LinEnum

Understanding LinEnum

LinEnum is a Privilege Escalation Checker. Here I will try to breakdown and understand the commands used specifically for information gathering. I am not trying to analyze the script but what it is getting, how it is getting it, and why it is getting it. This script is pretty well commented so much of the work is done for us.

Main Functions

header debug_info system_info user_info environmental_info job_info networking_info services_info software_configs interesting_files docker_checks lxc_container_checks footer

Information Gathering Commands

List of binaries from GTFO Bins

binarylist='aria2c\|arp\|ash\|awk\|base64\|bash\|busybox\|cat\|chmod\|chown\|cp\|csh\|curl\|cut\|dash\|date\|dd\|diff\|dmsetup\|docker\|ed\|emacs\|env\|expand\|expect\|file\|find\|flock\|fmt\|fold\|ftp\|gawk\|gdb\|gimp\|git\|grep\|head\|ht\|iftop\|ionice\|ip$\|irb\|jjs\|jq\|jrunscript\|ksh\|ld.so\|ldconfig\|less\|logsave\|lua\|make\|man\|mawk\|more\|mv\|mysql\|nano\|nawk\|nc\|netcat\|nice\|nl\|nmap\|node\|od\|openssl\|perl\|pg\|php\|pic\|pico\|python\|readelf\|rlwrap\|rpm\|rpmquery\|rsync\|ruby\|run-parts\|rvim\|scp\|script\|sed\|setarch\|sftp\|sh\|shuf\|socat\|sort\|sqlite3\|ssh$\|start-stop-daemon\|stdbuf\|strace\|systemctl\|tail\|tar\|taskset\|tclsh\|tee\|telnet\|tftp\|time\|timeout\|ul\|unexpand\|uniq\|unshare\|vi\|vim\|watch\|wget\|wish\|xargs\|xxd\|zip\|zsh'

