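#!/usr/bin/env bash
# Linux privilege-escalation enumeration cheat sheet
# (harfordcda.neocities.org/privesc.html), rewritten as a bash library so
# each section can be run on its own instead of being pasted line by line:
#
#   bash privesc.sh                   # list the available sections
#   bash privesc.sh suid cron         # run selected sections
#   bash privesc.sh all               # run everything
#   . privesc.sh; privesc_suid /opt   # source it and call one function
#
# Use only on systems you are authorised to test. Walking the whole
# filesystem with `find /` is slow and noisy (auditd/EDR record it), so the
# functions that walk the filesystem take an optional root directory
# (default /) to narrow the search. Many of the files read below are only
# readable by root (/etc/shadow, root's crontab, SSH host private keys);
# for an unprivileged user those failures are expected and are silenced
# with 2>/dev/null rather than treated as errors, which is also why this
# file deliberately does not use `set -e`.
#
# Good automated alternatives: LinEnum, linuxprivchecker and
# linux-smart-enumeration (lse.sh). Check every SUID/SGID hit and every
# root-run script you can write to against GTFOBins before acting on it.
#
# The original page can be pulled into a terminal as plain text with
#   curl -s https://harfordcda.neocities.org/privesc.html \
#     | sed 's/<[^>]*>//g; /^$/d' | sed 's/\r$//; /^$/d'
# (the page's own one-liner had lost the backslash of its `\r` pattern).
# Read fetched text before acting on it; never pipe it straight into a shell.
#
# References: g0tmi1k, mubix, swisskyrepo.

# Sections in the order `all` runs them; each name maps to privesc_<name>.
PRIVESC_SECTIONS=(
  kernel suid suidbins sticky writable processes cron software devtools
  services homes network connections users histories sshkeys arp uploaders
)

# privesc_section TITLE... — print a banner so output from several sections
# stays readable.
privesc_section() {
  printf '\n==== %s ====\n' "$*"
}

# privesc_cat FILE... — print each regular, readable file with a header and
# skip the rest silently. Missing or unreadable files are the normal case
# on a hardened box, not an error worth printing.
privesc_cat() {
  local f
  for f in "$@"; do
    [[ -f $f && -r $f ]] || continue
    printf -- '--- %s\n' "$f"
    cat -- "$f"
  done
}

# Kernel and distribution version, for looking up kernel exploits.
privesc_kernel() {
  privesc_section "Kernel version"
  uname -a
  rpm -q kernel 2>/dev/null        # RPM-based distributions only
  dmesg 2>/dev/null | grep Linux   # often root-only (kernel.dmesg_restrict=1)
}

# privesc_suid [ROOT] [MAXDEPTH]
# SUID (4000) and SGID (2000) regular files below ROOT (default /), optionally
# no deeper than MAXDEPTH directory levels. In `ls -l` output the bit shows
# as an "s" in place of the owner/group "x" (-rwsr-xr-x): the file runs with
# its owner's (SUID) or group's (SGID) privileges rather than the caller's.
# Corrections to the page's one-liners:
#   * `-perm +4000` is no longer accepted by GNU find (use -4000 or /4000);
#   * `-perm -g=s -o -perm -u=s -type f` needs \( \): -o binds looser than
#     the implicit AND, so it returned SGID entries of every file type;
#   * `-maxdepth` must precede the tests, and `-exec` after an unparenthesised
#     `-o` only applied to the second branch, so SGID hits were never printed.
# Binaries that do not belong to an installed package (`dpkg -S` / `rpm -qf`)
# are the interesting ones.
privesc_suid() {
  local root=${1:-/}
  local -a depth=()
  [[ -n ${2:-} ]] && depth=(-maxdepth "$2")
  privesc_section "SUID / SGID files under $root"
  find "$root" "${depth[@]}" \( -perm -4000 -o -perm -2000 \) -type f \
    -exec ls -ld -- {} + 2>/dev/null
}

# Quicker variant of privesc_suid that only looks inside directories whose
# name ends in "bin", taken from the locate database (which may be stale).
privesc_suidbins() {
  privesc_section "SUID / SGID files in *bin directories (from locate)"
  local dir
  while IFS= read -r dir; do
    [[ -d $dir ]] && find "$dir" \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null
  done < <(locate -r 'bin$' 2>/dev/null)
}

# privesc_sticky [ROOT] — directories with the sticky bit (1000), e.g. /tmp:
# world-writable, but entries can only be removed by their owner.
privesc_sticky() {
  local root=${1:-/}
  privesc_section "Sticky-bit directories under $root"
  find "$root" -type d -perm -1000 2>/dev/null
}

# privesc_writable [ROOT]
# Places the current user can write that a privileged job might consume:
# directories writable by this user, world-writable directories (with and
# without traverse permission) and world-writable regular files. /proc is
# pruned because its pseudo-files all look writable to find.
# The page wrote `-perm -o w`; find takes `-o` as the mode and fails — the
# spelling is `-perm -o=w`.
privesc_writable() {
  local root=${1:-/}
  privesc_section "Directories writable by $(id -un) under $root"
  find "$root" -path /proc -prune -o -type d -writable -print 2>/dev/null
  privesc_section "World-writable directories under $root"
  find "$root" -path /proc -prune -o -type d -perm -o=w -print 2>/dev/null
  privesc_section "World-writable and world-traversable directories under $root"
  find "$root" -path /proc -prune -o -type d -perm -o=w -perm -o=x -print 2>/dev/null
  privesc_section "World-writable files under $root"
  find "$root" -path /proc -prune -o -type f -perm -o=w -print 2>/dev/null
}

# Running processes, those running as root, and — the check the page's
# heading asks for — processes whose executable the current user can write
# (replace the binary, wait for a restart). The last check is meaningless
# when already running as root, since everything is writable then.
privesc_processes() {
  privesc_section "Running processes"
  ps aux
  privesc_section "Processes running as root"
  ps -U root -u root -o pid,user,cmd 2>/dev/null || ps aux | grep '^root'
  privesc_section "Processes whose executable is writable by $(id -un)"
  local proc exe
  for proc in /proc/[0-9]*; do
    exe=$(readlink -- "$proc/exe" 2>/dev/null) || continue
    [[ -w $exe ]] && printf '%s %s\n' "${proc##*/}" "$exe"
  done
}

# Scheduled jobs: a root cron job that runs a script, or reads a directory,
# the current user can write to is a direct escalation path. The allow/deny
# files show whether cron/at are restricted. Root's crontab and
# /var/spool/cron are root-only; silence there is expected.
privesc_cron() {
  privesc_section "Scheduled jobs"
  crontab -l 2>/dev/null
  ls -alh /var/spool/cron 2>/dev/null
  ls -al /etc/ | grep cron
  ls -al /etc/cron* 2>/dev/null
  privesc_cat /etc/crontab /etc/anacrontab /etc/cron.d/* /etc/cron.*/* \
    /etc/at.allow /etc/at.deny /etc/cron.allow /etc/cron.deny \
    /var/spool/cron/crontabs/root
  privesc_section "Cron files and directories writable by $(id -un)"
  find /etc/cron* /etc/crontab /etc/anacrontab /var/spool/cron -writable 2>/dev/null
}

# Common locations for software installed outside the package manager,
# which is where unpatched or misconfigured services tend to live.
privesc_software() {
  privesc_section "User-installed software"
  ls -la /usr/local/ /usr/local/src /usr/local/bin /opt/ /home /var/ /usr/src/ 2>/dev/null
}

# privesc_devtools [ROOT]
# Interpreters and compilers available for building or running an exploit.
# `command -v` answers the usual question instantly; the find covers copies
# outside PATH. The page's `find / -name perl*` was unquoted, so the shell
# expanded the glob against the current directory before find saw it.
privesc_devtools() {
  local root=${1:-/}
  privesc_section "Development tools"
  local tool
  for tool in perl python python2 python3 gcc cc make; do
    command -v "$tool" 2>/dev/null
  done
  find "$root" \( -name 'perl*' -o -name 'python*' -o -name 'gcc*' -o -name cc \) \
    -type f 2>/dev/null
}

# Configuration of installed services: credentials, bind addresses, document
# roots and log paths often sit in these files.
privesc_services() {
  privesc_section "Service configuration"
  privesc_cat /etc/syslog.conf /etc/chttp.conf /etc/lighttpd.conf \
    /etc/cups/cupsd.conf /etc/inetd.conf /etc/apache2/apache2.conf \
    /etc/my.conf /etc/httpd/conf/httpd.conf /opt/lampp/etc/httpd.conf
  # The page ended with `ls -aRl /etc/ | awk '$1 ~ /^.*r.*/` — an unterminated
  # quote, and a pattern that matches any entry with any read bit. What
  # matters is what *others* can read: the eighth character of the mode.
  privesc_section "World-readable entries under /etc"
  ls -aRl /etc/ 2>/dev/null | awk '$1 ~ /^.......r/'
}

# Home directories: dotfiles, keys, scripts and backups left readable.
privesc_homes() {
  privesc_section "Home directories"
  ls -ahlR /root/ 2>/dev/null
  ls -ahlR /home/ 2>/dev/null
}

# Interfaces, addresses, DNS and firewall rules: which other networks this
# host can reach and whether it is dual-homed. `iptables -L` needs root.
privesc_network() {
  privesc_section "Network configuration"
  hostname
  dnsdomainname 2>/dev/null
  ip addr 2>/dev/null || /sbin/ifconfig -a 2>/dev/null
  privesc_cat /etc/network/interfaces /etc/sysconfig/network /etc/resolv.conf /etc/networks
  iptables -L -v 2>/dev/null
}

# Listening sockets and live connections (what is bound to localhost only,
# who talks to this host), enabled services, and recent logins. `ss` has
# replaced netstat on modern systems; fall back when it is missing. To look
# at a single port use `lsof -i :PORT`.
privesc_connections() {
  privesc_section "Sockets and connections"
  lsof -i 2>/dev/null
  if command -v ss >/dev/null 2>&1; then
    ss -tulpn
    ss -antp
  else
    netstat -tulpn 2>/dev/null
    netstat -antup 2>/dev/null
  fi
  privesc_section "Enabled services"
  chkconfig --list 2>/dev/null | grep '3:on'
  systemctl list-unit-files --state=enabled 2>/dev/null
  privesc_section "Logins"
  last 2>/dev/null
  w
}

# Accounts, groups, mail and the current user's shell start-up files.
# /etc/shadow is root-only; if it prints, that alone is a finding.
privesc_users() {
  privesc_section "Users and groups"
  privesc_cat /etc/passwd /etc/group /etc/shadow
  ls -alh /var/mail/ 2>/dev/null
  privesc_cat /var/mail/root /var/spool/mail/root ~/.bashrc ~/.profile
}

# Shell and tool histories: passwords typed on command lines end up here.
# Everything is printed; the grep only flags the likely lines.
privesc_histories() {
  privesc_section "History files"
  privesc_cat ~/.bash_history ~/.nano_history ~/.atftp_history ~/.mysql_history ~/.php_history
  privesc_section "History lines mentioning passwords or keys"
  grep -iE 'pass|pwd|secret|token|key' ~/.bash_history ~/.mysql_history 2>/dev/null
}

# SSH material. A readable private key (user or host) is a credential:
# record where it was found and what it unlocks and treat it as sensitive
# evidence rather than copying it around. Host private keys are root-only
# unless the box is misconfigured; authorized_keys shows who else gets in.
privesc_sshkeys() {
  privesc_section "SSH keys and configuration"
  privesc_cat ~/.ssh/authorized_keys ~/.ssh/identity.pub ~/.ssh/identity \
    ~/.ssh/id_rsa.pub ~/.ssh/id_rsa ~/.ssh/id_dsa.pub ~/.ssh/id_dsa \
    ~/.ssh/id_ecdsa ~/.ssh/id_ed25519 \
    /etc/ssh/ssh_config /etc/ssh/sshd_config
  privesc_cat /etc/ssh/ssh_host_dsa_key.pub /etc/ssh/ssh_host_dsa_key \
    /etc/ssh/ssh_host_rsa_key.pub /etc/ssh/ssh_host_rsa_key \
    /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_key
}

# Neighbour cache and routes: hosts this machine has talked to recently and
# the networks it can reach.
privesc_arp() {
  privesc_section "ARP cache and routes"
  ip neigh 2>/dev/null || arp -e 2>/dev/null
  ip route 2>/dev/null || /sbin/route -nee 2>/dev/null
}

# privesc_uploaders [ROOT]
# Tools for moving files on and off the host: `command -v` for the common
# names, then a (slow) filesystem search for copies outside PATH.
privesc_uploaders() {
  local root=${1:-/}
  privesc_section "File transfer tools"
  local tool
  for tool in wget curl nc netcat ncat tftp ftp; do
    command -v "$tool" 2>/dev/null
  done
  find "$root" \( -name wget -o -name 'nc*' -o -name 'netcat*' -o -name 'tftp*' \
    -o -name ftp -o -name 'ncat*' \) -type f 2>/dev/null
}

# privesc_main [all | SECTION...]
# With no arguments, list the sections and return 0. Otherwise run each
# named section (or every section for `all`) in order. Unknown names are
# reported on stderr and make the return status 1; only names listed in
# PRIVESC_SECTIONS are accepted, so the helpers cannot be invoked by name.
privesc_main() {
  if (( $# == 0 )); then
    printf 'usage: %s all | SECTION...\nsections: %s\n' "${0##*/}" "${PRIVESC_SECTIONS[*]}"
    return 0
  fi
  [[ $1 == all ]] && set -- "${PRIVESC_SECTIONS[@]}"
  local s rc=0
  for s in "$@"; do
    case " ${PRIVESC_SECTIONS[*]} " in
      *" $s "*) "privesc_$s" ;;
      *)
        printf 'unknown section: %s\n' "$s" >&2
        rc=1
        ;;
    esac
  done
  return "$rc"
}

# Dispatch only when executed directly, not when sourced as a library.
if [[ ${BASH_SOURCE[0]} == "$0" ]]; then
  privesc_main "$@"
fi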