Privilege Escalation Checklist

System Information

Kernel information

uname -a

Operating System Information

cat /etc/issue
cat /etc/*-release

View $PATH

echo $PATH | tr ":" "\n"

Network Information

View IP configuration information

ifconfig -a

Print current network routes

route -n

Check DNS resolver

cat /etc/resolv.conf

View ARP table

arp -en

List all active TCP and UDP connections

netstat -auntp

Dump clear-text PSKs from NetworkManager

cat /etc/NetworkManager/system-connections/* |grep -E "^id|^psk"

User Information

Current user

id

Last logged on

lastlog | grep -v '**Never logged in**' 

Currently logged on user

w

All users with UID and GID information

for user in $(cat /etc/passwd | cut -f1 -d ":"); do id $user; done

List all root accounts

cat /etc/passwd | cut -f1,3,4 -d":" | grep ":0:0$" | cut -f1 -d":"

Running Processes

List running processes

ps auxwww

Processes running as root

ps -u root

Processes running as current user

ps -u $USER

File and Folder permissions

Can we read Shadow?

cat /etc/shadow

Find Sticky bit

find / -perm -1000 -type d 2>/dev/null

Find SUID

find / -perm -u=s -type f 2>/dev/null 

Find SGID

find / -perm -g=s -type f 2>/dev/null

World Writeable files

find / -perm -2 -type f 2>/dev/null

List configuration files in /etc/

ls -al /etc/*.conf

Grep for interesting keywords in configuration files

grep 'pass*' /etc/*.conf 2> /dev/null
grep 'key' /etc/*.conf 2> /dev/null
grep 'secret' /etc/*.conf 2> /dev/null

Can we list the contents of /root/?

ls -als /root/

Can we read other users history files?

find / -name "*.*history*" -print 2>/dev/null

Cronjobs and scheduled tasks

cat /etc/crontab  
ls -als /etc/cron.*

Check for tasks that are run as root and are world writeable.

find /etc/cron* -type f -perm -o+w -exec ls -l {} \; 
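
The find command above only inspects the cron files themselves. As an added example (not part of the original checklist), the hardening audit below also checks the command file each root job points at. The function name audit_root_cron_targets and the WORLD-WRITABLE label are made up for this example, and it assumes the system crontab layout (minute hour dom month dow user command).

```shell
#!/bin/sh
# Added example: report world-writable command files referenced by root cron jobs.
# Assumes system-format crontabs (/etc/crontab, /etc/cron.d/*), which carry a user field.
# Limitation: only the first word of the command is checked, and only if it is an
# absolute path without spaces.

audit_root_cron_targets() {
    crontab_file=$1
    awk '
        /^[ \t]*(#|$)/ { next }                          # comments and blank lines
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next }  # VAR=value assignments
        $1 ~ /^@/ {                                      # @daily, @reboot, ... user cmd
            if ($2 == "root" && $3 ~ /^\//) print $3
            next
        }
        $6 == "root" && $7 ~ /^\// { print $7 }          # five time fields, user, cmd
    ' "$crontab_file" | sort -u | while IFS= read -r target; do
        # Skip commands that do not exist (including dangling symlinks).
        [ -e "$target" ] || continue
        # -H resolves a symlink given on the command line, so the mode tested is the
        # real file's; -prune keeps find from descending; -0002 is the other-write bit.
        if [ -n "$(find -H "$target" -prune -perm -0002 -print 2>/dev/null)" ]; then
            echo "WORLD-WRITABLE: $target"
        fi
    done
}

# Audit the standard system crontab locations when they exist.
for f in /etc/crontab /etc/cron.d/*; do
    if [ -f "$f" ]; then
        audit_root_cron_targets "$f"
    fi
done
```

Any path reported should have its mode tightened (for example chmod o-w) and its ownership reviewed.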

Metasploit modules

Post exploit enumeration

post/linux/gather/enum_configs
post/linux/gather/enum_system
post/linux/gather/enum_network
post/linux/gather/enum_psk
post/linux/gather/hashdump
post/linux/gather/openvpn_credentials
post/linux/gather/phpmyadmin_credsteal 