System Info

Get kernel info

uname -a 2>/dev/null

Get kernel info

cat /proc/version 2>/dev/null

Get OS info ```cat /etc/*-release 2>/dev/null

Get hostname
```bash
hostname 2>/dev/null

User Info

User ID and groups

id 2>/dev/null

Get the last time users logged in

lastlog 2>/dev/null |grep -v "Never" 2>/dev/null

Get users currently logged in

w 2>/dev/null

for i in $(cut -d":" -f1 /etc/passwd 2>/dev/null);do id $i;done 2>/dev/null Get all IDs and groups Get adm users (Admin Users)

grpinfo=`for i in $(cut -d":" -f1 /etc/passwd 2>/dev/null);do id $i;done 2>/dev/null`
adm_users=$(echo -e "$grpinfo" | grep "(adm)")
echo $adm_users

Check for hashes in passwd

grep -v '^[^:]*:[x]' /etc/passwd 2>/dev/null

/etc/passwd contents

cat /etc/passwd 2>/dev/null

Attempt to read master.passwd

cat /etc/master.passwd 2>/dev/null

Attempt to read /etc/shadow

cat /etc/shadow 2>/dev/null

Get all accounts with UID 0

grep -v -E "^#" /etc/passwd 2>/dev/null| awk -F: '$3 == 0 { print $1}' 2>/dev/null

Get sudoers

grep -v -e '^$' /etc/sudoers 2>/dev/null |grep -v "#" 2>/dev/null

Get sudo permissions without password

echo '' | sudo -S -l -k 2>/dev/null

Get sudo permissions with password

echo $userpassword | sudo -S -l -k 2>/dev/null

Checks if any of the binaries in GTFO Bins can be ran as sudo

echo '' | sudo -S -l -k 2>/dev/null | xargs -n 1 2>/dev/null | sed 's/,*$//g' 2>/dev/null | grep -w $binarylist 2>/dev/null

Get users who have successfully used sudo

find /home -name .sudo_as_admin_successful 2>/dev/null

Check if root directory is readable

ls -ahl /root/ 2>/dev/null

Get home directory permissions

ls -ahl /home/ 2>/dev/null

Get a list of files writeable but not owned by the current user

find / -writable ! -user `whoami` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null`

Get a list of files owned by the current user

`find / -user `whoami` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null`

List hidden files

find / -name ".*" -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null

Find world writable files within /home directories

find /home/ -perm -4 -type f -exec ls -al {} \; 2>/dev/null

List contents of the current user's home directory

ls -ahl ~ 2>/dev/null

Finds various important ssh files

find / \( -name "id_dsa*" -o -name "id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" \) -exec ls -la {} 2>/dev/null \;

Check if root can log in via ssh

grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#" | awk '{print  $2}'

Environmental

Get Environment Variables

env 2>/dev/null | grep -v 'LS_COLORS' 2>/dev/null

Check if SELinux is enabled

sestatus 2>/dev/null

Get $PATH

echo $PATH 2>/dev/null

Get a list of shells that are available

cat /etc/shells 2>/dev/null

Get the UMASK value

umask -S 2>/dev/null & umask 2>/dev/null

Get the UMASK from /etc/login.defs

grep -i "^UMASK" /etc/login.defs 2>/dev/null

Get Password Policy info

grep "^PASS\_MAX\_DAYS\\|^PASS\_MIN\_DAYS\\|^PASS\_WARN\_AGE\\|^ENCRYPT\_METHOD" /etc/login.defs 2>/dev/null

Jobs

Get cron jobs

ls -la /etc/cron* 2>/dev/null

Check permissions on cron jobs

find /etc/cron* -perm -0002 -type f -exec ls -la {} \; -exec cat {} 2>/dev/null \

Get system-wide cron jobs

cat /etc/crontab 2>/dev/null

Get user cron jobs

ls -la /var/spool/cron/crontabs 2>/dev/nul

Get anacron jobs

ls -la /etc/anacrontab 2>/dev/null; cat /etc/anacrontab 2>/dev/null

Get user anacron jobs

ls -la /var/spool/anacron 2>/dev/nul

Check if any user in /etc/passwd has cronjobs

cut -d ":" -f 1 /etc/passwd | xargs -n1 crontab -l -u 2>/dev/null

List systemtimers (These are like cronjobs where they perform a task at a given interval.)

systemctl list-timers --all 2>/dev/null

Networking

Get network interface information

/sbin/ifconfig -a 2>/dev/null

Get network interface information

/sbin/ip a 2>/dev/null

Print the ARP table

arp -a 2>/dev/null

Print the ARP table

ip n 2>/dev/null

Get nameservers

grep "nameserver" /etc/resolv.conf 2>/dev/null

Get nameservers

systemd-resolve --status 2>/dev/null

Get default route

route 2>/dev/null | grep default

Get default route

ip r 2>/dev/null | grep default

Get listening TCP ports

netstat -ntpl 2>/dev/null

Get listening TCP Ports

ss -t -l -n 2>/dev/null

Get Listening UDP Ports

netstat -nupl 2>/dev/null

Get listening UDP Ports

ss -u -l -n 2>/dev/null

Services

Get all running processes (List list will be limited to what the current user can view)

ps aux 2>/dev/null

Get the process binary path as well as the permissions The awk '!x\[$0\]++' Is a bit confusing but what this is doing is creating a hash table where the current line is the key and the value is incremented by one each time it is referenced. If it is the first time the line is referenced, it gets printed and the count gets incremented by 1; otherwise the line gets ignored.

ps aux 2>/dev/null | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null

Prints inetd.conf for a manual check for useful information

cat /etc/inetd.conf 2>/dev/null

