Privesc

  • Collect: Enumerate all possibilities
  • Process: Sort and prioritize the data
  • Search: Search for how to exploit vulns
  • Adapt: Customize the exploits
  • Try: Trial and error, again and again

Enumeration

OS / Kernel

Detect distribution name and version

Bash
cat /etc/issue
cat /etc/*-release

# Debian based
cat /etc/lsb-release
# Red Hat based
cat /etc/redhat-release

Detect kernel version and architecture

Bash
cat /proc/version
uname -a
uname -mrs
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz-

Variables / Secrets

Detect variables

Bash
# Shell variables
cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout

# Env variables
printenv
env
set

Detect username and password in files

Bash
grep -i user [filename]
grep -i pass [filename]
grep -C 5 "password" [filename]
# Single quotes: inside double quotes the shell would expand $password before grep runs
find . -name "*.php" -print0 | xargs -0 grep -i -n 'var \$password'   # Joomla
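
The same search run as an audit, in an added example that is not part of the original page: it reports where password-like assignments live and whether the file is world-readable, and masks the value. The function names, the file-extension list and the sample files are constructed for illustration; awk is used in place of grep so the value can be masked.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: hard-coded credential audit.
# Output: <exposure>:<file>:<line>:<key>=<redacted>  (the value is never printed)

# make_sample_tree: build a constructed test tree and print its path.
make_sample_tree() {
    local d
    d=$(mktemp -d)
    # Single quotes keep $password literal; in double quotes the shell would
    # expand it (usually to nothing) before it ever reached the file or a grep.
    printf '%s\n' '<?php' 'class JConfig {' \
        '    var $password = '\''constructed-db-secret'\'';' '}' > "$d/configuration.php"
    printf '%s\n' '[client]' 'user=app' 'password = constructed-ini-secret' > "$d/my.conf"
    chmod 644 "$d/configuration.php"   # readable by every local account
    chmod 600 "$d/my.conf"             # owner only
    printf '%s\n' "$d"
}

# scan_secrets DIR: list password-like assignments in config-type files under DIR.
scan_secrets() {
    local dir=$1 file exposure
    find "$dir" -type f \( -name '*.php' -o -name '*.ini' -o -name '*.conf' \
        -o -name '*.env' \) -print |
    while IFS= read -r file; do
        # Mode bit o+r set means any local user can read the secret.
        if [ -n "$(find "$file" -perm -004)" ]; then
            exposure=world-readable
        else
            exposure=restricted
        fi
        awk -v e="$exposure" '{
            # pass / passwd / password, optional leading $, then = or : and a value
            if (match(tolower($0), /\$?pass(word|wd)?[ \t]*[=:][ \t]*[^ \t]/)) {
                key = substr($0, RSTART, RLENGTH - 1)   # drop first value char
                sub(/[ \t]*[=:][ \t]*$/, "", key)       # drop separator
                print e ":" FILENAME ":" FNR ":" key "=<redacted>"
            }
        }' "$file"
    done
}

# Demo run on the constructed tree.
scan_secrets "$(make_sample_tree)"
```

The pattern is deliberately loose, so expect false positives such as `bypass = 1`; treat each hit as a pointer to a file to review and, where it is world-readable, to tighten.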

Applications & Services

Detect user services

Bash
ps aux
ps -ef
top
cat /etc/services

Detect root services

Bash
ps aux | grep root
ps -ef | grep root

Detect installed applications

Bash
ls -alh /usr/bin/
ls -alh /sbin/
dpkg -l
rpm -qa
ls -alh /var/cache/apt/archives
ls -alh /var/cache/yum/

Detect scheduled jobs

Bash
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root

Misc

Detect printer

Bash
lpstat -a

List all commands the current user can run with sudo

Bash
sudo -l