Enumeration for Linux Privilege Escalation

(gojirasan) #4

Gotcha, just realized that. I'll fix it

(gojirasan) #5

That one is pretty amazing too. I used it for the OSCP labs a couple times.

(John) #6

Hey guys,
I have created this tool: https://github.com/operatorequals/gatheros
just to cope with Info Gathering in team environments (CTFs, etc).
There is also a blog post that describes its usage.

(system) #7

This topic was automatically closed after 30 days. New replies are no longer allowed.

(Leader & Offsec Engineer) #8

Necrobumping this because it’s a really good article.

Anybody got any more thoughts on this? Do we have any new methods?

(Leader & Offsec Engineer) #9


This can be good if cronjobs are present, checking for new processes:

# bash only: uses process substitution <( ... )
old=$(ps -eo command)

while true; do
        new=$(ps -eo command)
        # print commands that appeared (or vanished) since the first snapshot
        diff <(echo "$old") <(echo "$new")
        sleep 1
done
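
The same idea as the ps loop above, as an added example that is not from this thread: a small Python poller that reads /proc directly (keeps the full argv, needs no ps binary), reports processes that appeared since the previous poll, and returns how many it saw. Assumes a Linux host; the function names are my own.

```python
import os
import time


def read_proc_snapshot(proc_root="/proc"):
    """Return {pid: full command line} for processes visible under proc_root."""
    snap = {}
    if not os.path.isdir(proc_root):  # non-Linux host: nothing to read
        return snap
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "cmdline"), "rb") as fh:
                raw = fh.read()
        except OSError:
            continue  # exited between listdir and open, or not readable
        # cmdline is NUL-separated argv; kernel threads have an empty one
        argv = [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]
        if argv:
            snap[int(entry)] = " ".join(argv)
    return snap


def new_commands(old, new):
    """Command lines whose pid is in new but not in old. Keying on pid means
    a cron job that re-runs with identical argv is reported at each start."""
    return sorted(cmd for pid, cmd in new.items() if pid not in old)


def watch(interval=1.0, rounds=0):
    """Poll /proc every interval seconds, print newly started commands and
    return how many were seen. rounds=0 polls forever. Jobs shorter than
    interval can fall between two polls, so keep it small."""
    old = read_proc_snapshot()
    seen = done = 0
    while rounds == 0 or done < rounds:
        time.sleep(interval)
        new = read_proc_snapshot()
        for cmd in new_commands(old, new):
            print(time.strftime("%H:%M:%S"), cmd)
            seen += 1
        old = new  # report each process once, at the poll where it appears
        done += 1
    return seen


if __name__ == "__main__":
    watch(interval=0.5)
```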

(zief four) #11

PwnWiki has a good command list too… I always refer to it…

pwnwiki.io Linux Privesc


Neat! I am new to the thinking methodology, and your article sounded like “Information Gathering” is a serious topic for concern. Gotta save this for now, thanks John!

(Matt) #13

A while back I stumbled across a great enumeration script that hits most of the points brought up here. Take a look at https://github.com/rebootuser/LinEnum. This is the first thing I try to run on a fresh low-priv shell.


Linuxprivchecker could also be a good alternative to traditional tools. I revamped the original one to make it work with all Python versions.

Hope it helps,


That’s fucking awesome. Thanks man

(IDdbH) #16

Thanks, great info !

Jake Williams' Wild West Hacking Fest 2018 talk "Privilege Escalation FTW" was released a week ago; it has some good stuff too (Linux and Windows):

(Leader & Offsec Engineer) #17

Just found this, too:

If you're looking for Windows privesc, this is nice.


Yes, this is also very detailed. Thank you

The Ultimate Privilege Escalation Reference - [Wiki]

(guly) #19

pspy does this in a more efficient way for not really-hardened boxes

For CTF/boot2root, I also check file times using "user.txt" as a reference.

(Zain) #20

Yo! Nice tut (?), but just curious if there’s a possibility for another one except for windows? Just a thought.

Also, I might put some of these commands in a bash script for automation of prosperity. :stuck_out_tongue:

Again, awesome tut! This will be helpful for HTB. ~Cheers!

–Techno Forg–

(EternalEclipse) #21

Some more stuff to check for

Check for accidental passwords typed after unsuccessful sudo

cat ~/.bash_history | grep -A5 sudo

Check for open tmux sessions (possibly logged into root shells)

tmux ls

Find writable files / dirs outside of your home directory

find / -writable -type f -o -writable -type d 2>/dev/null | grep -Ev "^(/proc|/home/user|/tmp)"

Check home directories of other users for readable files:

find /home | grep -Ev "^/home/user"

Find files that were modified in the last 10min (useful to spot funky stuff going on)

find / -mmin -10 2>/dev/null | grep -Ev "^/proc"

  • Check mounts
  • Grab banners for local ports (using nc or other methods)
  • Read crontab job files and look for crappy backup scripts
  • Read service configuration (especially httpd)
  • Scroll over ps -ef output and check for passwords passed as command-line arguments


I don’t know why, but this blew my mind. Nice!

(Leader & Offsec Engineer) #23

This topic was automatically closed after 39 days. New replies are no longer allowed.