πEnvironment Enumeration
π― Overview
Environment enumeration is the foundation of successful Linux privilege escalation. After gaining initial access to a Linux host, systematic enumeration helps identify potential attack vectors, misconfigurations, and valuable information that can lead to privilege escalation.
"Enumeration is the key to privilege escalation. Understanding what pieces of information to look for and being able to perform enumeration manually is crucial for success."
π Initial Situational Awareness
Fundamental Orientation Commands
Before diving deep into enumeration, establish basic situational awareness:
# Current user context
whoami # What user are we running as?
id # What groups does our user belong to?
# System identification
hostname # Server name and naming conventions
uname -a # Kernel and system information
# Network position
ifconfig # Network interfaces and subnets
ip a # Alternative network interface command
# Privilege check
sudo -l # Can we run anything with sudo without password?Why This Matters:
Documentation: Screenshots provide evidence of successful RCE
System Identification: Clearly identify the affected system
Quick Wins:
sudo -lcan sometimes provide immediate escalation paths
π Operating System Enumeration
System Version Detection
Check OS Distribution and Version:
cat /etc/os-releaseExample Output:
NAME="Ubuntu"
VERSION="20.04.4 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.4 LTS"
VERSION_ID="20.04"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focalAnalysis Points:
Distribution Type: Ubuntu, CentOS, Debian, SUSE, etc.
Version Currency: Is the system maintained or end-of-life?
LTS Status: Long Term Support versions typically more secure
Release Lifecycle: Check if version has known vulnerabilities
Alternative OS Detection Methods
# Additional OS information sources
cat /etc/issue
cat /etc/redhat-release # Red Hat/CentOS systems
cat /etc/debian_version # Debian-based systems
lsb_release -a # LSB information (if available)βοΈ System Environment Analysis
PATH Variable Examination
Check Current PATH:
echo $PATHTypical Output:
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/binSecurity Implications:
PATH Hijacking: Writable directories in PATH can be exploited
Custom Paths: Non-standard paths may contain vulnerable binaries
Order Matters: Earlier directories take precedence
Environment Variables
Enumerate All Environment Variables:
envLook for Sensitive Information:
env | grep -i pass
env | grep -i key
env | grep -i secret
env | grep -i tokenCommon Sensitive Variables:
Database passwords
API keys
Service credentials
Custom application secrets
π§ Kernel and Hardware Information
Kernel Version Analysis
Get Kernel Information:
uname -a
cat /proc/versionExample Output:
Linux nixlpe02 5.4.0-122-generic #138-Ubuntu SMP Wed Jun 22 15:00:31 UTC 2022 x86_64 x86_64 x86_64 GNU/LinuxKey Information:
Kernel Version: 5.4.0-122-generic
Build Date: Wed Jun 22 15:00:31 UTC 2022
Architecture: x86_64
Distribution: Ubuntu
CPU and Hardware Details
CPU Information:
lscpuMemory Information:
free -h
cat /proc/meminfoHardware Details:
lshw -short # Hardware overview
dmidecode -t system # System information (requires root)π Available Shells and Interpreters
Login Shell Enumeration
Available Shells:
cat /etc/shellsExample Output:
/bin/sh
/bin/bash
/usr/bin/bash
/bin/rbash
/usr/bin/rbash
/bin/dash
/usr/bin/dash
/usr/bin/tmux
/usr/bin/screenSecurity Considerations:
Shell Vulnerabilities: Older bash versions vulnerable to Shellshock
Restricted Shells: rbash may limit command execution
Session Management: tmux/screen available for persistence
Interpreter Versions: Check for vulnerable versions
Shell Version Checking:
bash --version
/bin/sh --version
which python python3 perl rubyπ‘οΈ Security Controls Detection
Identify Active Security Mechanisms
Common Security Tools to Check:
# Firewall Status
iptables -L 2>/dev/null
ufw status 2>/dev/null
firewall-cmd --state 2>/dev/null
