • /etc/passwd
    • /etc/shadow
    • /etc/group
    • /etc/gshadow
    • /etc/rc.local
    • /etc/issue
    • /etc/issue.net
    • /proc/version
    • /proc/self/environ
    • /etc/sysconfig/network-scripts/ifcfg-eth0
    • /etc/init.d/httpd
    • /etc/init.d/mysqld
    • /etc/syslog.conf
    • /var/log/yum.log
    • /etc/sysconfig/iptables-config
    • /var/log/cron
    • .bash_history
    • .mysql_history
    • .viminfo
    • /etc/vsftpd/vsftpd.conf
    • /etc/logrotate.d/vsftpd.log