🖥️
Offensive security concepts
  • Introduction
  • 💿Virtualbox network setup
    • What is VirtualBox?
    • NAT
    • NAT network
    • Bridged adapter
    • Internal network
    • pfSense
    • vboxmanage
    • Overview
  • 🕵️OSINT
    • What is OSINT?
    • Google dorks
    • Metadata
    • Social media
      • osintagram
  • Tools
    • waybackurls
    • recon-ng
    • sherlock
    • maltego
    • theHarvester
    • photon
  • 😨Social Engineering
    • What is social engineering?
    • 7 tricks of social engineering
    • Email phishing
    • Typosquatting
    • Compiled resources
  • 😈MitM attack
    • What is MitM attack?
    • ARP spoof/poison
    • DNS spoof/poison
    • HTTP MitM attack
    • ICMP redirect attack
    • DHCP spoofing
    • Evil twin attack
    • Experiment (guest network)
    • Compiled resources
  • 🔌UPnP exploitation
    • What is UPnP?
    • What is SSDP?
    • IGD functions
    • LAN devices
    • Compiled resources
  • Network Reconnaissance & Attacks
    • What is network recon & attacks?
  • 1️⃣Network live host discovery
    • What is network live host discovery?
    • nmap
    • arp-scan
    • masscan
  • 2️⃣Network port scan/services enumeration
    • What is network port scan/services enumeration?
    • nmap
    • netcat
  • 3️⃣Network services vulnerability scanning & exploitation
    • What is network vulnerability scanning/exploitation?
    • 20/21 ~ FTP
    • 22 ~ SSH
    • 25 ~ SMTP
    • 53 ~ DNS
    • 80/443 ~ HTTP/HTTPS
    • 110 ~ POP3
    • 111/2049 ~ RPC/NFS
    • 139/445 ~ SMB
    • 143 ~ IMAP
    • 3389 ~ RDP
  • Vulnerability & exploitation
    • Database
    • Metasploit
    • Msfvenom
  • Misconfigurations
    • .DS_Store
  • Web Application Penetration Testing
    • Introduction
    • Web Content Discovery
      • Directories/URLs gathering
      • Subdomain enumeration
    • File inclusion & Path traversal
    • Insecure Direct Object Reference (IDOR)
    • Upload vulnerabilities
      • File extension cheat-sheet
    • SSRF
    • CSRF
    • XSS
    • SSTI
    • SQL injection
      • Filter evasion techniques
      • Practical challenge examples
        • TryHackMe
          • TryHackMe Burp suite: Repeater room
          • TryHackMe Advanced SQL Injection
  • Authentication/session management
    • OWASP WSTG-SESS-10 ~ JSON Web Token (JWT)
    • OWASP WSTG-ATHZ-05 ~ OAuth weaknesses
  • Webshell
  • Web API pentesting
    • Resources
    • Methodology
    • jq
    • httpx
    • ParamSpider
  • Web app pentesting methodology
  • OWASP
    • OWASP top 10
    • OWASP API top 10
    • Web Security Testing Guide (WSTG)
      • WSTG-ATHZ
        • WSTG-ATHZ-05 ~ OAuth weaknesses
      • WSTG-SESS
        • WSTG-SESS-10 ~ JWT
  • General web knowledge
    • URI standard (RFC 3986)
    • HTTP headers
  • 🛣️Attacks on routing protocols
    • What are attacks on routing protocols?
    • BGP hijacking
  • 🏕️To explore
    • MQTT
    • Routersploit
    • DNS rebinding attack
    • LLMNR/mDNS poisoning
  • 👤Anonymity
    • VPN
    • Proxychains
    • TOR
    • Obfuscation
  • Credentials brute-force/cracking
    • Introduction
    • Windows SAM database
    • Dictionary attack
    • Rainbow attack
      • Hash database
    • Tools
      • Hydra
      • John the ripper
      • Hashcat
      • hash-identifier
  • Post-exploitation
    • Gaining shell
      • netcat
      • socat
      • powershell
      • bash
      • PHP
    • Repository
  • Privilege escalation
    • Linux
      • Repositories
      • Enumeration
      • Vulnerabilities exploit
        • General
        • Kernel exploit
        • Sudo
        • SUID
        • Capabilities
        • Cronjobs
        • $PATH
        • NFS (target-machine)
        • Filesystem sharing
          • NFS (attacker-machine)
    • Windows
      • Password harvesting
      • Vulnerabilities exploit
        • Scheduled tasks
        • AlwaysInstallElevated
        • Service misconfigurations
          • Insecure permissions on service executable
          • Unquoted service path
          • Insecure service permission
        • Abusing privileges
  • Ⓜ️MITRE ATT&CK
    • Introduction
  • 🧰Tools/services
    • Introduction
    • Web application pentesting
      • Web discovery/fuzzing
        • paramspider
        • arjun
        • katana
      • uro
      • Password brute-forcing
      • Burp Suite (Community)
      • scanners
        • ZAP (Zed Attack Proxy)
        • nikto
        • nuclei
    • Information gathering/reconnaissance
    • Network recon & attacks
      • nmap (general overview)
      • scapy
      • bettercap
    • General
      • impacket
    • Wordlists
      • cewl
  • Professional report writing
    • Report template
      • Web applicaton pentesting
        • OWASP report layout
  • Tasks on-the-go
    • Note taking on-the-go
    • Other tips
  • Practice
    • Web Application Pentesting
      • OWASP
        • OWASP Juice Shop
        • OWASP Mutillidae II
        • OWASP Hackademic
      • Vulnhub
        • ...
      • Damn Vulnerable Web Application (DVWA)
    • Metasploitable 2
  • Operational Security (OpSec)
    • Hardening
      • General
      • Oracle VirtualBox
      • Web Browser
      • VPN/Proxy
  • Safe document viewer
    • PDF
    • .docx
  • Write-ups
    • TryHackMe
      • Silver Platter
      • Light
      • Pickle Rick
      • Hammer
        • Enumeration (active recon)
          • /hmr
          • Further directory discovery
          • /phpmyadmin
          • burp suite sitemap
        • Brute forcing 4-digit code
        • Retrieving the flag
      • OWASP Top 10 - 2021 (task 22)
      • sqlmap
    • OverTheWire
      • Untitled
    • OWASP
      • OWASP Juice Shop
      • OWASP WebGoat
  • AI prompt
    • ChatGPT
Powered by GitBook
On this page
  • Basic enumeration commands (Linux)
  • Automated tools
  1. Privilege escalation
  2. Linux

