This guide is currently under development, and I greatly welcome any suggestions or feedback or at reaper.gitbook@gmail.com

Enumeration strategies

Linux systems present a deceptively simple privilege model compared to Windows, but this simplicity hides numerous attack vectors rooted in file permissions, process inheritance, and configuration mismanagement. The key to successful Linux privilege escalation lies in systematic enumeration that adapts to your current user context and escalates methodically.

Whether you're operating as a web service account like www-data, a database user like mysql, or a restricted shell user, your enumeration approach must adapt to what the system reveals under that specific context.

Enumeration is not a one-time step—it should be repeated after every privilege gain. Each new user context, group membership, or capability unlocks different files, processes, and attack vectors.

Enumeration Mindset

  • Always adapt to context. What works for root will not work for www-data, and what mysql can access differs entirely from a standard user account.

  • Repeat enumeration after any privilege or context change—new group memberships unlock different attack paths.

  • Leverage both built-in tools (find, ps, ls) and external tools if allowed (e.g., LinPEAS, LinEnum, pspy).

  • Log everything. The difference between /tmp being writable vs /var/tmp having sticky bit issues can be the key to root access.

  • Focus on file permissions. Unlike Windows registry complexity, Linux attacks center on who can read/write/execute what files.

  • Think in terms of file system hierarchy. Most privilege escalation involves moving up the file system permission chain or hijacking trusted execution paths.

1. System Information and Context

Basic System Information

Current User and Groups:

# Current user context
whoami
id
groups
getent passwd $(whoami)

# Check if current user is in interesting groups
groups | grep -E "(wheel|sudo|admin|docker|lxd|disk|video|audio)"

# List all users on system
cat /etc/passwd
getent passwd

# Check for other logged in users
w
who
last

System Details:

# OS information
uname -a
cat /etc/os-release
cat /etc/issue
lsb_release -a

# Architecture and kernel
uname -m
uname -r
cat /proc/version

# Hostname and domain
hostname
hostname -f
cat /etc/hosts
cat /etc/resolv.conf

Hardware and Environment:

# CPU information
cat /proc/cpuinfo
nproc

# Memory information
cat /proc/meminfo
free -h

# Disk information
df -h
lsblk
cat /proc/mounts

# Environment variables
env
printenv
echo $PATH
echo $LD_LIBRARY_PATH
echo $LD_PRELOAD

How This Benefits Attack Identification:

  • User Groups: Membership in docker/lxd groups enables container escape attacks

  • Kernel Version: Older kernels vulnerable to known exploits (dirty cow, etc.)

  • Architecture: Ensures exploit compatibility for kernel attacks

  • Environment Variables: LD_PRELOAD/LD_LIBRARY_PATH set for shared library hijacking

  • Distribution: Different distros have different default configurations and paths

2. SUID/SGID Binary Discovery

Finding Elevated Binaries

SUID/SGID Binary Enumeration:

# Find all SUID binaries
find / -type f -perm -4000 2>/dev/null
find / -type f -perm -u=s 2>/dev/null

# Find all SGID binaries
find / -type f -perm -2000 2>/dev/null
find / -type f -perm -g=s 2>/dev/null

# Find both SUID and SGID
find / -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null

# More detailed SUID/SGID search with file info
find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -la {} \; 2>/dev/null

# Check specific common locations
ls -la /usr/bin/ | grep "^-r.s"
ls -la /usr/sbin/ | grep "^-r.s"
ls -la /bin/ | grep "^-r.s"
ls -la /sbin/ | grep "^-r.s"

Binary Analysis:

# Check if binaries are custom or unusual
find / -type f -perm -4000 2>/dev/null | xargs ls -la | grep -v -E "(sudo|su|passwd|ping|mount|umount)"

# Check binary capabilities (if system supports)
getcap -r / 2>/dev/null

# Verify binary ownership and check for tampering
find / -type f -perm -4000 ! -user root 2>/dev/null

How This Benefits Attack Identification:

  • Non-standard SUID binaries: Custom applications often have privilege escalation vulnerabilities

  • Unusual ownership: SUID binaries not owned by root may be exploitable

  • Common exploitable binaries: Programs like nmap, vim, less with SUID can provide shell access

  • Capabilities: Binaries with specific capabilities (CAP_SETUID) can be abused for escalation

3. Sudo Configuration Analysis

Sudo Permission Discovery

Current User Sudo Rights:

# Check current user's sudo permissions
sudo -l

# Check sudo configuration without password prompt
sudo -n -l 2>/dev/null

# Check if user can run sudo without password
sudo -n true 2>/dev/null && echo "Passwordless sudo available"

# Check sudo version for vulnerabilities
sudo --version

Sudo Configuration Files:

