SYSTEM INFORMATION

OS and kernel version

Check for kernel exploits — Old kernels = easy root

uname -a
cat /etc/os-release
cat /etc/issue
Example output:

  $ uname -a
  Linux target 4.15.0-20-generic #21-Ubuntu SMP x86_64
  (Search: Linux 4.15.0-20 exploit -> DirtyCow, etc)

Who am I / groups

Current user context — docker/lxd/disk groups = root

id
whoami
groups
Example output:

  uid=33(www-data) gid=33(www-data) groups=33(www-data)
  OR: uid=1000(john) gid=1000(john) groups=1000(john),999(docker)
  (docker group = instant root!)
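Added example, not part of the original cheat sheet: a small audit function that reads one line of id output and flags membership in groups that commonly amount to root. The PRIV_GROUPS list is an assumption based on common Linux defaults; the sample id lines are constructed to mirror the example output above.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: flag membership in groups
# that commonly give root-equivalent access. PRIV_GROUPS is an assumption
# based on common Linux defaults; extend it for the distribution in use.
PRIV_GROUPS="root sudo wheel admin adm docker lxd lxc disk shadow"

# privileged_groups "<one line of id output>" -> prints matching group names
privileged_groups() {
    id_line=$1
    # groups=33(www-data),999(docker) -> the names inside the parentheses
    names=$(printf '%s\n' "$id_line" | sed -n 's/.*groups=//p' | tr ',' '\n' \
            | sed -n 's/^[0-9]*(\([^)]*\)).*/\1/p')
    for g in $names; do
        for p in $PRIV_GROUPS; do
            [ "$g" = "$p" ] && printf '%s\n' "$g"
        done
    done
    return 0
}

# Constructed sample lines, mirroring the example output above
for line in 'uid=33(www-data) gid=33(www-data) groups=33(www-data)' \
            'uid=1000(john) gid=1000(john) groups=1000(john),999(docker)'; do
    hits=$(privileged_groups "$line" | tr '\n' ' ')
    if [ -n "$hits" ]; then
        printf 'REVIEW  %s -> privileged groups: %s\n' "$line" "$hits"
    else
        printf 'OK      %s\n' "$line"
    fi
done
```

Run it against the live host with `privileged_groups "$(id)"`; a non-empty result for a service account such as www-data is a finding to fix (remove the membership or run the service under a dedicated user), not a design choice.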

All users

Users with shells — Identify targets for lateral movement

cat /etc/passwd
cat /etc/passwd | grep -v nologin | grep -v false
Example output:

  $ cat /etc/passwd | grep -v nologin | grep -v false
  root:x:0:0:root:/root:/bin/bash
  admin:x:1000:1000:Admin:/home/admin:/bin/bash
  john:x:1001:1001::/home/john:/bin/bash
  (Users with actual shell access)
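Added example, not part of the original cheat sheet: the same question asked field-by-field instead of with grep -v over whole lines, plus a check for extra UID-0 accounts. The shell-name list and the sample passwd file (including the "falsetto" and "toor" entries) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: audit a passwd-format file
# for accounts that can log in interactively and for UID-0 accounts other
# than root. Both functions take a file path, so they run on the constructed
# sample below or on /etc/passwd itself.

# interactive_users FILE -> "user:shell" for every account whose shell is not
# a nologin/false style placeholder. Matching on the shell field only avoids
# grep -v's false negatives (a user or home directory containing "false").
interactive_users() {
    awk -F: '$7 != "" && $7 !~ /\/(nologin|false|true|sync|shutdown|halt)$/ {
        print $1 ":" $7
    }' "$1"
}

# extra_root_accounts FILE -> names of UID-0 accounts other than root
extra_root_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Constructed sample; "falsetto" is dropped by `grep -v false`, "toor" is the
# kind of entry an auditor wants flagged
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
admin:x:1000:1000:Admin:/home/admin:/bin/bash
john:x:1001:1001::/home/john:/bin/bash
falsetto:x:1002:1002::/home/falsetto:/bin/bash
svc:x:1003:1003::/var/lib/svc:/bin/false
toor:x:0:0::/root:/bin/sh
EOF

echo "Interactive accounts:"; interactive_users "$SAMPLE"
echo "UID-0 accounts besides root:"; extra_root_accounts "$SAMPLE"
rm -f "$SAMPLE"
```

Any output from extra_root_accounts on a real host deserves an incident-response look before anything else in this section; a second UID-0 account is a classic persistence artifact.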

Readable /etc/shadow

If readable = crack hashes — Should not be world-readable

cat /etc/shadow 2>/dev/null
Example output:

  $ cat /etc/shadow
  root:$6$rounds=5000$salt$hashhere:19000:0:99999:7:::
  admin:$6$salt2$anotherhash:19000:0:99999:7:::
  (SHOULD NOT BE READABLE! Crack with hashcat -m 1800)
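Added example, not part of the original cheat sheet: the defender's side of this finding, a permission and ownership check for a shadow-style file. It assumes GNU stat (Linux) and demonstrates on a constructed temp file rather than the real /etc/shadow.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: a shadow file should be
# root-owned and unreadable by "other" (typically 0640 root:shadow or
# 0600 root:root). Assumes GNU stat.

# world_readable FILE -> exit 0 if the "other" read bit is set
world_readable() {
    mode=$(stat -c '%a' "$1")                # e.g. 640 or 4755
    other=$(printf '%s' "$mode" | tail -c 1) # last octal digit = other bits
    [ $((other & 4)) -ne 0 ]
}

# shadow_check FILE -> prints a verdict, returns 1 on any finding
shadow_check() {
    f=$1
    rc=0
    owner=$(stat -c '%U' "$f")
    if [ "$owner" != "root" ]; then
        printf 'FAIL  %s owned by %s, expected root\n' "$f" "$owner"
        rc=1
    fi
    if world_readable "$f"; then
        printf 'FAIL  %s mode %s is world-readable (fix: chmod 640, chgrp shadow)\n' \
            "$f" "$(stat -c '%a' "$f")"
        rc=1
    fi
    [ "$rc" -eq 0 ] && printf 'OK    %s\n' "$f"
    return "$rc"
}

# Demo on a constructed temp file rather than the real /etc/shadow
T=$(mktemp)
chmod 644 "$T"; world_readable "$T" && echo "mode 644: readable by everyone (finding)"
chmod 640 "$T"; world_readable "$T" || echo "mode 640: not world-readable (ok)"
rm -f "$T"
```

On a real host run `shadow_check /etc/shadow` (and the same for /etc/gshadow and any backup copies such as /etc/shadow-); the check only inspects the last mode digit, so an ACL granting read access would need a separate `getfacl` look.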

Network info

Interfaces, routes, connections — Find internal networks, pivot targets

ip a
ifconfig
route
arp -a
netstat -tulnp
ss -tulnp
Example output:

  $ ip a
  2: eth0: inet 10.10.10.5/24
  3: eth1: inet 172.16.1.5/24  <- DUAL HOMED = pivot!

  $ ss -tulnp
  127.0.0.1:3306  mysqld  <- internal MySQL
  127.0.0.1:8080  python3 <- hidden internal app
  0.0.0.0:22      sshd
  (Internal services = more attack surface)
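Added example, not part of the original cheat sheet: a parser for real `ss -tulnp` output that separates loopback-only listeners from services bound on every interface, which is the exposure question behind the note above. The sample output is constructed in the normal ss column layout; the process names mirror the example.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: split `ss -tulnp` output into
# loopback-only listeners and listeners exposed on real interfaces. The sample
# is constructed; pipe real output in with: ss -tulnp | classify_listeners exposed

# classify_listeners loopback|exposed  (ss -tulnp output on stdin)
# prints: proto address port process
classify_listeners() {
    awk -v want="$1" 'NR > 1 {
        n = split($5, p, ":"); port = p[n]                 # works for [::]:22 too
        addr = substr($5, 1, length($5) - length(port) - 1)
        cls = (addr ~ /^127\./ || addr == "[::1]") ? "loopback" : "exposed"
        proc = "-"                                          # "-" when ss hides the owner
        if (match($7, /"[^"]+"/)) proc = substr($7, RSTART + 1, RLENGTH - 2)
        if (cls == want) print $1, addr, port, proc
    }'
}

SS_SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*         users:(("mysqld",pid=1235,fd=21))
tcp   LISTEN 0      128    127.0.0.1:8080     0.0.0.0:*         users:(("python3",pid=2001,fd=3))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=800,fd=3))
tcp   LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=800,fd=4))
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*         users:(("dhclient",pid=700,fd=6))'

echo "Loopback-only (not reachable from the network, still worth hardening):"
printf '%s\n' "$SS_SAMPLE" | classify_listeners loopback
echo "Exposed on all interfaces:"
printf '%s\n' "$SS_SAMPLE" | classify_listeners exposed
```

Loopback-only services are the ones that never appear in an external port scan, so they tend to miss patching and authentication reviews; the exposed list is what a host firewall policy should be compared against.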

Running processes

All running services — Find services running as root

ps auxww
ps -ef
Example output:

  $ ps auxww
  root  1234 /usr/sbin/apache2 -k start
  root  1235 /usr/bin/mysqld --user=root  <- MySQL as root!
  root  1236 /opt/vulnerable_app --config /root/app.conf
  root  1237 /usr/bin/python3 /opt/cron_script.py
  (Custom apps and root processes are targets)
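Added example, not part of the original cheat sheet: a filter that pulls out root-owned processes whose binary (or, for interpreters, the script they run) lives outside package-managed paths, the "custom app as root" case above. The TRUSTED prefix list and the sample process table are assumptions; the sample uses the `ps -eo user,pid,args` layout so real output pipes in the same way.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: list root-owned processes
# whose executable (or, for interpreters, the script they run) lives outside
# package-managed paths. TRUSTED is an assumption; the sample is constructed
# in `ps -eo user,pid,args` layout, so real output can be piped in the same way.
TRUSTED="/usr/ /bin/ /sbin/ /lib/ /lib64/"

# root_nonstandard  (ps -eo user,pid,args output on stdin) -> "pid path"
root_nonstandard() {
    awk -v trusted="$TRUSTED" 'NR > 1 && $1 == "root" {
        target = $3
        # an interpreter is trusted; the interesting path is the script it runs
        if ($3 ~ /\/(python[0-9.]*|perl|ruby|node|sh|bash)$/ && $4 ~ /^\//) target = $4
        n = split(trusted, t, " "); ok = 0
        for (i = 1; i <= n; i++) if (index(target, t[i]) == 1) ok = 1
        if (!ok) print $2, target
    }'
}

PS_SAMPLE='USER       PID COMMAND
root      1234 /usr/sbin/apache2 -k start
root      1235 /usr/bin/mysqld --user=root
root      1236 /opt/vulnerable_app --config /root/app.conf
root      1237 /usr/bin/python3 /opt/cron_script.py
www-data  1300 /usr/sbin/apache2 -k start
root      1400 /home/deploy/bin/agent --daemon'

echo "Root processes running from non-standard locations:"
printf '%s\n' "$PS_SAMPLE" | root_nonstandard
```

Every path this prints should be checked for write access by non-root users (`ls -ld` on the file and each parent directory): a root process started from a user-writable location is a privilege boundary that no longer exists.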

Installed packages

Installed software — Vulnerable versions

dpkg -l
rpm -qa
Example output:

  $ dpkg -l | grep -i apache
  apache2 2.4.29-1ubuntu4.14
  (Old version, check for CVEs)

Environment variables

Credentials in env vars — DB passwords, API keys

env
cat /proc/*/environ 2>/dev/null | tr '\0' '\n'   # environ is NUL-separated; tr gives one variable per line
Example output:

  $ env
  DB_PASSWORD=MySQLr00tP@ss
  API_KEY=sk-abc123456
  SECRET_KEY=SuperSecretKeyHere
  (Credentials exposed in environment)
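Added example, not part of the original cheat sheet: a scanner that reports credential-looking variable names from either `env` or /proc/PID/environ input with the values redacted, so the audit output itself does not become a second copy of the secrets. The name pattern is an assumption and the sample environ is constructed from the values shown above.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: report environment variables
# whose names look like credentials, with values redacted so the report itself
# does not leak them. Accepts both `env` (newline-separated) and /proc/PID/environ
# (NUL-separated) input. The name pattern is an assumption; extend as needed.

# credential_vars  (KEY=VALUE records on stdin) -> "KEY=<redacted, N chars>"
credential_vars() {
    tr '\000' '\n' | awk -F= '
        NF >= 2 && toupper($1) ~ /(PASS|SECRET|TOKEN|API_?KEY|PRIVATE_KEY|ACCESS_KEY)/ {
            value = substr($0, length($1) + 2)     # everything after the first "="
            printf "%s=<redacted, %d chars>\n", $1, length(value)
        }'
}

# Constructed sample in /proc/PID/environ layout (NUL-separated, no newlines)
SAMPLE=$(mktemp)
printf 'PATH=/usr/bin\000DB_PASSWORD=MySQLr00tP@ss\000API_KEY=sk-abc123456\000HOME=/var/www\000SECRET_KEY=SuperSecretKeyHere\000' > "$SAMPLE"

echo "Credential-like variables in sample environ:"
credential_vars < "$SAMPLE"
rm -f "$SAMPLE"
# Real use: cat /proc/*/environ 2>/dev/null | credential_vars
```

Secrets found this way are readable by anyone who can read the process's environ (the process owner, and root), show up in crash dumps and child processes, and should be moved to a secrets file with restricted permissions or a secrets manager, then rotated.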