Privilege Escalation - Linux Enumeration


cat /etc/passwd # list of all users
cat /etc/issue # OS version
cat /etc/*-release # extended OS version
uname -a # kernel and architecture

Running Processes and Services

Look for processes that might be vulnerable and are run by a privileged user, e.g. VGAuthService

ps axu # a - all; x - with/without tty; u - user readable format

Networking Information

ifconfig -a # list all network interfaces
ip a # list all network interfaces
/sbin/route # display network routing tables (/sbin/routel depending on the Linux flavor and version)
ss -anp # list network connections
sudo netstat -tulpn

Firewall Status and Rules

iptables -L -n # list the active rules; only works for a privileged user
# also check /etc/ for files containing rules dumped by iptables-save, and /etc/iptables, which holds the rules netfilter restores at boot time

Scheduled Tasks

cat /etc/crontab # most of these run as root, so check whether any of the referenced scripts or paths are writable
# also check /etc/cron* folders for anything interesting

grep "CRON" /var/log/cron.log
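As an added example (not part of the original notes), a small POSIX sh audit of the "writable cron target" check above: it reads a system-format crontab (five time fields, user, command), handles @reboot-style lines, and reports jobs whose executable is group- or world-writable. Only absolute command paths are checked; relative commands like run-parts are skipped.

```shell
#!/bin/sh
# Added example: audit a system-format crontab for jobs whose program file
# can be modified by users other than its owner (group/world writable).
# $1 = crontab file. Prints "user mode path" per finding; returns 0 when
# nothing is found, 1 when at least one job is flagged, 2 if unreadable.
audit_crontab() {
  crontab="$1"
  [ -r "$crontab" ] || { echo "cannot read $crontab" >&2; return 2; }
  found=0
  while read -r f1 f2 f3 f4 f5 f6 rest; do
    case "$f1" in
      ''|'#'*) continue ;;                               # blank line or comment
      *=*)     continue ;;                               # environment assignment, e.g. PATH=...
      @*)      user="$f2"; cmd="$f3 $f4 $f5 $f6 $rest" ;; # @reboot user command
      *)       user="$f6"; cmd="$rest" ;;                # min hour dom mon dow user command
    esac
    # the first word of the command is the program; skip relative paths
    set -- $cmd
    prog="$1"
    case "$prog" in /*) ;; *) continue ;; esac
    [ -e "$prog" ] || continue
    # symbolic mode from ls -l: column 6 = group write bit, column 9 = other write bit
    mode=$(ls -ld "$prog" | cut -c1-10)
    gw=$(printf '%s' "$mode" | cut -c6)
    ow=$(printf '%s' "$mode" | cut -c9)
    if [ "$gw" = w ] || [ "$ow" = w ]; then
      printf '%s %s %s\n' "$user" "$mode" "$prog"
      found=1
    fi
  done < "$crontab"
  return "$found"
}
```

Run it as `audit_crontab /etc/crontab` (and over each file in /etc/cron.d) to list jobs a non-root user could tamper with.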

Installed Applications and Patch Levels

dpkg -l # list installed software on Debian-based distros; rpm -qa on Red Hat-based distros

Readable/Writable Files and Directories

find / -writable -type d 2>/dev/null # all directories writable by the current user; errors go to /dev/null (drop -type d to include files)

Unmounted Disks

mount # lists all mounted filesystems
cat /etc/fstab # list all drives that will be mounted at boot time
lsblk # view all available disks

Device Drivers and Kernel Modules

lsmod # enumerates the loaded kernel modules
/sbin/modinfo <name> # details about a specific module listed by lsmod

Binaries That Auto Elevate

Similar on Linux: look for files with the SUID bit set, which means anyone who can execute them runs them with the file owner's privileges (root, for root-owned binaries):

# find all SUID-marked binaries
find / -perm -u=s -type f 2>/dev/null
Extended capabilities:

getcap -r / 2>/dev/null


Use Unix Privesc Check

./unix-privesc-check standard > output.txt # check links for downloads
Linux Smart Enumeration

./ -l 1 -i # try with -l 2