Checklist
1️⃣ System Information
- Kernel Version: `uname -r`
- OS Release: `cat /etc/os-release`
- Host & User Info: `id; whoami; hostname`
- System Architecture: `uname -m`
- Active Users: `who`
- Current User Privileges: `id`
- Check Environment Variables: `env`
- Check CPU Info: `lscpu`
- Check Memory Usage: `free -h`
- Find Executables: `find / -type f -perm /a=x 2>/dev/null`
- Mounted File Systems: `df -h`
- Find World-Writable Files: `find / -type f -perm -o+w 2>/dev/null`
- Find World-Writable Configuration Files: `find /etc -type f -perm -o+w 2>/dev/null`
- Find World-Writable Scripts: `find / -type f -name "*.sh" -perm -o+w 2>/dev/null`
- Find Files Owned by Root with SUID/SGID (the `-o` needs grouping, or `-type f` only applies to the SGID branch): `find / -uid 0 -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null`
- Find Root-Owned Files Modified in the Last Day: `find / -user root -mtime -1 2>/dev/null`
- Find Large Files (>100MB): `find / -type f -size +100M 2>/dev/null`
- Find Hidden Files: `find / -type f -name ".*" 2>/dev/null`
- Find Files with Specific Extensions: `find / -type f \( -name "*.conf" -o -name "*.log" \) 2>/dev/null`
- Find Files with Specific Content: `find / -type f -exec grep -l "password" {} + 2>/dev/null`
- Find Directories with Sticky Bit: `find / -type d -perm -1000 2>/dev/null`
2️⃣ User & Permission Enumeration
- Who is logged in? `w; who; last`
- What can the current user run via sudo? `sudo -l`
- Check user groups: `groups`
- Find SUID files (run with the file owner's privileges rather than the caller's): `find / -perm -u=s -type f 2>/dev/null`
- Find executable files (`/a=x` matches any execute bit; a bare `a=x` would only match mode 0111 exactly): `find / -type f -perm /a=x 2>/dev/null`
- SGID Binaries: `find / -perm -2000 -type f 2>/dev/null`
- Find world-writable folders: `find / -perm -o+w -type d 2>/dev/null`
- Find files with 777 permissions: `find / -type f -perm 0777 2>/dev/null`
- List All Users: `cat /etc/passwd`
- List All Groups: `cat /etc/group`
- Check Password Policies: `cat /etc/login.defs`
- Find Users with No Password (reading `/etc/shadow` requires root or the `shadow` group): `awk -F: '($2 == "") {print $1}' /etc/shadow`
- List Last Password Change: `chage -l "$(whoami)"`
- Check if Root SSH Access is Allowed: `grep -i PermitRootLogin /etc/ssh/sshd_config`
- Check for SSH Authorized Keys: `ls -la ~/.ssh`
- SUID Binaries: `find / -perm -4000 -type f 2>/dev/null`
- Writable Scripts: `find / -type f -name "*.sh" -perm -o+w 2>/dev/null`
- Find proof.txt: `find / -name "proof.txt" 2>/dev/null`
- Find local.txt: `find / -name "local.txt" 2>/dev/null`
- Services Running as Root: `ps aux | grep '^root'`
- Misconfigured Cron Jobs: `ls -la /etc/cron*`
- Check for Writable System Binaries: `find /usr/bin -writable 2>/dev/null`
- Check for Debugging Tools Installed: `which gdb ltrace strace`
- Check for Capabilities Assigned to Binaries: `getcap -r / 2>/dev/null`
- Check for Configuration Files Writable by the Current User: `find /etc -type f -writable 2>/dev/null`
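The permission checks from the two sections above (set-id binaries, world-writable files and directories, sticky bit on shared directories, `PermitRootLogin`) are easier to keep honest on a fleet when they run as one script against a known-good baseline. The following audit helper is an added example and not part of the original checklist; the `EXPECTED_SUID` list is a constructed placeholder that must be adjusted per distribution, and the functions take a root directory argument so they can be exercised on a test tree before being pointed at `/`.

```shell
#!/bin/sh
# Added example (not from the original checklist): a small permission audit
# that reports findings instead of just listing files.

# Constructed baseline of set-id binaries expected on this hypothetical host.
# Adjust for the distribution being audited; anything not listed is reported.
EXPECTED_SUID="/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su"

# find_setid ROOT: regular files under ROOT with the SUID or SGID bit set.
# The parentheses matter: without them "-type f" binds only to the SGID branch.
find_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# unexpected_setid ROOT: set-id files that are not in the baseline.
unexpected_setid() {
    find_setid "$1" | while IFS= read -r f; do
        case "$EXPECTED_SUID" in
            *"$f"*) ;;                      # known and expected, skip
            *) printf '%s\n' "$f" ;;        # new set-id file: investigate
        esac
    done
}

# world_writable_files ROOT: regular files writable by "other".
# -o+w is the security-relevant test; -perm -222 would miss a 0646 file.
world_writable_files() {
    find "$1" -type f -perm -o+w 2>/dev/null | sort
}

# dirs_missing_sticky ROOT: world-writable directories without the sticky
# bit, where any user could delete or replace another user's files.
dirs_missing_sticky() {
    find "$1" -type d -perm -o+w ! -perm -1000 2>/dev/null | sort
}

# check_permit_root_login FILE: succeeds only if root SSH login is explicitly
# disabled; a commented-out or missing directive is treated as a finding.
check_permit_root_login() {
    grep -Eq '^[[:space:]]*PermitRootLogin[[:space:]]+no' "$1"
}

# audit_report ROOT: print all findings for a tree.
audit_report() {
    echo "== set-id files not in baseline =="
    unexpected_setid "$1"
    echo "== world-writable regular files =="
    world_writable_files "$1"
    echo "== world-writable directories without sticky bit =="
    dirs_missing_sticky "$1"
}

# Usage: sh audit_perms.sh /   (no argument: only define the functions)
if [ "$#" -gt 0 ]; then
    audit_report "$1"
fi
```

The report is deliberately a diff against a baseline rather than a raw listing: on a real host `find / -perm -4000` returns dozens of legitimate entries, and the only actionable output is what changed since the baseline was recorded.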
4️⃣ Escape & Shell Spawn
- Upgrade Shell (the inner quotes must differ from the outer ones): `python3 -c 'import pty; pty.spawn("/bin/bash")'`
- Vim Escape: `:set shell=/bin/bash` then `:shell`
- Less Escape: Inside `less`, type `!sh`
- Find Processes Running as Root: `ps -u root`
- Find Open File Descriptors of the Current Shell: `lsof -p $$`
- Check whether LD_PRELOAD is set in the environment: `echo $LD_PRELOAD`