Enumeration

Basic enumeration commands (Linux)

1. hostname

2. uname -a

3. Files to view with the cat command

a) /proc/version

b) /etc/issue

c) /etc/passwd and /etc/shadow

• Readable /etc/shadow file

• Writable /etc/passwd and /etc/shadow

# rx /etc/passwd
$ ls -l /etc/passwd
-rw-r--r-x 1 root shadow xxxx xxx xx xxxx /etc/passwd

# rx /etc/shadow
$ ls -l /etc/shadow
-rw-r--r-x 1 root shadow xxxx xxx xx xxxx /etc/shadow

1. env

2. id

Suppose a user is in the adm group. This user will be able to read the log files present in the /var/log or other related folder:

Practical example: https://jarrettgxz-sec.gitbook.io/penetration-testing-ethical-hacking/write-ups/tryhackme/silver-platter

$ id
... ...(adm)

$ cd /var/log
/var/log$ less syslog

1. history

2. sudo -l

The target system may be configured to allow users to run some (or all) commands with root privileges. The sudo -l command can be used to list all commands your user can run using sudo

1. find

a) Files with SUID bit:

$ find / -perm -u=s -type f 2>/dev/null

# SUID bit and writable by current user
$ find / -perm -u=s -writable -user $(whoami) -type f 2>/dev/null

#  SUID bit and writable by others
find / -perm -u=s -perm 002 -type f  2>/dev/null

b) Files with SGID bit:

$ find / -perm -g=s-type f 2>/dev/null

# SGID bit and the group is root
$ find / -perm -g=s -group root -type f 2>/dev/null

c) Files with certain permission

• 0777: readable, writable and executable by all users

• 003: writable and executable by others. Ignoring permissions for owner and group

• /001: atleast executable permissions for others

# both the commands below are the same
$ find / -perm 777 -type f 2>/dev/null
$ find / -perm 0777 -type f 2>/dev/null

# eg. files with write and execute (wx) permissions for "others"
$ find / -perm 003 -type f 2>/dev/null

# eg. similar to above, but with folders/dirs instead
$ find / -perm 003 -type d 2>/dev/null

# eg. atleast executable by others
$ find / -perm /001 -type f 2>/dev/null

Find world-writable folders

$ find / -writable -type d 2>/dev/null 
$ find / -perm -222 -type d 2>/dev/null
$ find / -perm -o x -type d 2>/dev/null

Find world-executable folders

$ find / -executable -type d 2>/dev/null 
$ find / -perm -111 -type d 2>/dev/null
$ find / -perm -o x -type d 2>/dev/null

Files to look out for

1. Writable /etc/fstab (https://jarrettgxz-sec.gitbook.io/offensive-security-concepts/privilege-escalation/linux/vulnerabilities-exploit/filesystem-sharing/nfs-attacker-machine)

2. Writable /etc/systemd/system , /lib/systemd/services, /usr/lib/systemd/system, /run/systemd/system (systemd services) and other similar directories

Automated tools

• LinPeas: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS

• LinEnum: https://github.com/rebootuser/LinEnum

• LES (Linux Exploit Suggester): https://github.com/mzet-/linux-exploit-suggester

• Linux Smart Enumeration: https://github.com/diego-treitos/linux-smart-enumeration

• Linux Priv Checker: https://github.com/linted/linuxprivchecker

Linux Privilege EscalationTryHackMe