Information Gathering
+ Get OS information
Check for misconfigurations - i.e Is shadow readable? Is passwd writeable?
Search for misconfigured PATH variables. Do they prioritize searching for executable files from a non-secure (i.e. world-writeable) path?
You mightiness detect plaintext passwords inwards in that place
Search for jobs using programs that run alongside rootage privileges as well as are potentially write-accessible past times low-privileged users
cat /etc/issue cat /etc/*-release cat /proc/version uname -a rpm -q inwardness dmesg | grep Linux ls /boot | grep vmlinuz- lsb_release -a+ Check sudoers
sudo -l cat /etc/sudoers+ Check password files
Check for misconfigurations - i.e Is shadow readable? Is passwd writeable?
cat /etc/passwd cat /etc/shadow ls -l /etc/passwd ls -l /etc/shadow+ Learn your environment
Search for misconfigured PATH variables. Do they prioritize searching for executable files from a non-secure (i.e. world-writeable) path?
cat /etc/profile cat /etc/bashrc cat /.bash_profile cat /.bashrc cat /.bash_logout cat /.bash_history env set+ Check history files
You mightiness detect plaintext passwords inwards in that place
cat /.*_history+ Check cronjobs
Search for jobs using programs that run alongside rootage privileges as well as are potentially write-accessible past times low-privileged users
crontab -l ls -alh /var/spool/cron ls -al /etc/ | grep cron ls -al /etc/cron* cat /etc/cron* cat /etc/at.allow cat /etc/at.deny cat /etc/cron.allow cat /etc/cron.deny cat /etc/crontab cat /etc/anacrontab cat /var/spool/cron/crontabs/root+ Check processes running every bit rootage for vulnerabilities
ps aux | grep rootage ps -ef | grep root+ Search files for plaintext credentials
grep -ir user * grep -ir transcend *+ Find writable configuration files
find /etc/ -writable -type f 2>/dev/null+ Run privesc scripts
LinEnum - https://www.rebootuser.com/?p=1758 linuxprivchecker.py - http://www.securitysift.com/download/linuxprivchecker.py unix-privesc-check - https://github.com/pentestmonkey/unix-privesc-check
Escaping jail shells
python -c 'import pty;pty.spawn("/bin/bash")' echo os.system('/bin/bash') /bin/sh -i