Base Enumeration

Users

Enumerate the current user ID (UID), group ID (GID), and the groups the user belongs to.

id
uid=1001(john) gid=1001(john) groups=1001(john),27(sudo) # john's result

Enumerate basic information of all users using /etc/passwd.

cat /etc/passwd

Read the shadow file if it is accessible, and combine it with /etc/passwd for offline cracking.

cat /etc/shadow
unshadow /etc/passwd /etc/shadow > unshadowed.txt
# then run John the Ripper against unshadowed.txt

Each line of /etc/passwd has seven colon-separated fields:

  • Username: The login name (1-32 characters).

  • Password: An x means the password is stored in /etc/shadow.

  • User ID (UID): Unique ID for the user. UID 0 is for root, 1-99 are reserved, and 100-999 are for system accounts.

  • Group ID (GID): The primary group ID, found in /etc/group.

  • User Info (GECOS): Optional user information like full name or contact info.

  • Home Directory: The user's default directory when logging in.

  • Shell: The user's default shell, like /bin/bash, or /sbin/nologin to prevent login.
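As an added example (not part of this cheat sheet), the script below walks those seven fields over a constructed passwd sample and prints the accounts an auditor would look at first: extra UID 0 accounts, accounts with an empty password field, and accounts with an interactive shell. All account names and lines in SAMPLE_PASSWD are made up.

```shell
#!/bin/sh
# Constructed sample of /etc/passwd lines (not taken from any real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
john:x:1001:1001:John Doe,,,:/home/john:/bin/bash
guest::1002:1002:Guest:/home/guest:/bin/sh
svc-backup:x:999:999::/var/backups:/bin/sh
bkdoor:x:0:0::/tmp:/bin/bash'

# Field order per line: $1 name, $2 password, $3 UID, $4 GID,
# $5 GECOS, $6 home, $7 shell.  Each function reads passwd text
# from its first argument and prints one account per line.

# Accounts with UID 0 other than root: a second root-equivalent
# account is a classic sign of a tampered passwd file.
extra_uid0() {
  printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Accounts whose password field is empty: no password is needed to
# log in (an "x" means the hash lives in /etc/shadow instead).
empty_password() {
  printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# Accounts with an interactive shell, printed as name:uid:shell,
# skipping the nologin/false shells that block login.
login_users() {
  printf '%s\n' "$1" | awk -F: '$7 !~ /(nologin|false)$/ { print $1 ":" $3 ":" $7 }'
}

# Stand-alone run: audit the constructed sample.  On a real host pass
# "$(cat /etc/passwd)" instead of "$SAMPLE_PASSWD".
for f in extra_uid0 empty_password login_users; do
  echo "== $f =="
  "$f" "$SAMPLE_PASSWD"
done
```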


System

Enumerate hostname.

hostname

Enumerate the operating system version.

cat /etc/os-release
cat /etc/issue

Enumerate kernel version and architecture.

cat /proc/version
# shows the kernel version and the compiler used to build it (e.g. gcc)
uname -a

User configurations

List the sudo rights of the current user.

This command reads the sudoers configuration and shows which commands the current user may run as root, and whether any of them can be run without a password (NOPASSWD).

sudo -l

User vourf may run the following commands on DESKTOP-JE4JGR0:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/lib/win-kex/xrdp/xrdpservice
    (root) NOPASSWD: /usr/lib/win-kex/wslg-sock/wslg-sock

List environment variables.

Environment variables can contain tokens or passwords. Also check PATH: a writable directory in it would allow a malicious file to be injected.

env

Processes

Enumerate all processes in a user readable format.

ps aux

Monitor Processes.

watch -n 1 "ps aux | grep pass"

It is also possible to monitor running processes in real time with the pspy tool.


Network

Enumerate all network interfaces, including physical and virtual ones.

ip a
ifconfig

Display the routing tables.

route

Enumerate connections.

ss -anp
netstat -tulnp

Enumerate firewall rules.

cat /etc/iptables/rules.v4

Installed Software

dpkg -l

SSH Keys & History

Check ~/.ssh/, .bash_history, configs (.gitconfig, config.json, etc.)


SUID/SGID Binaries

find / -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null

Writable Directories

find / -path /proc -prune -o -type d -perm -o+w 2>/dev/null
