# Enumerating Attack Vectors ## **Helpful Tools** 1. 2. 3. 4. *** ## **Processes and Jobs** | Command | Description | | ----------------------------- | ---------------------------------------------------------------------------- | | `ps aux \| grep root` | See processes running as root | | `./pspy64 -pf -i 1000` | View running processes with `pspy` | | `ls -la /etc/cron.daily` | Check for daily Cron jobs | | `grep "CRON" /var/log/syslog` | Enumerate cron jobs | | `lpstat` | Look for active or queued print jobs to gain access to sensitive information | ## **Kernel and OS** | Command | Description | | ---------------------- | ------------------------------------------------------------ | | `hostname` | Check the hostname (useful to ensure the target is in scope) | | `uname -a` | Check the Kernel version | | `cat /proc/version` | Check the Kernel version | | `cat /etc/lsb-release` | Check the OS version | | `cat /etc/os-release` | Check the OS version | | `cat /etc/issue` | May contain information about the system version and release | | `lscpu` | Gather additional information about the host | | `sudo -V` | Check sudo version | ## **User-Related** | Command | Description | | ------------ | ----------------------------------------------- | | `echo $PATH` | Check the current user's PATH variable contents | | `ps au` | See logged in users | | `history` | Check the current user's Bash history | | `whoami` | Check what user we are running as | | `id` | Check what groups we belong to | | `sudo -l` | Can the user run anything as another user? | ## **Network Related** | Command | Description | | ---------------------- | -------------------------------------------------------------------------------------------------------------- | | `ip -a` | Check network interfaces | | `ipconfig` | Check network interfaces | | `hostname -I` | Display all IP addresses related to the host | | `cat /etc/hosts` | Check for potential interesting hosts | | `route` | Check out the routing table to see what other networks are available via which interface | | `netstat -rn` | Check out the routing table to see what other networks are available via which interface | | `arp -a` | Check the arp table to see what other hosts the target has been communicating with | | `cat /etc/resolv.conf` | Check if the host is configured to use internal DNS → Starting point to query the Active Directory environment | | `ss -tulpn` | Check listening services on both TCP and UDP ports | | `netstat -tulpn` | Check listening services on both TCP and UDP ports | | `ss -anp` | Display active connections and listening ports | ## **Finding Interesting Files and Directories**
CommandDescription
find / -type f \( -name *_hist -o -name *_history \) -exec ls -l {} \; 2>/dev/nullFind all accessible history files
find / -path /proc -prune -o -type d -perm -o+w 2>/dev/nullFind world-writeable directories
find / -type d -name ".*" -ls 2>/dev/nullFind all hidden directories
find / -type f -name ".*" -exec ls -l {} \; 2>/dev/nullFind all hidden files
find / -path /proc -prune -o -type f -perm -o+w 2>/dev/nullFind world-writeable files
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/nullFind binaries with SUID bit set
find / -user root -perm -6000 -exec ls -ldb {} \; 2>/dev/nullFind binaries with SGID bit set
find /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -type f -exec getcap {} \;Enumerate binary files capabilities
find / ! -path "*/proc/*" -iname "*config*" -type f 2>/dev/nullSearch config files
find / -type f \( -name *.conf -o -name *.config \) -exec ls -l {} \; 2>/dev/nullSearch config files
find / -type f -name "*.sh" 2>/dev/null \| grep -v "src\|snap\|share"Find .sh scripts
grep -r "word" /starting-pathResursively inspect file contents to find instances of "word":
ls -l /tmp /var/tmp /dev/shmFind temporary files
## Enumerating SUID binaries **SUID** is a special file permission for executable files which enables other users to run the file with effective permissions of the file owner. Instead of the normal `x` which represents execute permissions, you will see an `s` (to indicate **SUID**) special permission for the user. Obviously, for a quick win, you want to find SUID binaries having the `root` user as the file's owner. HackTricks has a [page](https://book.hacktricks.xyz/linux-hardening/privilege-escalation/euid-ruid-suid) where more info about this topic is explained. You can `find` SUID binaries in many ways, the following are some example commands: * `find / -perm -4000 2>/dev/null` * `find / -perm /4000 2>/dev/null` * `find / -perm /u+s 2>/dev/null` * `find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://notes.sfoffo.com/linux-privilege-escalation/enumerating-attack-vectors.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.