# Main sudo configuration
cat /etc/sudoers 2>/dev/null

# Additional sudo configuration files
cat /etc/sudoers.d/* 2>/dev/null
find /etc/sudoers.d/ -type f 2>/dev/null

# Check for sudo logs
cat /var/log/sudo.log 2>/dev/null
cat /var/log/auth.log | grep sudo 2>/dev/null

Advanced Sudo Analysis:

# Check for sudo group members
getent group sudo
getent group wheel
getent group admin

# Check for wildcard permissions in sudo config
grep -r "ALL" /etc/sudoers* 2>/dev/null
grep -r "\*" /etc/sudoers* 2>/dev/null

# Look for NOPASSWD entries
grep -r "NOPASSWD" /etc/sudoers* 2>/dev/null

How This Benefits Attack Identification:

  • Wildcard Permissions: sudo rules with wildcards can often be bypassed

  • NOPASSWD Entries: Commands that don't require passwords are prime targets

  • Specific Binary Permissions: sudo access to editors, compilers, or interpreters enables escalation

  • Environment Preservation: sudo configurations that preserve environment variables enable exploitation

4. Cron Job and Scheduled Task Analysis

Scheduled Task Discovery

System-wide Cron Jobs:

# System cron directories
ls -la /etc/cron.d/
ls -la /etc/cron.daily/
ls -la /etc/cron.hourly/
ls -la /etc/cron.monthly/
ls -la /etc/cron.weekly/

# Main cron configuration files
cat /etc/crontab
cat /etc/anacrontab 2>/dev/null

# Check all files in cron directories
find /etc/cron* -type f -exec cat {} \; 2>/dev/null

User Cron Jobs:

# Current user's cron jobs
crontab -l

# All user cron jobs (if accessible)
cat /var/spool/cron/crontabs/* 2>/dev/null
ls -la /var/spool/cron/crontabs/ 2>/dev/null

# Check for cron log files
cat /var/log/cron 2>/dev/null
cat /var/log/cron.log 2>/dev/null

Systemd Timers (Modern Alternative to Cron):

# List systemd timers
systemctl list-timers
systemctl list-timers --all

# Check timer configuration files
find /etc/systemd/system -name "*.timer" -exec cat {} \; 2>/dev/null
find /lib/systemd/system -name "*.timer" -exec cat {} \; 2>/dev/null

Cron Job Permission Analysis:

# Check permissions on cron scripts
find /etc/cron* -type f -executable -ls 2>/dev/null

# Look for writable cron scripts
find /etc/cron* -type f -writable 2>/dev/null
find /etc/cron* -type f -perm -002 2>/dev/null

# Check for scripts referenced in cron jobs
grep -r "\.sh\|\.py\|\.pl" /etc/cron* 2>/dev/null

How This Benefits Attack Identification:

  • Writable Cron Scripts: Scripts with weak permissions can be modified for privilege escalation

  • Root Cron Jobs: Tasks running as root that execute modifiable scripts

  • Path Issues: Cron jobs using relative paths or missing PATH can be hijacked

  • Wildcard Usage: Cron jobs using wildcards in file operations can be exploited

5. File and Directory Permission Analysis

Writable Location Discovery

World-Writable Files and Directories:

# Find world-writable directories
find / -type d -perm -002 2>/dev/null

# Find world-writable files
find / -type f -perm -002 2>/dev/null

# Find files writable by current user
find / -type f -writable 2>/dev/null

# Find directories writable by current user
find / -type d -writable 2>/dev/null

System Directory Permissions:

# Check permissions on important system directories
ls -ld /etc /tmp /var/tmp /dev/shm
ls -ld /usr/bin /usr/sbin /bin /sbin
ls -ld /var/log /var/lib /var/run

# Check for writable system directories
find /etc /usr /var -type d -writable 2>/dev/null

# Look for unusual permissions on system files
find /etc -type f -perm -002 2>/dev/null

Configuration File Hunting:

# Common configuration files
find /etc -type f -name "*.conf" 2>/dev/null
find /etc -type f -name "*.cfg" 2>/dev/null
find /etc -type f -name "*.config" 2>/dev/null

# Application configuration directories
ls -la /etc/apache2/ /etc/nginx/ /etc/mysql/ /etc/ssh/ 2>/dev/null

# User configuration files
find /home -name ".*" -type f 2>/dev/null
ls -la ~/.ssh/ ~/.config/ 2>/dev/null

Backup and Temporary Files:

# Look for backup files that might contain credentials
find / -name "*.bak" -o -name "*.backup" -o -name "*~" 2>/dev/null

# Check temporary directories
ls -la /tmp /var/tmp /dev/shm
find /tmp /var/tmp -type f -ls 2>/dev/null

# Look for log files with potential credentials
find /var/log -type f -readable 2>/dev/null

How This Benefits Attack Identification:

  • Writable System Directories: Enable file replacement attacks and path hijacking

  • World-Writable Files: Direct modification opportunities for privilege escalation

  • Configuration Files: Often contain passwords, API keys, or sensitive information

  • Backup Files: May contain historical credentials or sensitive data

6. Process and Service Analysis

Running Process Enumeration

Process Analysis:

# List all running processes
ps aux
ps -ef
pstree

# Processes running as root
ps aux | grep "^root"

# Processes running as current user
ps aux | grep "^$(whoami)"

# Check for interesting processes
ps aux | grep -E "(mysql|postgres|apache|nginx|ssh|docker)"

Service Analysis:

# List running services (systemd)
systemctl list-units --type=service --state=running
systemctl list-units --type=service --state=active

# Traditional service listing
service --status-all
chkconfig --list 2>/dev/null

# Check for interesting services
systemctl status ssh
systemctl status apache2
systemctl status mysql

Network Service Enumeration:

# Check listening ports and services
netstat -tlnp
ss -tlnp
lsof -i

# Check for local-only services
netstat -tlnp | grep "127.0.0.1"
ss -tlnp | grep "127.0.0.1"

# Check for services running on unusual ports
netstat -tlnp | grep -v -E ":22|:80|:443|:25|:53"

How This Benefits Attack Identification:

  • Root Processes: High-value targets for process injection or exploitation

  • Local Services: Services bound to localhost may have weak authentication

  • Service Accounts: Database and web services often run with elevated privileges

  • Unusual Processes: Custom applications may have privilege escalation vulnerabilities

7. Container and Virtualization Analysis

Container Environment Detection

Container Detection:

# Check if running in container
cat /proc/1/cgroup | grep -E "(docker|lxc|kubepods)"
ls -la /.dockerenv 2>/dev/null
cat /.dockerenv 2>/dev/null

# Check container runtime
cat /proc/self/cgroup
systemd-detect-virt

# Look for container-specific files
ls -la /var/run/docker.sock 2>/dev/null
ls -la /var/lib/docker/ 2>/dev/null

Container Capability Analysis:

# Check current process capabilities
cat /proc/self/status | grep Cap
capsh --print

# Check if privileged container
cat /proc/self/status | grep CapEff

Container Group Membership:

# Check for dangerous group memberships
groups | grep -E "(docker|lxd|lxc)"
getent group docker
getent group lxd
getent group lxc

How This Benefits Attack Identification:

  • Container Group Membership: Docker/LXD group membership enables container escape

  • Privileged Containers: Containers with elevated capabilities can be escaped

  • Container Runtime Access: Access to docker.sock or container runtimes enables escape

  • Capability Analysis: Specific capabilities (CAP_SYS_ADMIN) enable various escape techniques

8. Network and SSH Configuration

SSH Configuration Analysis

SSH Service Information:

# SSH service status
systemctl status ssh
ps aux | grep sshd

# SSH configuration files
cat /etc/ssh/sshd_config 2>/dev/null
cat /etc/ssh/ssh_config 2>/dev/null

# Check for interesting SSH settings
grep -E "(PermitRootLogin|PasswordAuthentication|PubkeyAuthentication)" /etc/ssh/sshd_config 2>/dev/null

SSH Key Analysis:

# Check for SSH keys
ls -la ~/.ssh/
cat ~/.ssh/authorized_keys 2>/dev/null
cat ~/.ssh/id_rsa 2>/dev/null
cat ~/.ssh/id_dsa 2>/dev/null
cat ~/.ssh/id_ecdsa 2>/dev/null
cat ~/.ssh/id_ed25519 2>/dev/null

# Look for SSH keys in other locations
find / -name "id_rsa" -o -name "id_dsa" -o -name "id_ecdsa" -o -name "id_ed25519" 2>/dev/null
find / -name "authorized_keys" 2>/dev/null

Network Configuration:

# Network interfaces and routing
ip addr show
ip route show
cat /etc/network/interfaces 2>/dev/null

# Check for network shares
cat /etc/fstab | grep -E "(nfs|cifs|smbfs)"
mount | grep -E "(nfs|cifs|smbfs)"
showmount -e localhost 2>/dev/null

How This Benefits Attack Identification:

  • SSH Key Access: Found SSH keys enable lateral movement or privilege escalation

  • SSH Configuration: Weak SSH settings may enable authentication bypass

  • Network Shares: Mounted shares may provide access to sensitive files

  • Local Network Services: Internal services may have weak authentication

9. Capabilities and Security Features

Linux Capabilities Analysis

Current Process Capabilities:

