
unix-privesc-check

unix-privesc-check is a POSIX shell script, originally published by pentestmonkey, that audits a Unix or Linux host for local privilege escalation opportunities. It looks for files that unprivileged users can write to but that root reads or executes (configuration files, cron jobs, init scripts, home directories), lists SUID/SGID programs and checks whether they are writable, inspects the sudo configuration, and checks the permissions of programs and libraries used by running processes. Every finding is printed as a line beginning with "WARNING:", which makes the output easy to filter and to compare between runs. It is a fast first pass for validating hardening and spotting escalation paths; it reports weaknesses and does not exploit them.

Note: Run on systems you own or have explicit authorization to test. Privilege escalation testing is strictly regulated and requires proper authorization.

# Download from GitHub
git clone https://github.com/sleventyeleven/unix-privesc-check.git
cd unix-privesc-check

# Make executable and run directly
chmod +x unix-privesc-check
./unix-privesc-check standard

# Direct download of just the script
wget https://raw.githubusercontent.com/sleventyeleven/unix-privesc-check/master/unix-privesc-check
chmod +x unix-privesc-check

# Via package manager where it is packaged (Kali Linux ships it)
sudo apt-get install unix-privesc-check

# Kali Linux (pre-installed and on the PATH)
unix-privesc-check standard

# Check installation: running with no argument prints the version and usage banner
./unix-privesc-check

# Verify what you downloaded before running it
file ./unix-privesc-check
head -n 1 ./unix-privesc-check  # Should show #!/bin/sh
Command                        Description
unix-privesc-check standard    Speed-optimised run of the standard checks (writable config files, cron jobs, SUID/SGID programs, sudo configuration, home directories, running processes)
unix-privesc-check detailed    Same as standard plus the permissions of open file handles and of files referenced by scripts and linked .so libraries; slower and more prone to false positives
unix-privesc-check             No argument (or an unrecognised one): prints the version and usage banner; there are no separate help or version subcommands
# Run standard privilege escalation checks
./unix-privesc-check standard

# Standard mode with output file
./unix-privesc-check standard > privesc_report.txt

# Standard mode with a timestamped output file
./unix-privesc-check standard > privesc_check_$(date +%Y%m%d_%H%M%S).txt
# Run all available checks
./unix-privesc-check detailed

# Detailed mode with file output
./unix-privesc-check detailed > detailed_audit.txt

# Keep the output of both modes for later comparison
./unix-privesc-check standard > standard.txt
./unix-privesc-check detailed > detailed.txt
# Check for world-writable files in critical directories
./unix-privesc-check standard | grep -i "world"

# Identify SUID binaries
./unix-privesc-check standard | grep -i "suid"

# Find writable /etc/ files
./unix-privesc-check detailed | grep -i "/etc"

Common file permission issues detected:

  • World-writable files in sensitive directories
  • Insecure permissions on /etc/passwd or /etc/shadow
  • Writable SUID binaries
  • Weak permissions on home directories
# Check for sudoers misconfigurations: the script reports whether /etc/sudoers
# is writable and, when it can read the file, echoes the rules for manual review
./unix-privesc-check standard | grep -i "sudo"

# Identify NOPASSWD sudo entries (only visible when /etc/sudoers was readable, i.e. when run as root)
./unix-privesc-check detailed | grep -i "nopasswd"

# Check for command wildcards in the echoed sudoers rules
./unix-privesc-check detailed | grep "\*"
# Find all SUID binaries
./unix-privesc-check standard | grep -i "suid"

# Identify SUID programs that are commonly abusable (file utilities, interpreters, archivers)
./unix-privesc-check detailed | grep -E "find|chmod|chown|cp|mv|tar"

# Check for potentially exploitable SGID binaries
./unix-privesc-check detailed | grep -i "sgid"
# Check running processes: the script looks for programs run by root (and, in
# detailed mode, the files they hold open) that non-root users can modify
./unix-privesc-check standard | grep -Ei "process|init"

# Identify findings that mention root (broad match; refine after a first look)
./unix-privesc-check detailed | grep "root"

# Read the section banners at the top of the output to see which checks ran
./unix-privesc-check detailed | head -n 50
# unix-privesc-check does not inventory package versions; it checks whether the
# files behind running programs can be modified. In detailed mode this extends
# to linked .so libraries, so filter for those rather than for package names
./unix-privesc-check detailed | grep -i "\.so"

# For outdated packages use your package manager's update check instead
# Check anything the script reports about listening programs
./unix-privesc-check standard | grep -i "listen"

# Spot clear-text services by name; the script does not assess encryption itself,
# so treat these as pointers for manual review
./unix-privesc-check detailed | grep -E "telnet|ftp|http"

# Review ports mentioned in findings
./unix-privesc-check standard | grep -E "port|listen"
# Check user accounts and privileges
./unix-privesc-check detailed | grep -i "user"

# Identify group memberships
./unix-privesc-check standard | grep -i "group"

# Review UID/GID anomalies (word-bounded so SUID/SGID findings are not matched)
./unix-privesc-check detailed | grep -Ei "\b(uid|gid)\b"
# Generate comprehensive audit report
REPORT_DATE=$(date +%Y%m%d_%H%M%S)
./unix-privesc-check detailed > report_${REPORT_DATE}.txt

# Create summary report
echo "=== Unix Privilege Escalation Check ===" > summary.txt
echo "Date: $(date)" >> summary.txt
./unix-privesc-check standard >> summary.txt
# Create baseline from a known-good system (or from the current state after remediation)
./unix-privesc-check detailed > baseline.txt

# Compare against a new audit; ">" lines are new to the current run
./unix-privesc-check detailed > current.txt
diff baseline.txt current.txt | grep "^>"
# Expect some noise: the process checks include PIDs that change between runs,
# so filter both files to their WARNING: lines before diffing
# Show only findings: every finding is printed as a line beginning with "WARNING:"
./unix-privesc-check detailed | grep "^WARNING:"

# The script does not assign severity levels; rank findings yourself, e.g. writable
# sudoers, cron and init files first, then writable SUID binaries, then home directories
./unix-privesc-check standard | grep "^WARNING:" | grep -E "sudoers|cron|init"

# Check specific finding types
./unix-privesc-check detailed | grep -i "writable"
# Validate critical file permissions
./unix-privesc-check detailed | grep "/etc/passwd"
./unix-privesc-check detailed | grep "/etc/shadow"
./unix-privesc-check detailed | grep "/etc/sudoers"

# Check home directory permissions (findings start with "WARNING:", so do not anchor on "^/")
./unix-privesc-check detailed | grep -E "/home/|/root"
# The script checks who can read and write the password files, not password
# policy, authentication methods or PAM rules; these greps only surface incidental
# matches, so review /etc/login.defs and /etc/pam.d by hand for those
./unix-privesc-check standard | grep -i "passwd\|shadow"

# Anything mentioning authentication
./unix-privesc-check detailed | grep -i "auth"

# Anything mentioning PAM (usually nothing; this is not a PAM audit)
./unix-privesc-check detailed | grep -i "pam"
# Validate sudoers configuration
./unix-privesc-check standard | grep -i "sudo"

# Check for dangerous sudo rules in the echoed sudoers content
./unix-privesc-check detailed | grep -E "NOPASSWD|ALL"

# Sudo logging is not checked by the script; confirm it separately in the
# Defaults lines of /etc/sudoers (log_output, logfile) and in the auth log
./unix-privesc-check detailed | grep -i "audit\|log"
# Use unix-privesc-check for quick assessment
./unix-privesc-check standard > quick_check.txt

# Follow up with LinPEAS for broader enumeration
./linpeas.sh > linpeas_detailed.txt

# The two outputs use different formats, so a plain diff between them is not
# meaningful; correlate by path instead, looking each WARNING: path up in the LinPEAS output
grep "^WARNING:" quick_check.txt

# Record privilege escalation vectors for the report
./unix-privesc-check detailed > privesc_vectors.txt

# Metasploit's db_import parses scanner XML formats, not this free-text output;
# attach the file to the engagement notes rather than trying to import it
#!/bin/bash
# Run check and capture critical issues
./unix-privesc-check standard > current_audit.txt

# Identify and fix common issues
if grep -q "world.writable" current_audit.txt; then
  echo "Found world-writable files - remediation needed"
fi

if grep -q "NOPASSWD" current_audit.txt; then
  echo "Found NOPASSWD sudo entries - review sudoers"
fi
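Rather than stringing greps together, a small triage script can pull the WARNING: lines out of a saved report, bucket them by type, and return a non-zero status when anything was found, which is what a cron job or CI step needs. This is an added example, not part of unix-privesc-check; the sample report it parses is constructed here, and the category keywords it matches on are an assumption about the wording of the tool's warnings, so adjust them after looking at real output.

```bash
#!/bin/bash
# Added example: triage a saved unix-privesc-check report.
# Relies only on the tool's convention that every finding starts with "WARNING:".

# Constructed sample report, standing in for: ./unix-privesc-check detailed > report.txt
SAMPLE_REPORT=$(mktemp)
trap 'rm -f "$SAMPLE_REPORT"' EXIT
cat > "$SAMPLE_REPORT" <<'EOF'
############################################
Checking for writable config files
############################################
    Checking if anyone except root can change /etc/passwd
WARNING: /etc/passwd is writable by group users
    Checking if anyone except root can change /etc/shadow
############################################
Checking sudo configuration
############################################
WARNING: /etc/sudoers is writable by user backup
WARNING: Sudo is configured. Manually check nothing unexpected is permitted: deploy ALL=(ALL) NOPASSWD: ALL
############################################
Checking for SUID programs
############################################
WARNING: /usr/local/bin/findx is SUID root and writable by group staff
    Checking if anyone except root can change /var/spool/cron/crontabs/root
WARNING: /var/spool/cron/crontabs/root is writable by group staff
EOF

# Only the findings, in report order.
extract_warnings() {
  grep '^WARNING:' "$1" || true
}

# Number of findings in a report (prints 0 when clean).
count_warnings() {
  grep -c '^WARNING:' "$1" || true
}

# Coarse category for one finding. The keywords are an assumption; tune them
# against real output. First match wins, so sudo outranks the /etc/ fallback.
classify_warning() {
  case "$1" in
    *[Ss]udo*)      echo sudo ;;
    *SUID*|*SGID*)  echo suid ;;
    *cron*)         echo cron ;;
    */etc/*)        echo config ;;
    *)              echo other ;;
  esac
}

# "category count" lines, sorted by category name.
summarize_report() {
  extract_warnings "$1" | while IFS= read -r line; do
    classify_warning "$line"
  done | LC_ALL=C sort | uniq -c | awk '{print $2, $1}'
}

# Exit 0 when the report is clean, 1 when it contains findings.
has_findings() {
  grep -q '^WARNING:' "$1"
}

echo "Findings: $(count_warnings "$SAMPLE_REPORT")"
summarize_report "$SAMPLE_REPORT"
if has_findings "$SAMPLE_REPORT"; then
  echo "Remediation needed; review the WARNING: lines above"
fi
```

Point it at a real report with `summarize_report report.txt`; the `has_findings` exit status is what to key a cron alert or pipeline gate on. The classification is deliberately coarse so it does not break when a warning's wording changes slightly between script versions.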
# Detect world-writable critical files
./unix-privesc-check detailed | grep -i "world.writable"

# Common vulnerable locations (skip pseudo-filesystems)
find / -type f -perm -002 -not -path "/proc/*" -not -path "/sys/*" 2>/dev/null | head -20

# Remediation
chmod o-w /path/to/file
# Identify SUID programs that offer shell escapes or arbitrary file writes
./unix-privesc-check standard | grep -E "find|nmap|perl|python"

# Check for SUID binaries outside the usual system locations (custom or locally compiled helpers)
./unix-privesc-check detailed | grep -i "suid" | grep -v -E "/usr/bin/|/usr/sbin/|/bin/|/sbin/"

# List every SUID file with owner and permissions for manual review
find / -type f -perm -4000 -ls 2>/dev/null
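The world-writable and SUID checks above boil down to two find expressions plus a remediation step; running them against a constructed directory tree shows exactly what each one catches and what it deliberately ignores. This is an added example, not code from unix-privesc-check; the directory layout, the allowlist file format (one full path per line) and the sample binaries are constructed for the demonstration, and for a real audit you would point the functions at / and run as root.

```bash
#!/bin/bash
# Added example: the file-permission checks behind the greps above, run against
# a constructed tree so it is safe to execute anywhere. Root and allowlist are
# assumptions for the demo; use / and a real allowlist on a host.

# Constructed tree: one world-writable file, one expected SUID binary, one stray one.
ROOT=$(mktemp -d)
ALLOWLIST=$(mktemp)
trap 'rm -rf "$ROOT" "$ALLOWLIST"' EXIT
mkdir -p "$ROOT/etc" "$ROOT/usr/bin" "$ROOT/usr/local/bin" "$ROOT/tmp"
printf 'x\n' > "$ROOT/etc/app.conf";         chmod 666  "$ROOT/etc/app.conf"
printf 'x\n' > "$ROOT/etc/ok.conf";          chmod 644  "$ROOT/etc/ok.conf"
printf 'x\n' > "$ROOT/usr/bin/passwd";       chmod 4755 "$ROOT/usr/bin/passwd"
printf 'x\n' > "$ROOT/usr/local/bin/helper"; chmod 4755 "$ROOT/usr/local/bin/helper"
chmod 1777 "$ROOT/tmp"   # world-writable directory with sticky bit: expected, not a finding

# Allowlist of SUID binaries the host is supposed to have (assumed format: one full path per line).
printf '%s\n' "$ROOT/usr/bin/passwd" > "$ALLOWLIST"

# World-writable regular files under a root. Directories such as /tmp are not
# reported; those are acceptable when they carry the sticky bit.
world_writable_files() {
  find "$1" -xdev -type f -perm -0002 2>/dev/null | LC_ALL=C sort
}

# SUID files under a root that are not on the allowlist.
unexpected_suid() {
  find "$1" -xdev -type f -perm -4000 2>/dev/null | LC_ALL=C sort | grep -vxFf "$2" || true
}

# Remediation for the first finding: drop the world-write bit and report each change.
strip_world_write() {
  world_writable_files "$1" | while IFS= read -r f; do
    chmod o-w "$f" && echo "fixed: $f"
  done
}

echo "World-writable files:";  world_writable_files "$ROOT"
echo "Unexpected SUID files:"; unexpected_suid "$ROOT" "$ALLOWLIST"
strip_world_write "$ROOT"
```

Unexpected SUID files are listed rather than fixed automatically: dropping the bit from something a service relies on breaks it, so that decision stays manual, whereas removing world-write from a regular file is almost always safe.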
# Check for sudo misconfigurations
./unix-privesc-check standard | grep "sudo"

# Example dangerous rule (echoed by the script when sudoers is readable):
# the user may run any command as root without a password
#   deploy ALL=(ALL) NOPASSWD: ALL

# Remediation approach: edit with visudo so the syntax is checked before saving
sudo visudo
# After running unix-privesc-check
./unix-privesc-check detailed > vulnerabilities.txt

# Fix world-writable files
chmod 644 /path/to/world-writable-file

# Review and correct sudoers
sudo visudo

# Remove unnecessary SUID bits
sudo chmod u-s /usr/bin/vulnerable-binary
# Implement principle of least privilege
chmod 640 /etc/shadow   # root:shadow on Debian/Ubuntu; 000 is the norm on RHEL-family systems
chmod 644 /etc/passwd

# Restrict sudo access:
#   limit rules to specific commands with full paths and no wildcards
#   remove NOPASSWD entries
#   enable sudo logging (Defaults log_output / logfile)

# Monitor file changes
aide --init
aide --check
#!/bin/bash
# crontab entry for daily privilege escalation checks (% must be escaped inside crontab)
# 0 2 * * * /path/to/unix-privesc-check detailed > /var/log/privesc_$(date +\%Y\%m\%d).txt

# Create monitoring script; reports spell out weaknesses, so keep the directory root-only
cat > /usr/local/bin/privesc-monitor.sh <<'EOF'
#!/bin/bash
AUDIT_DIR="/var/log/privesc-audits"
mkdir -p "$AUDIT_DIR"
chmod 700 "$AUDIT_DIR"
/path/to/unix-privesc-check detailed > "$AUDIT_DIR/check_$(date +%Y%m%d_%H%M%S).txt"
EOF

chmod +x /usr/local/bin/privesc-monitor.sh
#!/bin/bash
# Create baseline
./unix-privesc-check detailed > baseline.txt

# Periodic comparison
while true; do
  ./unix-privesc-check detailed > current.txt
  
  if ! diff -q baseline.txt current.txt > /dev/null; then
    echo "Changes detected at $(date)"
    diff baseline.txt current.txt
  fi
  
  sleep 86400  # Run daily
done
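A raw diff of two reports, as in the loop above, flags every changed PID and banner as a "change". Comparing only the WARNING: lines, as sorted sets, gives two useful answers instead: which findings are new since the baseline (regressions) and which have disappeared (remediation confirmed). This is an added example and not part of unix-privesc-check; the two sample reports are constructed, and the only assumption about the tool is its WARNING: prefix.

```bash
#!/bin/bash
# Added example: compare two unix-privesc-check reports by their WARNING: lines
# only, so PIDs, timestamps and check banners do not register as changes.

# Constructed sample reports; a real run would be ./unix-privesc-check detailed > file
BASELINE=$(mktemp)
CURRENT=$(mktemp)
trap 'rm -f "$BASELINE" "$CURRENT"' EXIT
cat > "$BASELINE" <<'EOF'
Checking running processes (pid 1234)
WARNING: /etc/cron.d/backup is writable by group staff
WARNING: /usr/local/bin/helper is SUID root and writable by group staff
EOF
cat > "$CURRENT" <<'EOF'
Checking running processes (pid 5678)
WARNING: /etc/cron.d/backup is writable by group staff
WARNING: /etc/sudoers is writable by user backup
EOF

# Unique, sorted findings from one report (LC_ALL=C keeps sort and comm in agreement).
sorted_warnings() {
  { grep '^WARNING:' "$1" || true; } | LC_ALL=C sort -u
}

# Set comparison of two reports' findings. $1 is the comm column selector,
# $2 the baseline report, $3 the current report.
compare_warnings() {
  b=$(mktemp); c=$(mktemp)
  sorted_warnings "$2" > "$b"
  sorted_warnings "$3" > "$c"
  LC_ALL=C comm "$1" "$b" "$c"
  rm -f "$b" "$c"
}

# Findings present now but absent from the baseline: regressions.
new_findings()      { compare_warnings -13 "$1" "$2"; }

# Findings in the baseline that are gone now: evidence that remediation worked.
resolved_findings() { compare_warnings -23 "$1" "$2"; }

# Exit 1 when there are regressions, so a cron job or CI step can alert on it.
check_regressions() {
  regressions=$(new_findings "$1" "$2")
  if [ -n "$regressions" ]; then
    echo "NEW findings since baseline:"
    echo "$regressions"
    return 1
  fi
  echo "No new findings since baseline"
  return 0
}

echo "Resolved since baseline:"
resolved_findings "$BASELINE" "$CURRENT"
check_regressions "$BASELINE" "$CURRENT" || true
```

Drop `check_regressions baseline.txt current.txt` into the daily loop or cron job in place of the plain `diff`; re-baseline only after the new findings have been reviewed, otherwise an accepted regression silently becomes the norm.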
# Fast initial scan
./unix-privesc-check standard

# Typical output: seconds to complete
# Checks essential privilege escalation vectors
# Good for rapid security assessment
# Detailed scan with full analysis
./unix-privesc-check detailed

# May take several minutes
# Comprehensive coverage of all check categories
# Suitable for thorough security audits
# Run standard then grep for specific area
./unix-privesc-check standard | grep "sudo"
./unix-privesc-check detailed | grep "suid"
./unix-privesc-check detailed | grep "world"
# Ensure proper permissions
chmod +x unix-privesc-check

# Run with explicit interpreter
sh unix-privesc-check standard

# Check for bash-specific syntax
bash unix-privesc-check standard
# Verify script version (the header comment and the banner printed on every run carry it)
head -n 20 unix-privesc-check

# Update to latest version (git pull inside an existing clone; clone afresh otherwise)
git clone https://github.com/sleventyeleven/unix-privesc-check.git
cd unix-privesc-check
./unix-privesc-check standard
# Run as root where possible: an unprivileged run cannot stat every file or
# read /etc/sudoers, so several checks are skipped or incomplete
sudo ./unix-privesc-check detailed

# Alternative: capture errors separately
./unix-privesc-check standard 2> errors.txt > output.txt

# Review error output (permission-denied lines show which checks were incomplete)
cat errors.txt
# Verify system access and permissions
whoami
id

# Check available disk space for reports
df -h

# Create audit directory
mkdir -p /var/log/security-audits
# Document scan parameters
echo "System: $(hostname)" > scan_summary.txt
echo "Date: $(date)" >> scan_summary.txt
echo "User: $(whoami)" >> scan_summary.txt

# Run comprehensive check
./unix-privesc-check detailed >> scan_summary.txt

# Archive results
tar -czf audit_$(date +%Y%m%d).tar.gz scan_summary.txt
# Document findings
./unix-privesc-check standard > findings_pre.txt

# Create remediation plan
cat > remediation_plan.txt <<'EOF'
Finding: /tmp is world-writable without the sticky bit
Severity: Medium
Remediation: chmod 1777 /tmp
Verified: [Pending]
EOF

# Verify fixes
./unix-privesc-check standard > findings_post.txt
diff findings_pre.txt findings_post.txt

Always ensure proper authorization before running privilege escalation audits. Document:

  • Written approval from system owner
  • Audit scope and authorized systems
  • Testing date and personnel
  • Findings and remediation status
  • Compliance with security policies

Use unix-privesc-check only in authorized security testing environments with proper documentation and approval.