Information gathering

Host

hostname

System Information

os info Let's starting gaining some knowledge of the OS running

cat /etc/issue
cat /etc/*-release

kernel version

uname -a

arch

arch

cat /proc/version
uname -mrs
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz

path If you have written permissions on any folder inside the PATH variable you may be able to hijacking some libraries or binaries:

echo $PATH

env info Interesting information, passwords or API keys in the environment variables?

(env || set) 2>/dev/null

list mounted drives

cat /proc/mounts

mount

df -aTh

findmnt

kernel exploits Check the kernel version and if there is some exploit that can be used to escalate privileges

cat /proc/version
uname -a
searchsploit "Linux Kernel"

User and groups

user information

id
whoami
users

- The account NT AUTHORITY\System which is a Local System account. It is a powerful account that has unrestricted access to all local system resources. It is a member of the Windows Administrators group on the local computer, all users

cat /etc/passwd

user groups

groups

user history

history
cat /home/$USER/.bash_history
cat ~/.bash_history | less
cat ~/.mysql_history | less
cat ~/.nano_history | less
cat ~/.*history | less

find file by name

find . -name flag.txt

find file owned by user

find <directory-location> -user <username> -name <file-name> 2>/dev/null

find file owned by a group

find <directory-location> -group <group-name> -name <file-name>  2>/dev/null

find file owned by a group (executable)

find <directory-location> -executable -group <group-name>  2>/dev/null

Cron

scheduled task

cat /etc/crontab

crontab -l

ls -la /etc/cron.*
cat /etc/cron.deny
cat /etc/cron.hourly
cat /etc/cron.monthly
cat /etc/cron.weekly

cat /etc/cron*

log

grep "CRON" /var/log/cron.log
grep "CRON" /var/log/* 2>/dev/null

pspy64

pspy64
|->
07:27:49 CMD: | /bin/bash /usr/bin/check-system  <- that mean check-system is executed every second
07:27:50 CMD: | /bin/bash /usr/bin/check-system 
07:27:51 CMD: | /bin/bash /usr/bin/check-system

Processes

list process Take a look to what processes are being executed and check if any process has more privileges than it should (maybe a tomcat being executed by root?)

ps aux

ps -A
ps axjf

Services

service

sudo systemctl start apache2
sudo systemctl status apache2
sudo systemctl restart apache2
sudo systemctl stop apache2
sudo systemctl enable apache2 # autostart on boot time
systemctl list-unit-files # list all services

service settings, there is any wrong allocation?

cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.conf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ | awk ‘$1 ~ /^.*r.*/

Network

wire connection

ip a
ifconfig

wireless connection

iwconfig

neighborhood

ip n

arp -a

route

ip r

route
routel

open ports

ss -tulpn

active network connections

ss -anp

- -a - list all connections - -n - avoid hostname resolution - -p - list the process name the connection belongs firewall

grep -Hs iptables /etc/*

Installed Applications

application (debina)

dpkg -l

Useful software

enumerate useful binaries

which nmap aws nc ncat netcat nc.traditional wget curl ping gcc g++ make gdb base64 socat python python2 python2.5 python2.6 python2.7 python3 python3.6 python3.7 python3.9 python3.10 perl php ruby xterm doas sudo fetch docker lxc ctr runc rkt kubectl 2>/dev/null

Also, check if any compiler is installed. This is useful if you need to use some kernel exploit as it's recommended to compile it in the machine where you are going to use it (or in one similar)

(dpkg --list 2>/dev/null | grep "compiler" | grep -v "decompiler\|lib" 2>/dev/null || yum list installed 'gcc*' 2>/dev/null | grep gcc 2>/dev/null; which gcc g++ 2>/dev/null || locate -r "/gcc[0-9\.-]\+$" 2>/dev/null | grep -v "/doc/")

vulnerable software installed Check for the version of the installed packages and services. Maybe there is some old Nagios version (for example) that could be exploited for escalating privileges… It is recommended to check manually the version of the more suspicious installed software.

dpkg -l #Debian
rpm -qa #Centos

If you have SSH access to the machine you could also use openVAS to check for outdated and vulnerable software installed inside the machine.

Note that these commands will show a lot of information that will mostly be useless, therefore it's recommended some application like OpenVAS or similar that will check if any installed software version is vulnerable to known exploits

Readable/Writable

Files

find / -writable -type f 2>/dev/null | grep -v '/proc' | grep -v '/sys'

-f - files

Directories

find / -writable -type d 2>/dev/null

-d - directories

Disks

lists all mounted

mount

lists all drives that will be mounted at boot time

cat /etc/fstab

view all available disks

/bin/lsblk

Device Drivers and Kernel Modules

enumerate the loaded kernel modules

lsmod

use modinfo to find out more about the specific module

/sbin/modinfo libata

Binaries That AutoElevate

setuid

find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null | less

- / - search at the root directory - -type f - searching for files - -perm -u=s - SUID bit set

Shares

smb
nfs
ftp

Logs and Events

tail -n 10 /var/log/syslog

Automated Enumeration

lin-peas

./linux-peas.sh

unix-privesc-check

./unix-privesc-check.sh standard > unix-privesc-check-standard-output.txt 2>/dev/null
./unix-privesc-check.sh detailed > unix-privesc-check-detailed-output.txt 2>/dev/null

cat unix-privesc-check-standard-output.txt | grep -n 'WARNING'
cat unix-privesc-check-detailed-output.txt | grep -n 'WARNING'

other