LinEnum
Understanding LinEnum
LinEnum is a privilege escalation checker for Linux. Here I will try to break down and understand the commands it uses specifically for information gathering. I am not trying to analyze the script itself, but what it is getting, how it is getting it, and why it is getting it. The script is pretty well commented, so much of the work is done for us.
Main Functions
header debug_info system_info user_info environmental_info job_info networking_info services_info software_configs interesting_files docker_checks lxc_container_checks footer
Information Gathering Commands
List of binaries from GTFO Bins
binarylist='aria2c\|arp\|ash\|awk\|base64\|bash\|busybox\|cat\|chmod\|chown\|cp\|csh\|curl\|cut\|dash\|date\|dd\|diff\|dmsetup\|docker\|ed\|emacs\|env\|expand\|expect\|file\|find\|flock\|fmt\|fold\|ftp\|gawk\|gdb\|gimp\|git\|grep\|head\|ht\|iftop\|ionice\|ip$\|irb\|jjs\|jq\|jrunscript\|ksh\|ld.so\|ldconfig\|less\|logsave\|lua\|make\|man\|mawk\|more\|mv\|mysql\|nano\|nawk\|nc\|netcat\|nice\|nl\|nmap\|node\|od\|openssl\|perl\|pg\|php\|pic\|pico\|python\|readelf\|rlwrap\|rpm\|rpmquery\|rsync\|ruby\|run-parts\|rvim\|scp\|script\|sed\|setarch\|sftp\|sh\|shuf\|socat\|sort\|sqlite3\|ssh$\|start-stop-daemon\|stdbuf\|strace\|systemctl\|tail\|tar\|taskset\|tclsh\|tee\|telnet\|tftp\|time\|timeout\|ul\|unexpand\|uniq\|unshare\|vi\|vim\|watch\|wget\|wish\|xargs\|xxd\|zip\|zsh'
System Info
Get kernel info
uname -a 2>/dev/null
Get kernel version and build info from procfs (works even when uname is missing or restricted)
cat /proc/version 2>/dev/null
Get OS info
cat /etc/*-release 2>/dev/null
Get hostname
hostname 2>/dev/null
User Info
User ID and groups
id 2>/dev/null
Get the last time users logged in
lastlog 2>/dev/null |grep -v "Never" 2>/dev/null
Get users currently logged in
w 2>/dev/null
Get all IDs and groups
for i in $(cut -d":" -f1 /etc/passwd 2>/dev/null);do id $i;done 2>/dev/null
Get adm users (members of the adm group, which on most distros can read the logs under /var/log)
grpinfo=`for i in $(cut -d":" -f1 /etc/passwd 2>/dev/null);do id $i;done 2>/dev/null`
adm_users=$(echo -e "$grpinfo" | grep "(adm)")
echo $adm_users
Check for password hashes in passwd (anything whose second field is not x; an empty second field means the account needs no password at all, and ! or * means it is locked)
grep -v '^[^:]*:[x]' /etc/passwd 2>/dev/null
/etc/passwd contents
cat /etc/passwd 2>/dev/null
Attempt to read master.passwd
cat /etc/master.passwd 2>/dev/null
Attempt to read /etc/shadow
cat /etc/shadow 2>/dev/null
Get all accounts with UID 0
grep -v -E "^#" /etc/passwd 2>/dev/null| awk -F: '$3 == 0 { print $1}' 2>/dev/null
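To see what these passwd checks actually flag, here is an added example (my own, not LinEnum's code) that runs the same grep and awk over a constructed /etc/passwd held in a variable instead of the real file, and then separates the three cases the raw grep lumps together. Every account in the sample is made up.

```sh
#!/bin/sh
# Added example (not LinEnum code): LinEnum's /etc/passwd checks run against a
# constructed passwd file so the logic can be inspected offline. Every account
# below is made up: "legacy" keeps its hash in passwd, "guest" has an empty
# password field, "svc" is locked, and "toor" is a second UID-0 account.
SAMPLE_PASSWD="$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
legacy:$6$saltsalt$abc123hashvalue:1001:1001::/home/legacy:/bin/sh
toor:x:0:0:backdoor:/root:/bin/bash
guest::1002:1002::/home/guest:/bin/sh
svc:!:999:999::/nonexistent:/usr/sbin/nologin
EOF
)"

# LinEnum's check, with the script's exact regex: every line whose second
# field does not start with "x" (i.e. the password is not deferred to shadow).
# Only the account name is printed here.
passwd_nonshadow_accounts() {
    printf '%s\n' "$1" | grep -v '^[^:]*:[x]' | cut -d: -f1
}

# Added refinement: LinEnum prints the raw lines, which lumps together three
# very different situations. Tell them apart, because an empty field means
# "no password needed" and "!" or "*" means password login is disabled.
passwd_classify_nonshadow() {
    printf '%s\n' "$1" | awk -F: '
        $2 == "x"     { next }
        $2 == ""      { print $1 ": empty (no password required)"; next }
        $2 ~ /^[!*]/  { print $1 ": locked"; next }
                      { print $1 ": hash stored in passwd" }'
}

# LinEnum's UID-0 check: drop comments, print every account whose UID is 0.
# The name is irrelevant; "toor" here is as much root as "root" is.
passwd_uid0_accounts() {
    printf '%s\n' "$1" | grep -v -E '^#' | awk -F: '$3 == 0 { print $1 }'
}
```

On a real host, feed the functions "$(cat /etc/passwd)" instead of the sample; the classification is what you want to read first, since an empty field is an immediate login as that user and a hash in passwd is a cracking target readable by everyone.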
Get sudoers
grep -v -e '^$' /etc/sudoers 2>/dev/null |grep -v "#" 2>/dev/null
Get sudo permissions without a password (-S reads the password from stdin, -k ignores any cached credentials, so this only succeeds when the user has NOPASSWD entries)
echo '' | sudo -S -l -k 2>/dev/null
Get sudo permissions with a password (when one was supplied to the script in $userpassword)
echo $userpassword | sudo -S -l -k 2>/dev/null
Checks if any of the binaries in GTFOBins can be run via sudo (one token per line, trailing commas stripped, then a whole-word match against $binarylist)
echo '' | sudo -S -l -k 2>/dev/null | xargs -n 1 2>/dev/null | sed 's/,*$//g' 2>/dev/null | grep -w $binarylist 2>/dev/null
Get users who have successfully used sudo
find /home -name .sudo_as_admin_successful 2>/dev/null
Check if root directory is readable
ls -ahl /root/ 2>/dev/null
Get home directory permissions
ls -ahl /home/ 2>/dev/null
Get a list of files writeable but not owned by the current user
find / -writable ! -user `whoami` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null
Get a list of files owned by the current user
find / -user `whoami` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null
List hidden files
find / -name ".*" -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null
Find world-readable files within /home directories (-perm -4 tests the others-read bit, so this is a readability check, not a writability check, whatever the variable name in the script suggests)
find /home/ -perm -4 -type f -exec ls -al {} \; 2>/dev/null
List contents of the current user's home directory
ls -ahl ~ 2>/dev/null
Finds various important ssh files (private keys, known_hosts and authorized_keys; note the name list predates ecdsa and ed25519 keys, so id_ecdsa* and id_ed25519* are not caught)
find / \( -name "id_dsa*" -o -name "id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" \) -exec ls -la {} 2>/dev/null \;
Check if root can log in via ssh (only an uncommented directive is printed; if nothing comes back the directive is absent and OpenSSH 7.0+ defaults to prohibit-password, and sshd -T shows the effective value when you are able to run it)
grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#" | awk '{print $2}'
Environmental
Get Environment Variables
env 2>/dev/null | grep -v 'LS_COLORS' 2>/dev/null
Check if SELinux is enabled
sestatus 2>/dev/null
Get $PATH
echo $PATH 2>/dev/null
Get a list of shells that are available
cat /etc/shells 2>/dev/null
Get the UMASK value (symbolic and octal; LinEnum joins the two with a single &, which backgrounds the first command, so ; is used here to run them in order)
umask -S 2>/dev/null ; umask 2>/dev/null
Get the UMASK from /etc/login.defs
grep -i "^UMASK" /etc/login.defs 2>/dev/null
Get Password Policy info
grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs 2>/dev/null
Jobs
Get cron jobs
ls -la /etc/cron* 2>/dev/null
Check permissions on cron jobs (files under /etc/cron* with the other-write bit set are listed and printed; any of them is a root code execution path once the job fires)
find /etc/cron* -perm -0002 -type f -exec ls -la {} \; -exec cat {} 2>/dev/null \;
Get system-wide cron jobs
cat /etc/crontab 2>/dev/null
Get user cron jobs (the spool is normally only readable by root)
ls -la /var/spool/cron/crontabs 2>/dev/null
Get anacron jobs
ls -la /etc/anacrontab 2>/dev/null; cat /etc/anacrontab 2>/dev/null
Get user anacron jobs
ls -la /var/spool/anacron 2>/dev/null
Check if any user in /etc/passwd has cronjobs (crontab -u for another user needs root, so as an unprivileged user this only shows your own)
cut -d ":" -f 1 /etc/passwd | xargs -n1 crontab -l -u 2>/dev/null
List systemd timers (these are like cron jobs: each timer starts a unit on a schedule, and --all includes inactive ones)
systemctl list-timers --all 2>/dev/null
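The cron permission check is easiest to understand on a throwaway directory tree. The following is an added example, not part of LinEnum: it builds a scratch cron layout with mktemp, runs LinEnum's -perm -0002 file check over it, and adds a directory check the script does not do (a world-writable cron.daily lets you drop a new job even when every existing job file is 644). Paths and job contents are made up.

```sh
#!/bin/sh
# Added example (not LinEnum code): exercise LinEnum's world-writable cron
# check against a scratch tree so the permission test can be seen without
# touching /etc/cron*. Everything lives under mktemp and is removed by the
# caller afterwards.

# Build a fixture: a cron.d with a sane job and a world-writable job, a
# normal cron.hourly script, and a world-writable cron.daily directory.
make_cron_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/cron.d" "$dir/cron.hourly" "$dir/cron.daily"
    printf '*/5 * * * * root /usr/local/bin/backup.sh\n' > "$dir/cron.d/backup"
    printf '0 3 * * * root /opt/cleanup.sh\n' > "$dir/cron.d/cleanup"
    printf '#!/bin/sh\necho hourly\n' > "$dir/cron.hourly/rotate"
    chmod 644 "$dir/cron.d/backup" "$dir/cron.hourly/rotate"
    chmod 666 "$dir/cron.d/cleanup"        # anyone can rewrite this job
    chmod 1777 "$dir/cron.daily"           # anyone can drop a new job here
    printf '%s\n' "$dir"
}

# LinEnum's check: files under the cron tree with the other-write bit set.
# -perm -0002 means "all of these mode bits are set", here just o+w.
world_writable_cron_files() {
    find "$1"/cron* -perm -0002 -type f 2>/dev/null | sort
}

# Added: directories with the other-write bit. The sticky bit (the 1 in 1777)
# only stops you deleting other people's files; creating a new one is fine.
world_writable_cron_dirs() {
    find "$1"/cron* -perm -0002 -type d 2>/dev/null | sort
}
```

Point both functions at /etc (so the glob becomes /etc/cron*) on a real host; the directory result is the one LinEnum would miss.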
Networking
Get network interface information
/sbin/ifconfig -a 2>/dev/null
Get network interface information
/sbin/ip a 2>/dev/null
Print the ARP table
arp -a 2>/dev/null
Print the ARP table
ip n 2>/dev/null
Get nameservers
grep "nameserver" /etc/resolv.conf 2>/dev/null
Get nameservers
systemd-resolve --status 2>/dev/null
Get default route
route 2>/dev/null | grep default
Get default route
ip r 2>/dev/null | grep default
Get listening TCP ports
netstat -ntpl 2>/dev/null
Get listening TCP Ports
ss -t -l -n 2>/dev/null
Get Listening UDP Ports
netstat -nupl 2>/dev/null
Get listening UDP Ports
ss -u -l -n 2>/dev/null
Services
Get all running processes (the list will be limited to what the current user can view, e.g. when /proc is mounted with hidepid)
ps aux 2>/dev/null
Get the process binary path as well as the permissions. The awk '!x[$0]++' part is a bit confusing, but what it does is use an associative array where the current line is the key and the value is a counter. The first time a line is seen, x[$0] is 0, so !x[$0] is true and the line is printed, and the post-increment bumps the count to 1; on any later occurrence the count is non-zero and the line is skipped. In short: de-duplicate while keeping the first occurrence.
ps aux 2>/dev/null | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null
Prints inetd.conf for a manual check for useful information
cat /etc/inetd.conf 2>/dev/null
Get binaries and their permissions from inetd
awk '{print $7}' /etc/inetd.conf 2>/dev/null |xargs -r ls -la 2>/dev/null
Print xinetd.conf for manual inspection
cat /etc/xinetd.conf 2>/dev/null
Check if /etc/xinetd.d is included from xinetd.conf (the per-service files live there)
grep "/etc/xinetd.d" /etc/xinetd.conf 2>/dev/null
Get binaries and their permissions from xinetd
awk '{print $7}' /etc/xinetd.conf 2>/dev/null |xargs -r ls -la 2>/dev/null
Get init.d files' permissions
ls -la /etc/init.d 2>/dev/null
Check if there are any init.d files not owned by root
find /etc/init.d/ \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null
Get file permissions for rc.d/init.d
ls -la /etc/rc.d/init.d 2>/dev/null
Check if there are any rc.d/init.d files not owned by root
find /etc/rc.d/init.d \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null
Get file permissions for /usr/local/etc/rc.d files (BSD)
ls -la /usr/local/etc/rc.d 2>/dev/null
Check for rc.d files not owned by root
find /usr/local/etc/rc.d \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null
Check /etc/init permissions (Upstart)
ls -la /etc/init/ 2>/dev/null
Check for startup scripts not owned by root
find /etc/init \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null
Get systemd config file permissions
ls -lthR /lib/systemd/ 2>/dev/null
Check for systemd files not owned by root
find /lib/systemd/ \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null
Software
Get Sudo Version
sudo -V 2>/dev/null| grep "Sudo version" 2>/dev/null
Get MySQL version
mysql --version 2>/dev/null
Check root:root password for mysql
mysqladmin -uroot -proot version 2>/dev/null
Get Postgres version
psql -V 2>/dev/null
Checks connection with several users to different databases
psql -U postgres -w template0 -c 'select version()' 2>/dev/null | grep version
psql -U postgres -w template1 -c 'select version()' 2>/dev/null | grep version
psql -U pgsql -w template0 -c 'select version()' 2>/dev/null | grep version
psql -U pgsql -w template1 -c 'select version()' 2>/dev/null | grep version
Get apache and httpd versions
apache2 -v 2>/dev/null; httpd -v 2>/dev/null
Get the user running apache
grep -i 'user\|group' /etc/apache2/envvars 2>/dev/null |awk '{sub(/.*\export /,"")}1' 2>/dev/null
Check to see what apache and httpd modules are installed
apache2ctl -M 2>/dev/null; httpd -M 2>/dev/null
Find .htpasswd files and print them out
find / -name .htpasswd -print -exec cat {} \; 2>/dev/null
Check the contents of default http directories
ls -alhR /var/www/ 2>/dev/null; ls -alhR /srv/www/htdocs/ 2>/dev/null; ls -alhR /usr/local/www/apache2/data/ 2>/dev/null; ls -alhR /opt/lampp/htdocs/ 2>/dev/null
Interesting Files
Check to see if various useful tools are installed
which nc 2>/dev/null ; which netcat 2>/dev/null ; which wget 2>/dev/null ; which nmap 2>/dev/null ; which gcc 2>/dev/null; which curl 2>/dev/null
Check to see if compilers are installed
dpkg --list 2>/dev/null| grep compiler |grep -v decompiler 2>/dev/null && yum list installed 'gcc\*' 2>/dev/null| grep gcc 2>/dev/null
Lists permissions of some sensitive files that need to be manually checked
ls -la /etc/passwd 2>/dev/null ; ls -la /etc/group 2>/dev/null ; ls -la /etc/profile 2>/dev/null; ls -la /etc/shadow 2>/dev/null ; ls -la /etc/master.passwd 2>/dev/null
Find SUID files
find / -perm -4000 -type f 2>/dev/null
Find SUID files that are part of GTFOBins (assumes the previous command's output is stored in the variable $allsuid)
find $allsuid -perm -4000 -type f -exec ls -la {} \; 2>/dev/null | grep -w $binarylist 2>/dev/null
Check for SUID files that are world writeable
find $allsuid -perm -4002 -type f -exec ls -la {} 2>/dev/null \;
Check for world writeable SUID files owned by root
find $allsuid -uid 0 -perm -4002 -type f -exec ls -la {} 2>/dev/null \;
Find SGID files
find / -perm -2000 -type f 2>/dev/null
Check for SGID files that are part of GTFOBins (assumes the previous command's output is stored in the variable $allsgid)
find $allsgid -perm -2000 -type f -exec ls -la {} \; 2>/dev/null | grep -w $binarylist 2>/dev/null
Check for world writeable SGID files
find $allsgid -perm -2002 -type f -exec ls -la {} 2>/dev/null \;
Check for world writeable SGID files owned by root
find $allsgid -uid 0 -perm -2002 -type f -exec ls -la {} 2>/dev/null \;
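Both the sudo check in the User Info section (echo '' | sudo -S -l -k ... | grep -w $binarylist) and the SUID/SGID checks here are the same idea: a whole-word grep of a list of paths against $binarylist. The example below is added by me and is not LinEnum's code. It feeds constructed sudo -l output and a constructed SUID inventory (the user alice, host box and every path are made up, and binarylist is trimmed to a few entries) through LinEnum's pipeline, shows the blind spot of grep -w on versioned binaries (python3 never matches python), and merges the results with the awk '!x[$0]++' de-duplication described in the Services section.

```sh
#!/bin/sh
# Added example, not LinEnum's own code: run LinEnum's GTFOBins matching logic
# against constructed sudo -l and SUID listings so the behaviour (and one blind
# spot) can be seen offline. binarylist is a trimmed subset of the page's list.
binarylist='awk\|bash\|find\|ip$\|nmap\|perl\|python\|ssh$\|vim'

# Constructed sudo -l output for a fictitious user "alice" on host "box".
SUDO_L="$(cat <<'EOF'
Matching Defaults entries for alice on box:
    env_reset, mail_badpass

User alice may run the following commands on box:
    (ALL) NOPASSWD: /usr/bin/vim, /usr/bin/find
    (root) /usr/sbin/service apache2 restart
EOF
)"

# Constructed SUID inventory (what find / -perm -4000 -type f might return).
SUID_LIST="$(cat <<'EOF'
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/find
/usr/bin/python3
/usr/bin/mount
EOF
)"

# LinEnum's sudo pipeline: one token per line, trailing commas stripped, then
# a whole-word match against the binary list. (xargs chokes on unbalanced
# quotes in the input; real sudo -l output rarely has any.)
gtfo_sudo_matches() {
    printf '%s\n' "$1" | xargs -n 1 2>/dev/null | sed 's/,*$//g' | grep -w "$binarylist"
}

# LinEnum's SUID check: the same whole-word grep over the file list.
gtfo_suid_matches() {
    printf '%s\n' "$1" | grep -w "$binarylist"
}

# Blind spot: grep -w treats "python3" as one word, so versioned binaries never
# match "python". Strip a trailing version from the basename before matching.
gtfo_suid_matches_versioned() {
    printf '%s\n' "$1" | while IFS= read -r path; do
        base=$(basename "$path" | sed 's/[0-9.]*$//')
        if printf '%s\n' "$base" | grep -qw "$binarylist"; then
            printf '%s\n' "$path"
        fi
    done
}

# Merge both sources and drop duplicates while keeping the first occurrence:
# the awk '!x[$0]++' idiom LinEnum uses when listing process binaries.
gtfo_all() {
    { gtfo_sudo_matches "$1"; gtfo_suid_matches_versioned "$2"; } | awk '!x[$0]++'
}
```

On a real host replace the two constants with "$(echo '' | sudo -S -l -k 2>/dev/null)" and "$(find / -perm -4000 -type f 2>/dev/null)"; anything gtfo_all prints is worth looking up on GTFOBins before anything else on the box.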
List all files with POSIX capabilities
getcap -r / 2>/dev/null || /sbin/getcap -r / 2>/dev/null
Search for capabilities granted to users via pam_cap (drops comments, blank lines and the "none" default; the none filter is a substring match, so it also drops any user whose name happens to contain "none")
grep -v '^#\|none\|^$' /etc/security/capability.conf 2>/dev/null
User Capabilities (this is the script's own logic; it assumes $userswithcaps holds the output of the capability.conf grep above and $fileswithcaps holds the getcap output. Note that grep "$cap" is a substring match, so a user granted a comma-separated list of capabilities matches no file, and grep `whoami` also matches longer user names that contain yours)
```bash
if [ "$userswithcaps" ] ; then
  # matches the capabilities found associated with users with the current user
  matchedcaps=`echo -e "$userswithcaps" | grep \`whoami\` | awk '{print $1}' 2>/dev/null`
  if [ "$matchedcaps" ]; then
    echo -e "\e[00;33m[+] Capabilities associated with the current user:\e[00m\n$matchedcaps"
    echo -e "\n"
    # matches the files with capabilities with capabilities associated with the current user
    matchedfiles=`echo -e "$matchedcaps" | while read -r cap ; do echo -e "$fileswithcaps" | grep "$cap" ; done 2>/dev/null`
    if [ "$matchedfiles" ]; then
      echo -e "\e[00;33m[+] Files with the same capabilities associated with the current user (You may want to try abusing those capabilities):\e[00m\n$matchedfiles"
      echo -e "\n"
      # lists the permissions of the files having the same capabilities associated with the current user
      matchedfilesperms=`echo -e "$matchedfiles" | awk '{print $1}' | while read -r f; do ls -la $f ;done 2>/dev/null`
      echo -e "\e[00;33m[+] Permissions of files with the same capabilities associated with the current user:\e[00m\n$matchedfilesperms"
      echo -e "\n"
      if [ "$matchedfilesperms" ]; then
        # checks if any of the files with same capabilities associated with the current user is writable
        writablematchedfiles=`echo -e "$matchedfiles" | awk '{print $1}' | while read -r f; do find $f -writable -exec ls -la {} + ;done 2>/dev/null`
        if [ "$writablematchedfiles" ]; then
          echo -e "\e[00;33m[+] User/Group writable files with the same capabilities associated with the current user:\e[00m\n$writablematchedfiles"
          echo -e "\n"
        fi
      fi
    fi
  fi
fi
```
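The matching above greps for the user name and then greps the getcap output for each capability string. The added example below (mine, not LinEnum's) does the same user-to-file matching on a constructed capability.conf and constructed getcap output, but splits comma-separated capability lists and compares whole capability names, which is exactly where the script's substring grep goes wrong. Users, paths and capability grants are made up.

```sh
#!/bin/sh
# Added example (not LinEnum code): the user-to-file capability matching that
# LinEnum does with grep, re-done on constructed inputs so the matching rule is
# explicit. File paths, users and capability assignments below are made up.

# Constructed /etc/security/capability.conf (pam_cap): "<caps> <user>" per line.
CAP_CONF="$(cat <<'EOF'
# capabilities  user
cap_net_raw alice
cap_setuid,cap_dac_override bob
none *
EOF
)"

# Constructed `getcap -r /` output (libcap 2.4x style "<path> <caps>=<flags>";
# the parser below also accepts the older "<path> = <caps>+<flags>" form).
GETCAP_OUT="$(cat <<'EOF'
/usr/bin/ping cap_net_raw=ep
/usr/bin/python3 cap_setuid=ep
/usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip
EOF
)"

# LinEnum's pre-filter: drop comments, blank lines and the "none" default.
caps_entries() {
    printf '%s\n' "$1" | grep -v '^#\|none\|^$'
}

# Capabilities granted to one user, one per line (the comma list is split,
# and the user name is compared whole rather than grepped as a substring).
user_caps() {
    caps_entries "$1" | awk -v u="$2" '$2 == u { n = split($1, c, ","); for (i = 1; i <= n; i++) print c[i] }'
}

# Files whose capability set contains the given capability. Everything after
# the path and before "=" or "+" is the cap list; split it on commas and
# compare whole names, so cap_net_raw cannot match cap_net_raw_something and
# a multi-cap file is still found.
files_with_cap() {
    printf '%s\n' "$1" | awk -v want="$2" '
        {
            line = $0; sub(/^[^ ]+ *=? */, "", line)   # strip path (and " = ")
            sub(/[=+].*$/, "", line)                   # strip "=ep" / "+ep" flags
            n = split(line, c, ",")
            for (i = 1; i <= n; i++) if (c[i] == want) { print $1; break }
        }'
}

# Everything a given user could reach: for each cap the user holds, list the
# files carrying it (LinEnum's "Files with the same capabilities" output).
user_reachable_files() {
    user_caps "$1" "$2" | while IFS= read -r cap; do
        files_with_cap "$3" "$cap"
    done | awk '!x[$0]++'
}
```

On a real host call user_reachable_files "$(cat /etc/security/capability.conf)" "$(whoami)" "$(getcap -r / 2>/dev/null)"; a hit on a file you can also write to is the case LinEnum's last branch is looking for.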
Search for readable private keys
grep -rl "PRIVATE KEY-----" /home 2>/dev/null
Search for AWS keys
grep -rli "aws_secret_access_key" /home 2>/dev/null
Search for git creds
find / -name ".git-credentials" 2>/dev/null
List all world writeable files excluding those in /proc and /sys
find / ! -path "*/proc/*" ! -path "/sys/*" -perm -2 -type f -exec ls -la {} 2>/dev/null \;
List any .plan files
find /home -iname "*.plan" -exec ls -la {} \; -exec cat {} 2>/dev/null \;
List any .plan files (BSD)
find /usr/home -iname "*.plan" -exec ls -la {} \; -exec cat {} 2>/dev/null \;
Find and print any .rhosts files (rlogin/rsh host trust; a line with a bare + trusts everyone)
find /home -iname "*.rhosts" -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;
Find and print any .rhosts files (BSD)
find /usr/home -iname "*.rhosts" -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;
Find and print hosts.equiv (the system-wide equivalent of .rhosts)
find /etc -iname hosts.equiv -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;
Print /etc/exports
ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null
Print /etc/fstab
cat /etc/fstab 2>/dev/null
Look for creds in /etc/fstab
grep username /etc/fstab 2>/dev/null |awk '{sub(/.*\username=/,"");sub(/\,.*/,"")}1' 2>/dev/null| xargs -r echo username: 2>/dev/null; grep password /etc/fstab 2>/dev/null |awk '{sub(/.*\password=/,"");sub(/\,.*/,"")}1' 2>/dev/null| xargs -r echo password: 2>/dev/null; grep domain /etc/fstab 2>/dev/null |awk '{sub(/.*\domain=/,"");sub(/\,.*/,"")}1' 2>/dev/null| xargs -r echo domain: 2>/dev/null
Look for a credentials= file referenced in /etc/fstab, then list and print it (CIFS mounts often keep the password there instead of inline)
grep cred /etc/fstab 2>/dev/null |awk '{sub(/.*\credentials=/,"");sub(/\,.*/,"")}1' 2>/dev/null | xargs -I{} sh -c 'ls -la {}; cat {}' 2>/dev/null
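The fstab checks above pull values out with a line-wide grep and a substring sub(). The added example below (mine, not LinEnum's) parses a constructed fstab properly instead: it splits the options column on commas and matches the option key whole, reports inline credentials the way LinEnum prints them, and checks whether a credentials= file is actually readable. Share names, the account, password, domain and the credentials path are all made up.

```sh
#!/bin/sh
# Added example (not LinEnum code): the /etc/fstab credential checks run over a
# constructed fstab. The share names, user, password, domain and credentials
# path below are all made up.
FSTAB="$(cat <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
UUID=0123-4567 / ext4 errors=remount-ro 0 1
//fileserver/share /mnt/share cifs username=svc_backup,password=Winter2024!,domain=CORP,uid=1000 0 0
//fileserver/private /mnt/private cifs credentials=/root/.smbcreds,iocharset=utf8 0 0
EOF
)"

# Value of one mount option (username, password, domain, credentials, ...) from
# every fstab entry that carries it. The options field is split on commas and
# the key is matched as a whole prefix, unlike LinEnum's line-wide grep, which
# also fires on the word "password" anywhere in the line (including comments).
fstab_option() {
    printf '%s\n' "$1" | awk -v key="$2" '
        $1 !~ /^#/ && NF >= 4 {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++)
                if (index(o[i], key "=") == 1) print substr(o[i], length(key) + 2)
        }'
}

# What LinEnum prints as "username:", "password:" and "domain:" lines.
fstab_inline_creds() {
    for k in username password domain; do
        fstab_option "$1" "$k" | while IFS= read -r v; do printf '%s: %s\n' "$k" "$v"; done
    done
}

# LinEnum's "round 2": credentials= points at a file holding the password.
# Report the path and whether the current user can read it (the script just
# runs ls -la and cat on it and relies on 2>/dev/null when it cannot).
fstab_cred_files() {
    fstab_option "$1" credentials | while IFS= read -r f; do
        if [ -r "$f" ]; then printf 'readable: %s\n' "$f"; else printf 'not readable: %s\n' "$f"; fi
    done
}
```

Inline CIFS credentials in fstab are readable by every local user, since /etc/fstab is normally 644, which is why the inline case matters more than the credentials= case.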
Search conf files for a given keyword stored in $keyword
find / -maxdepth 4 -name "*.conf" -type f -exec grep -Hn $keyword {} \; 2>/dev/null
Search php files for a given keyword stored in $keyword
find / -maxdepth 10 -name "*.php" -type f -exec grep -Hn $keyword {} \; 2>/dev/null
Search log files for a given keyword stored in $keyword
find / -maxdepth 4 -name "*.log" -type f -exec grep -Hn $keyword {} \; 2>/dev/null
Search ini files for a given keyword stored in $keyword
find / -maxdepth 4 -name "*.ini" -type f -exec grep -Hn $keyword {} \; 2>/dev/null
Get all conf files from /etc/
find /etc/ -maxdepth 1 -name "*.conf" -type f -exec ls -la {} \; 2>/dev/null
Get all current user history files
ls -la ~/.*_history 2>/dev/null
Attempt to get root's history
ls -la /root/.*_history 2>/dev/null
Find and print all .bash_history files that are readable
find /home -name .bash_history -print -exec cat {} 2>/dev/null \;
Find any .bak files (backup copies of config files are often left world-readable with the original's secrets in them)
find / -name "*.bak" -type f 2>/dev/null
Check if there is any readable mail
ls -la /var/mail 2>/dev/null
Check if root has mail that can be read by the current user
head /var/mail/root 2>/dev/null
Docker
Check if current environment is a docker instance
grep -i docker /proc/self/cgroup 2>/dev/null; find / -name "*dockerenv*" -exec ls -la {} \; 2>/dev/null
Check if docker is installed and if there are any instances
docker --version 2>/dev/null; docker ps -a 2>/dev/null
Check if the current user is in the docker group
id | grep -i docker 2>/dev/null
Find Dockerfile files
find / -name Dockerfile -exec ls -l {} 2>/dev/null \;
Find docker-compose.yml files
find / -name docker-compose.yml -exec ls -l {} 2>/dev/null \;
LXC Container
Check if current environment is a LXC container (-q prints nothing, only the exit status is meaningful, so the script uses this inside an if)
grep -qa container=lxc /proc/1/environ 2>/dev/null
Check if current user is in the lxd group
id | grep -i lxd 2>/dev/null
TODO
Go through and explain why each of these checks can be helpful. (Some are obvious.)