Linux Privilege Escalation
Initial Manual Enumeration
Start with the basics by hand, just to get a sense of what system you’re on and in what context.
Users
id || (whoami && groups) 2>/dev/null # Who am I?
grep -vE "nologin|false" /etc/passwd # Users with console
w # Currently logged-in users
last | tail # Login history
File System
pwd # Where am I now?
ls -al # What is in the current folder?
ls -al / # What is in the file system root?
Local File Includes
Proc Files
Under Linux, /proc includes a directory for each running process, including kernel processes, in directories named /proc/PID, where PID is the process number. Each directory contains information about one process, including: /proc/PID/cmdline, the command that originally started the process.
https://en.wikipedia.org/wiki/Procfs
https://blog.netspi.com/directory-traversal-file-inclusion-proc-file-system/
/proc/sched_debug
/proc/mounts
/proc/net/arp
/proc/net/route
/proc/net/tcp
/proc/net/udp
/proc/net/fib_trie
/proc/version
/proc/self/environ
/proc/self/cmdline
/proc/<ID>/cmdline
OS & Kernel & Processes
cat /etc/issue
cat /etc/*-release # What OS release is running?
uname -a # Kernel details
lsb_release -a # Backup/alternative option
ps aux --forest -ww # Show the process forest (BSD-style "aux", no leading dash, avoids the bad-syntax warning)
Network Basics
# Host resolution
hostname
cat /etc/hosts
# Network interfaces
ip addr show
# Active ports
netstat -punta
Current Environment
echo $PATH
env
Automated Enumeration
In order of preference
Linux Smart Enumeration (LSE)
git clone https://github.com/diego-treitos/linux-smart-enumeration
./lse.sh -l1
./lse.sh -l2
linpeas
linpeas.sh
LinEnum
git clone https://github.com/rebootuser/LinEnum.git
bash LinEnum.sh
unix-privesc-check
http://pentestmonkey.net/roots/audit/unix-privesc-check
Manual Enumeration
Coming Soon (there’s a lot)