Linux Privilege Escalation
Enumeration
hostname
- will return hostname of machine
- can provide information about the system's role in the network (e.g. a name like db-prod or jump01)
uname -a
- prints system information
- additional details about kernel, useful when searching for potential kernel vulnerabilities
/proc/version
- information about the running kernel, not about processes
- kernel version plus the compiler (e.g. gcc version) that built it, which helps match kernel exploits to the exact build
/etc/issue
- information about the operating system (login banner, usually distribution and version); /etc/os-release is a more reliable source
ps
- see running processes on linux system
ps -A
- show all running processes (ps -a alone only shows processes with a terminal)
ps axjf
- show process tree
ps aux
- show processes for all users (a), the user that launched each process (u), and processes that are not attached to a terminal (x)
env
- show environment variables
sudo -l
- list all commands that current user can run using sudo
ls
- list files
id
- general overview of user privilege levels and groups
/etc/passwd
- contains users on the system (world-readable; password hashes are in /etc/shadow, readable only by root)
- cut to username only using
cut -d ":" -f 1 /etc/passwd
history
- show shell history
ifconfig
- information about network interfaces on the system; on newer systems ifconfig may be missing, use ip a instead
ip route
- to see network routes
netstat
- shows existing connections; deprecated on newer systems, where ss -tulpn gives the equivalent listening-port view
-a
- all listening ports and established connections
-at or -au
- same, restricted to TCP or UDP
-l
- list ports in listening mode, open and ready to accept connections
-p
- include the PID and program name (other users' processes need root)
-i
- show interface statistics
find
- find files
find . -name "*.txt"
- find all files that end with .txt in the current directory tree; quote the pattern, otherwise the shell expands it before find sees it
Automated Enumeration Tools
Kernel Exploits
Methodology:
- Identify kernel version
- search and find exploit code for kernel version
- run exploit
Research sources:
- https://www.linuxkernelcves.com/cves
- LES (Linux Exploit Suggester); tools like this can generate false positives and false negatives, and a kernel exploit that does not match the exact kernel build and distribution can crash the target, so verify the match before running it
SUID
- using
find / -type f -perm -04000 -ls 2>/dev/null
to list files that have the SUID bit set (-perm -02000 finds SGID, -perm /06000 finds either) - look the results up on https://gtfobins.github.io/ to filter binaries that are known to be exploitable when those bits are set
Cron Jobs
- can the script that gets executed by a cronjob be changed? if the script, or a directory on the job's PATH, is writable by the current user, whatever is put there runs as the job's user, usually root
- every user can read
/etc/crontab
- also check /etc/cron.d/ and the periodic directories (/etc/cron.hourly, /etc/cron.daily, ...)
- look for leftover cronjobs whose script file no longer exists: if the missing path is in a directory we can write to, we can create the file ourselves
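An added example, not part of the original notes, that turns the SUID and cron checks above into two reusable bash functions. It assumes a Linux host with bash and GNU findutils/coreutils; the crontab content in the usage comment is constructed, and the function names are my own.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): helpers for the SUID/SGID and
# cron checks above. Assumes bash with GNU find/coreutils on Linux.

# Print every regular file under $1 (default /) with the SUID or SGID bit set.
# -perm /6000 matches if either bit is present; -perm -04000 is SUID only.
# -xdev keeps find on one filesystem so /proc and network mounts are skipped.
find_setid() {
    local root="${1:-/}"
    find "$root" -xdev -type f -perm /6000 -printf '%M %u:%g %p\n' 2>/dev/null
    return 0
}

# Scan one crontab-format file ($1, e.g. /etc/crontab or a file under
# /etc/cron.d) and report absolute paths on each job line that we could tamper
# with:
#   WRITABLE <path>  the file exists and is writable by the current user
#   MISSING  <path>  the file does not exist but its parent directory is
#                    writable, so we could drop our own file there
# System crontabs carry a user field, so the command runs as that user
# (often root) regardless of who owns the script it calls.
check_cron_file() {
    local file="$1" line tok dir toks
    while IFS= read -r line || [ -n "$line" ]; do
        # skip blanks, comments and environment assignments (SHELL=, PATH=)
        [[ -z "$line" || "$line" =~ ^[[:space:]]*# ]] && continue
        [[ "$line" =~ ^[A-Za-z_][A-Za-z0-9_]*= ]] && continue
        # read -a splits on whitespace without glob-expanding the * fields
        read -ra toks <<< "$line"
        # every absolute path is a candidate: "/bin/sh /opt/backup.sh"
        # references two files and both are worth checking
        for tok in "${toks[@]}"; do
            [[ "$tok" == /* ]] || continue
            [[ "$tok" == /dev/* ]] && continue   # /dev/null is always writable
            if [ -e "$tok" ]; then
                [ -w "$tok" ] && printf 'WRITABLE %s\n' "$tok"
            else
                dir=$(dirname "$tok")
                [ -d "$dir" ] && [ -w "$dir" ] && printf 'MISSING %s\n' "$tok"
            fi
        done
    done < "$file"
    return 0
}

# Check the system crontab and every drop-in file in one go.
check_all_cron() {
    local f
    for f in /etc/crontab /etc/cron.d/*; do
        [ -f "$f" ] && check_cron_file "$f"
    done
    return 0
}

# Usage (constructed crontab line for illustration):
#   */5 * * * * root /bin/sh /opt/backup.sh > /dev/null 2>&1
# check_cron_file /etc/crontab would print "WRITABLE /opt/backup.sh" if the
# current user can edit that script, or "MISSING /opt/backup.sh" if it was
# deleted but /opt is writable. find_setid / lists candidates for GTFOBins.
```

Note that a root user sees everything as writable, so the findings are only meaningful when run as the low-privileged user you are trying to escalate from; a MISSING finding is the "leftover cronjob" case from the notes.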