This post is largely forked from g0tmi1k's blog: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
Thanks, g0tmi1k, for your amazing contribution to the industry.
What’s the distribution type? What version?
What’s the kernel version? Is it 64-bit?
What can be learned from the environmental variables?
Is there a printer?
Applications & Services
What services are running? Which service has which user privilege?
Which service(s) are being run by root? Of these services, which are vulnerable? It's worth a double check!
What applications are installed? What version are they? Are they currently running?
Are any of the services' settings misconfigured? Are any (vulnerable) plugins attached?
What jobs are scheduled?
Any plain text usernames and/or passwords?
Communications & Networking
What NIC(s) does the system have? Is it connected to another network?
What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway?
What other users & hosts are communicating with the system?
What's cached? IP and/or MAC addresses
Is packet sniffing possible? What can be seen? Listen to live traffic.
Note: tcpdump tcp dst [ip] [port] and tcp dst [ip] [port]
Confidential Information & Users
Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what?
What sensitive files can be found?
Anything "interesting" in the home directories, if they can be accessed?
Are there any passwords in scripts, databases, configuration files or log files? Check the default paths and locations for passwords.
What has the user been doing? Are there any passwords in plain text? What have they been editing?
What user information can be found?
Can private-key information be found?
Which configuration files in /etc/ are writable? Could a service be reconfigured?
What can be found in /var/?
Any settings/files (hidden) on the website? Any settings file with database information?
Is there anything in the log file(s)? (Could help with "Local File Includes"!)
How are file-systems mounted?
Are there any unmounted file-systems?
What "Advanced Linux File Permissions" are used? Sticky bits, SUID & SGID
# Looks in ‘common’ places: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and any other *bin, for SGID or SUID (Quicker search)
# find starting at root (/), SGID or SUID, not Symbolic links, only 3 folders deep, a list with more detail and hide any errors (e.g. permission denied)
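The SUID/SGID search described in the two notes above, as an added defender's audit script that is not g0tmi1k's or this blog's own code: it lists SUID/SGID regular files below a root to a fixed depth (symlinks skipped, errors hidden) and reports any that are not on a baseline allow-list, so a new or stray set-id binary stands out. The sample tree and its baseline are constructed for the demo; the paths in it are hypothetical.

```shell
#!/bin/sh
# Added audit example (not from the original post). Lists SUID/SGID regular files
# under a root, to a fixed depth, skipping symlinks and hiding errors, then reports
# anything that is not in a baseline allow-list of expected binaries.

# list_suid_sgid ROOT DEPTH: one path per line, sorted
list_suid_sgid() {
    find "$1" -maxdepth "$2" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# audit_against_baseline ROOT DEPTH BASELINE: prints each SUID/SGID file absent from
# BASELINE (one full path per line); exit status 1 if any were found, 0 otherwise
audit_against_baseline() {
    found=$(list_suid_sgid "$1" "$2" | grep -vxF -f "$3" || true)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# make_sample_tree: constructed sample (hypothetical paths, not a real system) with two
# expected binaries, one stray SUID file, one file too deep for the search and a symlink;
# echoes the tree's root so the caller can audit it and then delete it
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/tmp/a/b"
    : > "$d/usr/bin/passwd";  chmod 4755 "$d/usr/bin/passwd"   # SUID, expected
    : > "$d/usr/bin/wall";    chmod 2755 "$d/usr/bin/wall"     # SGID, expected
    : > "$d/tmp/a/stray";     chmod 4755 "$d/tmp/a/stray"      # SUID in a scratch dir
    : > "$d/tmp/a/b/deep";    chmod 4755 "$d/tmp/a/b/deep"     # depth 4, beyond -maxdepth 3
    ln -s "$d/usr/bin/passwd" "$d/tmp/link"                    # symlink, ignored by -type f
    printf '%s\n' "$d/usr/bin/passwd" "$d/usr/bin/wall" > "$d/baseline.txt"
    echo "$d"
}

# Demo on the constructed tree: sh audit_suid.sh demo
if [ "${1:-}" = "demo" ]; then
    root=$(make_sample_tree)
    audit_against_baseline "$root" 3 "$root/baseline.txt" || echo "unexpected SUID/SGID files listed above"
    rm -rf "$root"
fi
```

On a real host, point list_suid_sgid at / with the depth the note above suggests and keep the baseline from a known-good build; a diff against it is the check, not the raw list.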
Where can files be written to and executed from? A few 'common' places: /tmp, /var/tmp, /dev/shm
Any "problem" files? World-writable files, files owned by "nobody"
Preparation & Finding Exploit Code
What development tools/languages are installed/supported?
How can files be uploaded?