Get binaries and their permissions from inetd

awk '{print $7}' /etc/inetd.conf 2>/dev/null |xargs -r ls -la 2>/dev/null

Print xinetd.conf for manual inspection

cat /etc/xinetd.conf

Check if /etc/xinetd.d is in xinetd.conf

grep "/etc/xinetd.d" /etc/xinetd.conf 2>/dev/null

Get binaries and their permissions from xinetd

awk '{print $7}' /etc/xinetd.conf 2>/dev/null |xargs -r ls -la 2>/dev/null

Get init.d files' permissions

ls -la /etc/init.d 2>/dev/null

Check if there are any init.d files not owned by root

find /etc/init.d/ \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null

Get file permissions for rc.d/init.d

ls -la /etc/rc.d/init.d 2>/dev/null

Check if there are any init.d files not owned by root

find /etc/rc.d/init.d \\! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null

Get file permissions for /usr/rc.d files

ls -la /usr/local/etc/rc.d 2>/dev/null

Check for rc.d files not owned by root

find /usr/local/etc/rc.d \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null

Check /etc/init permissions

ls -la /etc/init/ 2>/dev/null

Check for startup scripts not owned by root

find /etc/init \\! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null

Get systemd config file permissions

ls -lthR /lib/systemd/ 2>/dev/null

Check for systemd files not owned by root

find /lib/systemd/ \\! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null

Software

Get Sudo Version

sudo -V 2>/dev/null| grep "Sudo version" 2>/dev/null

Get MySQL version

mysql --version 2>/dev/null

Check root:root password for mysql

mysqladmin -uroot -proot version 2>/dev/null

Get Postgres version

psql -V 2>/dev/null

Checks connection with several users to different databases

psql -U postgres -w template0 -c 'select version()' 2>/dev/null | grep version
psql -U postgres -w template1 -c 'select version()' 2>/dev/null | grep version
psql -U pgsql -w template0 -c 'select version()' 2>/dev/null | grep version
psql -U pgsql -w template1 -c 'select version()' 2>/dev/null | grep version

Get apache and httpd versions

apache2 -v 2>/dev/null; httpd -v 2>/dev/null

Get the user running apache

grep -i 'user\|group' /etc/apache2/envvars 2>/dev/null |awk '{sub(/.*\export /,"")}1' 2>/dev/null

Check to see what apace and httpd modules are installed

apache2ctl -M 2>/dev/null; httpd -M 2>/dev/null

Find .htpasswd files and print them out

find / -name .htpasswd -print -exec cat {} \; 2>/dev/null

Check the contents of default http directories

ls -alhR /var/www/ 2>/dev/null; ls -alhR /srv/www/htdocs/ 2>/dev/null; ls -alhR /usr/local/www/apache2/data/ 2>/dev/null; ls -alhR /opt/lampp/htdocs/ 2>/dev/null

Interesting Files

Check to see if various useful tools are installed

which nc 2>/dev/null ; which netcat 2>/dev/null ; which wget 2>/dev/null ; which nmap 2>/dev/null ; which gcc 2>/dev/null; which curl 2>/dev/null

Check to see if compilers are installed

dpkg --list 2>/dev/null| grep compiler |grep -v decompiler 2>/dev/null && yum list installed 'gcc\*' 2>/dev/null| grep gcc 2>/dev/null

Lists permissions of some sensitive files that need to be manually checked

ls -la /etc/passwd 2>/dev/null ; ls -la /etc/group 2>/dev/null ; ls -la /etc/profile 2>/dev/null; ls -la /etc/shadow 2>/dev/null ; ls -la /etc/master.passwd 2>/dev/null

Find SUID files

find / -perm -4000 -type f 2>/dev/null

Find SUID files that are part of GTFO Bins (assumes the previous command is stored in a variable $allsuid)

find $allsuid -perm -4000 -type f -exec ls -la {} \\; 2>/dev/null | grep -w $binarylist 2>/dev/null

Check for SUID files that are world writeable

find $allsuid -perm -4002 -type f -exec ls -la {} 2>/dev/null \;

Check for world writeable SUID files owned by root

find $allsuid -uid 0 -perm -4002 -type f -exec ls -la {} 2>/dev/null \;

Find SGID files

find / -perm -2000 -type f 2>/dev/null

Check for SGID files that are part of GTFO Bins (assumes that the previous commad is store in a variable $allsgid)

find $allsgid -perm -2000 -type f -exec ls -la {} \\; 2>/dev/null | grep -w $binarylist 2>/dev/null

Check for world writeable SGID files

find $allsgid -perm -2002 -type f -exec ls -la {} 2>/dev/null \;

Check for world writeable SGID files owned by root

find $allsgid -uid 0 -perm -2002 -type f -exec ls -la {} 2>/dev/null \;

List all files with POSIX capabilities

getcap -r / 2>/dev/null || /sbin/getcap -r / 2>/dev/null

Search for capability of users

grep -v '^#\\|none\\|^$' /etc/security/capability.conf 2>/dev/null

User Capabilities

if [ "$userswithcaps" ] ; then
#matches the capabilities found associated with users with the current user
matchedcaps=`echo -e "$userswithcaps" | grep \`whoami\` | awk '{print $1}' 2>/dev/null`
    if [ "$matchedcaps" ]; then
        echo -e "\e[00;33m[+] Capabilities associated with the current user:\e[00m\n$matchedcaps"
        echo -e "\n"
        #matches the files with capapbilities with capabilities associated with the current user
        matchedfiles=`echo -e "$matchedcaps" | while read -r cap ; do echo -e "$fileswithcaps" | grep "$cap" ; done 2>/dev/null`
