Privilege Escalation for Linux machines before running scripts like linpeas

I am trying to explain the few commands I run manually before I use any privilege escalation scripts such as linpeas or LinEnum.

Sudo Privilege

Check for any commands that can be run with sudo privileges without a password. Remember that sometimes you may have to terminate and re-initiate the existing session if no sudo command is enabled.

Command to check: sudo -l (in the output below no commands have sudo enabled, and I had to press CTRL-Z and exit the existing shell)

sudo -l
sudo -l
[sudo] password for www-data: 

Sorry, try again.
[sudo] password for www-data: 

Sorry, try again.
[sudo] password for www-data: 

Search for any unknown SUID/SGID enabled

Look for files with the SUID/SGID bit set. I sometimes use linpeas for this if I am not sure. Compare the result against the usual set of SUID binaries found on Linux machines: anything outside that set is an unknown SUID file and deserves a closer look.

find / -perm -u=s -type f 2>/dev/null
find / -perm -g=s -type f 2>/dev/null


/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/bin/newgidmap
/usr/bin/chsh
/usr/bin/pkexec
/usr/bin/newuidmap
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/at
/bin/ping6
/bin/ping
/bin/mount
/bin/umount
/bin/ntfs-3g
/bin/su
/bin/fusermount
www-data@nineveh:/tmp$ find / -perm -g=s -type f 2>/dev/null
/sbin/pam_extrausers_chkpwd
/sbin/unix_chkpwd
/usr/lib/x86_64-linux-gnu/utempter/utempter
/usr/bin/bsd-write
/usr/bin/screen
/usr/bin/chage
/usr/bin/mlocate
/usr/bin/ssh-agent
/usr/bin/crontab
/usr/bin/at
/usr/bin/expiry
/usr/bin/wall
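The comparison step above is easy to get wrong by eye on a long listing. As an added example, not code from the original post, the script below keeps a baseline of the SUID binaries that are expected on a stock install (constructed here from the listing shown above; it is a starting point, not an authoritative list, and should be adjusted per distribution) and prints only the paths that are not on it. The function names unexpected_suid and audit_suid are assumed names for this example.

```sh
#!/bin/sh
# Added example (not code from the original post): flag SUID binaries that are
# not on a baseline of the ones expected on a stock Debian/Ubuntu-style install.
# The baseline is constructed from the listing shown in the post; adjust it for
# the distribution being audited.

BASELINE_SUID='/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/bin/newgidmap
/usr/bin/chsh
/usr/bin/pkexec
/usr/bin/newuidmap
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/at
/bin/ping6
/bin/ping
/bin/mount
/bin/umount
/bin/ntfs-3g
/bin/su
/bin/fusermount'

# Read one path per line on stdin and print those missing from the baseline.
# Exact whole-line matching (grep -Fx) so that /bin/su does not match /bin/sudo.
# Usage: find / -perm -u=s -type f 2>/dev/null | unexpected_suid
unexpected_suid() {
    while IFS= read -r path; do
        if [ -z "$path" ]; then
            continue
        fi
        if ! printf '%s\n' "$BASELINE_SUID" | grep -Fxq -- "$path"; then
            printf '%s\n' "$path"
        fi
    done
}

# Live audit of the running host; prints nothing when every SUID file is expected.
audit_suid() {
    find / -perm -u=s -type f 2>/dev/null | unexpected_suid
}
```

The same function works for SGID files by feeding it the output of find / -perm -g=s and swapping in a baseline built from the SGID listing; keeping the two baselines separate avoids masking a binary that unexpectedly gained the other bit.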

Search for any mails

ls /var/spool/mail
amrois
cat /var/spool/mail/amrois
From root@nineveh.htb  Fri Jun 23 14:04:19 2017
Return-Path: <root@nineveh.htb>
X-Original-To: amrois
Delivered-To: amrois@nineveh.htb
Received: by nineveh.htb (Postfix, from userid 1000)
        id D289B2E3587; Fri, 23 Jun 2017 14:04:19 -0500 (CDT)
To: amrois@nineveh.htb
From: root@nineveh.htb
Subject: Another Important note!
Message-Id: <20170623190419.D289B2E3587@nineveh.htb>
Date: Fri, 23 Jun 2017 14:04:19 -0500 (CDT)

Search for locally running services

You might have found some services running from the initial nmap scan. Once you get an initial shell, check for any exploitable services which run only locally.

netstat -anlp
netstat -ano

Sample output of this command on the target showed ports 22, 80 and 443.


In the nmap results only ports 80 and 443 were shown to me. Here I could see that port 22 is additionally listening locally. This can be exploited in multiple ways, such as tunneling, or by following the hints provided for each machine.
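The point of the comparison above is the difference between what the external scan saw and what is bound on the box. As an added example, not code from the original post, the script below parses netstat-style output (the netstat -anlp layout shown in the post) and reports each TCP listener together with whether it is bound only to a loopback address, which is exactly the set an external nmap scan cannot see. The sample output and the function names tcp_listeners and loopback_only are constructed for this example; the addresses are documentation (TEST-NET) ranges, not a real host.

```sh
#!/bin/sh
# Added example (not code from the original post): parse netstat -anlp style
# output and report TCP listeners bound only to loopback, i.e. services that
# run locally but were invisible to the external port scan.

# Constructed sample in netstat -anlp format (documentation address ranges).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:22            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp6       0      0 :::443                  :::*                    LISTEN      -
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED -
udp        0      0 0.0.0.0:68              0.0.0.0:*                           -'

# Read netstat output on stdin; print "<port> <scope>" for each TCP listener,
# where scope is loopback-only (127.0.0.1 or ::1) or exposed (any other bind address).
tcp_listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
        n = split($4, parts, ":")
        port = parts[n]
        # everything before the final ":" is the bind address (handles :::443 and ::1:22)
        addr = substr($4, 1, length($4) - length(port) - 1)
        scope = (addr == "127.0.0.1" || addr == "::1") ? "loopback-only" : "exposed"
        printf "%s %s\n", port, scope
    }'
}

# Only the loopback-bound listener ports: the local-only services that an
# external scan would have missed and that are worth checking first.
loopback_only() {
    tcp_listeners | awk '$2 == "loopback-only" { print $1 }'
}

# Usage on a live host: netstat -anlp 2>/dev/null | loopback_only
```

Run against the sample, tcp_listeners reports 22 as loopback-only and 80 and 443 as exposed, which matches the gap between the nmap results and the local netstat view described above; the udp and ESTABLISHED lines are ignored because only TCP sockets in the LISTEN state are of interest here.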