Information gathering (Linux)
Automated Enumeration Tools
- LinPeas: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS
- LinEnum: https://github.com/rebootuser/LinEnum
- LES (Linux Exploit Suggester): https://github.com/mzet-/linux-exploit-suggester
- Linux Smart Enumeration: https://github.com/diego-treitos/linux-smart-enumeration
- Linux Priv Checker: https://github.com/linted/linuxprivchecker
- unix_privesc_check: https://pentestmonkey.net/tools/audit/unix-privesc-check
Host
System Information
os info: Let's start by gaining some knowledge of the OS that is running.
kernel version
arch
path: If you have write permissions on any folder inside the PATH variable you may be able to hijack some libraries or binaries.
env info: Is there interesting information, such as passwords or API keys, in the environment variables?
list mounted drives
kernel exploits: Check the kernel version and whether there is some known exploit for it that can be used to escalate privileges.
Useful software
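As an added example (not part of the original cheat sheet), the POSIX shell function below audits a PATH-style list the way an administrator would check the "path" item above: it reports entries that are writable by the current user, entries that do not exist, and relative entries. The argument defaults to the caller's own $PATH; the directory names in the comments are illustrative only.

```sh
#!/bin/sh
# Added example: audit a colon-separated search path for risky entries.
# A writable or relative entry lets whoever can write there plant a binary that
# later runs with the privileges of every user (or cron job) sharing that PATH.
# Argument: colon-separated list to audit (defaults to the caller's $PATH).
# Output: one "KIND:dir" line per finding (WRITABLE, MISSING or RELATIVE).
audit_path() {
    printf '%s\n' "${1:-$PATH}" | tr ':' '\n' | while IFS= read -r dir; do
        # An empty element, ".", or any other non-absolute entry resolves
        # relative to the current working directory.
        case "$dir" in
            /*) ;;
            *) printf 'RELATIVE:%s\n' "${dir:-<empty>}"; continue ;;
        esac
        if [ ! -d "$dir" ]; then
            # Missing entries matter too: whoever can later create the
            # directory inherits its position in the search order.
            printf 'MISSING:%s\n' "$dir"
        elif [ -w "$dir" ]; then
            printf 'WRITABLE:%s\n' "$dir"
        fi
    done
}

# Usage on the running shell's own PATH (prints nothing on a clean system):
audit_path
```

Run it as each service account that matters (for example via `su -s /bin/sh svcuser -c '...'`), since `-w` is evaluated for the calling user; a directory that root cannot write to may still be writable by the account a cron job runs under.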
enumerate useful binaries
which nmap aws nc ncat netcat nc.traditional wget curl ping gcc g++ make gdb base64 socat python python2 python3 python2.7 python2.6 python3.6 python3.7 python3.9 python3.10 perl php ruby xterm doas sudo fetch docker lxc ctr runc rkt kubectl 2>/dev/null
(dpkg --list 2>/dev/null | grep "compiler" | grep -v "decompiler\|lib" 2>/dev/null || yum list installed 'gcc*' 2>/dev/null | grep gcc 2>/dev/null; which gcc g++ 2>/dev/null || locate -r "/gcc[0-9\.-]\+$" 2>/dev/null | grep -v "/doc/")
vulnerable software installed: Check the versions of the installed packages and services. Maybe there is some old Nagios version (for example) that could be exploited for escalating privileges. It is recommended to manually check the versions of the more suspicious installed software.
If you have SSH access to the machine you could also use OpenVAS to check for outdated and vulnerable software installed on the machine. Note that these commands will show a lot of information that will mostly be useless, so it is recommended to use an application like OpenVAS or similar that checks whether any installed software version is vulnerable to known exploits.
User
user information
all users
user groups
user history
history
cat /home/$USER/.bash_history
cat ~/.bash_history | less
cat ~/.mysql_history | less
cat ~/.nano_history | less
cat ~/.*history | less
Cron
scheduled task
file permissions
log
Processes
list process: Take a look at which processes are being executed and check whether any process has more privileges than it should (e.g. a Tomcat being executed by root).
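As an added example (not part of the original cheat sheet) of the process check above, the shell function below reads `ps -eo user,pid,comm` style output and prints the processes that run as root although their command name belongs to a service that a hardening baseline would expect under a dedicated account. The service name list is a hypothetical baseline, and the ps output is constructed, not captured from a real host.

```sh
#!/bin/sh
# Added example: flag service processes running as root.
# Reads lines in the format of `ps -eo user,pid,comm` from stdin and prints
# "PID: command" for every process owned by root whose command is on the list.
flag_root_daemons() {
    # Hypothetical baseline of services that should not run as root;
    # adjust to your own environment. Tomcat shows up as "java" in comm.
    pattern='^(tomcat|java|apache2|httpd|nginx|mysqld|postgres|node|php-fpm)$'
    awk -v pat="$pattern" '$1 != "USER" && $1 == "root" && $3 ~ pat { print $2 ": " $3 }'
}

# Constructed sample of `ps -eo user,pid,comm` output (not from a real host).
SAMPLE_PS='USER       PID COMMAND
root         1 systemd
root       842 java
tomcat     843 java
root       901 mysqld
www-data   950 apache2
root       988 sshd'

# Run the check over the sample. On a live host:
#   ps -eo user,pid,comm | flag_root_daemons
printf '%s\n' "$SAMPLE_PS" | flag_root_daemons
```

With the sample above the function reports PID 842 (java, i.e. a Tomcat started as root) and PID 901 (mysqld), while the Tomcat worker under the tomcat account, the apache2 worker under www-data and sshd (expected as root) are not flagged.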
Services
service
sudo systemctl start apache2
sudo systemctl status apache2
sudo systemctl restart apache2
sudo systemctl stop apache2
sudo systemctl enable apache2 # start automatically at boot
systemctl list-unit-files # list all services
service settings: is there any misconfiguration?
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.conf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ | awk '$1 ~ /^.*r.*/'
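As an added example (not part of the original cheat sheet) that serves both the cron "file permissions" check and the service settings / readable-writable files checks, the function below uses find instead of the ls-and-awk filter and reports world-writable files plus world-writable directories that lack the sticky bit below the given base directories. The base directories named in the usage line are only suggestions.

```sh
#!/bin/sh
# Added example: list world-writable files and non-sticky world-writable
# directories under one or more base directories. Any config, cron or spool
# file that every local account can edit lets that account feed its own
# content to whatever service or cron job later reads the file.
# Arguments: base directories (e.g. /etc /etc/cron.d /var/spool/cron).
audit_world_writable() {
    for base in "$@"; do
        [ -d "$base" ] || continue
        # -perm -0002: "other" write bit set; -perm -1000: sticky bit set.
        find "$base" \( -type f -perm -0002 \) -o \( -type d -perm -0002 ! -perm -1000 \) 2>/dev/null
    done
}

# Usage over the configuration and scheduler trees named in this cheat sheet:
audit_world_writable /etc /etc/cron.d /var/spool/cron /opt/lampp/etc
```

Directories such as /tmp are world-writable by design but carry the sticky bit, so they are deliberately not reported; a 0777 directory without it is the case worth fixing.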
Installed Applications
applications (Debian)
Readable/Writable Files and Directories
- -d directories
Network
TCP/IP configuration
open ports
routing tables
active network connections
firewall
Disks
enumerate all disks
Device Drivers and Kernel Modules
enumerate the loaded kernel modules
use modinfo to find out more about a specific module