Below is my OSCP Basic Enumeration checklist for privilege escalation:
Most of the reconnaissance steps/ideas mentioned here are what I learned during my OSCP journey from blogs on the Internet.
INDEX
- Windows Enumeration
- Linux Enumeration
Windows Enumeration:
Basic Enumeration
OS Information
systeminfotype c:\windows\system32\eula.txthostnametype c:\windows\inf\layout.inftype c:\windows/System32/license.rtf
Who am I?
whoamiecho %username%
List users/localgroups on the machine
net usersnet localgroup
View user’s information. Check if the user has privileges
net user <user1>View Domain Groups
net group /domainNetwork information
ipconfig /allroute printarp -A
Active network connections
netstat -anoFirewall rules (These netsh commands are only available on Windows XP SP2 and upwards)
netsh firewall show statenetsh firewall show config
All Scheduled tasks, Running processes to started services, Started services, Installed drivers (Some 3rd party drivers, even by reputable companies, contain more holes than Swiss cheese.)
schtasks /query /fo LIST /vtasklist /SVCnet startDRIVERQUERY
Search for cleartext passwords
find /I password *.txt
find /I password *.xml
find /I password *.ini#Find all these strings in config files
dir /s *pass* == *cred* == *vnc* == *.config*#Find password string in all files.
findstr /spin “password” *.*
findstr /spin “password” *.*
These are common files to find passwords. They might be base64-encoded. So look out for that.
c:\sysprep.inf
c:\sysprep\sysprep.xml
c:\unattend.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml
dir c:\*vnc.ini /s /b
dir c:\*ultravnc.ini /s /b
dir c:\ /s /b | findstr /si *vnc.iniSearch for passwords in Registry
VNC
reg query "HKCU\Software\ORL\WinVNC3\Password"
Windows autologin
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
SNMP Parameters
reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP"
Putty
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
Search for ‘password’ in registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
Weak Service Permissions
If you find a service that has write permissions set to everyone you can change that binary into your custom binary and make it execute in the privileged context.
This can be done using wmci (for newer versions) or sc.exe (for older versions).
WMIC
wmic service list brief
Details steps: https://github.com/xapax/security/blob/master/privilege_escalation_windows.md#weak-service-permissions
Unquoted Service Paths
Find services with unquoted Paths
Detailed steps:
https://github.com/xapax/security/blob/master/privilege_escalation_windows.md#unquoted-service-paths
Linux
Kernel, OS & Device Information
#Can the current user perform anything as root
sudo -l#Print all available system information
uname -a#Kernel release
uname -r#System hostname
uname -n
hostname#Linux Kernel Architecture (32 or 64 bit)
uname -m#Kernel information
cat /proc/version#Distribution information
cat /etc/*-release
cat /etc/issue#CPU information
cat /proc/cpuinfo#File system information
df -a
Users & Groups
#List all users on the system
cat /etc/passwd#List all groups on the system
cat /etc/group#List all UID’s and respective memberships
for i in $(cat /etc/passwd 2>/dev/null| cut -d”:” -f1 2>/dev/null);do id $i;done 2>/dev/null#Show user hashes — (Privileged command)
cat /etc/shadow#List all super user accounts
grep -v -E “^#” /etc/passwd | awk -F: ‘$3 == 0 { print $1}’#Users currently logged in
finger
pinky
users
who -a#Who is currently logged in and what they are doing
w#Listing of last logged on users
last#Information on when all users last logged in
lastlog#Information on when the specified user last logged in
lastlog -u <username>#Entire list of previously logged on users
lastlog | grep -v “Never”
User & Privilege Information
#Current username
whoami#Current user information
id#Who is allowed to do what as root — Privileged command
cat /etc/sudoers#Can the current user perform anything as root
sudo -l#Can the current user run any ‘interesting’ binaries as root and if so also display the binary permissions etc.
sudo -l 2>/dev/null | grep -w ‘nmap|perl|’awk’|’find’|’bash’|’sh’|’man’|’more’|’less’|’vi’|’vim’|’nc’|’netcat’|python |ruby|lua|irb’ | xargs -r ls -la 2>/dev/null
Environment Information
#Display environmental variables
env
set#Path information
echo $PATH#Displays command history of current user
history#Print working directory, that is, where am I
pwd#Display default system variables
cat /etc/profiles#Display available shells
cat /etc/shells
Service Information
#View services running as root
ps aux | grep root#Lookup process binary path and permissions
ps aux | awk ‘{print $11}’|xargs -r ls -la 2>/dev/null |awk ‘!x[$0]++’#List services managed by inetd
cat /etc/inetd.conf#As above for xinetd
cat /etc/xinetd.conf#A very ‘rough’ command to extract associated binaries from xinetd.conf and show permissions of each
cat /etc/xinetd.conf 2>/dev/null | awk ‘{print $7}’ |xargs -r ls -la 2>/dev/null#Permissions and contents of /etc/exports (NFS)
ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null
Jobs/Tasks
#Display scheduled jobs for the specified user — Privileged comamand
crontab -l -u <username>#Scheduled jobs overview
ls -la /etc/cron*#What can ‘others’ write in /etc/cron* directories
ls -aRl /etc/cron* | awk ‘$1 ~ /w.$/’ 2>/dev/null#List of current tasks
top
Networking, Routing & Communications
#List of network interfaces
/sbin/ifconfig -a#As above
cat /etc/network/interfaces#Display ARP communications
arp -a#Display route information
route#Display routing table entry. Also to find-out router’s IP address.
