
Quick Checks before escalation

If I just got a shell, what are the FIRST things I run to find privesc fast?


1. Capability Check

Use the one-liner below to quickly check which compilers, interpreters and network tools are available on the machine.

for cmd in gcc cc python perl python3 python2 wget curl fetch nc ncat nc.traditional socat; do which $cmd >/dev/null 2>&1 && echo "[✔] $cmd: $(which $cmd)" || echo "[✘] $cmd: Not found"; done

tip

If you are not able to execute the above one-liner, you can use the which command to check for capabilities one by one, such as which python (command -v python works the same way on systems where which is not installed). Knowing the capabilities will help you select the type of exploits that can be executed on the machine.


After you know your capabilities, you can use the commands below to spawn a TTY shell.

Get into tty shell

Python TTY shell

python -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'

Perl TTY shell

perl -e 'exec "/bin/sh";'

Ruby TTY shell

ruby -e 'exec "/bin/bash"'

info

Sometimes, in a restricted environment, you might not be able to execute the above commands, so you have to be creative and keep looking for other options across the internet. Keep trying.


2. System and User Enumeration

id
whoami
hostname
uname -a
cat /etc/os-release

# Check for kernel exploits

3. Sudo Misconfiguration

sudo -l 

If allowed → GTFOBins

4. SUID Binaries

find / -perm -4000 -type f 2>/dev/null

Look for exploitable binaries

5. Writable Files/ Directories

find / -writable -type d 2>/dev/null
find / -writable -type f 2>/dev/null

Writable dirs (scripts, configs)
Writable files (/etc/passwd?)

6. Cron Jobs

cat /etc/crontab
ls -la /etc/cron*

Root cron + writable scripts

7. Path Hijacking

echo $PATH

Writable dir in PATH → hijack
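The cron and PATH checks above only print raw data; this added audit script (not part of the original page) turns both into functions that report exactly the writable entries, so the result can be reviewed or fed into a hardening ticket. It assumes a POSIX sh and, for the cron part, the system crontab format (five time fields, user, command).

```sh
#!/bin/sh
# Added audit helpers (not from the original page): the PATH and cron checks
# above as functions. Run them as the unprivileged account being assessed,
# since root can write to everything and [ -w ] would report every entry.

# Print every directory in a colon-separated PATH string that the current
# user can write to. An empty entry (leading ":" or "::") means the current
# directory, which is why it is reported as ".".
writable_path_dirs() {
    _old_ifs=$IFS
    IFS=:
    set -f                      # do not glob-expand PATH entries
    for d in $1; do
        [ -n "$d" ] || d="."
        [ -d "$d" ] && [ -w "$d" ] && printf '%s\n' "$d"
    done
    set +f
    IFS=$_old_ifs
}

# Read system-crontab lines (min hour dom mon dow user command, or
# @reboot-style user command) from stdin and print "user path" for every
# absolute path in the command part that is an existing file the current
# user can write to. Blank lines, comments and VAR=value lines are skipped.
writable_cron_targets() {
    set -f                      # the "*" time fields must not glob
    while read -r line; do
        case "$line" in
            ''|'#'*|[A-Za-z_]*=*) continue ;;
        esac
        set -- $line
        case "$1" in
            @*) [ $# -ge 3 ] || continue; user=$2; shift 2 ;;
            *)  [ $# -ge 7 ] || continue; user=$6; shift 6 ;;
        esac
        for tok in "$@"; do
            case "$tok" in
                /*) [ -f "$tok" ] && [ -w "$tok" ] && printf '%s %s\n' "$user" "$tok" ;;
            esac
        done
    done
    set +f
}

# Usage on the live system (output is empty when nothing is writable):
writable_path_dirs "$PATH"
if [ -r /etc/crontab ]; then writable_cron_targets < /etc/crontab; fi
```

A non-empty result from either function is a finding to fix (tighten the directory or script permissions), not something to leave in place.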

8. Running Processes

ps aux

Root processes → custom scripts

9. Network & Services

netstat -tulnp
ss -tulnp

Internal services (root?)

10. More Enumeration If the Above Does Not Work

# Current user context
id && whoami # Groups → sudo, docker, lxd, adm
# Home dirs & creds
ls -la ~ # SSH keys, creds, history files
# Bash history
cat ~/.bash_history # Passwords / commands leakage
# SSH keys (lateral / privesc)
ls -la /home/*/.ssh/ # Private keys reuse
# /etc/passwd (write check)
ls -l /etc/passwd # Writable → add root user
# NFS mounts
cat /etc/exports # no_root_squash → root access
mount # Mounted shares
# Docker
groups # docker group → root
docker ps # If accessible → escape
# LXD
id # lxd group → container escape
# Sudo version (CVE)
sudo -V # Check for known exploits
# Env variables
env # Credentials / tokens
# Interesting files
find / -name "*.bak" -o -name "*.old" 2>/dev/null # Backup files

# Logs
ls -la /var/log # Credentials / misconfigs
# World-readable files
find / -readable -type f 2>/dev/null # Sensitive data
# Focused credential hunt
grep -RiE "password|passwd|pwd|secret|key" /etc /opt /var 2>/dev/null

# Web + app creds
grep -Ri "DB_" /var/www 2>/dev/null

# Quick loot dirs
ls -la /opt /srv /var/www
# Mounted FS
df -h # Unusual mounts
# Sockets / IPC
ls -la /tmp # Writable + sockets abuse