System Information[1]
* Get OS information
* Check the PATH for any writable folders
* Check the env variables for any sensitive details
* Search for Kernel Exploits (i.e. PwnKit, DirtyCow etc)
* Check the sudo version to see if it's vulnerable
* Dmesg signature verification failed
* System enumeration
Drives
* List mounted drives
* Any unmounted drives
* Any credentials in fstab
Installed Software
* Check for useful software installed
* Check for vulnerable software installed
Processes
* Is any unknown software running
* Is any software running with more privileges than it should have
* Can you modify the binary of any running process
* Monitor processes and check if any interesting process is running frequently
* Can you read some interesting process memory
# Commands
ps aux #Lists all the process currently running on the machine
pspy can also be uploaded and ran to see if there are any repeating processes
Scheduled Task/Cron Jobs
* Is the PATH being modified by some cron job and you can write to it
* Any wildcard in a cron job
* Some modifiable script is being executed or is inside a modifiable folder
* A script that is being executed very frequently
Services
* Any writeable .service file
* Any writeable binary executed by a service
* Any writeable folder in systemd PATH
Timers
* Any writeable timers
Sockets
* Any writeable .socket file
* Can you communicate with any socket
* HTTP sockets with interesting info
D-BUS
* Can you communicate with any D-Bus
Network
* Enumerate the network to know where you are
* Open ports you couldn't access before getting a shell inside the machine
* Can you sniff traffic using tcpdump
Users
* Generic users/groups enumeration
* Do you have a very big UID? Is the machine vulnerable?
* Can you escalate privileges thanks to a group you belong to?
* Clipboard data?
* Password Policy?
* Try to use every known password that you have discovered previously to login with each possible user. Try to login also without a password.
Writeable Path
* If you have write privileges over some folder in PATH you may be able to escalate privileges
Sudo and SUID Commands
* Can you execute any command with sudo? Can you use it to READ, WRITE or EXECUTE anything as root? (GTFOBins)
* Is any exploitable SUID binary? (GTFOBins)
* Are sudo commands limited by path? can you bypass the restrictions?
* Sudo/SUID binary without path indicated?
* SUID binary specifying path? Bypass
* LD_PRELOAD vuln
* Lack of .so library in SUID binary from a writable folder?
* SUDO tokens available? Can you create a SUDO token?
* Can you read or modify sudoers files?
* Can you modify /etc/ld.so.conf.d/?
* OpenBSD DOAS command
Capabilities
* Has any binary unexpected capability
ACL's
* Does any file have unexpected ACL
Open Shell Sessions
* Screen
* Tmux
SSH
* Debian OpenSSL Predictable PRNG - CVE-2008-0166
* SSH Interesting configuration values
Interesting Files
* Profile files - Read sensitive data? Write to privesc?
* passwd/shadow files - Read sensitive data? Write to privesc?
* Check commonly interesting folders for sensitive data
* Weird Location/Owned files, you may have access to or alter executable files
* Modified in last mins
* Sqlite DB files
* Hidden files
* Script/Binaries in PATH
* Web files (passwords?)
* Backups?
* Known files that contains passwords: Use Linpeas and LaZagne
* Generic search
Writeable Files
* Modify python library to execute arbitrary commands?
* Can you modify log files? Logtotten exploit
* Can you modify /etc/sysconfig/network-scripts/? Centos/Redhat exploit
* Can you write in ini, int.d, systemd or rc.d files?
Other Tricks
* Can you abuse NFS to escalate privileges?
* Do you need to escape from a restrictive shell?