# Intro

- The root account on Linux systems is the ultimate goal, as it provides full admin-level access to the OS
- So if we gain a foothold on a box as a low-privileged user, we endeavor to identify a privesc vector that elevates us to root
- Full compromise allows us to capture traffic and access sensitive files, which may be used to gain further access within the environment
- And, if the Linux machine is domain joined, we can gain the NTLM hash and begin enumerating and attacking AD

# Enum

- Enum is pivotal for privesc
- Helper scripts, such as [LinPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS) and [LinEnum](https://github.com/rebootuser/LinEnum), help with enum

## Key Details to Uncover via Enum

- OS version
- Kernel version
- Running services
  - A misconfigured or vulnerable service running as root can be an easy win for privesc

## List Current Processes

- `ps aux` shows all running processes
- `ps aux | grep root` shows processes running as root

## List Current Terminal-Attached Processes

- `ps au` shows the user and associated tty for each process

## Home Directories

- Navigate through `/home` to see users with home dirs

## SSH Dirs

- Look at `~/.ssh` for all users
- Gold = `id_rsa`

## BASH History

- Try `history`
- Also look at `.bashrc`, etc.

## Sudo privs

- Use `sudo -l` to list sudo privs for the current user

## `/etc/passwd`

- `cat` the `/etc/passwd` file to see users and their associated shells
- May get lucky with a cleartext or hashed password
- A writeable `/etc/shadow` file is also gold

## cron jobs

- These are often set up to perform maintenance and backup tasks
- In conjunction with other misconfigs, such as relative paths or weak permissions, they can be leveraged to privesc when the scheduled cron job runs

## Other

- Unmounted and additional drives
- SUID and SGID perms
- Writeable dirs

```bash
find / -path /proc -prune -o -type d -perm -o+w 2>/dev/null
```

- Writable files

```bash
find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null
```
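The two writable-path checks above, plus the SUID/SGID and writeable `/etc/shadow` items, as an added audit helper that is not part of the original notes; the function names and the directory argument are this example's own assumptions:

```shell
#!/bin/sh
# Added audit helper (not from the original notes): wraps the same find(1)
# predicates the notes use so the checks can be run against one directory
# tree during a review. Function names and the tree argument are assumptions.

# World-writable files and directories under $1. Same predicates as the two
# find commands in the notes, combined, with an explicit -print so the pruned
# /proc entry itself is not listed.
find_world_writable() {
    find "$1" -path /proc -prune -o \( -type f -o -type d \) -perm -o+w -print 2>/dev/null
}

# Files with the SUID (4000) or SGID (2000) bit set under $1 (the "SUID and
# SGID perms" item); octal modes are used because they are portable.
find_setid() {
    find "$1" -path /proc -prune -o -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Exit 0 if the single path $1 is writable by "other", e.g. to confirm that
# /etc/shadow is not world-writable. find is used instead of [ -w ] because
# -w answers for the current user, not for the "other" permission class.
is_world_writable() {
    [ -n "$(find "$1" -maxdepth 0 -perm -o+w 2>/dev/null)" ]
}

# Short report for a tree, e.g. audit_tree /usr/local
audit_tree() {
    echo "== world-writable under $1 =="
    find_world_writable "$1"
    echo "== SUID/SGID under $1 =="
    find_setid "$1"
    if is_world_writable /etc/shadow; then
        echo "WARNING: /etc/shadow is world-writable"
    fi
}
```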