# Linux Privesc
## OS, Kernel & Hostname
# Identify the platform under review: distribution, kernel build and host name.
cat /etc/os-release     # distribution name and version
cat /etc/issue          # pre-login banner; usually repeats the distribution version
cat /proc/version       # running kernel version and build/compiler details
hostname
uname -a                # kernel release, architecture and build date in one line
## Users
# Local accounts and the privileges held by the current user.
cat /etc/passwd          # every local account; check login shells and any extra UID 0 entry
id                       # uid, gid and group memberships of the current user
sudo -l                  # sudoers rules that apply to this user (may prompt for the user's password)
# See user special groups and list files
groups
# "management" is the example group taken from the groups output above; repeat the
# search for each non-default group to see what that membership grants access to.
find / -group management -ls 2>/dev/null
## Network
netstat -antup
## Try scanning other ports using netcat
dave@ubuntu:~/Desktop$ nc -nvz 192.168.122.4 1-10000 2>&1 | grep -v failed
Connection to 192.168.122.4 80 port [tcp/*] succeeded!
## SSH tunnel
Example: create an SSH tunnel to reach port 80 on 192.168.122.4.
ssh -L 80:192.168.122.4:80 dave@10.10.10.109
The remote service is now reachable locally at 127.0.0.1:80.
## Processes Running
# Full process listing, then only the lines mentioning root. Note that grep
# matches the substring anywhere in the ps line, so commands whose name or
# arguments contain "root" are included even when they run as another user.
ps aux
ps aux | grep root
## Installed Packages
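# Installed packages with versions, for patch-level review. The distribution
# hint is a comment: a bare "(Debian)" after the command is parsed by the shell
# as a subshell and is a syntax error.
dpkg -l    # Debian-based systems (dpkg)
rpm -qa    # Fedora / RPM-based systems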
## Find SUID
# SUID binaries. -perm -u=s and -perm -4000 are the same test; the second
# command additionally restricts the result to root-owned files. Compare the
# output with the distribution's expected SUID set: anything unexpected or
# locally added is a finding to review.
find / -perm -u=s -type f 2>/dev/null
find /* -user root -perm -4000 -print 2>/dev/null
## World writable scripts invoked as root
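# Writable directories, three ways:
#  -writable   : writable by the *current* user (access(2) check, so ACLs and
#                group membership count) -- not the same as world-writable.
#  -perm -222  : write bit set for user, group AND other.
#  -perm -o=w  : the other-write bit alone, i.e. the usual definition of
#                world-writable. find's symbolic mode needs the "o=w" form;
#                a bare "-o w" is rejected as an invalid mode.
find / -writable -type d 2>/dev/null
find / -perm -222 -type d 2>/dev/null
find / -perm -o=w -type d 2>/dev/null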
## World executable folder
find / -perm -o x -type d 2>/dev/null
## World writable and executable folders
find / \\( -perm -o w -perm -o x \\) -type d 2>/dev/null
## Find world-writable files in /etc
# Regular files with the other-write bit set (-perm -2 is octal 002). The first
# command is scoped to /etc, where a world-writable configuration file is an
# immediate integrity problem; the second walks the whole filesystem.
find /etc -perm -2 -type f 2>/dev/null
find / -perm -2 -type f 2>/dev/null
## World-writable directories
find / -writable -type d 2>/dev/null