# SELinux Status
sestatus 2>/dev/null
getenforce 2>/dev/null
# AppArmor Status
apparmor_status 2>/dev/null
aa-status 2>/dev/null
# Fail2Ban
systemctl status fail2ban 2>/dev/null
fail2ban-client status 2>/dev/null
# Process monitoring
ps aux | grep -E "(snort|aide|tripwire|rkhunter|chkrootkit)"Why This Matters:
Attack Vector Selection: Avoid triggering active defenses
Stealth Considerations: Understand monitoring capabilities
Privilege Requirements: Some enumeration requires elevated privileges
πΎ Storage and File System Analysis
Block Device Enumeration
List Block Devices:
lsblkExample Output:
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 20G 0 disk
ββsda1 8:1 0 1M 0 part
ββsda2 8:2 0 1G 0 part /boot
ββsda3 8:3 0 19G 0 part
ββubuntu--vg-ubuntu--lv 253:0 0 18G 0 lvm /
sr0 11:0 1 908M 0 rom
loop0 7:0 0 55M 1 loop /snap/core18/1705Analysis Points:
Additional Drives: Unmounted drives may contain sensitive data
LVM Configuration: Logical volume management
Loop Devices: Snap packages and containers
USB/External: Removable media
Mounted File Systems
Current Mounts:
mount
df -hFile System Table:
cat /etc/fstabLook for:
Credentials in fstab: Embedded passwords for network shares
Unusual Mounts: NFS, SMB shares with interesting permissions
Temporary Mounts: Recently mounted drives
Network Shares:
cat /etc/fstab | grep -E "(cifs|nfs|smbfs)"Unmounted File Systems
Check for Unmounted Devices:
cat /etc/fstab | grep -v "#" | column -t
fdisk -l 2>/dev/nullPotential Findings:
Backup Drives: May contain sensitive historical data
Development Partitions: Source code and credentials
Hidden Partitions: Deliberately concealed data
π Network Configuration Analysis
Network Interface Information
Interface Configuration:
ifconfig -a
ip addr show
ip link showRouting Information:
route -n
ip route show
netstat -rnExample Routing Table:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default _gateway 0.0.0.0 UG 0 0 0 ens192
10.129.0.0 0.0.0.0 255.255.0.0 U 0 0 0 ens192Network Reconnaissance
ARP Table Analysis:
arp -a
ip neigh showDNS Configuration:
cat /etc/resolv.confNetwork Connections:
netstat -tulpn
ss -tulpn
lsof -iWhy Network Info Matters:
Internal Networks: Identify additional network segments
Domain Environment: DNS servers may indicate Active Directory
Communication Patterns: ARP table shows recent host interactions
Service Discovery: Listening services and their processes
π₯ User and Group Enumeration
User Account Analysis
All System Users:
cat /etc/passwdExtract Usernames:
cat /etc/passwd | cut -f1 -d:Users with Shell Access:
grep "sh$" /etc/passwdPassword Hash Formats:
Salted MD5
$1$...
SHA-256
$5$...
SHA-512
$6$...
BCrypt
$2a$...
Scrypt
$7$...
Argon2
$argon2i$...
User Analysis Examples:
# Check for users with login shells
grep -E "/bin/(bash|sh|zsh|csh|tcsh|fish)$" /etc/passwd
# Look for service accounts
grep -E "daemon|www-data|nginx|apache|mysql|postgres" /etc/passwd
# Find recently created users (high UID numbers)
awk -F: '$3 >= 1000 {print $1":"$3}' /etc/passwdGroup Membership Analysis
All Groups:
cat /etc/groupHigh-Privilege Groups:
# sudo group members
getent group sudo
# admin group members
getent group admin
# wheel group (on some systems)
getent group wheel
# docker group (container access)
getent group dockerCurrent User Groups:
groups
idπ Home Directory Investigation
User Home Directories
List Home Directories:
ls -la /homeSearch for Interesting Files:
# Configuration files
find /home -name ".*rc" -type f 2>/dev/null
find /home -name "*.conf" -type f 2>/dev/null
# History files
find /home -name "*history*" -type f 2>/dev/null
# SSH keys
find /home -name "id_*" -type f 2>/dev/null
find /home -name "authorized_keys" -type f 2>/dev/null
# Scripts and automation
find /home -name "*.sh" -type f 2>/dev/null
find /home -name "*.py" -type f 2>/dev/nullCommon Sensitive Files:
# Check readable bash history
ls -la /home/*/.bash_history
# Look for notes and documentation
find /home -name "*note*" -type f 2>/dev/null
