#Linux Privesc

#OS, Kernel & Hostname

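# Distribution, kernel build and hostname. The kernel version (uname -a, /proc/version)
# is what you match against kernel-exploit advisories; the distro files tell you which
# package versions/patch levels to expect. The commands were fused onto one line in the
# original (that would have run cat on the words "hostname", "uname", "-a", ...).
cat /etc/os-release
cat /etc/issue
cat /proc/version
hostname
uname -a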

#Users

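# Local accounts, current identity and sudo rights.
cat /etc/passwd
id
sudo -l          # allowed sudo rules for this user; may prompt for the user's own password
# Groups of the current user, then every file owned by one of them.
# 'management' is only an example - substitute a group name reported by id/groups.
groups
find / -group management -ls 2>/dev/null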

#Network

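# Listening and established TCP/UDP sockets with owning PID/program.
# Note: the PID/program column is only filled for the current user's processes unless
# you are root. netstat (net-tools) is deprecated and missing on many modern images;
# ss (iproute2) accepts the same flags here, so fall back to it.
if command -v netstat >/dev/null 2>&1; then
  netstat -antup
else
  ss -antup
fi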

#Try scanning other ports using netcat

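# Sweep TCP ports 1-10000 on an internal host from the compromised box.
# -z: connect only, send no data; -n: no DNS; -v: report each attempt.
# OpenBSD netcat reports closed ports with the word "failed", so filtering it out leaves
# only the open ones (other netcat builds word failures differently - check before
# relying on the filter). 10000 connection attempts is noisy and easy to spot in logs.
nc -nvz 192.168.122.4 1-10000 2>&1 | grep -v failed
# Example output:
#   Connection to 192.168.122.4 80 port [tcp/*] succeeded!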

#SSH tunnel

Example: create an SSH local port forward through the host you already have SSH access to (10.10.10.109) in order to reach port 80 on the internal host 192.168.122.4.

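# Local port forward: connections to 127.0.0.1:80 on the attacker machine are relayed via
# 10.10.10.109 to 192.168.122.4:80.
# Binding a local port below 1024 requires root on the attacker machine; if you are not
# root, use a high local port instead (e.g. -L 8080:192.168.122.4:80) and browse
# http://127.0.0.1:8080. Add -N to forward only, without opening a remote shell.
ssh -L 80:192.168.122.4:80 dave@10.10.10.109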

Now the internal web server is reachable from the attacker machine at 127.0.0.1:80 (if the tunnel was bound to a different local port, browse that port instead).

#Processes Running

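# All processes, then only those running as root (look for services, cron jobs and
# scripts whose files you can write to).
ps aux
# Anchor on the USER column: a bare `grep root` also matches any command line containing
# "root" (and the grep process itself).
ps aux | grep '^root'
# Equivalent without grep: ps -U root -u root u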

#Installed Packages

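# Installed packages and their versions - check them against known-vulnerable versions.
dpkg -l      # Debian / Ubuntu and derivatives
rpm -qa      # Fedora / RHEL / CentOS and derivatives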

#Find SUID

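# SUID binaries run with the privileges of their owner; root-owned ones are the
# classic privesc target. Both forms below list setuid files (second form restricts to root).
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
# SGID binaries deserve the same look (they run with the owning group's privileges).
find / -perm -g=s -type f 2>/dev/null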

#World writable folders (then look inside them for scripts, binaries or cron jobs that root runs)

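# Writable directories. These three tests are NOT equivalent:
#   -writable   : the *current user* can write (honours uid, groups and ACLs)
#   -perm -222  : owner, group AND others all have the write bit
#   -perm -o=w  : the others/world write bit is set
# The original `-perm -o w` is broken - GNU find rejects the mode "o" on its own and
# treats the stray "w" as a path - the intended symbolic mode is o=w.
find / -writable -type d 2>/dev/null
find / -perm -222 -type d 2>/dev/null
find / -perm -o=w -type d 2>/dev/null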

#World executable folder

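# Directories anyone may traverse (others' execute/search bit), i.e. paths any user can
# walk to reach files beneath them. The mode must be written o=x: `-perm -o x` is not a
# valid GNU find mode and the stray "x" would be parsed as a path.
find / -perm -o=x -type d 2>/dev/null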

#World writable and executable folders

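# Directories both world-writable and world-executable: any user can create files there.
# The original used doubled backslashes (\\( ... \\), passing literal "\(" to find) and the
# invalid mode `-o w`; `-perm -o=wx` expresses both bits in one test, no grouping needed.
# /tmp, /var/tmp and /dev/shm are expected hits; their sticky bit (t) prevents other users
# deleting your files. The second form drops sticky-bit directories so only unusual ones remain.
find / -perm -o=wx -type d 2>/dev/null
find / -perm -o=wx ! -perm -1000 -type d 2>/dev/null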

#Find world-writable files in /etc

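# World-writable regular files (-perm -2 tests the others-write bit): first under /etc,
# where a writable config, cron or service file is a direct path to root, then system-wide.
# /proc is pruned in the system-wide search: its pseudo-files commonly show writable modes
# and are not files on disk, so they are noise here.
find /etc -perm -2 -type f 2>/dev/null
find / -path /proc -prune -o -perm -2 -type f -print 2>/dev/null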

#World-writable directories

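# Directories writable by the current user. Despite the heading, -writable answers
# "can *I* write here" (uid, group membership and ACLs), which is broader than the
# world-writable bit; for strictly world-writable directories use: find / -perm -o=w -type d
find / -writable -type d 2>/dev/null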