The first step toward escalating your privileges on Windows or Linux is, again, enumeration.
Hostname
Returns the hostname of the machine, which can hint at the target system's role within the network.
hostname
uname -a
Provides details about the kernel, which is useful when searching for a kernel exploit.
uname -a
/proc/version
Provides information on the kernel version and whether a compiler (GCC, for instance) is installed.
It helps you find a kernel exploit and also narrows down your exploit research by telling you which compiler is available.
cat /proc/version
/etc/issue
Usually contains information about the operating system
cat /etc/issue
ps Command
Provides details on running processes, showing:
PID - the process ID
TTY - the terminal type used by the user
TIME - the amount of CPU time used by the process
CMD - the associated command or executable
//show all running processes
ps -A
//show the process tree
ps axjf
//a - show processes for all users
//u - show the user that launched each process
//x - show processes not attached to a terminal
ps aux
env
Provides details on the environment variables. The PATH variable might reveal compilers and scripting languages available on the machine, which helps you pick an appropriate exploit.
env
sudo -l
Shows the list of commands the user is allowed to run as root via sudo.
sudo -l
ls
Helps you find files which might contain important data, such as a hidden .htaccess or .htpasswd file (-a also lists hidden dot files).
ls -la
id
Provides information on the user's privilege level and the groups the user is in.
id
/etc/passwd
The easiest way to find other users on the machine, which might help in lateral movement.
cat /etc/passwd
history
Provides information on previously run commands and, occasionally, credentials typed on the command line.
history
ifconfig
When pivoting, the ifconfig command provides information on the available network interfaces of the system.
ifconfig
netstat
Helps gather information on existing communications.
//show all listening ports and established connections
netstat -a
//list TCP or UDP connections respectively
netstat -at or netstat -au
//list ports in "listening" mode; these ports are open and ready to accept incoming connections
netstat -l
//list network usage statistics by protocol; can be combined with -t or -u to limit the output to a specific protocol
netstat -s
//list connections with the service name and PID information; can be combined with -l to list listening ports only (netstat -ltp)
netstat -tp
//show interface statistics
netstat -i
//netstat -ano, which breaks down as follows:
//-a: display all sockets
//-n: do not resolve names
//-o: display timers
netstat -ano
find
//find the file named "flag1.txt" in the current directory
find . -name flag1.txt
//find the file named "flag1.txt" in the /home directory
find /home -name flag1.txt
//find the directory named config under "/"
find / -type d -name config
//find files with 777 permissions (readable, writable, and executable by all users)
find / -type f -perm 0777
//find files executable by all users
find / -perm -a=x
//find all files owned by a given user (e.g. "frank") under /home
find /home -user [username]
//find files modified in the last 10 days
find / -mtime -10
//find files accessed in the last 10 days
find / -atime -10
//find files changed within the last hour (60 minutes)
find / -cmin -60
//find files accessed within the last hour (60 minutes)
find / -amin -60
//find files with a size of 50 MB
find / -size 50M
//find folders writable by the current user
find / -writable -type d 2>/dev/null
//find world-writable folders (write bit set for owner, group and others)
find / -perm -222 -type d 2>/dev/null
//find world-writable folders (write bit set for others)
find / -perm -o=w -type d 2>/dev/null
//find installed scripting languages and compilers (the glob is quoted so the shell does not expand it)
find / -name "perl*"
find / -name "python*"
find / -name "gcc*"
//find files with the SUID bit, which allows us to run the file with a higher privilege level than the current user
find / -perm -u=s -type f 2>/dev/null
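The world-writable and SUID checks above, wrapped into a small POSIX sh audit script so the results can be kept as a baseline and compared on later runs. This is an added example, not part of the original notes; the function names and the constructed temp tree in demo are my own.

```shell
#!/bin/sh
# Added example (not part of the original notes): the world-writable and
# SUID "find" checks above wrapped in functions, so a defender can run them
# against a known-good baseline and alert on new results. $1 is the tree to
# scan ("/" on a real host); demo builds a constructed tree in a temp dir.

# Directories under $1 writable by "other", skipping sticky-bit directories
# such as /tmp, where users cannot delete each other's files.
world_writable_dirs() {
    find "$1" -type d -perm -o=w ! -perm -1000 2>/dev/null | sort
}

# Regular files under $1 with the setuid or setgid bit set.
setid_files() {
    find "$1" -type f \( -perm -u=s -o -perm -g=s \) 2>/dev/null | sort
}

# Number of lines on stdin, as a single figure to alert on (0 when empty).
count_lines() {
    wc -l | tr -d ' '
}

# Build a constructed tree with one finding of each kind and scan it.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/open" "$tmp/sticky" "$tmp/closed"
    chmod 0777 "$tmp/open"      # should be reported
    chmod 1777 "$tmp/sticky"    # sticky bit set, should be skipped
    chmod 0755 "$tmp/closed"
    : > "$tmp/closed/suid_bin";  chmod 4755 "$tmp/closed/suid_bin"   # reported
    : > "$tmp/closed/plain_bin"; chmod 0755 "$tmp/closed/plain_bin"  # not reported
    echo "world-writable dirs ($(world_writable_dirs "$tmp" | count_lines)):"
    world_writable_dirs "$tmp"
    echo "setuid/setgid files ($(setid_files "$tmp" | count_lines)):"
    setid_files "$tmp"
    rm -rf "$tmp"
}

# Run with --demo to scan the constructed tree; source the file to use the
# functions on a real path, e.g. world_writable_dirs / > baseline.txt
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Diffing today's output against a saved baseline (diff baseline.txt <(setid_files /) in bash) turns a one-off enumeration command into a repeatable integrity check.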