find /home -name "*password*" -type f 2>/dev/null
find /home -name "*cred*" -type f 2>/dev/nullπ Hidden Files and Directories
Comprehensive Hidden File Search
All Hidden Files:
find / -type f -name ".*" -exec ls -l {} \; 2>/dev/null | head -20Hidden Directories:
find / -type d -name ".*" -ls 2>/dev/nullUser-Specific Hidden Files:
find /home -type f -name ".*" -exec ls -l {} \; 2>/dev/nullCommon Hidden Configuration Files:
.bashrc,.bash_profile,.profile.vimrc,.nanorc.ssh/config,.ssh/known_hosts.mysql_history,.lesshst.wget-hsts,.gitconfig
π Temporary Files and Directories
Temporary File Analysis
Standard Temporary Directories:
ls -la /tmp
ls -la /var/tmp
ls -la /dev/shmFile Retention Policies:
/tmp: Files deleted after 10 days or on reboot/var/tmp: Files retained up to 30 days/dev/shm: In-memory filesystem, lost on reboot
Search for Interesting Temporary Files:
# Recently created files
find /tmp -type f -mtime -1 2>/dev/null
find /var/tmp -type f -mtime -1 2>/dev/null
# Files containing sensitive keywords
grep -r -i "password\|secret\|key" /tmp/ 2>/dev/null
grep -r -i "password\|secret\|key" /var/tmp/ 2>/dev/nullProcess-Specific Temp Files:
# Look for application-specific temp directories
ls -la /tmp/ | grep -E "(apache|nginx|mysql|postgres|ssh)"
ls -la /var/tmp/ | grep -E "(systemd|service)"π Systematic Enumeration Checklist
Phase 1: Basic Orientation
Phase 2: System Information
Phase 3: Environment Analysis
Phase 4: User and Permission Analysis
Phase 5: File System Analysis
Phase 6: Documentation and Analysis
π‘ Key Findings to Look For
High-Impact Discoveries
Immediate Privilege Escalation:
sudo -lshowing passwordless commandsSUID binaries with known exploits
Writable files in PATH
Kernel version with public exploits
Credential Discovery:
Passwords in configuration files
SSH private keys
Database credentials
API keys and tokens
Attack Vector Identification:
Vulnerable services running as root
Misconfigured file permissions
Unpatched software versions
Interesting cron jobs
Network Pivot Opportunities:
Multiple network interfaces
SSH keys for other systems
Database connections
Internal service discovery
β οΈ Common Pitfalls and Considerations
Enumeration Best Practices
Stealth Considerations:
Some commands may generate logs
Avoid running as root unless necessary
Be mindful of file access times
Consider detection mechanisms
System Stability:
Kernel exploits can crash systems
Be careful with production environments
Test in controlled settings first
Have backup access methods
Thoroughness vs. Speed:
Balance comprehensive enumeration with time constraints
Prioritize high-impact areas first
Use automation tools as supplements
Develop efficient manual workflows
π οΈ Automation and Tools
Manual vs. Automated Enumeration
When to Use Manual Enumeration:
Learning and understanding system internals
Customized searches based on findings
Stealth requirements
Limited tool availability
Complementary Automated Tools:
LinPEAS: Comprehensive Linux enumeration
LinEnum: Classic enumeration script
linux-smart-enumeration: Selective enumeration
PEASS-ng: Advanced privilege escalation
Integration Strategy:
Perform initial manual enumeration
Run automated tools for comprehensive coverage
Cross-reference findings
Focus manual investigation on promising vectors
π Next Steps
After completing environment enumeration, proceed to:
Permissions-based Privilege Escalation: File permissions, SUID/SGID
Service-based Privilege Escalation: Running services and processes
Configuration-based Attacks: Misconfigurations and weak settings
Kernel Exploitation: Operating system vulnerabilities
Application-specific Attacks: Vulnerable installed software
Environment enumeration provides the foundation for all subsequent privilege escalation attempts. Thorough initial reconnaissance significantly increases the likelihood of successful privilege escalation and helps identify the most efficient attack paths.
Last updated