ip route #Show configured DNS server addresses
cat /etc/resolv.conf#List all TCP sockets and related PIDs (-p Privileged command)
netstat -antp#List all TCP sockets and related PIDs (-p Privileged command)
netstat -anup#List rules — Privileged command
iptables -L#View port numbers/services mappings
cat /etc/services
Programs Installed
#Installed packages (Debian)
dpkg -l#Installed packages (Red Hat)
rpm -qa#sudo version — does an exploit exist?
sudo -V#Apache version
httpd -v
apache2 -v#List loaded Apache modules
apache2ctl (or apachectl) -M#Installed MYSQL version details
mysql — version#Installed Postgres version details
psql -V#Installed Perl version details
perl -v#Installed Java version details
java -version#Installed Python version details
python — version#Installed Ruby version details
ruby -v#Locate ‘useful’ programs (netcat, wget etc)
find / -name %program_name% 2>/dev/null
(i.e. nc, netcat, wget, nmap etc)
which %program_name% (i.e. nc, netcat, wget, nmap etc)#List available compilers
dpkg — list 2>/dev/null| grep compiler |grep -v decompiler 2>/dev/null && yum list installed ‘gcc*’ 2>/dev/null| grep gcc 2>/dev/null#Which account is Apache running as
cat /etc/apache2/envvars 2>/dev/null |grep -i ‘user|group’ |awk ‘{sub(/.*export /,””)}1’#Check installed applications, if found search for their exploit
cd /var; ls
Search for interesting files
#Find SUID files
find / -perm -4000 -type f 2>/dev/null#Find SUID files owned by root
find / -uid 0 -perm -4000 -type f 2>/dev/null#Find GUID files
find / -perm -2000 -type f 2>/dev/null#Find world-writable files
find / -perm -2 -type f 2>/dev/null#Find world-writable files excluding those in /proc
find / ! -path “*/proc/*” -perm -2 -type f -print 2>/dev/null#Find world-writable directories
find / -perm -2 -type d 2>/dev/null#Find rhost config files
find /home –name *.rhosts -print 2>/dev/null#Find *.plan files, list permissions and cat the file contents
find /home -iname *.plan -exec ls -la {} ; -exec cat {} 2>/dev/null ;#Find hosts.equiv, list permissions and cat the file contents
find /etc -iname hosts.equiv -exec ls -la {} 2>/dev/null ; -exec cat {} 2>/dev/null ;#Check if you can access other user directories to find interesting files
ls -ahlR /root/#Show the current user’s command history
cat ~/.bash_history#Show current user’s various history files
ls -la ~/.*_history#Can we read root’s history files
ls -la /root/.*_history#Check for interesting ssh files in the current user’s directory
ls -la ~/.ssh/#Find SSH keys/host information
find / -name “id_dsa*” -o -name “id_rsa*” -o -name “known_hosts” -o -name “authorized_hosts” -o -name “authorized_keys” 2>/dev/null |xargs -r ls -la#Check Configuration of inetd services
ls -la /usr/sbin/in.*#Check log files for keywords (‘pass’ in this example) and show positive matches
grep -l -i pass /var/log/*.log 2>/dev/null#List files in specified directory (/var/log)
find /var/log -type f -exec ls -la {} ; 2>/dev/null#List .log files in specified directory (/var/log)
find /var/log -name *.log -type f -exec ls -la {} ; 2>/dev/null#List .conf files in /etc (recursive 1 level)
find /etc/ -maxdepth 1 -name *.conf -type f -exec ls -la {} ; 2>/dev/null
ls -la /etc/*.conf#Find .conf files (recursive 4 levels) and output the number where the word ‘password’ is located
find /etc/ -maxdepth 1 -name *.conf -type f -exec ls -la {} ; 2>/dev/null#List open files (output will depend on account privileges)
lsof -I -n#Can we read roots mail
head /var/mail/root#To identify the binary capability files with the help of getcap. Source: https://www.hackingarticles.in/lightweight-hack-the-box-walkthrough/
getcap -r / 2>/dev/null
More Commands: https://recipeforroot.com/bonus-linux-commands/
