# LinEnum

## Understanding LinEnum

LinEnum is a privilege escalation checker. Here I will try to break down and understand the commands it uses for information gathering. I am not trying to analyze the script itself, but what it is getting, how it is getting it, and why it is getting it. The script is well commented, so much of the work is already done for us.
## Main Functions

```bash
header
debug_info
system_info
user_info
environmental_info
job_info
networking_info
services_info
software_configs
interesting_files
docker_checks
lxc_container_checks
footer
```
## Information Gathering Commands

List of binaries from GTFO Bins (used later to match the sudo, SUID and SGID results):

```bash
binarylist='aria2c\|arp\|ash\|awk\|base64\|bash\|busybox\|cat\|chmod\|chown\|cp\|csh\|curl\|cut\|dash\|date\|dd\|diff\|dmsetup\|docker\|ed\|emacs\|env\|expand\|expect\|file\|find\|flock\|fmt\|fold\|ftp\|gawk\|gdb\|gimp\|git\|grep\|head\|ht\|iftop\|ionice\|ip$\|irb\|jjs\|jq\|jrunscript\|ksh\|ld.so\|ldconfig\|less\|logsave\|lua\|make\|man\|mawk\|more\|mv\|mysql\|nano\|nawk\|nc\|netcat\|nice\|nl\|nmap\|node\|od\|openssl\|perl\|pg\|php\|pic\|pico\|python\|readelf\|rlwrap\|rpm\|rpmquery\|rsync\|ruby\|run-parts\|rvim\|scp\|script\|sed\|setarch\|sftp\|sh\|shuf\|socat\|sort\|sqlite3\|ssh$\|start-stop-daemon\|stdbuf\|strace\|systemctl\|tail\|tar\|taskset\|tclsh\|tee\|telnet\|tftp\|time\|timeout\|ul\|unexpand\|uniq\|unshare\|vi\|vim\|watch\|wget\|wish\|xargs\|xxd\|zip\|zsh'
```

### System Info
Get kernel info:

```bash
uname -a 2>/dev/null
```

Get kernel info (from procfs):

```bash
cat /proc/version 2>/dev/null
```

Get OS info:

```bash
cat /etc/*-release 2>/dev/null
```

Get hostname:

```bash
hostname 2>/dev/null
```

### User Info
User ID and groups:

```bash
id 2>/dev/null
```

Get the last time users logged in:

```bash
lastlog 2>/dev/null | grep -v "Never" 2>/dev/null
```

Get users currently logged in:

```bash
w 2>/dev/null
```

Get all IDs and groups:

```bash
for i in $(cut -d":" -f1 /etc/passwd 2>/dev/null); do id $i; done 2>/dev/null
```

Get adm users (Admin Users):

```bash
grpinfo=`for i in $(cut -d":" -f1 /etc/passwd 2>/dev/null); do id $i; done 2>/dev/null`
adm_users=$(echo -e "$grpinfo" | grep "(adm)")
echo "$adm_users"
```

Check for hashes in passwd:

```bash
grep -v '^[^:]*:[x]' /etc/passwd 2>/dev/null
```

/etc/passwd contents:

```bash
cat /etc/passwd 2>/dev/null
```

Attempt to read master.passwd:

```bash
cat /etc/master.passwd 2>/dev/null
```

Attempt to read /etc/shadow:

```bash
cat /etc/shadow 2>/dev/null
```

Get all accounts with UID 0:

```bash
grep -v -E "^#" /etc/passwd 2>/dev/null | awk -F: '$3 == 0 { print $1 }' 2>/dev/null
```

Get sudoers:

```bash
grep -v -e '^$' /etc/sudoers 2>/dev/null | grep -v "#" 2>/dev/null
```

Get sudo permissions without a password:

```bash
echo '' | sudo -S -l -k 2>/dev/null
```

Get sudo permissions with a password (stored in `$userpassword`, supplied to the script by the user):

```bash
echo "$userpassword" | sudo -S -l -k 2>/dev/null
```

Check if any of the binaries in GTFO Bins can be run as sudo:

```bash
echo '' | sudo -S -l -k 2>/dev/null | xargs -n 1 2>/dev/null | sed 's/,*$//g' 2>/dev/null | grep -w "$binarylist" 2>/dev/null
```

Get users who have successfully used sudo:

```bash
find /home -name .sudo_as_admin_successful 2>/dev/null
```

Check if /root is readable:

```bash
ls -ahl /root/ 2>/dev/null
```

Get home directory permissions:

```bash
ls -ahl /home/ 2>/dev/null
```

Get a list of files writable by, but not owned by, the current user:

```bash
find / -writable ! -user "$(whoami)" -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null
```

Get a list of files owned by the current user:

```bash
find / -user "$(whoami)" -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null
```

List hidden files:

```bash
find / -name ".*" -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null
```

Find world-readable files within /home directories (`-perm -4` tests the others-read bit):

```bash
find /home/ -perm -4 -type f -exec ls -al {} \; 2>/dev/null
```

List contents of the current user's home directory:

```bash
ls -ahl ~ 2>/dev/null
```

Find various important ssh files:

```bash
find / \( -name "id_dsa*" -o -name "id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" \) -exec ls -la {} 2>/dev/null \;
```

Check if root can log in via ssh:

```bash
grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#" | awk '{print $2}'
```

### Environmental
Get environment variables:

```bash
env 2>/dev/null | grep -v 'LS_COLORS' 2>/dev/null
```

Check if SELinux is enabled:

```bash
sestatus 2>/dev/null
```

Get $PATH:

```bash
echo "$PATH" 2>/dev/null
```

Get a list of shells that are available:

```bash
cat /etc/shells 2>/dev/null
```

Get the UMASK value (symbolic, then octal):

```bash
umask -S 2>/dev/null; umask 2>/dev/null
```

Get the UMASK from /etc/login.defs:

```bash
grep -i "^UMASK" /etc/login.defs 2>/dev/null
```

Get password policy info:

```bash
grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs 2>/dev/null
```

### Jobs
Get cron jobs:

```bash
ls -la /etc/cron* 2>/dev/null
```

Check permissions on cron jobs (world-writable cron files are listed and printed):

```bash
find /etc/cron* -perm -0002 -type f -exec ls -la {} \; -exec cat {} 2>/dev/null \;
```

Get system-wide cron jobs:

```bash
cat /etc/crontab 2>/dev/null
```

Get user cron jobs:

```bash
ls -la /var/spool/cron/crontabs 2>/dev/null
```

Get anacron jobs:

```bash
ls -la /etc/anacrontab 2>/dev/null; cat /etc/anacrontab 2>/dev/null
```

Get user anacron jobs:

```bash
ls -la /var/spool/anacron 2>/dev/null
```

Check if any user in /etc/passwd has cron jobs:

```bash
cut -d ":" -f 1 /etc/passwd | xargs -n1 crontab -l -u 2>/dev/null
```

List systemd timers (these are like cron jobs: they run a task at a given time or interval):

```bash
systemctl list-timers --all 2>/dev/null
```

### Networking
Get network interface information (ifconfig):

```bash
/sbin/ifconfig -a 2>/dev/null
```

Get network interface information (ip):

```bash
/sbin/ip a 2>/dev/null
```

Print the ARP table (arp):

```bash
arp -a 2>/dev/null
```

Print the ARP table (ip):

```bash
ip n 2>/dev/null
```

Get nameservers (resolv.conf):

```bash
grep "nameserver" /etc/resolv.conf 2>/dev/null
```

Get nameservers (systemd-resolved):

```bash
systemd-resolve --status 2>/dev/null
```

Get default route (route):

```bash
route 2>/dev/null | grep default
```

Get default route (ip):

```bash
ip r 2>/dev/null | grep default
```

Get listening TCP ports (netstat):

```bash
netstat -ntpl 2>/dev/null
```

Get listening TCP ports (ss):

```bash
ss -t -l -n 2>/dev/null
```

Get listening UDP ports (netstat):

```bash
netstat -nupl 2>/dev/null
```

Get listening UDP ports (ss):

```bash
ss -u -l -n 2>/dev/null
```

### Services
Get all running processes (the list is limited to what the current user is allowed to view):

```bash
ps aux 2>/dev/null
```

Get the process binary paths as well as their permissions. The `awk '!x[$0]++'` at the end is a bit confusing, but what it does is build a hash table where the current line is the key and the value is a count that is incremented each time that line is seen. The first time a line is seen its count is still 0, so the line is printed and the count becomes 1; every later occurrence is ignored. The effect is to remove duplicate lines while keeping the original order.
```bash
ps aux 2>/dev/null | awk '{print $11}' | xargs -r ls -la 2>/dev/null | awk '!x[$0]++' 2>/dev/null
```

Print inetd.conf for a manual check for useful information:

```bash
cat /etc/inetd.conf 2>/dev/null
```

Get binaries and their permissions from inetd:

```bash
awk '{print $7}' /etc/inetd.conf 2>/dev/null | xargs -r ls -la 2>/dev/null
```

Print xinetd.conf for manual inspection:

```bash
cat /etc/xinetd.conf 2>/dev/null
```

Check if /etc/xinetd.d is referenced in xinetd.conf:

```bash
grep "/etc/xinetd.d" /etc/xinetd.conf 2>/dev/null
```

Get binaries and their permissions from xinetd:

```bash
awk '{print $7}' /etc/xinetd.conf 2>/dev/null | xargs -r ls -la 2>/dev/null
```

Get init.d files' permissions:

```bash
ls -la /etc/init.d 2>/dev/null
```

Check if there are any init.d files not owned by root:

```bash
find /etc/init.d/ \! -uid 0 -type f 2>/dev/null | xargs -r ls -la 2>/dev/null
```

Get file permissions for /etc/rc.d/init.d:

```bash
ls -la /etc/rc.d/init.d 2>/dev/null
```

Check if there are any rc.d/init.d files not owned by root:

```bash
find /etc/rc.d/init.d \! -uid 0 -type f 2>/dev/null | xargs -r ls -la 2>/dev/null
```

Get file permissions for /usr/local/etc/rc.d files:

```bash
ls -la /usr/local/etc/rc.d 2>/dev/null
```

Check for rc.d files not owned by root:

```bash
find /usr/local/etc/rc.d \! -uid 0 -type f 2>/dev/null | xargs -r ls -la 2>/dev/null
```

Check /etc/init permissions:

```bash
ls -la /etc/init/ 2>/dev/null
```

Check for startup scripts not owned by root:

```bash
find /etc/init \! -uid 0 -type f 2>/dev/null | xargs -r ls -la 2>/dev/null
```

Get systemd config file permissions:

```bash
ls -lthR /lib/systemd/ 2>/dev/null
```

Check for systemd files not owned by root:

```bash
find /lib/systemd/ \! -uid 0 -type f 2>/dev/null | xargs -r ls -la 2>/dev/null
```

### Software
Get sudo version:

```bash
sudo -V 2>/dev/null | grep "Sudo version" 2>/dev/null
```

Get MySQL version:

```bash
mysql --version 2>/dev/null
```

Check whether MySQL accepts the default root:root credentials:

```bash
mysqladmin -uroot -proot version 2>/dev/null
```

Get Postgres version:

```bash
psql -V 2>/dev/null
```

Check whether several default users can connect to the template databases without a password:

```bash
psql -U postgres -w template0 -c 'select version()' 2>/dev/null | grep version
psql -U postgres -w template1 -c 'select version()' 2>/dev/null | grep version
psql -U pgsql -w template0 -c 'select version()' 2>/dev/null | grep version
psql -U pgsql -w template1 -c 'select version()' 2>/dev/null | grep version
```

Get apache and httpd versions:

```bash
apache2 -v 2>/dev/null; httpd -v 2>/dev/null
```

Get the user running apache:

```bash
grep -i 'user\|group' /etc/apache2/envvars 2>/dev/null | awk '{sub(/.*export /,"")}1' 2>/dev/null
```

Check which apache and httpd modules are installed:

```bash
apache2ctl -M 2>/dev/null; httpd -M 2>/dev/null
```

Find .htpasswd files and print them out:

```bash
find / -name .htpasswd -print -exec cat {} \; 2>/dev/null
```

Check the contents of the default http directories:

```bash
ls -alhR /var/www/ 2>/dev/null; ls -alhR /srv/www/htdocs/ 2>/dev/null; ls -alhR /usr/local/www/apache2/data/ 2>/dev/null; ls -alhR /opt/lampp/htdocs/ 2>/dev/null
```

### Interesting Files
Check to see if various useful tools are installed:

```bash
which nc 2>/dev/null; which netcat 2>/dev/null; which wget 2>/dev/null; which nmap 2>/dev/null; which gcc 2>/dev/null; which curl 2>/dev/null
```

Check to see if compilers are installed (dpkg for Debian-based systems, yum for RPM-based ones):

```bash
dpkg --list 2>/dev/null | grep compiler | grep -v decompiler 2>/dev/null; yum list installed 'gcc*' 2>/dev/null | grep gcc 2>/dev/null
```

List the permissions of some sensitive files that need to be checked manually:

```bash
ls -la /etc/passwd 2>/dev/null; ls -la /etc/group 2>/dev/null; ls -la /etc/profile 2>/dev/null; ls -la /etc/shadow 2>/dev/null; ls -la /etc/master.passwd 2>/dev/null
```

Find SUID files:

```bash
find / -perm -4000 -type f 2>/dev/null
```

Find SUID files that are part of GTFO Bins (assumes the output of the previous command is stored in the variable `$allsuid`):

```bash
find $allsuid -perm -4000 -type f -exec ls -la {} \; 2>/dev/null | grep -w "$binarylist" 2>/dev/null
```

Check for SUID files that are world-writable:

```bash
find $allsuid -perm -4002 -type f -exec ls -la {} 2>/dev/null \;
```

Check for world-writable SUID files owned by root:

```bash
find $allsuid -uid 0 -perm -4002 -type f -exec ls -la {} 2>/dev/null \;
```

Find SGID files:

```bash
find / -perm -2000 -type f 2>/dev/null
```

Check for SGID files that are part of GTFO Bins (assumes the output of the previous command is stored in the variable `$allsgid`):

```bash
find $allsgid -perm -2000 -type f -exec ls -la {} \; 2>/dev/null | grep -w "$binarylist" 2>/dev/null
```

Check for world-writable SGID files:

```bash
find $allsgid -perm -2002 -type f -exec ls -la {} 2>/dev/null \;
```

Check for world-writable SGID files owned by root:

```bash
find $allsgid -uid 0 -perm -2002 -type f -exec ls -la {} 2>/dev/null \;
```

List all files with POSIX capabilities:

```bash
getcap -r / 2>/dev/null || /sbin/getcap -r / 2>/dev/null
```

Search for capabilities assigned to users:

```bash
grep -v '^#\|none\|^$' /etc/security/capability.conf 2>/dev/null
```

User capabilities. The block below, taken from the script, assumes the previous two results are stored in `$fileswithcaps` and `$userswithcaps`; it matches the capabilities assigned to the current user against the files that carry the same capabilities:
```bash
if [ "$userswithcaps" ] ; then
  # matches the capabilities found associated with users with the current user
  matchedcaps=`echo -e "$userswithcaps" | grep \`whoami\` | awk '{print $1}' 2>/dev/null`
  if [ "$matchedcaps" ]; then
    echo -e "\e[00;33m[+] Capabilities associated with the current user:\e[00m\n$matchedcaps"
    echo -e "\n"
    # matches the files with capabilities with capabilities associated with the current user
    matchedfiles=`echo -e "$matchedcaps" | while read -r cap ; do echo -e "$fileswithcaps" | grep "$cap" ; done 2>/dev/null`
    if [ "$matchedfiles" ]; then
      echo -e "\e[00;33m[+] Files with the same capabilities associated with the current user (You may want to try abusing those capabilities):\e[00m\n$matchedfiles"
      echo -e "\n"
      # lists the permissions of the files having the same capabilities associated with the current user
      matchedfilesperms=`echo -e "$matchedfiles" | awk '{print $1}' | while read -r f; do ls -la $f ;done 2>/dev/null`
      echo -e "\e[00;33m[+] Permissions of files with the same capabilities associated with the current user:\e[00m\n$matchedfilesperms"
      echo -e "\n"
      if [ "$matchedfilesperms" ]; then
        # checks if any of the files with the same capabilities associated with the current user is writable
        writablematchedfiles=`echo -e "$matchedfiles" | awk '{print $1}' | while read -r f; do find $f -writable -exec ls -la {} + ;done 2>/dev/null`
        if [ "$writablematchedfiles" ]; then
          echo -e "\e[00;33m[+] User/Group writable files with the same capabilities associated with the current user:\e[00m\n$writablematchedfiles"
          echo -e "\n"
        fi
      fi
    fi
  fi
fi
```

Search for readable private keys:
```bash
grep -rl "PRIVATE KEY-----" /home 2>/dev/null
```

Search for AWS keys:

```bash
grep -rli "aws_secret_access_key" /home 2>/dev/null
```

Search for git credentials:

```bash
find / -name ".git-credentials" 2>/dev/null
```

List all world-writable files, excluding those in /proc and /sys:

```bash
find / ! -path "*/proc/*" ! -path "/sys/*" -perm -2 -type f -exec ls -la {} 2>/dev/null \;
```

List any .plan files:

```bash
find /home -iname "*.plan" -exec ls -la {} \; -exec cat {} 2>/dev/null \;
```

List any .plan files (BSD):

```bash
find /usr/home -iname "*.plan" -exec ls -la {} \; -exec cat {} 2>/dev/null \;
```

Find and print any .rhosts files:

```bash
find /home -iname "*.rhosts" -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;
```

Find and print any .rhosts files (BSD):

```bash
find /usr/home -iname "*.rhosts" -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;
```

Find and print hosts.equiv (TODO):

```bash
find /etc -iname hosts.equiv -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;
```

Print /etc/exports:

```bash
ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null
```

Print /etc/fstab:

```bash
cat /etc/fstab 2>/dev/null
```

Look for credentials in /etc/fstab:

```bash
grep username /etc/fstab 2>/dev/null | awk '{sub(/.*username=/,"");sub(/,.*/,"")}1' 2>/dev/null | xargs -r echo username: 2>/dev/null; grep password /etc/fstab 2>/dev/null | awk '{sub(/.*password=/,"");sub(/,.*/,"")}1' 2>/dev/null | xargs -r echo password: 2>/dev/null; grep domain /etc/fstab 2>/dev/null | awk '{sub(/.*domain=/,"");sub(/,.*/,"")}1' 2>/dev/null | xargs -r echo domain: 2>/dev/null
```

Look for credentials in /etc/fstab, round 2 (follow `credentials=` entries to the file they point at):

```bash
grep cred /etc/fstab 2>/dev/null | awk '{sub(/.*credentials=/,"");sub(/,.*/,"")}1' 2>/dev/null | xargs -I{} sh -c 'ls -la {}; cat {}' 2>/dev/null
```

Search conf files for a given keyword stored in `$keyword`:

```bash
find / -maxdepth 4 -name "*.conf" -type f -exec grep -Hn "$keyword" {} \; 2>/dev/null
```

Search php files for a given keyword stored in `$keyword`:

```bash
find / -maxdepth 10 -name "*.php" -type f -exec grep -Hn "$keyword" {} \; 2>/dev/null
```

Search log files for a given keyword stored in `$keyword`:

```bash
find / -maxdepth 4 -name "*.log" -type f -exec grep -Hn "$keyword" {} \; 2>/dev/null
```

Search ini files for a given keyword stored in `$keyword`:

```bash
find / -maxdepth 4 -name "*.ini" -type f -exec grep -Hn "$keyword" {} \; 2>/dev/null
```

Get all conf files from /etc/:

```bash
find /etc/ -maxdepth 1 -name "*.conf" -type f -exec ls -la {} \; 2>/dev/null
```

Get all of the current user's history files:

```bash
ls -la ~/.*_history 2>/dev/null
```

Attempt to get root's history:

```bash
ls -la /root/.*_history 2>/dev/null
```

Find and print all .bash_history files that are readable:

```bash
find /home -name .bash_history -print -exec cat {} 2>/dev/null \;
```

Find any .bak files:

```bash
find / -name "*.bak" -type f 2>/dev/null
```

Check if there is any readable mail:

```bash
ls -la /var/mail 2>/dev/null
```

Check if root has mail that can be read by the current user:

```bash
head /var/mail/root 2>/dev/null
```

### Docker
Check if the current environment is a docker instance:

```bash
grep -i docker /proc/self/cgroup 2>/dev/null; find / -name "*dockerenv*" -exec ls -la {} \; 2>/dev/null
```

Check if docker is installed and if there are any instances:

```bash
docker --version 2>/dev/null; docker ps -a 2>/dev/null
```

Check if the current user is in the docker group:

```bash
id | grep -i docker 2>/dev/null
```

Find Dockerfile files:

```bash
find / -name Dockerfile -exec ls -l {} 2>/dev/null \;
```

Find docker-compose.yml files:

```bash
find / -name docker-compose.yml -exec ls -l {} 2>/dev/null \;
```

### LXC Container
Check if the current environment is an LXC container:

```bash
grep -qa container=lxc /proc/1/environ 2>/dev/null
```

Check if the current user is in the lxd group:

```bash
id | grep -i lxd 2>/dev/null
```

## TODO

Go through and explain why each of these checks can be helpful. (Some are obvious.)
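Toward that TODO, here is an added example (not LinEnum's own code) that takes two of the checks above, world-writable SUID/SGID files and world-writable cron files, and runs them as an audit against a constructed directory tree so the positive and negative cases are visible side by side. A setuid binary or a cron file that anyone on the host can modify is a misconfiguration worth fixing, because whoever can write it decides what runs with that binary's or that job's privileges; the `find -perm` tests are the page's own, while the functions (`make_fixture`, `world_writable_sbit`, `world_writable_cron`, `audit`, `demo`) and every path and file name are invented for the example.

```shell
#!/bin/sh
# Added example, not part of LinEnum: the "world-writable SUID/SGID" and
# "world-writable cron file" checks from this page, rewritten as an audit
# function and run against a constructed directory tree so the positive and
# negative cases can be seen side by side. Every path below is a fixture.

# make_fixture DIR: build a small tree mirroring the cases the checks look for.
make_fixture() {
    dir="$1"
    mkdir -p "$dir/bin" "$dir/etc/cron.d"
    printf '#!/bin/sh\nexit 0\n' > "$dir/bin/setuid_ok"
    chmod 4755 "$dir/bin/setuid_ok"          # setuid, not writable by others: expected
    printf '#!/bin/sh\nexit 0\n' > "$dir/bin/setuid_bad"
    chmod 4757 "$dir/bin/setuid_bad"         # setuid AND world-writable: finding
    printf '#!/bin/sh\nexit 0\n' > "$dir/bin/setgid_bad"
    chmod 2757 "$dir/bin/setgid_bad"         # setgid AND world-writable: finding
    printf '#!/bin/sh\nexit 0\n' > "$dir/bin/plain"
    chmod 0777 "$dir/bin/plain"              # world-writable but no s-bit: not this check
    printf '* * * * * root /usr/local/bin/backup\n' > "$dir/etc/cron.d/backup"
    chmod 0644 "$dir/etc/cron.d/backup"      # normal cron file
    printf '* * * * * root /usr/local/bin/cleanup\n' > "$dir/etc/cron.d/cleanup"
    chmod 0666 "$dir/etc/cron.d/cleanup"     # world-writable cron file: finding
}

# world_writable_sbit ROOT: regular files under ROOT that have setuid or setgid
# set and are also writable by others (-perm -4002 / -perm -2002 as on the page).
world_writable_sbit() {
    find "$1" -type f \( -perm -4002 -o -perm -2002 \) 2>/dev/null | sort
}

# world_writable_cron CRONDIR: the page's '-perm -0002' test on cron files.
world_writable_cron() {
    find "$1" -type f -perm -0002 2>/dev/null | sort
}

# audit ROOT: one line per finding, "KIND PATH", so a caller can act on each.
audit() {
    root="$1"
    world_writable_sbit "$root/bin" | sed 's/^/SBIT_WORLD_WRITABLE /'
    world_writable_cron "$root/etc/cron.d" | sed 's/^/CRON_WORLD_WRITABLE /'
}

# demo: build a throwaway fixture, audit it, and remove it again.
# Expected findings: setuid_bad, setgid_bad and cron.d/cleanup; nothing else.
demo() {
    tmp="$(mktemp -d)"
    make_fixture "$tmp"
    audit "$tmp"
    rm -rf "$tmp"
}

demo
```

On a real host the same functions would be pointed at `/` (or the page's `$allsuid`/`$allsgid` lists) and `/etc/cron*`; the fixture only exists so the output can be compared against a known answer.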