# LinEnum

## Understanding LinEnum

LinEnum is a Linux privilege-escalation checker. Here I will try to break down the commands it uses for information gathering: not the script's control flow, but what each command collects, how it collects it, and why that information matters when you are looking for a way up. The script is well commented, so much of the work is already done for us.

### Main Functions

`header`, `debug_info`, `system_info`, `user_info`, `environmental_info`, `job_info`, `networking_info`, `services_info`, `software_configs`, `interesting_files`, `docker_checks`, `lxc_container_checks`, `footer`

### Information Gathering Commands

List of binaries from GTFOBins, stored in `$binarylist` as a grep alternation. It is used further down to flag sudo rules, SUID files and SGID files that have a known shell escape. Note the `$` anchors on `ip$` and `ssh$`, which stop those two short names matching inside longer paths.

```bash
binarylist='aria2c\|arp\|ash\|awk\|base64\|bash\|busybox\|cat\|chmod\|chown\|cp\|csh\|curl\|cut\|dash\|date\|dd\|diff\|dmsetup\|docker\|ed\|emacs\|env\|expand\|expect\|file\|find\|flock\|fmt\|fold\|ftp\|gawk\|gdb\|gimp\|git\|grep\|head\|ht\|iftop\|ionice\|ip$\|irb\|jjs\|jq\|jrunscript\|ksh\|ld.so\|ldconfig\|less\|logsave\|lua\|make\|man\|mawk\|more\|mv\|mysql\|nano\|nawk\|nc\|netcat\|nice\|nl\|nmap\|node\|od\|openssl\|perl\|pg\|php\|pic\|pico\|python\|readelf\|rlwrap\|rpm\|rpmquery\|rsync\|ruby\|run-parts\|rvim\|scp\|script\|sed\|setarch\|sftp\|sh\|shuf\|socat\|sort\|sqlite3\|ssh$\|start-stop-daemon\|stdbuf\|strace\|systemctl\|tail\|tar\|taskset\|tclsh\|tee\|telnet\|tftp\|time\|timeout\|ul\|unexpand\|uniq\|unshare\|vi\|vim\|watch\|wget\|wish\|xargs\|xxd\|zip\|zsh'
```

#### System Info

Get kernel info

```bash
uname -a 2>/dev/null
```

Get the kernel version and the compiler it was built with from /proc/version (a second source for the same data if `uname` is missing)

```bash
cat /proc/version 2>/dev/null
```

Get OS info

```bash
cat /etc/*-release 2>/dev/null
```

Get hostname

```bash
hostname 2>/dev/null
```

#### User Info

User ID and groups

```bash
id 2>/dev/null
```

Get the last time users logged in

```bash
lastlog 2>/dev/null |grep -v "Never" 2>/dev/null
```

Get users currently logged in

```bash
w 2>/dev/null
```

Get the IDs and groups of every account in /etc/passwd, then pick out members of the adm group (on Debian-based systems adm can read most logs under /var/log)

```bash
grpinfo=`for i in $(cut -d":" -f1 /etc/passwd 2>/dev/null);do id $i;done 2>/dev/null`
adm_users=$(echo -e "$grpinfo" | grep "(adm)")
echo $adm_users
```

Check for password hashes in /etc/passwd. The pattern prints every entry whose second field does not start with `x`, so it also surfaces accounts with an empty password field, which need no password at all.

```bash
grep -v '^[^:]*:[x]' /etc/passwd 2>/dev/null
```

/etc/passwd contents

```bash
cat /etc/passwd 2>/dev/null
```

Attempt to read master.passwd

```bash
cat /etc/master.passwd 2>/dev/null
```

Attempt to read /etc/shadow

```bash
cat /etc/shadow 2>/dev/null
```

Get all accounts with UID 0

```bash
grep -v -E "^#" /etc/passwd 2>/dev/null| awk -F: '$3 == 0 { print $1}' 2>/dev/null
```

Get sudoers

```bash
grep -v -e '^$' /etc/sudoers 2>/dev/null |grep -v "#" 2>/dev/null
```

List sudo rules without supplying a password. This works when the user has at least one NOPASSWD rule; `-k` ignores any cached credentials so the result does not depend on a recent sudo.

```bash
echo '' | sudo -S -l -k 2>/dev/null
```

List sudo rules using a known password (`$userpassword` is the password given with LinEnum's `-p` option)

```bash
echo $userpassword | sudo -S -l -k 2>/dev/null
```

Checks if any of the binaries in GTFOBins can be run with sudo. The pipeline tokenises the `sudo -l` output, strips the trailing commas sudo puts between commands, and matches each token against `$binarylist` as a whole word.

```bash
echo '' | sudo -S -l -k 2>/dev/null | xargs -n 1 2>/dev/null | sed 's/,*$//g' 2>/dev/null | grep -w $binarylist 2>/dev/null
```
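To see what that pipeline actually catches, here is the same chain run over a made-up `sudo -l` listing. This is an added example, not LinEnum's code; the binary list is a short subset of the page's `$binarylist` with the same syntax, and the host name, user and rules are constructed.

```bash
#!/bin/bash
# Added example: replay LinEnum's "sudo + GTFOBins" pipeline against a
# constructed `sudo -l` listing so its behaviour can be checked offline.
# Subset of LinEnum's $binarylist (basic-regex alternation, $ anchors on ip/ssh).
binarylist='awk\|bash\|env\|find\|ip$\|man\|python\|ssh$\|vim'

# Constructed `sudo -l` output (not captured from a real host).
sample_sudo_l='Matching Defaults entries for bob on web01:
    env_reset, mail_badpass

User bob may run the following commands on web01:
    (root) NOPASSWD: /usr/bin/vim, /usr/bin/find
    (ALL) /usr/sbin/ip, /usr/bin/python3
    (root) /usr/sbin/service apache2 restart'

# Same pipeline as the page, reading the sudo -l text from stdin:
#   xargs -n 1  -> one whitespace-separated token per line
#   sed         -> strip the trailing comma sudo puts between commands,
#                  otherwise "ip," would never match the ip$ anchor
#   grep -w     -> keep tokens containing a listed name as a whole word
sudo_gtfo() {
    xargs -n 1 2>/dev/null | sed 's/,*$//g' | grep -w "$binarylist"
}

printf '%s\n' "$sample_sudo_l" | sudo_gtfo
```

Three tokens come out: `/usr/bin/vim`, `/usr/bin/find` and `/usr/sbin/ip`. Two things worth noticing: `env_reset` does not trip the `env` entry because `_` is a word character, and `/usr/bin/python3` is missed for the same reason, since `-w` will not match `python` followed by `3`. Versioned interpreter names therefore need a manual look at the raw `sudo -l` output.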

Get users who have successfully used sudo (Ubuntu creates this marker file in a user's home directory the first time sudo succeeds)

```bash
find /home -name .sudo_as_admin_successful 2>/dev/null
```

Check if root directory is readable

```bash
ls -ahl /root/ 2>/dev/null
```

Get home directory permissions

```bash
ls -ahl /home/ 2>/dev/null
```

Get a list of files writable by, but not owned by, the current user

```bash
find / -writable ! -user `whoami` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null
```

Get a list of files owned by the current user

```bash
find / -user `whoami` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null
```

List hidden files

```bash
find / -name ".*" -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null
```

Find world-readable files within /home directories (`-perm -4` tests the others-read bit, not write; the world-writable search is in the Interesting Files section)

```bash
find /home/ -perm -4 -type f -exec ls -al {} \; 2>/dev/null
```

List contents of the current user's home directory

```bash
ls -ahl ~ 2>/dev/null
```

Finds SSH private keys, known_hosts and authorized_keys files anywhere on the filesystem

```bash
find / \( -name "id_dsa*" -o -name "id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" \) -exec ls -la {} 2>/dev/null \;
```

Check if root can log in via ssh

```bash
grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#" | awk '{print  $2}'
```

#### Environmental

Get Environment Variables

```bash
env 2>/dev/null | grep -v 'LS_COLORS' 2>/dev/null
```

Check if SELinux is enabled

```bash
sestatus 2>/dev/null
```

Get $PATH

```bash
echo $PATH 2>/dev/null
```

Get a list of shells that are available

```bash
cat /etc/shells 2>/dev/null
```

Get the UMASK value (the `&` runs `umask -S` in the background, so the symbolic and octal forms may print in either order)

```bash
umask -S 2>/dev/null & umask 2>/dev/null
```

Get the UMASK from /etc/login.defs

```bash
grep -i "^UMASK" /etc/login.defs 2>/dev/null
```

Get Password Policy info

```bash
grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs 2>/dev/null
```

#### Jobs

Get cron jobs

```bash
ls -la /etc/cron* 2>/dev/null
```

Find world-writable cron files and print their contents (anything here runs on a schedule, often as root)

```bash
find /etc/cron* -perm -0002 -type f -exec ls -la {} \; -exec cat {} 2>/dev/null \;
```

Get system-wide cron jobs

```bash
cat /etc/crontab 2>/dev/null
```

Get user cron jobs

```bash
ls -la /var/spool/cron/crontabs 2>/dev/null
```

Get anacron jobs

```bash
ls -la /etc/anacrontab 2>/dev/null; cat /etc/anacrontab 2>/dev/null
```

Get user anacron jobs

```bash
ls -la /var/spool/anacron 2>/dev/null
```

Check if any user in /etc/passwd has cronjobs

```bash
cut -d ":" -f 1 /etc/passwd | xargs -n1 crontab -l -u 2>/dev/null
```

List systemd timers (these are like cron jobs: they run a unit at a given time or interval)

```bash
systemctl list-timers --all 2>/dev/null
```

#### Networking

Get network interface information

```bash
/sbin/ifconfig -a 2>/dev/null
```

Get network interface information with `ip` (for systems without ifconfig)

```bash
/sbin/ip a 2>/dev/null
```

Print the ARP table

```bash
arp -a 2>/dev/null
```

Print the neighbour (ARP) table with `ip`

```bash
ip n 2>/dev/null
```

Get nameservers

```bash
grep "nameserver" /etc/resolv.conf 2>/dev/null
```

Get nameservers from systemd-resolved (when /etc/resolv.conf only points at the local stub)

```bash
systemd-resolve --status 2>/dev/null
```

Get default route

```bash
route 2>/dev/null | grep default
```

Get default route with `ip`

```bash
ip r 2>/dev/null | grep default
```

Get listening TCP ports

```bash
netstat -ntpl 2>/dev/null
```

Get listening TCP ports with `ss` (for systems without netstat)

```bash
ss -t -l -n 2>/dev/null
```

Get Listening UDP Ports

```bash
netstat -nupl 2>/dev/null
```

Get listening UDP ports with `ss`

```bash
ss -u -l -n 2>/dev/null
```

#### Services

Get all running processes (the list is limited to what the current user is allowed to view)

```bash
ps aux 2>/dev/null
```

Get the path and permissions of each process's binary. The `awk '!x[$0]++'` at the end deduplicates: awk keeps an associative array `x` keyed by the whole line. The first time a line is seen `x[$0]` is 0, so `!x[$0]` is true and the line is printed; the post-increment then makes the test false for every later copy of that line.

```bash
ps aux 2>/dev/null | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null
```

Prints inetd.conf for a manual check for useful information

```bash
cat /etc/inetd.conf 2>/dev/null
```

Get binaries and their permissions from inetd

```bash
awk '{print $7}' /etc/inetd.conf 2>/dev/null |xargs -r ls -la 2>/dev/null
```

Print xinetd.conf for manual inspection

```bash
cat /etc/xinetd.conf 2>/dev/null
```

Check if /etc/xinetd.d is included from xinetd.conf (per-service definitions usually live there)

```bash
grep "/etc/xinetd.d" /etc/xinetd.conf 2>/dev/null
```

Get binaries and their permissions from xinetd

```bash
awk '{print $7}' /etc/xinetd.conf 2>/dev/null |xargs -r ls -la 2>/dev/null
```

Get init.d files' permissions

```bash
ls -la /etc/init.d 2>/dev/null
```

Check if there are any init.d files not owned by root

```bash
find /etc/init.d/ \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null
```

Get file permissions for rc.d/init.d

```bash
ls -la /etc/rc.d/init.d 2>/dev/null
```

Check if there are any rc.d/init.d files not owned by root

```bash
find /etc/rc.d/init.d \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null
```

Get file permissions for /usr/local/etc/rc.d files (BSD-style rc scripts)

```bash
ls -la /usr/local/etc/rc.d 2>/dev/null
```

Check for rc.d files not owned by root

```bash
find /usr/local/etc/rc.d \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null
```

Check /etc/init permissions

```bash
ls -la /etc/init/ 2>/dev/null
```

Check for startup scripts not owned by root

```bash
find /etc/init \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null
```

Get systemd config file permissions

```bash
ls -lthR /lib/systemd/ 2>/dev/null
```

Check for systemd files not owned by root

```bash
find /lib/systemd/ \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null
```

#### Software

Get Sudo Version

```bash
sudo -V 2>/dev/null| grep "Sudo version" 2>/dev/null
```

Get MySQL version

```bash
mysql --version 2>/dev/null
```

Check root:root password for mysql

```bash
mysqladmin -uroot -proot version 2>/dev/null
```

Get Postgres version

```bash
psql -V 2>/dev/null
```

Checks connection with several users to different databases

```bash
psql -U postgres -w template0 -c 'select version()' 2>/dev/null | grep version
psql -U postgres -w template1 -c 'select version()' 2>/dev/null | grep version
psql -U pgsql -w template0 -c 'select version()' 2>/dev/null | grep version
psql -U pgsql -w template1 -c 'select version()' 2>/dev/null | grep version
```

Get apache and httpd versions

```bash
apache2 -v 2>/dev/null; httpd -v 2>/dev/null
```

Get the user and group Apache runs as (from the exports in envvars)

```bash
grep -i 'user\|group' /etc/apache2/envvars 2>/dev/null |awk '{sub(/.*\export /,"")}1' 2>/dev/null
```

Check to see what Apache and httpd modules are installed

```bash
apache2ctl -M 2>/dev/null; httpd -M 2>/dev/null
```

Find .htpasswd files and print them out

```bash
find / -name .htpasswd -print -exec cat {} \; 2>/dev/null
```

Check the contents of default http directories

```bash
ls -alhR /var/www/ 2>/dev/null; ls -alhR /srv/www/htdocs/ 2>/dev/null; ls -alhR /usr/local/www/apache2/data/ 2>/dev/null; ls -alhR /opt/lampp/htdocs/ 2>/dev/null
```

#### Interesting Files

Check to see if various useful tools are installed

```bash
which nc 2>/dev/null ; which netcat 2>/dev/null ; which wget 2>/dev/null ; which nmap 2>/dev/null ; which gcc 2>/dev/null; which curl 2>/dev/null
```

Check to see if compilers are installed. Because of the `&&`, the yum half only runs if the dpkg half printed something, so on an RPM-based system run the yum command on its own.

```bash
dpkg --list 2>/dev/null| grep compiler |grep -v decompiler 2>/dev/null && yum list installed 'gcc*' 2>/dev/null| grep gcc 2>/dev/null
```

Lists permissions of some sensitive files that need to be manually checked

```bash
ls -la /etc/passwd 2>/dev/null ; ls -la /etc/group 2>/dev/null ; ls -la /etc/profile 2>/dev/null; ls -la /etc/shadow 2>/dev/null ; ls -la /etc/master.passwd 2>/dev/null
```

Find SUID files

```bash
find / -perm -4000 -type f 2>/dev/null
```

Find SUID files that are part of GTFOBins (assumes the previous command's output is stored in the variable $allsuid)

```bash
find $allsuid -perm -4000 -type f -exec ls -la {} \; 2>/dev/null | grep -w $binarylist 2>/dev/null
```

Check for SUID files that are world writeable

```bash
find $allsuid -perm -4002 -type f -exec ls -la {} 2>/dev/null \;
```

Check for world writeable SUID files owned by root

```bash
find $allsuid -uid 0 -perm -4002 -type f -exec ls -la {} 2>/dev/null \;
```

Find SGID files

```bash
find / -perm -2000 -type f 2>/dev/null
```

Check for SGID files that are part of GTFOBins (assumes the previous command's output is stored in the variable $allsgid)

```bash
find $allsgid -perm -2000 -type f -exec ls -la {} \; 2>/dev/null | grep -w $binarylist 2>/dev/null
```

Check for world writeable SGID files

```bash
find $allsgid -perm -2002 -type f -exec ls -la {} 2>/dev/null \;
```

Check for world writeable SGID files owned by root

```bash
find $allsgid -uid 0 -perm -2002 -type f -exec ls -la {} 2>/dev/null \;
```
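The SUID/SGID checks above, the cron check and the /home check all hinge on how `find -perm` reads its argument: `-perm -MODE` requires every bit in MODE to be set, `-perm /MODE` requires any of them, and a bare `-perm -4` or `-perm -2` is just the others-read or others-write bit. Here is an added example (not from the page or from LinEnum) that builds a scratch directory with files in known modes and runs the same expressions, so you can see which files each one returns without needing a real SUID binary on the box.

```bash
#!/bin/bash
# Added example: what find's -perm tests actually match. Creates a scratch
# directory with four files in controlled modes, then runs the -perm
# expressions LinEnum uses against it. Nothing here touches the real system.

# Build the fixture and print its path.
make_fixture() {
    dir=$(mktemp -d)
    : > "$dir/suid_only"; chmod 4755 "$dir/suid_only"   # setuid, rwxr-xr-x
    : > "$dir/suid_ww";   chmod 4777 "$dir/suid_ww"     # setuid and world-writable
    : > "$dir/plain_ro";  chmod 0644 "$dir/plain_ro"    # world-readable only
    : > "$dir/plain_ww";  chmod 0666 "$dir/plain_ww"    # world-writable, no setuid
    echo "$dir"
}

# Run find with one -perm test under DIR; return the matching file names,
# sorted and space-separated, so results are easy to compare.
perm_matches() {
    find "$1" -perm "$2" -type f 2>/dev/null | sed 's#.*/##' | sort | xargs echo
}

d=$(make_fixture)
echo "SUID               (-perm -4000): $(perm_matches "$d" -4000)"
echo "SUID + world-write (-perm -4002): $(perm_matches "$d" -4002)"
echo "world-readable     (-perm -4):    $(perm_matches "$d" -4)"
echo "world-writable     (-perm -2):    $(perm_matches "$d" -2)"
echo "SUID or SGID       (-perm /6000): $(perm_matches "$d" /6000)"
rm -rf "$d"
```

`-perm -4002` only returns `suid_ww`, because both the setuid bit and the others-write bit must be present; `-perm -4` returns all four files, which is why the page's `/home` search is a world-readable check rather than a world-writable one.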

List all files with POSIX capabilities

```bash
getcap -r / 2>/dev/null || /sbin/getcap -r / 2>/dev/null
```

Search for capabilities granted to users in /etc/security/capability.conf (the pam_cap config: capability list, then the users it applies to)

```bash
grep -v '^#\|none\|^$' /etc/security/capability.conf 2>/dev/null
```

Match capabilities granted to the current user against files that carry the same capability (`$userswithcaps` and `$fileswithcaps` hold the output of the two previous commands)

```bash
if [ "$userswithcaps" ] ; then
#matches the capabilities found associated with users with the current user
matchedcaps=`echo -e "$userswithcaps" | grep \`whoami\` | awk '{print $1}' 2>/dev/null`
    if [ "$matchedcaps" ]; then
        echo -e "\e[00;33m[+] Capabilities associated with the current user:\e[00m\n$matchedcaps"
        echo -e "\n"
        #matches the files with capabilities with capabilities associated with the current user
        matchedfiles=`echo -e "$matchedcaps" | while read -r cap ; do echo -e "$fileswithcaps" | grep "$cap" ; done 2>/dev/null`
        if [ "$matchedfiles" ]; then
            echo -e "\e[00;33m[+] Files with the same capabilities associated with the current user (You may want to try abusing those capabilities):\e[00m\n$matchedfiles"
            echo -e "\n"
            #lists the permissions of the files having the same capabilities associated with the current user
            matchedfilesperms=`echo -e "$matchedfiles" | awk '{print $1}' | while read -r f; do ls -la $f ;done 2>/dev/null`
            echo -e "\e[00;33m[+] Permissions of files with the same capabilities associated with the current user:\e[00m\n$matchedfilesperms"
            echo -e "\n"
            if [ "$matchedfilesperms" ]; then
                #checks if any of the files with same capabilities associated with the current user is writable
                writablematchedfiles=`echo -e "$matchedfiles" | awk '{print $1}' | while read -r f; do find $f -writable -exec ls -la {} + ;done 2>/dev/null`
                if [ "$writablematchedfiles" ]; then
                    echo -e "\e[00;33m[+] User/Group writable files with the same capabilities associated with the current user:\e[00m\n$writablematchedfiles"
                    echo -e "\n"
                fi
            fi
        fi
    fi
fi
```
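The matching steps in that block are easier to follow on fixed input. The following is an added example, not LinEnum's code: the two strings stand in for `getcap -r /` output and the non-comment lines of capability.conf (both made up, in the formats those tools use), and the user name is passed in rather than taken from `whoami` so the run does not depend on who executes it.

```bash
#!/bin/bash
# Added example: LinEnum's capability matching replayed on constructed data.

# Stand-in for `getcap -r / 2>/dev/null` (path, then capability set).
fileswithcaps='/usr/bin/ping cap_net_raw=ep
/usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip
/usr/bin/python3.11 cap_setuid=ep
/usr/bin/fping cap_net_raw=ep'

# Stand-in for /etc/security/capability.conf without comments
# (pam_cap format: capability list, then the users it applies to).
userswithcaps='cap_net_raw alice
cap_setuid,cap_setgid deploy
cap_net_admin bob'

# Capabilities granted to USER: field 1 of the lines naming that user.
# Comma-separated lists are split one per line so each can be looked up.
user_caps() {
    printf '%s\n' "$userswithcaps" | grep -w "$1" | awk '{print $1}' | tr ',' '\n'
}

# Files whose capability set contains any capability granted to USER.
matched_files() {
    user_caps "$1" | while read -r cap; do
        printf '%s\n' "$fileswithcaps" | grep -w "$cap"
    done | sort -u
}

for u in alice deploy bob carol; do
    echo "== $u: $(user_caps "$u" | xargs echo)"
    matched_files "$u"
done
```

Two deliberate differences from the page's block: `grep -w` is used for both the user and the capability lookup so that `bob` cannot match a user called `bobby`, and the comma-separated list in the first field is split before searching. The block above greps that field as one string, so a line like `cap_setuid,cap_setgid deploy` is searched for literally in the getcap output and would not match `/usr/bin/python3.11 cap_setuid=ep`.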

Search for readable private keys

```bash
grep -rl "PRIVATE KEY-----" /home 2>/dev/null
```

Search for AWS keys

```bash
grep -rli "aws_secret_access_key" /home 2>/dev/null
```

Search for git creds

```bash
find / -name ".git-credentials" 2>/dev/null
```

List all world writeable files excluding those in /proc and /sys

```bash
find / ! -path "*/proc/*" ! -path "/sys/*" -perm -2 -type f -exec ls -la {} 2>/dev/null \;
```

List any .plan files

```bash
find /home -iname *.plan -exec ls -la {} \; -exec cat {} 2>/dev/null \;
```

List any .plan files (BSD)

```bash
find /usr/home -iname *.plan -exec ls -la {} \; -exec cat {} 2>/dev/null \;
```

Find and print any .rhost files

```bash
find /home -iname *.rhosts -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;
```

Find and print any .rhost files (BSD)

```bash
find /usr/home -iname *.rhosts -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;
```

Find and print /etc/hosts.equiv (the system-wide trusted-hosts file for the rsh/rlogin family; it grants the same password-less trust as a per-user .rhosts)

```bash
find /etc -iname hosts.equiv -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;
```

Print /etc/exports

```bash
ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null
```

Print /etc/fstab

```bash
cat /etc/fstab 2>/dev/null
```

Look for creds in /etc/fstab

```bash
grep username /etc/fstab 2>/dev/null |awk '{sub(/.*\username=/,"");sub(/\,.*/,"")}1' 2>/dev/null| xargs -r echo username: 2>/dev/null; grep password /etc/fstab 2>/dev/null |awk '{sub(/.*\password=/,"");sub(/\,.*/,"")}1' 2>/dev/null| xargs -r echo password: 2>/dev/null; grep domain /etc/fstab 2>/dev/null |awk '{sub(/.*\domain=/,"");sub(/\,.*/,"")}1' 2>/dev/null| xargs -r echo domain: 2>/dev/null
```

Look for a `credentials=` option in /etc/fstab (used by CIFS mounts), then list and print the file it points to

```bash
grep cred /etc/fstab 2>/dev/null |awk '{sub(/.*\credentials=/,"");sub(/\,.*/,"")}1' 2>/dev/null | xargs -I{} sh -c 'ls -la {}; cat {}' 2>/dev/null
```
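The two fstab checks above are really one awk idiom applied to different option names. As an added example (not the page's or LinEnum's code), here it is run against a constructed fstab so the substitutions can be checked. Every path, share name and secret in it is made up, and nothing is read from the real /etc/fstab.

```bash
#!/bin/bash
# Added example: the page's fstab credential extraction on constructed input.

# Build a scratch directory holding a fake fstab and a fake credentials file
# of the kind mount.cifs reads via credentials=. Prints the directory path.
make_fixture() {
    dir=$(mktemp -d)
    printf 'username=svc_backup\npassword=s3cret\ndomain=CORP\n' > "$dir/cifs-creds"
    cat > "$dir/fstab" <<EOF
# backup share; password rotated quarterly
//fileserver/backup /mnt/backup cifs username=svc_backup,password=s3cret,domain=CORP,uid=1000 0 0
//fileserver/home   /mnt/home   cifs credentials=$dir/cifs-creds,iocharset=utf8 0 0
UUID=1111-2222 / ext4 defaults 0 1
EOF
    echo "$dir"
}

# Value of the KEY= mount option in FILE. Same awk as the page: drop
# everything up to "KEY=", then drop from the next comma onward. The extra
# grep for "KEY=" skips lines that merely contain the word (such as the
# comment above); the page's pipeline would print those lines unchanged.
fstab_opt() {
    key=$1 file=$2
    grep "$key" "$file" 2>/dev/null | grep "$key=" |
        awk -v k="$key" '{sub((".*" k "="), ""); sub(/,.*/, "")}1'
}

d=$(make_fixture)
for key in username password domain; do
    printf '%s: %s\n' "$key" "$(fstab_opt "$key" "$d/fstab")"
done
# credentials= names a file; the page lists and prints it, as done here.
fstab_opt credentials "$d/fstab" | while read -r f; do ls -la "$f"; cat "$f"; done
rm -rf "$d"
```

The greedy `.*` before `KEY=` means the match starts at the last occurrence of the option on the line, and the second `sub` stops at the next comma, so options are read correctly regardless of their order in the mount options field.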

Search conf files for a given keyword stored in $keyword

```bash
find / -maxdepth 4 -name *.conf -type f -exec grep -Hn $keyword {} \; 2>/dev/null
```

Search php files for a given keyword stored in $keyword

```bash
find / -maxdepth 10 -name *.php -type f -exec grep -Hn $keyword {} \; 2>/dev/null
```

Search log files for a given keyword stored in $keyword

```bash
find / -maxdepth 4 -name *.log -type f -exec grep -Hn $keyword {} \; 2>/dev/null
```

Search ini files for a given keyword stored in $keyword

```bash
find / -maxdepth 4 -name *.ini -type f -exec grep -Hn $keyword {} \; 2>/dev/null
```

Get all conf files from /etc/

```bash
find /etc/ -maxdepth 1 -name *.conf -type f -exec ls -la {} \; 2>/dev/null
```

Get all current user history files

```bash
ls -la ~/.*_history 2>/dev/null
```

Attempt to get root's history

```bash
ls -la /root/.*_history 2>/dev/null
```

Find and print all .bash\_history files that are readable

```bash
find /home -name .bash_history -print -exec cat {} 2>/dev/null \;
```

Find any .bak files

```bash
find / -name *.bak -type f 2>/dev/null
```

Check if there is any readable mail

```bash
ls -la /var/mail 2>/dev/null
```

Check if root has mail that can be read by the current user

```bash
head /var/mail/root 2>/dev/null
```

#### Docker

Check if the current environment is a Docker container (docker entries in the cgroup hierarchy, or a .dockerenv file)

```bash
grep -i docker /proc/self/cgroup  2>/dev/null; find / -name "*dockerenv*" -exec ls -la {} \; 2>/dev/null
```

Check if docker is installed and if there are any instances

```bash
docker --version 2>/dev/null; docker ps -a 2>/dev/null
```

Check if the current user is in the docker group

```bash
id | grep -i docker 2>/dev/null
```

Find Dockerfile files

```bash
find / -name Dockerfile -exec ls -l {} 2>/dev/null \;
```

Find docker-compose.yml files

```bash
find / -name docker-compose.yml -exec ls -l {} 2>/dev/null \;
```

#### LXC Container

Check if the current environment is an LXC container (`-q` prints nothing; the exit status carries the answer)

```bash
grep -qa container=lxc /proc/1/environ 2>/dev/null
```

Check if current user is in the lxd group

```bash
id | grep -i lxd 2>/dev/null
```

## TODO

Go through and explain why each of these checks can be helpful. (Some are obvious.)

