Environment Enumeration
Overview
Environment enumeration is the foundation of successful Linux privilege escalation. After gaining initial access to a Linux host, systematic enumeration helps identify potential attack vectors, misconfigurations, and valuable information that can lead to privilege escalation.
"Enumeration is the key to privilege escalation. Understanding what pieces of information to look for and being able to perform enumeration manually is crucial for success."
Initial Situational Awareness
Fundamental Orientation Commands
Before diving deep into enumeration, establish basic situational awareness:
# Current user context
whoami # What user are we running as?
id # What groups does our user belong to?
# System identification
hostname # Server name and naming conventions
uname -a # Kernel and system information
# Network position
ifconfig # Network interfaces and subnets
ip a # Alternative network interface command
# Privilege check
sudo -l # Can we run anything with sudo without a password?
Why This Matters:
Documentation: Screenshots provide evidence of successful RCE
System Identification: Clearly identify the affected system
Quick Wins:
sudo -l can sometimes provide immediate escalation paths
Operating System Enumeration
System Version Detection
Check OS Distribution and Version:
Example Output:
Analysis Points:
Distribution Type: Ubuntu, CentOS, Debian, SUSE, etc.
Version Currency: Is the system still maintained or end-of-life?
LTS Status: Long Term Support releases receive security updates for longer, so they are typically better patched
Release Lifecycle: Check whether this version has known vulnerabilities
Alternative OS Detection Methods
System Environment Analysis
PATH Variable Examination
Check Current PATH:
Typical Output:
Security Implications:
PATH Hijacking: Writable directories in PATH can be exploited
Custom Paths: Non-standard paths may contain vulnerable binaries
Order Matters: Earlier directories take precedence
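The PATH audit below is an added example, not code from the original page: it walks a PATH value in search order and reports group- or world-writable entries (the PATH hijacking condition above) the way a CIS-style root PATH integrity check does, and also flags relative and empty entries, which the page does not mention but which resolve to the current directory and carry the same risk. The function names are my own.

```shell
# Added example: audit a PATH value entry by entry, in search order, because an
# earlier weak entry shadows every later one.
#   OK        directory exists and is not group- or world-writable
#   WRITABLE  directory is group- or world-writable (PATH hijacking risk)
#   RELATIVE  entry is not an absolute path (resolved against the current dir)
#   EMPTY     empty entry, which the shell also treats as the current directory
#   MISSING   entry does not exist or is not a directory
path_audit() {
    path_value="${1:-$PATH}"
    # tr splits on ':'; the trailing newline from printf keeps a trailing ':'
    # visible as a final empty entry.
    printf '%s\n' "$path_value" | tr ':' '\n' | while IFS= read -r dir; do
        if [ -z "$dir" ]; then
            echo "EMPTY"
        elif [ "${dir#/}" = "$dir" ]; then
            echo "RELATIVE $dir"
        elif [ ! -d "$dir" ]; then
            echo "MISSING $dir"
        else
            # Permission string from ls -ld, e.g. drwxrwxrwt for /tmp.
            # Character 6 is the group write bit, character 9 the other write bit.
            mode=$(ls -ldL "$dir" | cut -c1-10)
            case "$mode" in
                ?????w*|????????w*) echo "WRITABLE $dir" ;;
                *) echo "OK $dir" ;;
            esac
        fi
    done
}

# Number of entries an attacker could abuse; useful as a gate in a hardening
# script (note that grep -c exits 0 only when the count is non-zero).
path_audit_weak_count() {
    path_audit "$1" | grep -c -E '^(WRITABLE|RELATIVE|EMPTY)'
}

# Stand-alone run: audit the current shell's PATH.
path_audit "$PATH"
```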
Environment Variables
Enumerate All Environment Variables:
Look for Sensitive Information:
Common Sensitive Variables:
Database passwords
API keys
Service credentials
Custom application secrets
Kernel and Hardware Information
Kernel Version Analysis
Get Kernel Information:
Example Output:
Key Information:
Kernel Version: 5.4.0-122-generic
Build Date: Wed Jun 22 15:00:31 UTC 2022
Architecture: x86_64
Distribution: Ubuntu
CPU and Hardware Details
CPU Information:
Memory Information:
Hardware Details:
Available Shells and Interpreters
Login Shell Enumeration
Available Shells:
Example Output:
Security Considerations:
Shell Vulnerabilities: Older bash versions are vulnerable to Shellshock
Restricted Shells: rbash may limit command execution
Session Management: tmux/screen, if installed, keep sessions alive for persistence
Interpreter Versions: Check installed interpreters for vulnerable versions
Shell Version Checking:
Security Controls Detection
Identify Active Security Mechanisms
Common Security Tools to Check:
Why This Matters:
Attack Vector Selection: Avoid triggering active defenses
Stealth Considerations: Understand monitoring capabilities
Privilege Requirements: Some enumeration requires elevated privileges
Storage and File System Analysis
Block Device Enumeration
List Block Devices:
Example Output:
Analysis Points:
Additional Drives: Unmounted drives may contain sensitive data
LVM Configuration: Logical volume management
Loop Devices: Snap packages and containers
USB/External: Removable media
Mounted File Systems
Current Mounts:
File System Table:
Look for:
Credentials in fstab: Embedded passwords for network shares
Unusual Mounts: NFS, SMB shares with interesting permissions
Temporary Mounts: Recently mounted drives
Network Shares:
Unmounted File Systems
Check for Unmounted Devices:
Potential Findings:
Backup Drives: May contain sensitive historical data
Development Partitions: Source code and credentials
Hidden Partitions: Deliberately concealed data
Network Configuration Analysis
Network Interface Information
Interface Configuration:
Routing Information:
Example Routing Table:
Network Reconnaissance
ARP Table Analysis:
DNS Configuration:
Network Connections:
Why Network Info Matters:
Internal Networks: Identify additional network segments
Domain Environment: DNS servers may indicate Active Directory
Communication Patterns: ARP table shows recent host interactions
Service Discovery: Listening services and their processes
User and Group Enumeration
User Account Analysis
All System Users:
Extract Usernames:
Users with Shell Access:
Password Hash Formats:
Salted MD5: $1$...
SHA-256: $5$...
SHA-512: $6$...
BCrypt: $2a$...
Scrypt: $7$...
Argon2: $argon2i$...
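The classifier below is an added example, not code from the original page: it maps each /etc/shadow entry to its crypt(3) algorithm from the `$id$` prefixes in the table above (plus the `$2b$`/`$2y$` bcrypt variants and `$y$` yescrypt, which the table omits) and then flags the accounts an auditor should care about, such as those still on salted MD5 or with an empty password field. The function names, verdict labels and the sample shadow lines are my own constructions.

```shell
# Added example: identify the hashing scheme of a shadow entry from its prefix.
crypt_algo() {
    case "$1" in
        '$1$'*)                     echo "md5crypt" ;;     # salted MD5, weak
        '$2a$'*|'$2b$'*|'$2y$'*)    echo "bcrypt" ;;
        '$5$'*)                     echo "sha256crypt" ;;
        '$6$'*)                     echo "sha512crypt" ;;
        '$7$'*)                     echo "scrypt" ;;
        '$argon2i$'*|'$argon2id$'*) echo "argon2" ;;
        '$y$'*)                     echo "yescrypt" ;;     # libxcrypt default on several recent distributions
        '')                         echo "none" ;;         # empty field: no password set
        '!'*|'*'*)                  echo "locked" ;;       # password login disabled
        *)                          echo "unknown" ;;      # traditional DES or a scheme not listed here
    esac
}

# Reads shadow-format lines on stdin and prints "user algorithm verdict".
# EMPTY-PASSWORD: empty hash field (PAM's nullok then allows login without one).
# WEAK: md5crypt or an unrecognised legacy scheme. LOCKED: '!' or '*'. OK: the rest.
shadow_audit() {
    while IFS=: read -r user hash _rest; do
        algo=$(crypt_algo "$hash")
        case "$algo" in
            none)             verdict="EMPTY-PASSWORD" ;;
            locked)           verdict="LOCKED" ;;
            md5crypt|unknown) verdict="WEAK" ;;
            *)                verdict="OK" ;;
        esac
        printf '%s %s %s\n' "$user" "$algo" "$verdict"
    done
}

# Constructed sample data (not from a real host); the hash bodies are placeholders.
SAMPLE_SHADOW='root:$6$saltsalt$hashhash:19000:0:99999:7:::
legacy:$1$salt$hash:19000:0:99999:7:::
svc:!*:19000:0:99999:7:::
guest::19000:0:99999:7:::'

# Stand-alone run over the sample; on a real host: shadow_audit < /etc/shadow (as root).
printf '%s\n' "$SAMPLE_SHADOW" | shadow_audit
```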
User Analysis Examples:
Group Membership Analysis
All Groups:
High-Privilege Groups:
Current User Groups:
Home Directory Investigation
User Home Directories
List Home Directories:
Search for Interesting Files:
Common Sensitive Files:
Hidden Files and Directories
Comprehensive Hidden File Search
All Hidden Files:
Hidden Directories:
User-Specific Hidden Files:
Common Hidden Configuration Files:
.bashrc, .bash_profile, .profile, .vimrc, .nanorc, .ssh/config, .ssh/known_hosts, .mysql_history, .lesshst, .wget-hsts, .gitconfig
Temporary Files and Directories
Temporary File Analysis
Standard Temporary Directories:
File Retention Policies:
/tmp: Files deleted after 10 days or on reboot
/var/tmp: Files retained up to 30 days
/dev/shm: In-memory filesystem, lost on reboot
Search for Interesting Temporary Files:
Process-Specific Temp Files:
Systematic Enumeration Checklist
Phase 1: Basic Orientation
Phase 2: System Information
Phase 3: Environment Analysis
Phase 4: User and Permission Analysis
Phase 5: File System Analysis
Phase 6: Documentation and Analysis
Key Findings to Look For
High-Impact Discoveries
Immediate Privilege Escalation:
sudo -l showing passwordless commands
SUID binaries with known exploits
Writable files in PATH
Kernel version with public exploits
Credential Discovery:
Passwords in configuration files
SSH private keys
Database credentials
API keys and tokens
Attack Vector Identification:
Vulnerable services running as root
Misconfigured file permissions
Unpatched software versions
Interesting cron jobs
Network Pivot Opportunities:
Multiple network interfaces
SSH keys for other systems
Database connections
Internal service discovery
Common Pitfalls and Considerations
Enumeration Best Practices
Stealth Considerations:
Some commands may generate logs
Avoid running as root unless necessary
Be mindful of file access times
Consider detection mechanisms
System Stability:
Kernel exploits can crash systems
Be careful with production environments
Test in controlled settings first
Have backup access methods
Thoroughness vs. Speed:
Balance comprehensive enumeration with time constraints
Prioritize high-impact areas first
Use automation tools as supplements
Develop efficient manual workflows
Automation and Tools
Manual vs. Automated Enumeration
When to Use Manual Enumeration:
Learning and understanding system internals
Customized searches based on findings
Stealth requirements
Limited tool availability
Complementary Automated Tools:
LinPEAS: Comprehensive Linux enumeration
LinEnum: Classic enumeration script
linux-smart-enumeration: Selective enumeration
PEASS-ng: Advanced privilege escalation
Integration Strategy:
Perform initial manual enumeration
Run automated tools for comprehensive coverage
Cross-reference findings
Focus manual investigation on promising vectors
Next Steps
After completing environment enumeration, proceed to:
Permissions-based Privilege Escalation: File permissions, SUID/SGID
Service-based Privilege Escalation: Running services and processes
Configuration-based Attacks: Misconfigurations and weak settings
Kernel Exploitation: Operating system vulnerabilities
Application-specific Attacks: Vulnerable installed software
Environment enumeration provides the foundation for all subsequent privilege escalation attempts. Thorough initial reconnaissance significantly increases the likelihood of successful privilege escalation and helps identify the most efficient attack paths.