        if [ "$matchedfiles" ]; then
            echo -e "\e[00;33m[+] Files with the same capabilities associated with the current user (You may want to try abusing those capabilties):\e[00m\n$matchedfiles"
            echo -e "\n"
            #lists the permissions of the files having the same capabilies associated with the current user
            matchedfilesperms=`echo -e "$matchedfiles" | awk '{print $1}' | while read -r f; do ls -la $f ;done 2>/dev/null`
            echo -e "\e[00;33m[+] Permissions of files with the same capabilities associated with the current user:\e[00m\n$matchedfilesperms"
            echo -e "\n"
            if [ "$matchedfilesperms" ]; then
                #checks if any of the files with same capabilities associated with the current user is writable
                writablematchedfiles=`echo -e "$matchedfiles" | awk '{print $1}' | while read -r f; do find $f -writable -exec ls -la {} + ;done 2>/dev/null`
                if [ "$writablematchedfiles" ]; then
                    echo -e "\e[00;33m[+] User/Group writable files with the same capabilities associated with the current user:\e[00m\n$writablematchedfiles"
                    echo -e "\n"
                fi
            fi
        fi
    fi
fi

Search for readable private keys

grep -rl "PRIVATE KEY-----" /home 2>/dev/null

Search for AWS keys

grep -rli "aws_secret_access_key" /home 2>/dev/null

Search for git creds

find / -name ".git-credentials" 2>/dev/null

List all world writeable files excluding those in /proc and /sys

find / ! -path "*/proc/*" ! -path "/sys/*" -perm -2 -type f -exec ls -la {} 2>/dev/null \;

List any .plan files

find /home -iname *.plan -exec ls -la {} \; -exec cat {} 2>/dev/null \;

List any .plan files (BSD)

find /usr/home -iname *.plan -exec ls -la {} \; -exec cat {} 2>/dev/null \;

Find and print any .rhost files

find /home -iname *.rhosts -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;

Find and print any .rhost files (BSD)

find /usr/home -iname *.rhosts -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;

TODO

find /etc -iname hosts.equiv -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;

Print /etc/exports

ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null

Print /etc/fstab

cat /etc/fstab 2>/dev/null

Look for creds in /etc/fstab

grep username /etc/fstab 2>/dev/null |awk '{sub(/.*\username=/,"");sub(/\,.*/,"")}1' 2>/dev/null| xargs -r echo username: 2>/dev/null; grep password /etc/fstab 2>/dev/null |awk '{sub(/.*\password=/,"");sub(/\,.*/,"")}1' 2>/dev/null| xargs -r echo password: 2>/dev/null; grep domain /etc/fstab 2>/dev/null |awk '{sub(/.*\domain=/,"");sub(/\,.*/,"")}1' 2>/dev/null| xargs -r echo domain: 2>/dev/null

Looking for creds in /etc/fstab round 2

grep cred /etc/fstab 2>/dev/null |awk '{sub(/.*\credentials=/,"");sub(/\,.*/,"")}1' 2>/dev/null | xargs -I{} sh -c 'ls -la {}; cat {}' 2>/dev/null

Search conf files for a given keyword stored in $keyword

find / -maxdepth 4 -name *.conf -type f -exec grep -Hn $keyword {} \; 2>/dev/null

Search php files for a given keyword stored in $keyword

find / -maxdepth 10 -name *.php -type f -exec grep -Hn $keyword {} \; 2>/dev/null

Search log files for a given keyword stored in $keyword

find / -maxdepth 4 -name *.log -type f -exec grep -Hn $keyword {} \; 2>/dev/null

Search ini files for a given keyword stored in $keyword

find / -maxdepth 4 -name \*.ini -type f -exec grep -Hn $keyword {} \\; 2>/dev/null

Get all conf files from /etc/

find /etc/ -maxdepth 1 -name *.conf -type f -exec ls -la {} \; 2>/dev/null

Get all current user history files

ls -la ~/.*_history 2>/dev/null

Attempt to get root's history

ls -la /root/.*_history 2>/dev/null

Find and print all .bash_history files that are readable

find /home -name .bash_history -print -exec cat {} 2>/dev/null \;

Find any .bak files

find / -name *.bak -type f 2</dev/null

Check if there is any readable mail

ls -la /var/mail 2>/dev/null

Check if root has mail that can be read by the current user

head /var/mail/root 2>/dev/null

Docker

Check if current environment is a docker instance

grep -i docker /proc/self/cgroup  2>/dev/null; find / -name "*dockerenv*" -exec ls -la {} \; 2>/dev/null

Check if docker is installed and if there are any instances

docker --version 2>/dev/null; docker ps -a 2>/dev/null

Check if the current user is in the docker group

id | grep -i docker 2>/dev/null

Find Dockerfile files

find / -name Dockerfile -exec ls -l {} 2>/dev/null \;

Find docker-compose.yml files

find / -name docker-compose.yml -exec ls -l {} 2>/dev/null \;

LXC Container

Check if current environment is a LXC container

grep -qa container=lxc /proc/1/environ 2>/dev/null

Check if current user is in the lxd group

id | grep -i lxd 2>/dev/null

TODO

Go through and explain why these each check can be helpful. (Some are obvious.)

PreviousPrivilege Escalation Scripts NextHosting Files

Last updated 4 years ago

Was this helpful?