Enumeration

Basic enumeration commands (Linux)

  1. hostname

  2. uname -a

  3. Files to view with the cat command

a) /proc/version

b) /etc/issue

c) /etc/passwd and /etc/shadow

  • Readable /etc/shadow file

  • Writable /etc/passwd and /etc/shadow

# rx /etc/passwd
$ ls -l /etc/passwd
-rw-r--r-x 1 root shadow xxxx xxx xx xxxx /etc/passwd

# rx /etc/shadow
$ ls -l /etc/shadow
-rw-r--r-x 1 root shadow xxxx xxx xx xxxx /etc/shadow

  1. env

  2. id

Suppose a user is in the adm group. This user will be able to read the log files present in the /var/log or other related folder:

$ id
... ...(adm)

$ cd /var/log
/var/log$ less syslog

  1. history

  2. sudo -l

The target system may be configured to allow users to run some (or all) commands with root privileges. The sudo -l command can be used to list all commands your user can run using sudo

  1. find

a) Files with SUID bit: 

$ find / -perm -u=s -type f 2>/dev/null

# SUID bit and writable by current user
$ find / -perm -u=s -writable -user $(whoami) -type f 2>/dev/null

#  SUID bit and writable by others
find / -perm -u=s -perm 002 -type f  2>/dev/null

b) Files with SGID bit:

$ find / -perm -g=s-type f 2>/dev/null

# SGID bit and the group is root
$ find / -perm -g=s -group root -type f 2>/dev/null

c) Files with certain permission

  • 0777: readable, writable and executable by all users

  • 003: writable and executable by others. Ignoring permissions for owner and group

  • /001: atleast executable permissions for others

# both the commands below are the same
$ find / -perm 777 -type f 2>/dev/null
$ find / -perm 0777 -type f 2>/dev/null

# eg. files with write and execute (wx) permissions for "others"
$ find / -perm 003 -type f 2>/dev/null

# eg. similar to above, but with folders/dirs instead
$ find / -perm 003 -type d 2>/dev/null

# eg. atleast executable by others
$ find / -perm /001 -type f 2>/dev/null

Find world-writable folders

$ find / -writable -type d 2>/dev/null 
$ find / -perm -222 -type d 2>/dev/null
$ find / -perm -o x -type d 2>/dev/null

Find world-executable folders

$ find / -executable -type d 2>/dev/null 
$ find / -perm -111 -type d 2>/dev/null
$ find / -perm -o x -type d 2>/dev/null

Files to look out for

  2. Writable /etc/systemd/system , /lib/systemd/services, /usr/lib/systemd/system, /run/systemd/system (systemd services) and other similar directories

Automated tools

PreviousRepositoriesNextVulnerabilities exploit

Last updated 22 days ago

Practical example:

Writable /etc/fstab ()

LinPeas:

LinEnum:

LES (Linux Exploit Suggester):

Linux Smart Enumeration:

Linux Priv Checker:

https://jarrettgxz-sec.gitbook.io/penetration-testing-ethical-hacking/write-ups/tryhackme/silver-platter
https://jarrettgxz-sec.gitbook.io/offensive-security-concepts/privilege-escalation/linux/vulnerabilities-exploit/filesystem-sharing/nfs-attacker-machine
https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS
https://github.com/rebootuser/LinEnum
https://github.com/mzet-/linux-exploit-suggester
https://github.com/diego-treitos/linux-smart-enumeration
https://github.com/linted/linuxprivchecker
TryHackMeTryHackMe
Logo