egy-mast3r

Local Linux Enumeration & Privilege Escalation

Jul 24th, 2014
The following post lists a few Linux commands that may come in useful when trying to escalate privileges on a target system. This is generally aimed at enumeration rather than specific vulnerabilities/exploits and I realise these are just the tip of the iceberg in terms of what’s available.

This will continually be updated with new/useful commands.

Revision 1.0

Kernel, Operating System & Device Information:
Command                                     Result
uname -a                                    Print all available system information
uname -r                                    Kernel release
uname -n                                    System hostname
hostname                                    As above
uname -m                                    Machine hardware name (x86_64, i686, armv7l etc), i.e. 32- or 64-bit
cat /proc/version                           Kernel version and the toolchain it was built with
cat /etc/*-release                          Distribution information
cat /etc/issue                              As above (pre-login banner, usually names the distribution)
cat /proc/cpuinfo                           CPU information
df -a                                       Mounted filesystems and disk usage

Users & Groups:
Command                                     Result
cat /etc/passwd                             List all users on the system
cat /etc/group                              List all groups on the system
cat /etc/shadow                             Show user password hashes (privileged)
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'
                                            List all accounts with UID 0 (root-equivalent, whatever they are named)
finger                                      Users currently logged in
pinky                                       As above
users                                       As above
who -a                                      As above
w                                           Who is currently logged in and what they're doing
last                                        Listing of recent logins
lastlog                                     When each user last logged in
lastlog -u %username%                       When the specified user last logged in

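The passwd checks above, as an added example that is not part of the original post: a small script that audits an /etc/passwd-format file (the live file or a copy taken off a target) for UID 0 accounts, accounts with an empty password field, duplicate UIDs and accounts that get a real shell. The function names are mine, and the sample passwd content at the bottom is constructed, not taken from any real host.

```shell
#!/bin/bash
# Added example, not from the original post. Audits an /etc/passwd-format
# file ($1) for the things the list above looks for by hand.

# Accounts with UID 0: every one of these is root, whatever it is called.
uid0_accounts() {
    awk -F: '!/^#/ && $3 == 0 { print $1 }' "$1"
}

# Empty password field: no password is required to log in
# (a hash, "x" or "*" in that field is the normal case).
nopass_accounts() {
    awk -F: '!/^#/ && $2 == "" { print $1 }' "$1"
}

# Accounts that get an interactive shell (anything other than nologin/false).
shell_accounts() {
    awk -F: '!/^#/ && $7 !~ /(nologin|false)$/ { print $1 ":" $7 }' "$1"
}

# UIDs shared by more than one account name: they share the same privileges.
duplicate_uids() {
    awk -F: '!/^#/ { print $3 }' "$1" | sort | uniq -d
}

# Constructed sample input (not taken from any real host).
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
# /etc/passwd sample
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:second root:/root:/bin/sh
guest::1001:1001::/home/guest:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
dev:x:1002:1002::/home/dev:/bin/bash
EOF

# Run against the sample; pass /etc/passwd instead on a real target.
echo "UID 0 accounts:";        uid0_accounts "$SAMPLE_PASSWD"
echo "No password set:";       nopass_accounts "$SAMPLE_PASSWD"
echo "Duplicate UIDs:";        duplicate_uids "$SAMPLE_PASSWD"
echo "Accounts with a shell:"; shell_accounts "$SAMPLE_PASSWD"
```

The awk filters skip comment lines, so the script also works on passwd files copied out of a configuration repository with notes in them.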
User & Privilege Information:
Command                                     Result
whoami                                      Current username
id                                          Current user's UID, GID and group memberships
cat /etc/sudoers                            Who's allowed to do what as root (privileged)
sudo -l                                     What the current user may run via sudo; look for NOPASSWD and ALL entries

Environmental Information:
Command                                     Result
env                                         Display environment variables
set                                         As above, plus shell variables and functions
echo $PATH                                  Command search path (note any writable or relative entries)
history                                     Display the command history of the current user
pwd                                         Print working directory, i.e. 'where am I'
cat /etc/profile                            Display the system-wide login shell profile (default environment)

Interesting Files:
Command                                     Result
find / -perm -4000 -type f 2>/dev/null      Find SUID files
find / -uid 0 -perm -4000 -type f 2>/dev/null
                                            Find SUID files owned by root
find / -perm -2000 -type f 2>/dev/null      Find files with the SGID bit set
find / -perm -2 -type f 2>/dev/null         Find world-writable files
find / -perm -2 -type d 2>/dev/null         Find world-writable directories
find /home -name '*.rhosts' -print 2>/dev/null
                                            Find .rhosts files (trusted-host logins for rsh/rlogin)
ls -ahlR /root/                             See if you can access other users' directories to find interesting files (privileged)
cat ~/.bash_history                         Show the current user's command history
ls -la ~/.*_history                         Show the current user's various history files
ls -la ~/.ssh/                              Check for interesting SSH files (keys, authorized_keys, known_hosts) in the current user's home
ls -la /usr/sbin/in.*                       List the inetd-style service daemons that are installed (in.telnetd, in.ftpd etc)
grep -l -i pass /var/log/*.log 2>/dev/null  Check log files for a keyword ('pass' in this example, case-insensitive) and list the files that match
find /var/log -type f -exec ls -la {} \; 2>/dev/null
                                            List files under /var/log with their permissions
find /var/log -name '*.log' -type f -exec ls -la {} \; 2>/dev/null
                                            As above, .log files only
find /etc/ -maxdepth 1 -name '*.conf' -type f -exec ls -la {} \; 2>/dev/null
                                            List .conf files directly under /etc (one level deep)
ls -la /etc/*.conf                          As above
find / -maxdepth 4 -name '*.conf' -type f -exec grep -Hn password {} \; 2>/dev/null
                                            Find .conf files up to 4 levels deep and print file:line for every line containing 'password'
lsof -i -n                                  List open network sockets and the processes holding them (output depends on account privileges)

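The SUID/SGID and world-writable searches above, as an added example that is not part of the original post: the find commands wrapped as functions that take the tree to search, plus a comparison of the SUID files found against a list of the ones a stock install is expected to ship, since the unexpected ones (custom or third-party binaries) are where the bugs usually are. The allowlist is a placeholder and an assumption, to be regenerated from a clean install of the same distribution; the sample tree is constructed in a temp directory.

```shell
#!/bin/bash
# Added example, not from the original post. The find searches from the list
# above, wrapped to take the tree to search as $1, plus a comparison of the
# SUID files found against a list of ones that are expected.

find_suid()     { find "$1" -type f -perm -4000 2>/dev/null | sort; }
find_sgid()     { find "$1" -type f -perm -2000 2>/dev/null | sort; }
find_ww_files() { find "$1" -type f -perm -0002 2>/dev/null | sort; }
find_ww_dirs()  { find "$1" -type d -perm -0002 2>/dev/null | sort; }

# Placeholder allowlist (assumption): basenames of SUID binaries a stock
# install is expected to ship. Build the real one from a clean install of the
# same distribution and version, e.g. find_suid / | xargs -n1 basename.
KNOWN_SUID="passwd su sudo mount umount ping chsh chfn newgrp gpasswd"

# SUID files whose basename is not on the allowlist.
unexpected_suid() {
    find_suid "$1" | while IFS= read -r f; do
        b=$(basename "$f")
        case " $KNOWN_SUID " in
            *" $b "*) ;;                     # expected, skip
            *) printf '%s\n' "$f" ;;
        esac
    done
}

# Constructed sample tree. Setting the SUID/SGID bits only needs ownership
# of the file, so this runs as an ordinary user.
umask 022
SAMPLE_ROOT=$(mktemp -d)
trap 'rm -rf "$SAMPLE_ROOT"' EXIT
mkdir -p "$SAMPLE_ROOT/usr/bin" "$SAMPLE_ROOT/opt/app" "$SAMPLE_ROOT/tmp"
: > "$SAMPLE_ROOT/usr/bin/passwd"; chmod 4755 "$SAMPLE_ROOT/usr/bin/passwd"
: > "$SAMPLE_ROOT/usr/bin/wall";   chmod 2755 "$SAMPLE_ROOT/usr/bin/wall"
: > "$SAMPLE_ROOT/opt/app/helper"; chmod 4755 "$SAMPLE_ROOT/opt/app/helper"
: > "$SAMPLE_ROOT/opt/app/config"; chmod 666  "$SAMPLE_ROOT/opt/app/config"
chmod 1777 "$SAMPLE_ROOT/tmp"

# On a real host, pass / instead of the sample root.
echo "SUID:";            find_suid "$SAMPLE_ROOT"
echo "Unexpected SUID:"; unexpected_suid "$SAMPLE_ROOT"
echo "SGID:";            find_sgid "$SAMPLE_ROOT"
echo "World-writable:";  find_ww_files "$SAMPLE_ROOT"; find_ww_dirs "$SAMPLE_ROOT"
```

The sort on each search keeps the output stable, so two runs (or a run against a reference install) can simply be diffed.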
Service Information:
Command                                     Result
ps aux | grep root                          View processes running as root (also matches any line containing 'root')
ps -U root -u root u                        As above, filtered by real and effective user rather than by text
cat /etc/inetd.conf                         List services managed by inetd
cat /etc/xinetd.conf                        As above for xinetd (per-service files live in /etc/xinetd.d/)

Jobs/Tasks:
Command                                     Result
crontab -l -u %username%                    Display scheduled jobs for the specified user (privileged; crontab -l shows your own)
ls -la /etc/cron*                           Scheduled jobs overview (hourly, daily, monthly etc)
ls -aRl /etc/cron* 2>/dev/null | awk '$1 ~ /w.$/'
                                            What 'others' can write under /etc/cron* (entries whose last permission triplet has the w bit)
top                                         List of current tasks

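A check that goes one step beyond ls -aRl /etc/cron*, as an added example that is not part of the original post: it parses system-format crontab lines (/etc/crontab and /etc/cron.d/*, i.e. min hour dom mon dow user command) and reports jobs whose program, or the directory holding it, is world-writable. A writable script can be edited and a writable directory lets the script be replaced; either runs code as the job's user, usually root. The function names are mine; the crontab, scripts and paths are constructed in a temp directory.

```shell
#!/bin/bash
# Added example, not from the original post. Parses system-format crontab
# files and reports jobs whose program or its directory is world-writable.

# True if $1 is world-writable. Uses the permission bits rather than test -w,
# so the answer describes the file and not whoever runs the audit.
# -prune stops find descending into directories.
world_writable() {
    [ -n "$(find "$1" -prune -perm -0002 2>/dev/null)" ]
}

# Output: <finding> TAB <user> TAB <program> TAB <schedule>
audit_crontab() {
    # Drop blank lines, comments and VAR=value settings.
    grep -v -E '^[[:space:]]*(#|$|[A-Za-z_]+=)' "$1" | while IFS= read -r line; do
        set -f                  # no glob expansion while splitting the line
        set -- $line
        set +f
        case "$1" in
            @*) [ $# -ge 3 ] || continue; sched=$1; user=$2; shift 2 ;;   # @daily user cmd
            *)  [ $# -ge 7 ] || continue; sched="$1 $2 $3 $4 $5"; user=$6; shift 6 ;;
        esac
        prog=$1                 # first word of the command
        [ -e "$prog" ] || continue   # relative names, builtins and missing files are skipped
        if world_writable "$prog"; then
            printf 'writable-script\t%s\t%s\t%s\n' "$user" "$prog" "$sched"
        fi
        if world_writable "$(dirname "$prog")"; then
            printf 'writable-dir\t%s\t%s\t%s\n' "$user" "$prog" "$sched"
        fi
    done
}

# Constructed sample: a crontab and three scripts under a temp directory.
umask 022
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
mkdir -p "$SAMPLE/opt/backup" "$SAMPLE/usr/local/bin" "$SAMPLE/scripts"
printf '#!/bin/sh\n' > "$SAMPLE/opt/backup/run.sh";    chmod 777 "$SAMPLE/opt/backup/run.sh"
printf '#!/bin/sh\n' > "$SAMPLE/usr/local/bin/rotate"; chmod 755 "$SAMPLE/usr/local/bin/rotate"
printf '#!/bin/sh\n' > "$SAMPLE/scripts/cleanup";      chmod 755 "$SAMPLE/scripts/cleanup"
chmod 777 "$SAMPLE/scripts"
cat > "$SAMPLE/crontab" <<EOF
# m h dom mon dow user command
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
*/5 * * * * root $SAMPLE/opt/backup/run.sh --quiet
0 3 * * *   root $SAMPLE/usr/local/bin/rotate
@daily      root $SAMPLE/scripts/cleanup
EOF

# On a real host: for f in /etc/crontab /etc/cron.d/*; do audit_crontab "$f"; done
audit_crontab "$SAMPLE/crontab"
```

Per-user crontabs under /var/spool/cron have no user field, so they need the six-field variant of the split; the rest of the check is the same.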
Networking, Routing & Communications:
Command                                     Result
/sbin/ifconfig -a                           List all network interfaces
cat /etc/network/interfaces                 Persistent interface configuration (Debian/Ubuntu)
arp -a                                      Display the ARP cache (hosts recently seen on the local network)
route                                       Display route information
cat /etc/resolv.conf                        Show configured DNS server addresses
netstat -antp                               List all TCP sockets and related PIDs (-p shows other users' processes only as root)
netstat -anup                               List all UDP sockets and related PIDs (-p as above)
iptables -L                                 List firewall rules (privileged)
cat /etc/services                           View port number/service name mappings

Programs Installed:
Command                                     Result
dpkg -l                                     Installed packages (Debian)
rpm -qa                                     Installed packages (Red Hat)
sudo -V                                     Sudo version; does a known exploit exist?
httpd -v                                    Apache version
apache2 -v                                  As above
apache2ctl -M (or apachectl -M)             List loaded Apache modules
mysql --version                             Installed MySQL version details
perl -v                                     Installed Perl version details
java -version                               Installed Java version details
python --version                            Installed Python version details
ruby -v                                     Installed Ruby version details
find / -name %program_name% 2>/dev/null     Locate 'useful' programs (nc, netcat, wget, nmap etc) anywhere on disk
which %program_name%                        As above, for programs in the current $PATH

Common Shell Escape Sequences:
Command                                     Program(s)
:!bash                                      vi, vim
:set shell=/bin/bash then :shell            vi, vim
!bash                                       man, more, less
find / -maxdepth 0 -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' \;
                                            find (-maxdepth 0 runs -exec once; without it a shell is spawned for every file found)
awk 'BEGIN {system("/bin/bash")}'           awk
nmap --interactive then !sh                 nmap (interactive mode exists only in old versions, up to 5.21)
perl -e 'exec "/bin/bash";'                 perl
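Tying the sudo -l entry above to this escape list, as an added example that is not part of the original post: a script that reads saved sudo -l output and flags the rules worth trying first, i.e. NOPASSWD entries, ALL, and any permitted binary that appears in the escape list, since sudo on such a binary is a root shell. The function names are mine; the sudo -l text is constructed and the host and user names in it are made up.

```shell
#!/bin/bash
# Added example, not from the original post. Reads `sudo -l` output saved to
# a file ($1) and flags NOPASSWD rules, ALL, and binaries with shell escapes.

# Binaries from the "Common Shell Escape Sequences" list above; each gives a
# shell from inside the program, so sudo on any of them is sudo on a shell.
ESCAPABLE="vi vim man more less find awk nmap perl"

# Rule lines look like "    (runas) [NOPASSWD:] /path/cmd args, /path/cmd2".
# Strip the runas and tag prefix and print one command per line.
# (Commas inside arguments would be split too; rare enough to ignore here.)
rule_commands() {
    sed -n 's/^[[:space:]]*([^)]*)[[:space:]]*\([A-Z][A-Z]*:[[:space:]]*\)*//p' "$1" |
        tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$'
}

# Rules that need no password: usable even without the user's credentials.
nopasswd_rules() {
    grep -E '^[[:space:]]*\(.*NOPASSWD:' "$1" | sed 's/^[[:space:]]*//'
}

# Output: <basename> TAB <full command> for ALL and for escapable binaries.
escapable_commands() {
    rule_commands "$1" | while IFS= read -r cmd; do
        if [ "$cmd" = "ALL" ]; then
            printf 'ALL\t%s\n' "$cmd"      # any command at all, e.g. sudo -i
            continue
        fi
        prog=$(basename "${cmd%% *}")      # the program is the first word
        case " $ESCAPABLE " in
            *" $prog "*) printf '%s\t%s\n' "$prog" "$cmd" ;;
        esac
    done
}

# Constructed sample of sudo -l output (host and user names are made up).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Matching Defaults entries for dev on web01:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User dev may run the following commands on web01:
    (root) NOPASSWD: /usr/bin/vim, /usr/bin/find
    (root) /usr/bin/systemctl restart nginx
    (backup) NOPASSWD: /usr/bin/less /var/log/nginx/access.log
EOF

# On a real host: sudo -l > /tmp/sudo-l.txt; escapable_commands /tmp/sudo-l.txt
echo "NOPASSWD rules:";     nopasswd_rules "$SAMPLE"
echo "Escapable commands:"; escapable_commands "$SAMPLE"
```

A rule that fixes the arguments (the less entry in the sample) still escapes: the !bash sequence works regardless of which file less was told to open. Rules for a runas user other than root, like the backup one, give that user's shell rather than root's, so the runas field is worth reading as well as the command.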