Advertisement
opexxx

Local Linux Enumeration & Privilege Escalation

Jul 16th, 2014
525
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Bash 5.52 KB | None | 0 0
  1.  
  2. Local Linux Enumeration & Privilege Escalation
  3.  
  4. The following post lists a few Linux commands that may come in useful when trying to escalate privileges on a target system. This is generally aimed at enumeration rather than specific vulnerabilities/exploits and I realise these are just the tip of the iceberg in terms of what’s available.
  5.  
  6. This will continually be updated with new/useful commands.
  7.  
  8.  Revision 1.0
  9.  
  10. Kernel, Operating System & Device Information:
  11. Command     Result
  12. uname -a    Print all available system information
  13. uname -r    Kernel release
  14. uname -n    System hostname
  15. hostname    As above
  16. uname -m    Linux kernel architecture (32 or 64 bit)
  17. cat /proc/version   Kernel information
  18. cat /etc/*-release  Distribution information
  19. cat /etc/issue  As above
  20. cat /proc/cpuinfo   CPU information
  21. df -a   File system information
  22.  
  23.  
  24.  
  25. Users & Groups:
  26. Command     Result
  27. cat /etc/passwd     List all users on the system
  28. cat /etc/group  List all groups on the system
  29. cat /etc/shadow     Show user hashes – Privileged command
  30. grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'     List all super user accounts
  31. finger  Users currently logged in
  32. pinky   As above
  33. users   As above
  34. who -a  As above
  35. w   Who is currently logged in and what they’re doing
  36. last    Listing of last logged on users
  37. lastlog     Information on when all users last logged in
  38. lastlog –u %username%     Information on when the specified user last logged in
  39.  
  40.  
  41.  
  42. User & Privilege Information:
  43. Command     Result
  44. whoami  Current username
  45. id  Current user information
  46. cat /etc/sudoers    Who’s allowed to do what as root – Privileged command
  47. sudo -l     Can the current user perform anything as root
  48.  
  49.  
  50.  
  51. Environmental Information:
  52. Command     Result
  53. env     Display environmental variables
  54. set     As above
  55. echo $PATH  Path information
  56. history     Displays command history of current user
  57. pwd     Print working directory, i.e. ‘where am I’
  58. cat /etc/profile    Display default system variables
  59.  
  60.  
  61.  
  62. Interesting Files:
  63. Command     Result
  64. find / -perm -4000 -type f 2>/dev/null  Find SUID files
  65. find / -uid 0 -perm -4000 -type f 2>/dev/null   Find SUID files owned by root
  66. find / -perm -2000 -type f 2>/dev/null  Find files with GUID bit set
  67. find / -perm -2 -type f 2>/dev/null     Find world-writable files
  68. find / -perm -2 -type d 2>/dev/null     Find word-writable directories
  69. find /home –name *.rhosts -print 2>/dev/null  Find rhost config files
  70. ls -ahlR /root/     See if you can access other user directories to find interesting files  – Privileged command
  71. cat ~/.bash_history     Show the current userscommand history
  72. ls -la ~/.*_history     Show the current users’ various history files
  73. ls -la ~/.ssh/  Check for interesting ssh files in the current users’ directory
  74. ls -la /usr/sbin/in.*   Check Configuration of inetd services
  75. grep -l -i pass /var/log/*.log 2>/dev/null  Check log files for keywords (‘pass’ in this example) and show positive matches
  76. find /var/log -type f -exec ls -la {} \; 2>/dev/null    List files in specified directory (/var/log)
  77. find /var/log -name *.log -type f -exec ls -la {} \; 2>/dev/null    List .log files in specified directory (/var/log)
  78. find /etc/ -maxdepth 1 -name *.conf -type f -exec ls -la {} \; 2>/dev/null  List .conf files in /etc (recursive 1 level)
  79. ls -la /etc/*.conf  As above
  80. find / -maxdepth 4 -name *.conf -type f -exec grep -Hn password {} \; 2>/dev/null   Find .conf files (recursive 4 levels) and output line number where the word password is located
  81. lsof -i -n  List open files (output will depend on account privileges)
  82.  
  83.  
  84.  
  85. Service Information:
  86. Command     Result
  87. ps aux | grep root  View services running as root
  88. cat /etc/inetd.conf     List services managed by inetd
  89. cat /etc/xinetd.conf    As above for xinetd
  90.  
  91.  
  92.  
  93. Jobs/Tasks:
  94. Command     Result
  95. crontab -l -u %username%    Display scheduled jobs for the specified user – Privileged command
  96. ls -la /etc/cron*   Scheduled jobs overview (hourly, daily, monthly etc)
  97. ls -aRl /etc/cron* | awk '$1 ~ /w.$/' 2>/dev/null   What can ‘others’ write in /etc/cron* directories
  98. top     List of current tasks
  99.  
  100.  
  101.  
  102. Networking, Routing & Communications:
  103. Command     Result
  104. /sbin/ifconfig -a   List all network interfaces
  105. cat /etc/network/interfaces     As above
  106. arp -a  Display ARP communications
  107. route   Display route information
  108. cat /etc/resolv.conf    Show configured DNS sever addresses
  109. netstat -antp   List all TCP sockets and related PIDs (-p Privileged command)
  110. netstat -anup   List all UDP sockets and related PIDs (-p Privileged command)
  111. iptables -L     List rules – Privileged command
  112. cat /etc/services   View port numbers/services mappings
  113.  
  114.  
  115.  
  116. Programs Installed:
  117. Command     Result
  118. dpkg -l     Installed packages (Debian)
  119. rpm -qa     Installed packages (Red Hat)
  120. sudo -V     Sudo version – does an exploit exist?
  121. httpd -v    Apache version
  122. apache2 -v  As above
  123. apache2ctl (or apachectl) -M    List loaded Apache modules
  124. mysql --version     Installed MYSQL version details
  125. perl -v     Installed Perl version details
  126. java -version   Installed Java version details
  127. python --version    Installed Python version details
  128. ruby -v     Installed Ruby version details
  129. find / -name %program_name% 2>/dev/null (i.e. nc, netcat, wget, nmap etc)   Locate ‘useful’ programs (netcat, wget etc)
  130. which %program_name% (i.e. nc, netcat, wget, nmap etc)  As above
  131.  
  132.  
  133.  
  134. Common Shell Escape Sequences:
  135. Command     Program(s)
  136. :!bash  vi, vim
  137. :set shell=/bin/bash:shell  vi, vim
  138. !bash   man, more, less
  139. find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' \;  find
  140. awk 'BEGIN {system("/bin/bash")}'   awk
  141. --interactive   nmap
  142. perl -e 'exec "/bin/bash";'     Perl
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement