📑
Security Notes
  • Readme
  • Resources
    • Useful sites
    • Metasploit
      • Searchsploit
      • Msfvenom
      • Meterpreter
    • Shells
    • Linux
      • Cron
      • Connection
      • Compilers
    • Windows
      • Kernel exploits table
    • Bruteforce
      • Checklist
      • John the Ripper
      • Hashcat
    • BOF
      • Assembly
    • Gaining access checklist
  • Cloud - AWS
    • Enumeration
    • References
    • Bucket S3
      • Public Bucket
      • AMI Files
      • File upload to RCE
    • EC2
      • cloud-init Exploits
      • SSRF To AWS Role compromise
      • Unencrypted EBS
    • IAM
      • Account Disclosure by resource policy
    • Lambda Function
      • Code Injection
      • Attacking APIs
    • VPC
      • Expose Resources
  • Networking
    • Nmap
      • Scan types
    • TCPDump
    • Port forwarding
    • Ports
      • 21 - FTP
      • 22 - SSH
      • 25 465 587 - SMTP
      • 53 - DNS
      • 110 995 - POP3
      • 111 - NFS
      • 113 - Ident
      • 123 - NTP
      • 135 137 139 - RPC
      • 143 993 - IMAP
      • 161 - SNMP
      • 389 - LDAP
      • 139 445 - SMB
      • 873 - Rsync
      • 6379 - Redis
      • 6667 - IRC
  • Linux PrivEsc
    • Checklist
    • Enumeration
      • Important files
      • Memory Dump
    • Privileges Exploitation
    • Wildcard Exploits
    • Sudo Exploits
    • Docker Container
    • Docker Groups
    • Common Exploits
  • Windows PrivEsc
    • Checklist
    • Enumeration
      • Important Files
    • Antivirus evasion tools
    • Unquoted paths
    • Always install elevated
    • Vulnerable services
    • Client side
    • Exploitable privileges
      • Juicy Potato
    • UAC bypass
    • Common Exploits
  • Active Directory
    • Introduction
    • Checklist
    • Enumeration
    • Enable RDP
    • Kerberos
    • Rubeus
    • Credentials harvesting
      • Domain Controller specific
    • Connection
    • Pass The Hash
    • Kerberoast
    • ASREProast
    • Tickets
  • Web Attacks
    • Checklist
    • Enumeration
      • URL bruteforcing
    • APIs and Fields
    • Authentication
    • Filter Evasion
      • Fuzzying and encoding
    • File Vulnerabilities
      • LFI List
      • PHP shells
    • RCE
    • Code Injection
    • Dependency Injection
    • Joomla
    • Wordpress
    • WebDAV
    • HTTP
    • XSS
      • DOM Based
      • Reflected
      • Filter Evasion
    • SSI
    • SSTI
    • RCE
    • CSRF
    • SQL injection
      • sqlmap
      • PostgreSQL
      • Oracle
      • MSSQL
      • MySQL
      • Login
    • XPath injection
    • XXE
    • CORS
  • MOBILE PENTESTING
    • Static Code Analysis
    • Dynamic Code Analysis
    • Network Traffic Analysis
Powered by GitBook
On this page
  • Globally readable/writable files and folders
  • Files
  • Folders
  • User files enumeration
  • Interesting files
  • SSH keys
  • Config files
  • Log files
  1. Linux PrivEsc
  2. Enumeration

Important files

Globally readable/writable files and folders

Files

Globally readable

find / \( -wholename '/home/*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' \; 2>/dev/null 
find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null

No owner

find / -xdev \( -nouser -o -nogroup \) -print 2>/dev/null

Folders

Writable by current user or anyone

find / -writable -type d -exec ls -ld '{}' \; 2>/dev/null

User files enumeration

Enumerate home folders

find /home/*/ -type f 2>/dev/null
ls -lah /home/*
ls -lah /home/*/*

Search files globally by user

find / -type f -exec ls -lah '{}' \; 2>/dev/null | grep $(whoami)

Search globally for user-owned folders

find / -type d -exec ls -ld '{}' \; 2>/dev/null | grep $(whoami);

Writable by me

find / -writable -type f -exec ls -lah '{}' \; 2>/dev/null

Interesting files

cat ~/.bash_history
cat ~/.bashrc
cat ~/.profile

cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history

cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa

SSH keys

cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key

Find SSH keys system-wide

find / -type f -and \( -name "*.key" -or -name "*.pub" -or -name "*rsa*" -or -name "*dsa*" \) -exec ls -lah '{}' \; 2>/dev/null

Config files

Dump config files in current folder

find . -type f -readable -and \( -name "*db*" -or -name ".ht*" -or -name "*conf*" -or -name "*.cnf" -or -name "*.ini" -or -name "*.json" \) -exec ls -lah '{}' \; 2>/dev/null

Search for passwords in config files

find . -type f -readable -and \( -name "*db*" -or -name ".ht*" -or -name "*conf*" -or -name "*.cnf" -or -name "*.ini" -or -name "*.json" \) -exec grep -E ".*pass.*|.*pwd.*|.*cred.*" '{}' \; 2>/dev/null

Search for hashes in config files. Finds md5, SHA1, SHA256, SHA512 with or without salt

find . -type f -readable -and \( -name "*db*" -or -name ".ht*" -or -name "*conf*" -or -name "*.cnf" -or -name "*.ini" -or -name "*.json" \) -exec grep -E "(^|[^a-zA-Z0-9])[a-fA-F0-9=_/\.$]{8,256}([^a-zA-Z0-9]|$)" '{}' \; 2>/dev/null

Log files

ls -lah cat /var/log/
ls -lah /var/log/*/
ls -lah /var/backup/

dump log files in current folder

find . -type f -readable -and \( -name "*.log" -or -name "*log*" \) -exec ls -lah '{}' \; 2>/dev/null
PreviousEnumerationNextMemory Dump

Last updated 2 years ago