Enumeration

The first step toward escalating your privileges on Windows or Linux is again Enumeration.

Hostname

Returns the hostname of the machine, it can provide information about the target system's role within the network

hostname

uname -a

Provides details about the kernel, which is useful in searching for a kernel exploit

uname -a

/proc/version

Provides information on the kernel version and whether a compiler is installed or not GCC for instance

it helps you find a kernel exploit and also helps in narrowing down your exploit research by providing details about the existing complier

cat /proc/version

/etc/issue

Usually contains information about the operating system

cat /etc/issue

ps Command

Provides details on running processes, showing

PID - the process ID

TTY - the terminal type used by the user.

Time: Amount of CPU time used by the process. CMD: shows details of the associated command or the executable

//Shows all running process
$ps -A 
//show the process tree
$ps axjf
//a - shows process for all users
// u - user that launched the process
//x - shows process not attached to the terminal
$ps aux

env

Provides details on the environment variables available, the PATH variables might have associated compilers and scripting languages available on the machine which help you pick an appropriate exploit

$env

sudo -l

Shows the list of commands the user is allowed to run as a root user.

sudo -l

ls

helps you find the files with might have some important data like an htaccess or htpasswd file which is hidden

ls -la

id

provide the information on the user's privilege level and the groups that the user is in.

id

/etc/passwd

The easiest way to find other users on the machine, which might help in lateral movement.

cat /etc/passwd

history

Provides information on previous commands and rarely some credintials

history

ifconfig

When pivoting, the ifconfig command provides information on the available network interfaces of the system.

ifconfig

netstat

helps gather information on existing communications,

//shows all listening ports and established connections.
netstat -a

//can be used to list TCP or UDP protocols respectively.
netstat -at or netstat -au 

//list ports in “listening” mode. These ports are open and ready to accept incoming connections.
netstat -l 

//list network usage statistics by protocol (below) This can also be used with the -t or -u options to limit the output to a specific protocol.
netstat -s

netstat -tp: list connections with the service name and PID information.

//this can also be used with the -l option to list listening ports (below)

// Provides interface stats.
netstat -i


netstat -ano which could be broken down as follows;
-a: Display all sockets
-n: Do not resolve names
-o: Display timers

find

//find the file named “flag1.txt” in the current directory
find . -name flag1.txt

//find the file names “flag1.txt” in the /home directory
find /home -name flag1.txt

//find the directory named config under “/”
find / -type d -name config 

//find files with the 777 permissions (files readable, writable, and executable by all users)
find / -type f -perm 0777
 
//find executable files
find / -perm a=x 

//find all files for user “frank” under “/home”
find /home -user [username] 

//find files that were modified in the last 10 days
find / -mtime 10 
//find files that were accessed in the last 10 day
find / -atime 10 

//find files changed within the last hour (60 minutes)
find / -cmin -60 

//find files accesses within the last hour (60 minutes)
find / -amin -60 

//find files with a 50 MB size
find / -size 50M 


find / -writable -type d 2>/dev/null : Find world-writeable folders
find / -perm -222 -type d 2>/dev/null: Find world-writeable folders
find / -perm -o w -type d 2>/dev/null: Find world-writeable folders

find / -name perl*
find / -name python*
find / -name gcc*

find / -perm -u=s -type f 2>/dev/null: Find files with the SUID bit, which allows us to run the file with a higher privilege level than the current user.