Table of Contents
Manual Enumeration Commands (Linux)
- 1. Find binaries with special permissions
- 2. Check binary capabilities
- 3. List all running processes
- 4. List listening TCP sockets and their associated processes
- 5. Review scheduled tasks (cron jobs)
- 6. Find writable directories and files
- 7. Find files that may contain passwords
- 8. Find files belonging to a specific group
- Useful Tools for Privilege Escalation on Linux
Manual Enumeration Commands (Linux)
1. Find binaries with special permissions
SUID binaries (execute with the file owner's privileges):
find / -type f -perm -4000 -ls 2>/dev/null
find / -perm -u=s 2>/dev/null
SGID binaries (execute with the group's privileges):
find / -type f -perm -g+s 2>/dev/null
2. Check binary capabilities
getcap -r / 2>/dev/null
/usr/sbin/getcap -r / 2>/dev/null
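The two checks above are most useful to a defender when run repeatedly against a known-good baseline. The following script is an added example, not part of the original page: it wraps the SUID/SGID and getcap enumeration into sorted lists and reports any binary that gained special permissions or capabilities since the baseline was recorded. Paths such as /var/lib/audit are assumed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): baseline-and-diff audit of
# SUID/SGID binaries and file capabilities. Record a baseline on a known-good
# host, re-run later, and alert on anything new.

# List SUID/SGID regular files under $1 (default /), one path per line.
# Pseudo-filesystems and other mounts are skipped; output is sorted for comm(1).
scan_special_perms() {
    root="${1:-/}"
    find "$root" -xdev \
        \( -path /proc -o -path /sys -o -path /dev -o -path /run \) -prune -o \
        -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# List files carrying capabilities under $1 (default /), as getcap prints them.
# Assumes getcap is installed (libcap); output is empty otherwise.
scan_capabilities() {
    getcap -r "${1:-/}" 2>/dev/null | sort
}

# Print entries present in the current scan ($2) but absent from the baseline
# ($1). Both inputs must be sorted files. Exit status is 0 when something new
# appeared and 1 when the scan matches the baseline, so it can gate an alert.
report_unexpected() {
    comm -13 "$1" "$2" | grep .
}

# Usage (hypothetical paths):
#   scan_special_perms > /var/lib/audit/suid.baseline      # on a known-good host
#   scan_capabilities  > /var/lib/audit/caps.baseline
#   scan_special_perms > /tmp/suid.now
#   report_unexpected /var/lib/audit/suid.baseline /tmp/suid.now && echo "ALERT: new SUID/SGID binary"
```

Because the lists are sorted and diffed with comm(1), the report stays quiet on an unchanged host and names only the newly privileged paths.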
3. List all running processes
ps -faux
4. List listening TCP sockets and their associated processes
ss -nltp
5. Review scheduled tasks (cron jobs)
cat /etc/crontab
6. Find writable directories and files
Writable directories:
find / -type d -writable | grep -v -E "proc|dev"
Writable files:
find / -type f -writable | grep -v -E "proc|dev"
Writable files excluding system directories:
find / -writable ! -path '/proc*' ! -path '/run*' ! -path '/sys*' ! -path '/dev*' -type f 2>/dev/null
7. Find files that may contain passwords
Search text files for keywords like password or secret:
grep -r -i "password\|secret" / 2>/dev/null
Just list filenames that contain these keywords:
grep -rl -i "password\|secret" / 2>/dev/null
8. Find files belonging to a specific group
Find all files and folders of a group:
find / -group groupname 2>/dev/null
Limit search to home and var folders:
find /home /var -group groupname 2>/dev/null
Useful Tools for Privilege Escalation on Linux
LinPEAS
Scans the system for possible escalation vectors, including insecure configurations, SUID binaries, running processes, and more.
GitHub Repository: https://github.com/carlospolop/PEASS-ng
Download:
wget -q https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
Linux Smart Enumeration (LSE)
A script that enumerates system configurations and potential privilege escalation paths efficiently.
GitHub Repository: https://github.com/diego-treitos/linux-smart-enumeration
Download:
wget "https://github.com/diego-treitos/linux-smart-enumeration/releases/latest/download/lse.sh" -O lse.sh; chmod 700 lse.sh
or
curl "https://github.com/diego-treitos/linux-smart-enumeration/releases/latest/download/lse.sh" -Lo lse.sh; chmod 700 lse.sh
pspy
Monitors running processes in real-time without requiring elevated privileges; useful for detecting scheduled tasks or suspicious activity.
GitHub Repository: https://github.com/DominicBreuker/pspy
Download:
wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy64
GTFOBins
Not a tool, but an essential reference listing SUID binaries that can be abused for privilege escalation.
Official Site: https://gtfobins.github.io/
Linux Exploit Suggester
Helps identify potential kernel exploits applicable to the system version.
GitHub Repository: https://github.com/mzet-/linux-exploit-suggester
Download:
wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh -O les.sh