--[ Local Linux Enumeration & Privilege Escalation basics ]

A summary of commands to use
Kernel, Operating System & Device Information:

uname -aPrint all available system information
uname -rKernel release
uname -nSystem hostname
hostnameAs above
uname -mLinux kernel architecture (32 or 64 bit)
cat /proc/versionKernel information
cat /etc/*-releaseDistribution information
cat /etc/issueAs above
cat /proc/cpuinfoCPU information
df -aFile system information

Users & Groups:
cat /etc/passwdList all users on the system
cat /etc/groupList all groups on the system
cat /etc/shadowShow user hashes – Privileged command
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'List all super user accounts
fingerUsers currently logged in
pinkyAs above
usersAs above
who -aAs above
wWho is currently logged in and what they’re doing
lastListing of last logged on users
lastlogInformation on when all users last logged in
lastlog –u %username%Information on when the specified user last logged in

User & Privilege Information:
whoamiCurrent username
idCurrent user information
cat /etc/sudoersWho’s allowed to do what as root – Privileged command
sudo -lCan the current user perform anything as root

Environmental Information:
envDisplay environmental variables
setAs above
echo $PATHPath information
historyDisplays command history of current user
pwdPrint working directory, i.e. ‘where am I’
cat /etc/profileDisplay default system variables

Interesting Files:
find / -perm -4000 -type f 2>/dev/nullFind SUID files
find / -uid 0 -perm -4000 -type f 2>/dev/nullFind SUID files owned by root
find / -perm -2000 -type f 2>/dev/nullFind files with GUID bit set
find / -perm -2 -type f 2>/dev/nullFind world-writable files
find / -perm -2 -type d 2>/dev/nullFind word-writable directories
find /home –name *.rhosts -print 2>/dev/nullFind rhost config files
ls -ahlR /root/See if you can access other user directories to find interesting files  – Privileged command
cat ~/.bash_historyShow the current users’ command history
ls -la ~/.*_historyShow the current users’ various history files
ls -la ~/.ssh/ Check for interesting ssh files in the current users’ directory
ls -la /usr/sbin/in.*Check Configuration of inetd services
grep -l -i pass /var/log/*.log 2>/dev/nullCheck log files for keywords (‘pass’ in this example) and show positive matches
find /var/log -type f -exec ls -la {} \; 2>/dev/nullList files in specified directory (/var/log)
find /var/log -name *.log -type f -exec ls -la {} \; 2>/dev/nullList .log files in specified directory (/var/log)
find /etc/ -maxdepth 1 -name *.conf -type f -exec ls -la {} \; 2>/dev/nullList .conf files in /etc (recursive 1 level)
ls -la /etc/*.confAs above
find / -maxdepth 4 -name *.conf -type f -exec grep -Hn password {} \; 2>/dev/nullFind .conf files (recursive 4 levels) and output line number where the word password is located
lsof -i -nList open files (output will depend on account privileges)

Service Information:
ps aux | grep rootView services running as root
cat /etc/inetd.confList services managed by inetd
cat /etc/xinetd.confAs above for xinetd

crontab -l -u %username%Display scheduled jobs for the specified user – Privileged command
ls -la /etc/cron*Scheduled jobs overview (hourly, daily, monthly etc)
ls -aRl /etc/cron* | awk '$1 ~ /w.$/' 2>/dev/nullWhat can ‘others’ write in /etc/cron* directories
topList of current tasks

Networking, Routing & Communications:
/sbin/ifconfig -aList all network interfaces
cat /etc/network/interfacesAs above
arp -aDisplay ARP communications
routeDisplay route information
cat /etc/resolv.confShow configured DNS sever addresses
netstat -antpList all TCP sockets and related PIDs (-p Privileged command)
netstat -anupList all UDP sockets and related PIDs (-p Privileged command)
iptables -LList rules – Privileged command
cat /etc/servicesView port numbers/services mappings

Programs Installed:
dpkg -lInstalled packages (Debian)
rpm -qaInstalled packages (Red Hat)
sudo -VSudo version – does an exploit exist?
httpd -vApache version
apache2 -vAs above
apache2ctl (or apachectl) -MList loaded Apache modules
mysql --versionInstalled MYSQL version details
perl -vInstalled Perl version details
java -versionInstalled Java version details
python --versionInstalled Python version details
ruby -vInstalled Ruby version details
find / -name %program_name% 2>/dev/null (i.e. nc, netcat, wget, nmap etc)Locate ‘useful’ programs (netcat, wget etc)
which %program_name% (i.e. nc, netcat, wget, nmap etc)As above

Common Shell Escape Sequences:
:!bashvi, vim
:set shell=/bin/bash:shellvi, vim
!bashman, more, less
find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' \; find
awk 'BEGIN {system("/bin/bash")}'awk
perl -e 'exec "/bin/bash";'Perl