Privilege Escalation Linux

Lesson 01: Linux Post-Exploitation Enumeration

Enumeration is the first step after obtaining initial access. Before exploiting anything, you must understand the environment to identify privilege escalation vectors.

[Figure: a Linux privilege escalation enumeration map showing the main areas to check: sudo rules, SUID/SGID, scheduled tasks, services, capabilities, PATH issues, and kernel version.]
Privilege escalation is usually found during enumeration: map the boundaries before you try anything.

System information

```bash
# Operating system and version
uname -a
cat /etc/os-release
cat /etc/issue
lsb_release -a

# Architecture and kernel
uname -m   # x86_64, aarch64...
uname -r   # kernel version

# Uptime and load
uptime
w
```

User context

```bash
# Who am I?
id
whoami

# Group memberships (interesting: docker, lxd, disk, sudo, adm)
groups
id | grep -oP 'groups=\K.*'

# System user accounts
cat /etc/passwd
cat /etc/passwd | grep -v nologin | grep -v false

# Command history
cat ~/.bash_history
cat ~/.zsh_history
history
```

Permissions and sensitive files

```bash
# SUID files (Set User ID)
find / -perm -4000 -type f 2>/dev/null

# SGID files (Set Group ID)
find / -perm -2000 -type f 2>/dev/null

# World-writable files
find / -writable -type f 2>/dev/null | grep -v proc

# Recently modified files
find / -mmin -60 -type f 2>/dev/null

# Capabilities
getcap -r / 2>/dev/null
```

Sudo and configurations

```bash
# List sudo privileges (without password)
sudo -l

# Sudoers file
cat /etc/sudoers 2>/dev/null
ls -la /etc/sudoers.d/
```

Network and processes

```bash
# Network interfaces
ip a
ifconfig

# Locally open ports (internal services)
ss -tlnp
netstat -tlnp
ss -unlp   # UDP

# Running processes (look for root-owned ones)
ps aux
ps aux | grep root

# Active network connections
ss -tnp
```

Environment variables and PATH

```bash
# Environment variables
env
printenv
cat /proc/self/environ | tr '\0' '\n'

# Current PATH
echo $PATH

# Configuration files with credentials
find / \( -name '*.conf' -o -name '*.config' -o -name '*.cfg' \) 2>/dev/null | head -20
grep -r 'password\|passwd\|secret\|key' /etc/ 2>/dev/null | grep -v Binary
```

Scheduled tasks

```bash
# Current user's cron
crontab -l

# System cron
cat /etc/crontab
ls -la /etc/cron.d/
ls -la /etc/cron.hourly/
ls -la /etc/cron.daily/

# Monitor created processes (requires pspy)
./pspy64   # Detects processes launched by root
```
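The SUID listing and the cron review above are the two checks that most often turn up a real finding, so here they are as an audit script for the defender side: an added example, not part of the course material. It assumes a POSIX shell with `find` and `awk`, a baseline file of approved SUID paths (one per line, a convention of this example), and a system-crontab layout (time fields or an `@` shortcut, then user, then command); the `AUDIT_ROOT` / `AUDIT_BASELINE` variables are this example's own.

```shell
#!/bin/sh
# Audit helpers for two of the findings the checklist above looks for:
#  - SUID binaries that are not on an approved baseline
#  - scheduled-task scripts (crontab format) that are world-writable
# Both take their input as arguments so they can be pointed at a
# test tree; run them against "/" and /etc/crontab on a real host.

# Print SUID files under ROOT that do not appear in BASELINE (one absolute path per line).
unexpected_suid() {
    root="$1"; baseline="$2"
    find "$root" -perm -4000 -type f 2>/dev/null | sort | while IFS= read -r f; do
        # -x whole-line match, -F literal string: no regex surprises from the path
        grep -qxF "$f" "$baseline" || printf '%s\n' "$f"
    done
}

# Extract the command path from each job line of a system crontab
# (five time fields or an @shortcut, then the user, then the command)
# and print the ones that are world-writable. Comments, blank lines and
# VAR=value lines are skipped; relative commands are reported separately
# because their resolution depends on cron's PATH (see Path Hijacking).
writable_cron_targets() {
    crontab_file="$1"
    grep -vE '^[[:space:]]*(#|$|[A-Za-z_][A-Za-z0-9_]*=)' "$crontab_file" |
    awk '$1 ~ /^@/ { print $3; next } { print $7 }' |
    while IFS= read -r cmd; do
        [ -n "$cmd" ] || continue
        case "$cmd" in
            /*) # absolute path: check the other-write bit (0002)
                if [ -n "$(find "$cmd" -maxdepth 0 -perm -0002 2>/dev/null)" ]; then
                    printf 'world-writable: %s\n' "$cmd"
                fi ;;
            *)  printf 'relative (PATH-dependent): %s\n' "$cmd" ;;
        esac
    done
}

# Real-host usage (not run automatically):
#   unexpected_suid / /etc/suid-baseline.txt
#   writable_cron_targets /etc/crontab
if [ -n "${AUDIT_ROOT:-}" ]; then
    unexpected_suid "$AUDIT_ROOT" "${AUDIT_BASELINE:-/dev/null}"
fi
```

Any path printed by `unexpected_suid` is a new SUID binary to explain or remove, and any `world-writable:` line means a root cron job runs code that any local user can edit.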

Automatic enumeration tools

LinPEAS: comprehensive, color-coded, highly detailed enumeration.
  Usage: curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

LinEnum: lighter enumeration script.
  Usage: ./LinEnum.sh -t

linux-exploit-suggester: suggests kernel exploits based on version.
  Usage: ./linux-exploit-suggester.sh

pspy: monitors processes without being root.
  Usage: ./pspy64

Flashcards

  1. Which Linux groups often allow privilege escalation?
  2. Why use pspy instead of ps aux to detect cron jobs?

Exercises

Exercise 1 — Build a privilege escalation enumeration checklist

  1. On a Linux VM (TryHackMe "Linux PrivEsc" or HackTheBox), run id and sudo -l
  2. Find all SUID files: find / -perm -4000 -type f 2>/dev/null
  3. List all cron jobs: cat /etc/crontab + crontab -l
  4. Download and run LinPEAS — read the red (critical) sections
  5. Download pspy64 and observe root-launched processes for 5 minutes

Open Questions

Question 1 — Why is enumeration the most important step in Linux privilege escalation?

Next Lesson

With enumeration complete, the next lesson exploits the most common Linux privilege escalation vector: SUID and SGID binaries.

Next: SUID & SGID
