Enumeration strategies

Linux systems present a deceptively simple privilege model compared to Windows, but that simplicity hides numerous attack vectors rooted in file permissions, process inheritance, and configuration mismanagement. The key to successful Linux privilege escalation is systematic enumeration that adapts to your current user context, followed by methodical escalation.

Whether you're operating as a web service account like www-data, a database user like mysql, or a restricted shell user, your enumeration approach must adapt to what the system reveals under that specific context.

Enumeration is not a one-time step: repeat it after every privilege gain. Each new user context, group membership, or capability unlocks different files, processes, and attack vectors.

Enumeration Mindset

  • Always adapt to context. What works for root will not work for www-data, and what mysql can access differs entirely from a standard user account.

  • Repeat enumeration after any privilege or context change: new group memberships unlock different attack paths.

  • Leverage both built-in tools (find, ps, ls) and external tools if allowed (e.g., LinPEAS, LinEnum, pspy).

  • Record everything. A detail as small as /tmp being writable, or /var/tmp lacking its sticky bit, can be the key to root access.

  • Focus on file permissions. Unlike Windows, where the registry adds its own complexity, Linux attacks center on who can read, write, or execute which files.

  • Think in terms of file system hierarchy. Most privilege escalation involves moving up the file system permission chain or hijacking trusted execution paths.


1. System Information and Context

Basic System Information

Current User and Groups:

System Details:

Hardware and Environment:

How This Benefits Attack Identification:

  • User Groups: Membership in docker/lxd groups enables container escape attacks

  • Kernel Version: Older kernels may be vulnerable to known exploits (Dirty COW, etc.)

  • Architecture: Ensures exploit compatibility for kernel attacks

  • Environment Variables: LD_PRELOAD or LD_LIBRARY_PATH being set points to shared library hijacking opportunities

  • Distribution: Different distros have different default configurations and paths


2. SUID/SGID Binary Discovery

Finding Elevated Binaries

SUID/SGID Binary Enumeration:

Binary Analysis:

How This Benefits Attack Identification:

  • Non-standard SUID binaries: Custom applications often have privilege escalation vulnerabilities

  • Unusual ownership: SUID binaries not owned by root may be exploitable

  • Common exploitable binaries: Programs such as nmap, vim, or less with the SUID bit set can provide shell access

  • Capabilities: Binaries with specific capabilities (CAP_SETUID) can be abused for escalation
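An added example (not code from the original page) of the baseline check a defender would run on the SUID/SGID findings above: every setuid or setgid file under a tree is compared against a list of expected paths, anything not on the list or not owned by root is flagged, and file capabilities are listed when getcap is available. The function names, the baseline-file format and the constructed demo tree are assumptions of this example.

```shell
# Added example: compare SUID/SGID binaries against a baseline of expected paths.
# Arguments: $1 = directory to scan, $2 = baseline file (one absolute path per line).
audit_suid() {
  root=$1
  baseline=${2:-}
  find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
  while IFS= read -r f; do
    mode=$(ls -ld "$f" | cut -c1-10)          # e.g. -rwsr-xr-x
    owner=$(ls -ld "$f" | awk '{print $3}')
    status=expected
    if [ -z "$baseline" ] || ! grep -qxF "$f" "$baseline"; then
      status=UNEXPECTED                        # not in the approved list
    fi
    [ "$owner" = root ] || status="$status,NONROOT-OWNER"
    printf '%s %s %s %s\n' "$status" "$mode" "$owner" "$f"
  done
  # File capabilities are a second route to elevated privilege (see section 9).
  if command -v getcap >/dev/null 2>&1; then
    getcap -r "$root" 2>/dev/null | sed 's/^/CAPABILITY /'
  fi
}

# Constructed demo tree (hypothetical): one setuid file, one plain file,
# and a baseline that lists neither, so the setuid file is reported UNEXPECTED.
demo_suid() {
  d=$(mktemp -d)
  : > "$d/helper"; chmod 4755 "$d/helper"
  : > "$d/plain";  chmod 0755 "$d/plain"
  printf '%s\n' "/usr/bin/passwd" > "$d/baseline.txt"
  audit_suid "$d" "$d/baseline.txt"
  rm -rf "$d"
}
demo_suid
```

On a real host the scan root would be / and the baseline the list recorded at build time; any new line in the UNEXPECTED state is what needs explaining.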


3. Sudo Configuration Analysis

Sudo Permission Discovery

Current User Sudo Rights:

Sudo Configuration Files:

Advanced Sudo Analysis:

How This Benefits Attack Identification:

  • Wildcard Permissions: sudo rules with wildcards can often be bypassed

  • NOPASSWD Entries: Commands that don't require passwords are prime targets

  • Specific Binary Permissions: sudo access to editors, compilers, or interpreters enables escalation

  • Environment Preservation: sudo configurations that preserve environment variables enable exploitation
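An added example (not code from the original page) of a static review of a sudoers file for the four conditions listed above: NOPASSWD entries, wildcards in command arguments, unrestricted ALL rules, and Defaults lines that preserve environment variables. The function names and the sample sudoers content are constructed for this example; the function reads whatever file path it is given, so a copy of /etc/sudoers or a sudoers.d fragment can be reviewed offline.

```shell
# Added example: flag risky patterns in a sudoers file given as $1.
audit_sudoers() {
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}                                  # drop comments (and #include lines)
    case "$line" in *[![:space:]]*) ;; *) continue ;; esac
    case "$line" in
      Defaults*)                                      # environment handling lives in Defaults
        case "$line" in
          *env_keep*|*'!env_reset'*|*setenv*) printf 'ENV-PRESERVED: %s\n' "$line" ;;
        esac
        continue ;;
    esac
    # Everything below is a user specification: who  host=(runas)  commands
    case "$line" in *NOPASSWD:*) printf 'NOPASSWD: %s\n' "$line" ;; esac
    case "$line" in *'*'*|*'?'*)  printf 'WILDCARD: %s\n' "$line" ;; esac
    if printf '%s\n' "$line" | grep -Eq '[[:space:]:]ALL[[:space:]]*$'; then
      printf 'FULL-SUDO: %s\n' "$line"                # command list is ALL
    fi
  done < "$1"
}

# Constructed sample sudoers (hypothetical, not a real configuration).
write_sample_sudoers() {
  cat > "$1" <<'EOF'
# constructed sample
Defaults env_reset
Defaults env_keep += "LD_PRELOAD"
root     ALL=(ALL:ALL) ALL
deploy   ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
backup   ALL=(root) /usr/bin/tar -czf /backup/*.tgz /var/www
www-data ALL=(root) NOPASSWD: /usr/bin/vim
alice    ALL=(ALL) ALL
EOF
}
tmp=$(mktemp); write_sample_sudoers "$tmp"; audit_sudoers "$tmp"; rm -f "$tmp"
```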


4. Cron Job and Scheduled Task Analysis

Scheduled Task Discovery

System-wide Cron Jobs:

User Cron Jobs:

Systemd Timers (Modern Alternative to Cron):

Cron Job Permission Analysis:

How This Benefits Attack Identification:

  • Writable Cron Scripts: Scripts with weak permissions can be modified for privilege escalation

  • Root Cron Jobs: Tasks running as root that execute modifiable scripts

  • Path Issues: Cron jobs that invoke commands by relative path, or run without a PATH set, can be hijacked

  • Wildcard Usage: Cron jobs using wildcards in file operations can be exploited
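An added example (not code from the original page) of a permission review over a system crontab covering the four points above: commands given by relative path, wildcards in arguments, scripts writable by group or others, and scripts that live in a world-writable directory without the sticky bit. Function names, the sample crontab and its scripts are constructed for this example.

```shell
# Added example: review a system-format crontab ($1) and flag weak entries.
# Handles "m h dom mon dow user command" and "@reboot user command" lines.
audit_crontab() {
  file=$1
  set -f                                           # keep "*" fields from globbing
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}
    case "$line" in *[![:space:]]*) ;; *) continue ;; esac
    case "$line" in [A-Za-z_]*=*) continue ;; esac # SHELL=, PATH=, MAILTO=
    set -- $line
    case "$1" in @*) n=2 ;; *) n=6 ;; esac         # fields before the command
    [ $# -gt "$n" ] || continue
    shift "$n"
    cmd=$1; cmdline="$*"
    case "$cmdline" in *'*'*) printf 'WILDCARD: %s\n' "$cmdline" ;; esac
    case "$cmd" in /*) ;; *) printf 'RELATIVE-PATH: %s\n' "$cmdline"; continue ;; esac
    [ -e "$cmd" ] || { printf 'MISSING: %s\n' "$cmd"; continue; }
    mode=$(ls -ld "$cmd" | cut -c1-10)             # -rwxrwxrwx style string
    case "$mode" in ?????w????) printf 'GROUP-WRITABLE: %s\n' "$cmd" ;; esac
    case "$mode" in ????????w?) printf 'WORLD-WRITABLE: %s\n' "$cmd" ;; esac
    dmode=$(ls -ld "$(dirname "$cmd")" | cut -c1-10)
    case "$dmode" in ????????w[!tT]) printf 'DIR-WORLD-WRITABLE-NO-STICKY: %s\n' "$cmd" ;; esac
  done < "$file"
  set +f
}

# Constructed sample (hypothetical): writes scripts and a crontab into $1.
make_sample_crontab() {
  : > "$1/backup.sh"; chmod 0777 "$1/backup.sh"   # writable by anyone
  : > "$1/rotate.sh"; chmod 0755 "$1/rotate.sh"   # correctly restricted
  cat > "$1/crontab" <<EOF
SHELL=/bin/sh
PATH=/usr/bin:/bin
# constructed sample crontab
*/5 * * * * root $1/backup.sh
0 3 * * * root $1/rotate.sh
@reboot root cleanup.sh --all
15 2 * * * root /usr/bin/tar -czf /var/backups/www.tgz *
EOF
}
d=$(mktemp -d); make_sample_crontab "$d"; audit_crontab "$d/crontab"; rm -rf "$d"
```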


5. File and Directory Permission Analysis

Writable Location Discovery

World-Writable Files and Directories:

System Directory Permissions:

Configuration File Hunting:

Backup and Temporary Files:

How This Benefits Attack Identification:

  • Writable System Directories: Enable file replacement attacks and path hijacking

  • World-Writable Files: Direct modification opportunities for privilege escalation

  • Configuration Files: Often contain passwords, API keys, or sensitive information

  • Backup Files: May contain historical credentials or sensitive data


6. Process and Service Analysis

Running Process Enumeration

Process Analysis:

Service Analysis:

Network Service Enumeration:

How This Benefits Attack Identification:

  • Root Processes: High-value targets for process injection or exploitation

  • Local Services: Services bound to localhost may have weak authentication

  • Service Accounts: Database and web services often run with elevated privileges

  • Unusual Processes: Custom applications may have privilege escalation vulnerabilities


7. Container and Virtualization Analysis

Container Environment Detection

Container Detection:

Container Capability Analysis:

Container Group Membership:

How This Benefits Attack Identification:

  • Container Group Membership: Docker/LXD group membership enables container escape

  • Privileged Containers: Containers with elevated capabilities can be escaped

  • Container Runtime Access: Access to docker.sock or container runtimes enables escape

  • Capability Analysis: Specific capabilities (CAP_SYS_ADMIN) enable various escape techniques


8. Network and SSH Configuration

SSH Configuration Analysis

SSH Service Information:

SSH Key Analysis:

Network Configuration:

How This Benefits Attack Identification:

  • SSH Key Access: Found SSH keys enable lateral movement or privilege escalation

  • SSH Configuration: Weak SSH settings may enable authentication bypass

  • Network Shares: Mounted shares may provide access to sensitive files

  • Local Network Services: Internal services may have weak authentication


9. Capabilities and Security Features

Linux Capabilities Analysis

Current Process Capabilities:

File Capabilities:

Security Feature Status:

How This Benefits Attack Identification:

  • Dangerous Capabilities: CAP_SETUID, CAP_SYS_ADMIN enable various privilege escalation paths

  • Disabled Security: With ASLR disabled, memory-corruption exploitation is easier

  • SELinux/AppArmor: Disabled security modules remove additional protection layers

  • File Capabilities: Binaries with specific capabilities can be abused for escalation


10. Environment and Path Analysis

Environment Variable Investigation

Current Environment:

PATH Analysis:

Library Path Analysis:

How This Benefits Attack Identification:

  • Writable PATH Directories: Enable path hijacking attacks by placing malicious binaries

  • LD_PRELOAD Set: Indicates potential for shared library hijacking

  • LD_LIBRARY_PATH Issues: Writable library paths enable library replacement attacks

  • Relative Paths: The current directory (.) in PATH enables local privilege escalation
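An added example (not code from the original page) that audits a colon-separated search path entry by entry, serving both the PATH and the library-path cases above and the writable-directory points of section 5: it flags empty and "." entries (both resolve to the current directory), relative entries, missing directories, and group- or world-writable directories, reporting a sticky-bit directory separately since that limits what another user can replace. The function name and the constructed directories are assumptions of this example.

```shell
# Added example: audit PATH or LD_LIBRARY_PATH given as $1.
audit_search_path() {
  p=$1
  [ -n "$p" ] || { printf 'EMPTY-PATH\n'; return 0; }
  p="$p:"                                          # so the last element is handled too
  while [ -n "$p" ]; do
    entry=${p%%:*}; p=${p#*:}
    case "$entry" in
      ''|.)  printf 'CURRENT-DIR: "%s"\n' "$entry"; continue ;;
      /*)    ;;
      *)     printf 'RELATIVE: %s\n' "$entry"; continue ;;
    esac
    [ -d "$entry" ] || { printf 'MISSING: %s\n' "$entry"; continue; }
    mode=$(ls -ld "$entry" | cut -c1-10)           # drwxrwxrwt style string
    case "$mode" in ?????w????) printf 'GROUP-WRITABLE: %s\n' "$entry" ;; esac
    case "$mode" in
      ????????w[tT]) printf 'WORLD-WRITABLE-STICKY: %s\n' "$entry" ;;
      ????????w?)    printf 'WORLD-WRITABLE: %s\n' "$entry" ;;
    esac
  done
}

# Constructed demo (hypothetical): a sticky world-writable dir, a plain
# world-writable dir, an empty element, ".", a relative and a missing entry.
d=$(mktemp -d)
mkdir "$d/shared" "$d/bin"; chmod 1777 "$d/shared"; chmod 0777 "$d/bin"
audit_search_path "/usr/bin::/nonexistent/bin:.:tools:$d/shared:$d/bin"
rm -rf "$d"
```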


11. Kernel and System Information

Kernel Vulnerability Assessment

Kernel Version Analysis:

System Uptime and Patch Level:

Hardware and Virtualization:

How This Benefits Attack Identification:

  • Kernel Version: Older kernels may be vulnerable to known exploits (Dirty COW, Dirty Pipe)

  • Missing Mitigations: Kernels running without SMEP/SMAP are easier to exploit

  • Virtualization: VM environments may have different exploit requirements

  • Long Uptime: Systems not rebooted recently may still be running an old, unpatched kernel even if updates have been installed
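An added example (not code from the original page) that reports the kernel-side protections referred to in section 9 (ASLR, active security modules) and here (SMEP/SMAP): the CPU flags, randomize_va_space, kptr_restrict and the active LSM list are read from the files that expose them. The file paths are passed as parameters so the function works on a live /proc and /sys or on copies collected elsewhere; the function name and the sample files are constructed for this example.

```shell
# Added example: report exploit mitigations from the files that expose them.
# $1 = /proc/cpuinfo  $2 = /proc/sys/kernel/randomize_va_space
# $3 = /proc/sys/kernel/kptr_restrict  $4 = /sys/kernel/security/lsm
report_mitigations() {
  cpuinfo=$1; aslr=$2; kptr=$3; lsmfile=$4
  for flag in nx smep smap pti; do              # pti = kernel page-table isolation
    if grep -m1 '^flags' "$cpuinfo" 2>/dev/null | grep -qw "$flag"; then
      printf '%s: present\n' "$flag"
    else
      printf '%s: MISSING\n' "$flag"
    fi
  done
  case "$(cat "$aslr" 2>/dev/null)" in
    2) printf 'aslr: full\n' ;;
    1) printf 'aslr: PARTIAL (brk not randomised)\n' ;;
    *) printf 'aslr: DISABLED\n' ;;
  esac
  case "$(cat "$kptr" 2>/dev/null)" in
    1|2) printf 'kptr_restrict: set\n' ;;
    *)   printf 'kptr_restrict: UNSET (kernel addresses readable)\n' ;;
  esac
  lsm=$(cat "$lsmfile" 2>/dev/null)
  printf 'lsm: %s\n' "${lsm:-none reported}"    # e.g. capability,yama,apparmor
}

# Constructed sample files (hypothetical) standing in for a hardened host.
d=$(mktemp -d)
printf 'flags\t\t: fpu vme nx smep smap pti\n' > "$d/cpuinfo"
printf '2\n' > "$d/aslr"; printf '1\n' > "$d/kptr"
printf 'lockdown,capability,yama,apparmor\n' > "$d/lsm"
report_mitigations "$d/cpuinfo" "$d/aslr" "$d/kptr" "$d/lsm"
rm -rf "$d"
```

On a live host call it with the four real paths; every line printed in capitals is a protection that is absent or weakened.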
