Local Linux Enumeration & Privilege Escalation


Local Linux Enumeration & Privilege Escalation

The following post lists a few Linux commands that may come in useful when trying to escalate privileges on a target system. This is generally aimed at enumeration rather than specific vulnerabilities/exploits and I realise these are just the tip of the iceberg in terms of what’s available.

This will continually be updated with new/useful commands.

 Revision 1.0

Kernel, Operating System & Device Information:
Command     Result
uname -a    Print all available system information
uname -r    Kernel release
uname -n    System hostname
hostname    As above
uname -m    Linux kernel architecture (32 or 64 bit)
cat /proc/version   Kernel information
cat /etc/*-release  Distribution information
cat /etc/issue  As above
cat /proc/cpuinfo   CPU information
df -a   File system information


Users & Groups:
Command     Result
cat /etc/passwd     List all users on the system
cat /etc/group  List all groups on the system
cat /etc/shadow     Show user hashes – Privileged command
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'     List all super user accounts
finger  Users currently logged in
pinky   As above
users   As above
who -a  As above
w   Who is currently logged in and what they’re doing
last    Listing of last logged on users
lastlog     Information on when all users last logged in
lastlog –u %username%     Information on when the specified user last logged in


User & Privilege Information:
Command     Result
whoami  Current username
id  Current user information
cat /etc/sudoers    Who’s allowed to do what as root – Privileged command
sudo -l     Can the current user perform anything as root


Environmental Information:
Command     Result
env     Display environmental variables
set     As above
echo $PATH  Path information
history     Displays command history of current user
pwd     Print working directory, i.e. ‘where am I’
cat /etc/profile    Display default system variables


Interesting Files:
Command     Result
find / -perm -4000 -type f 2>/dev/null  Find SUID files
find / -uid 0 -perm -4000 -type f 2>/dev/null   Find SUID files owned by root
find / -perm -2000 -type f 2>/dev/null  Find files with GUID bit set
find / -perm -2 -type f 2>/dev/null     Find world-writable files
find / -perm -2 -type d 2>/dev/null     Find word-writable directories
find /home –name *.rhosts -print 2>/dev/null  Find rhost config files
ls -ahlR /root/     See if you can access other user directories to find interesting files  – Privileged command
cat ~/.bash_history     Show the current users’ command history
ls -la ~/.*_history     Show the current users’ various history files
ls -la ~/.ssh/  Check for interesting ssh files in the current users’ directory
ls -la /usr/sbin/in.*   Check Configuration of inetd services
grep -l -i pass /var/log/*.log 2>/dev/null  Check log files for keywords (‘pass’ in this example) and show positive matches
find /var/log -type f -exec ls -la {} \; 2>/dev/null    List files in specified directory (/var/log)
find /var/log -name *.log -type f -exec ls -la {} \; 2>/dev/null    List .log files in specified directory (/var/log)
find /etc/ -maxdepth 1 -name *.conf -type f -exec ls -la {} \; 2>/dev/null  List .conf files in /etc (recursive 1 level)
ls -la /etc/*.conf  As above
find / -maxdepth 4 -name *.conf -type f -exec grep -Hn password {} \; 2>/dev/null   Find .conf files (recursive 4 levels) and output line number where the word password is located
lsof -i -n  List open files (output will depend on account privileges)


Service Information:
Command     Result
ps aux | grep root  View services running as root
cat /etc/inetd.conf     List services managed by inetd
cat /etc/xinetd.conf    As above for xinetd


Jobs/Tasks:
Command     Result
crontab -l -u %username%    Display scheduled jobs for the specified user – Privileged command
ls -la /etc/cron*   Scheduled jobs overview (hourly, daily, monthly etc)
ls -aRl /etc/cron* | awk '$1 ~ /w.$/' 2>/dev/null   What can ‘others’ write in /etc/cron* directories
top     List of current tasks


Networking, Routing & Communications:
Command     Result
/sbin/ifconfig -a   List all network interfaces
cat /etc/network/interfaces     As above
arp -a  Display ARP communications
route   Display route information
cat /etc/resolv.conf    Show configured DNS sever addresses
netstat -antp   List all TCP sockets and related PIDs (-p Privileged command)
netstat -anup   List all UDP sockets and related PIDs (-p Privileged command)
iptables -L     List rules – Privileged command
cat /etc/services   View port numbers/services mappings


Programs Installed:
Command     Result
dpkg -l     Installed packages (Debian)
rpm -qa     Installed packages (Red Hat)
sudo -V     Sudo version – does an exploit exist?
httpd -v    Apache version
apache2 -v  As above
apache2ctl (or apachectl) -M    List loaded Apache modules
mysql --version     Installed MYSQL version details
perl -v     Installed Perl version details
java -version   Installed Java version details
python --version    Installed Python version details
ruby -v     Installed Ruby version details
find / -name %program_name% 2>/dev/null (i.e. nc, netcat, wget, nmap etc)   Locate ‘useful’ programs (netcat, wget etc)
which %program_name% (i.e. nc, netcat, wget, nmap etc)  As above


Common Shell Escape Sequences:
Command     Program(s)
:!bash  vi, vim
:set shell=/bin/bash:shell  vi, vim
!bash   man, more, less
find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' \;  find
awk 'BEGIN {system("/bin/bash")}'   awk
--interactive   nmap
perl -e 'exec "/bin/bash";'     Perl