# Privilege Escalation Checklist

## System Information

Kernel information

```
uname -a
```

Operating System Information

```
cat /etc/issue
cat /etc/*-release
```

View $PATH

```
echo $PATH | tr ":" "\n"
```

## Network Information

View IP configuration information

```
ifconfig -a
```

Print current network routes

```
route -n
```

Check DNS resolver

```
cat /etc/resolv.conf
```

View ARP table

```
arp -en
```

List all active TCP and UDP connections

{% tabs %}
{% tab title="netstat" %}

```
netstat -auntp
```

{% endtab %}

{% tab title="ss" %}

```
ss -twurp
```

{% endtab %}
{% endtabs %}

Dump clear-text PSK keys from NetworkManager.

```
cat /etc/NetworkManager/system-connections/* |grep -E "^id|^psk"
```

## User Information

Current user

{% tabs %}
{% tab title="id" %}

```
id
```

{% endtab %}

{% tab title="From /etc/passwd" %}

```
grep $USER /etc/passwd
```

{% endtab %}
{% endtabs %}

Last logged on

```
lastlog | grep -v 'Never logged in'
```

Currently logged on user

```
w
```

All users with UID and GID information

```
for user in $(cat /etc/passwd | cut -f1 -d ":"); do id $user; done
```

List all root accounts

```
awk -F: '$3 == 0 && $4 == 0 {print $1}' /etc/passwd
```

## Running Processes

List running processes

```
ps auxwww
```

Processes running as root

```
ps -u root
```

Processes running as current user

```
ps -u $USER
```

## File and Folder permissions

Can we read Shadow?

```
cat /etc/shadow
```

Find Sticky bit

```
find / -perm -1000 -type d 2>/dev/null
```

Find SUID

```
find / -perm -u=s -type f 2>/dev/null 
```

Find SGID

```
find / -perm -g=s -type f 2>/dev/null
```

World Writeable files

```
find / -perm -2 -type f 2>/dev/null
```

List configuration files in /etc/

```
ls -al /etc/*.conf
```

Grep for interesting keywords in configuration files

```
grep 'pass*' /etc/*.conf 2> /dev/null
grep 'key' /etc/*.conf 2> /dev/null
grep 'secret' /etc/*.conf 2> /dev/null
```

Can we list the contents of /root/?

```
ls -als /root/
```

Can we read other users history files?

```
find / -name '*.*history*' -print 2>/dev/null
```

## Cronjobs and scheduled tasks

```
cat /etc/crontab  
ls -als /etc/cron.*
```

Check for tasks that are run as root and are world writeable.

```
find /etc/cron* -type f -perm -o+w -exec ls -l {} \; 
```
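
For hardening reviews, the same check can be extended from the cron files themselves to the scripts that root's entries in `/etc/crontab` call. This is an added example, not part of the original checklist; the `audit_cron` function name, its root-prefix argument and the output labels are assumptions of this example.

```shell
#!/bin/sh
# Added example: report world-writable cron files and world-writable
# scripts that /etc/crontab runs as root, so they can be fixed (chmod o-w).
# The optional ROOT prefix (an assumption of this example) lets the audit run
# against a mounted image or a constructed test tree instead of the live /.

audit_cron() {
    root="${1%/}"    # "" or "/" means the live filesystem

    # 1. Cron definition files that any local user can modify.
    find "$root"/etc/cron* -type f -perm -0002 2>/dev/null |
        while IFS= read -r f; do
            printf 'WRITABLE_CRON_FILE %s\n' "${f#"$root"}"
        done

    # 2. System crontab entries run as root whose target file is world-writable.
    #    /etc/crontab format: min hour dom mon dow user command...
    #    Variable assignments and @reboot-style lines are skipped (NF < 7).
    [ -r "$root/etc/crontab" ] || return 0
    awk '$1 !~ /^#/ && NF >= 7 && $6 == "root" {
             for (i = 7; i <= NF; i++) if ($i ~ /^\//) print $i
         }' "$root/etc/crontab" | sort -u |
        while IFS= read -r target; do
            if [ -f "$root$target" ] &&
               [ -n "$(find "$root$target" -prune -perm -0002 2>/dev/null)" ]; then
                printf 'WRITABLE_ROOT_TARGET %s\n' "$target"
            fi
        done
}
```

Call `audit_cron /` on a live host, or pass the mount point of a disk image; any line it prints is a file whose write permission for others should be removed.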

## Metasploit modules

Post exploit enumeration

```
post/linux/gather/enum_configs
post/linux/gather/enum_system
post/linux/gather/enum_network
post/linux/gather/enum_psk
post/linux/gather/hashdump
post/linux/gather/openvpn_credentials
post/linux/gather/phpmyadmin_credsteal 
```


