Privilege Escalation Checklist
System Information
Kernel information
uname -a
Operating System Information
cat /etc/issue
cat /etc/*-release
View $PATH
echo $PATH | tr ":" "\n"
Network Information
View IP configuration information
ifconfig -a
Print current network routes
route -n
Check DNS resolver
cat /etc/resolv.conf
View ARP table
arp -en
List all active TCP and UDP connections
netstat -auntp
ss -twurp
Dump clear text PSK keys from the Network manager.
cat /etc/NetworkManager/system-connections/* |grep -E "^id|^psk"
User Information
Current user
id
grep $USER /etc/passwd
Last logged on
lastlog | grep -v '**Never logged in**'
Currently logged on user
w
All users with UID and GID Information
for user in $(cat /etc/passwd | cut -f1 -d ":"); do id $user; done
List all root accounts
cat /etc/passwd |cut -f1,3,4 -d":" | grep "0:0" |cut -f1 -d":" |awk '{print $1}'
Running Processes
List running processes
ps auxwww
Processes running as root
ps -u root
Processes running as current user
ps -u $USER
File and Folder permissions
Can we read Shadow?
cat /etc/shadow
Find Sticky bit
find / -perm -1000 -type d 2>/dev/null
Find SUID
find / -perm -u=s -type f 2>/dev/null
Find SGID
find / -perm -g=s -type f 2>/dev/null
World Writeable files
find -perm -2 -type f 2>/dev/null
List configuration files in /etc/
ls -al /etc/*.conf
Grep for interesting keywords in configuration files
grep 'pass*' /etc/*.conf 2> /dev/null
grep 'key' /etc/*.conf 2> /dev/null
grep 'secret' /etc/*.conf 2> /dev/null
Can we list the contents of /root/?
ls -als /root/
Can we read other users' history files?
find /* -name "*.*history*" -print 2> /dev/null
Cronjobs and scheduled tasks
cat /etc/crontab
ls -als /etc/cron.*
Check for tasks that are run as root and are world writeable.
find /etc/cron* -type f -perm -o+w -exec ls -l {} \;
Metasploit modules
Post exploit enumeration
post/linux/gather/enum_configs
post/linux/gather/enum_system
post/linux/gather/enum_network
post/linux/gather/enum_psk
post/linux/gather/hashdump
post/linux/gather/openvpn_credentials
post/linux/gather/phpmyadmin_credsteal