Enumeration is one of the key stages of penetration testing. It's the first thing to do when you've compromised a target system as a penetration tester. Although there are a plethora of tools to automate this process, it's always recommended to manually scour through and double-check the system for potential vectors of privilege escalation.

Let's look at the different ways to manually enumerate a Linux system for privilege escalation.

Why Is Enumeration Important for Privilege Escalation?

Privilege escalation, also known as Escalation of Privilege (EOP) is a core component of penetration testing and the penetration testing methodology. As the name suggests, it's a stage when you attempt to elevate your privileges to the administrator or, in Linux systems, the root user.

To gain root privileges, you need to first find a vulnerability in the system. This is where enumeration comes into play. Though there are tools to automate enumeration, more often than not, manual and thorough enumeration can uncover misconfigurations and other vulnerabilities that aren't picked up by tools.

1. System Enumeration

enumerating system information

The first thing you should do after gaining an initial foothold is learn about the system you have established access to. This will help you optimize your payloads to match the architecture and ensure maximum compatibility of your payloads with the target system.

For instance, if you have a 64-bit exploit, you'd need to modify it if your target system only supports 32-bit software as there's a difference between 32-bit and 64-bit systems.

Also, knowing the kernel version will help you hunt for exploits on the web in case you find that the version is outdated and vulnerable to a public exploit. Here are some commands that will help you fetch system information:

To find system information such as kernel version, OS release, etc., type in:

        cat /etc/cpuinfo 
uname -a

If you want to learn more about CPU architecture, use the lscpu command:

        lscpu
    

2. Process Enumeration

enumerating processes on Linux

Processes are programs in execution. Knowing the complete list of processes on a Linux system, coupled with a few other enumeration tactics mentioned in this guide will help you identify potentially vulnerable processes and leverage them to elevate privilege.

For instance, if you find a process running with root privileges, you might be able to inject arbitrary code into it which could lead to successful escalation of privilege.

You can use the ps command with the aux flags to list all the processes in the system:

        ps aux
    

3. Users and Groups Enumeration

enumerating groups on Linux

Users and groups enumeration is important to figure out who has access to which part of the system. Knowing that allows you to scope your targets efficiently and build an effective attack strategy. Moreover, you're able to create proper mappings and understand in-depth the roles and privileges of each account.

Having visibility of privileged accounts allows you to try known username-password combinations. You can print the contents of the /etc/passwd and /etc/group files to access the list of users. Alternatively, you can also use the getent command.

To get the list of users on Linux:

        getent passwd
    

To get the list of groups:

        getent group
    

4. Investigating for Sensitive Files

accessing passwd file

Sensitive files such as /etc/passwd and /etc/shadow can potentially leak a lot of information. From /etc/shadow you can find the hashes of the password of users and attempt to crack them with a hash-cracking tool like Hashcat or John the Ripper.

There's also the /etc/sudoers file, which, if you can edit it somehow, will allow modifying the sudo permissions for users and groups.

5. Checking sudo Permissions

enumerating sudo permissions

Proper management of sudo permissions is crucial to the safety of a Linux system. Analyzing the sudo permissions will grant you insight into potential vectors for privilege escalation. If there are misconfigurations like certain programs have an alarming level of privilege, you might be able to exploit them to gain root access.

This is just an example of the many attack pathways that can open up once you have clarity of the sudo permissions in the Linux system. Another example would be abusing the LD_PRELOAD library preloading mechanism, which you can enumerate by looking at sudo permissions.

        sudo -l
    

6. Finding Linux Kernel Exploits

finding linux kernel exploits

Linux kernel exploits are deadly because they attack the core of the OS running on the compromised system. With a critical kernel flaw, you'll be able to do just about anything with the system.

To find kernel exploits, first, find out the kernel version and then, using a tool like searchsploit or, using Google Dorks, find a suitable exploit affecting the exact version of the kernel running on the system.

7. Exploiting SUID Binaries

enumerating SUID binaries

SUID is the abbreviation for Set Owner User ID upon execution. It is a special type of file permission that, when set, executes a program with the privileges of its owner.

If a program was created by the root user and the SUID bit was set for it, the program, when executed, would possess root privileges. How can SUID be abused? It's simple.

Enumerate for all binaries with SUID bit set, scour through the list, find a binary for which you have write access, and edit its source to add your payload. You can use the find command to look for SUID binaries and redirect standard output to /dev/null:

        find / -perm -4000 2>/dev/null
    

8. Hijacking Libraries

Sometimes there might be programs running on the system that are using libraries that aren't write-protected. In such a scenario, you can easily overwrite the library in use and take control of the program's functionality.

If you get lucky and find a program running as root, you could hijack the library it depends on and potentially get root shell access.

9. Investigating and Hijacking Environment Variables

enumerating environment variables

Environment variables are special types of variables that, to a certain extent, define how the system and programs function. An important environment variable is the PATH variable.

It stores the location of all the executable binaries in the system. You can manipulate the PATH variable and chain it with other vulnerabilities like library hijacking to gain root access.

For instance, suppose there's an executable with a SUID bit set. To function properly, it's calling a binary without defining its full path.

You can take advantage of this by creating a duplicate, malicious version of the binary, and updating the PATH variable with the location of the malicious binary so when the SUID executable is run, your malicious binary will be run as root, and you'll be able to spawn a root shell.

Moreover, there's also a good chance of finding secret keys and passwords by simply looking through the environment variables. You can print all the environment variables using the env command:

        env
    

10. Find Artifacts in Bash History

Oftentimes, the history of the current user won't be deleted. You can abuse this to potentially get access to sensitive information or re-run previous commands with modified parameters.

Though these probably won't lead to privilege escalation, it's a good source of information leaks to give you clarity of what the user usually does on the system.

11. Hijacking Vulnerable Cron Jobs

enumerating cron jobs

Cron jobs are an in-built and highly resourceful feature of Linux. If you've migrated from Windows, a cron job can be directly compared to a scheduled task on Windows.

It runs periodically and executes commands. Both the time when it will run and the commands it will execute are pre-defined by the user. Sometimes you might find a few cron jobs vulnerable to attacks like wildcard injection or are writable by the user you've logged in as.

You can abuse these vulnerabilities to gain root access to the system. To exploit a cron job, you have to first find a vulnerable one. Here are the commands to list currently running cron jobs and other relevant data:

        ls /etc/cron.d/
crontab -l -u <username>

12. Listing Outdated Packages

finding outdated software

When you have established access to a system, one of the first steps you should take is to list all the installed software packages and tally their installed versions with their latest release.

There's a possibility that some obscure package is installed which might not be used much yet is critically vulnerable to a privilege escalation attack. You can then exploit that package to gain root access.

Use the dpkg command with the -l tag to list installed packages on Debian- and Ubuntu-based systems:

        dpkg -l
    

For RHEL/CentOS/Fedora systems, use this command to list installed packages:

        rpm -qa 
    

Now You Know How to Manually Enumerate Linux for Privilege Escalation

Privilege escalation depends solely on enumeration. The more information you have access to, the better you'll be able to plan out your attack strategies.

Efficient enumeration is key to establishing a foothold, escalating privileges, and successfully persisting on your target system. Although doing things manually does help, some of the tasks can be assigned to automated tools to save time and effort. You must know about the best security tools to scan a system for vulnerabilities.