# Check current capabilities
cat /proc/self/status | grep Cap
capsh --print

# Decode capability values
capsh --decode=0000003fffffffff

# Check effective capabilities
cat /proc/self/status | grep CapEff

File Capabilities:

# Find files with capabilities
getcap -r / 2>/dev/null

# Check specific dangerous capabilities
find / -type f -exec getcap {} \; 2>/dev/null | grep -E "(cap_setuid|cap_setgid|cap_sys_admin|cap_dac_override)"

# List all capabilities on system
cat /proc/sys/kernel/cap_last_cap

Security Feature Status:

# Check for security modules
cat /proc/sys/kernel/grsecurity/grsec_lock 2>/dev/null
ls /sys/kernel/security/ 2>/dev/null
sestatus 2>/dev/null
aa-status 2>/dev/null

# Check ASLR status
cat /proc/sys/kernel/randomize_va_space

# Check for security hardening
cat /proc/sys/kernel/dmesg_restrict
cat /proc/sys/kernel/kptr_restrict

How This Benefits Attack Identification:

  • Dangerous Capabilities: CAP_SETUID, CAP_SYS_ADMIN enable various privilege escalation paths

  • Disabled Security: ASLR disabled makes exploitation easier

  • SELinux/AppArmor: Disabled security modules remove additional protection layers

  • File Capabilities: Binaries with specific capabilities can be abused for escalation

10. Environment and Path Analysis

Environment Variable Investigation

Current Environment:

# Full environment dump
env
printenv

# Check specific dangerous variables
echo $PATH
echo $LD_LIBRARY_PATH
echo $LD_PRELOAD
echo $PYTHONPATH
echo $PERL5LIB

PATH Analysis:

# Check PATH for writable directories
echo $PATH | tr ':' '\n' | while read dir; do
  if [ -d "$dir" ] && [ -w "$dir" ]; then
    echo "Writable directory in PATH: $dir"
  fi
done

# Check for relative paths in PATH
echo $PATH | grep -E "(^\.:|:\.:|\.$)"

# Check ownership of PATH directories
echo $PATH | tr ':' '\n' | xargs ls -ld 2>/dev/null

Library Path Analysis:

# Check library search paths
ldconfig -p | head -20
cat /etc/ld.so.conf
cat /etc/ld.so.conf.d/* 2>/dev/null

# Check for writable library directories
find /lib /usr/lib /usr/local/lib -type d -writable 2>/dev/null

# Check LD_LIBRARY_PATH if set
if [ -n "$LD_LIBRARY_PATH" ]; then
  echo $LD_LIBRARY_PATH | tr ':' '\n' | while read dir; do
    if [ -d "$dir" ] && [ -w "$dir" ]; then
      echo "Writable library directory: $dir"
    fi
  done
fi

How This Benefits Attack Identification:

  • Writable PATH Directories: Enable path hijacking attacks by placing malicious binaries

  • LD_PRELOAD Set: Indicates potential for shared library hijacking

  • LD_LIBRARY_PATH Issues: Writable library paths enable library replacement attacks

  • Relative Paths: Current directory in PATH enables local privilege escalation

11. Kernel and System Information

Kernel Vulnerability Assessment

Kernel Version Analysis:

# Detailed kernel information
uname -a
cat /proc/version
cat /proc/sys/kernel/version

# Check for specific vulnerable kernels
uname -r | grep -E "(2.6|3.13|4.4|4.8|4.10)"

# Kernel modules
lsmod
cat /proc/modules

System Uptime and Patch Level:

# System uptime (indicates patching frequency)
uptime
cat /proc/uptime

# Check for recently installed packages
ls -la /var/log/dpkg.log* 2>/dev/null
ls -la /var/log/yum.log* 2>/dev/null
rpm -qa --last | head 2>/dev/null

Hardware and Virtualization:

# Check if system is virtualized
systemd-detect-virt
cat /proc/cpuinfo | grep hypervisor
ls -la /sys/class/dmi/id/ 2>/dev/null

# Check for available exploits based on hardware
cat /proc/cpuinfo | grep flags | grep -E "(smep|smap|nx)"

How This Benefits Attack Identification:

  • Kernel Version: Older kernels vulnerable to known exploits (dirty cow, dirty pipe)

  • Missing Mitigations: Kernels without SMEP/SMAP easier to exploit

  • Virtualization: VM environments may have different exploit requirements

  • Long Uptime: Systems not rebooted recently may have unpatched vulnerabilities

PreviousLinux Privilege EscalationNextSUID/SGID binary exploitation

Last updated

Was this helpful?