# Baseline identity and platform facts: which account the shell runs as and
# which OS, kernel and packages are installed. All of these are read-only.
whoami # Effective user name of the current shell
id # UID, GID and every group membership of the current user
hostname # Machine hostname
uname -a # Kernel name, release, build string and architecture
# Distribution kernels backport fixes, so the release string alone does not
# prove a host is vulnerable or patched; compare it with the vendor's advisories.
uname -r # Kernel release only (the value kernel exploits are matched against)
cat /etc/os-release # Distribution name and version
dpkg -l # Installed packages with versions (Debian/Ubuntu only; RPM-based systems use rpm -qa)
Privilege Checks
# Privilege, account and history checks. Each readable result below is also
# an audit finding for whoever hardens the host.
sudo -l # Commands the current user may run through sudo (very common privesc); may prompt for the user's password
sudo --version # sudo version, to compare against published sudo advisories
getcap -r / 2>/dev/null # Files with Linux capabilities set, searched recursively from /; permission errors are discarded
groups # Groups current user belongs to
cat /etc/passwd # Local accounts with UID, home directory and login shell (world-readable by design)
# On a correctly configured host this fails for unprivileged users: the file is
# readable only by root (plus group shadow on Debian-family systems).
cat /etc/shadow # Password hashes (if readable, that is itself a misconfiguration)
ls -la /home # User home directories with owner and permission bits
ls -la ~ # Current user's home directory, including dotfiles
cat ~/.bash_history # Command history (may contain passwords typed as command arguments)
find /home -name ".bash_history" 2>/dev/null # Locates other users' history files; finding one does not mean it is readable
Running Processes
# Both commands list every process with its full command line. Secrets passed
# as arguments are visible to all local users unless /proc is mounted with
# the hidepid option.
ps aux # Running processes with owner, CPU/memory use and command line (BSD-style options)
ps -ef # Same process list in System V format, including the parent PID
File Systems & Mounts
mount # Mounted filesystems with their mount options (nosuid, noexec, nodev are the hardening-relevant ones)
df -h # Disk usage per mounted filesystem, human-readable sizes
# The remaining lines are credential and file searches rather than mount
# information. 2>/dev/null hides permission-denied errors, so an empty result
# can mean "not readable" as well as "not present".
grep -r "password" /home 2>/dev/null # Case-sensitive recursive search for the string "password" under /home
grep -r "pass" /etc 2>/dev/null # Recursive search for "pass" under /etc; also matches unrelated text such as "passwd", so expect noise
# find / walks every mounted filesystem, including /proc and network mounts,
# so these two can be slow and produce very long output.
find / -name "*.conf" 2>/dev/null # Every file named *.conf that the current user can reach
find / -name "*.log" 2>/dev/null # Every file named *.log that the current user can reach
Network Information
ip a # Network interfaces and their assigned addresses
ip route # Routing table
arp -a # ARP cache: hosts on the local segment this machine has recently exchanged traffic with
# With -p, process names are shown only for sockets the caller owns unless the
# command is run as root; the other columns are still listed.
netstat -tulnp # Listening TCP/UDP sockets, numeric output, with owning process (net-tools, older systems)
ss -tulnp # Listening services (modern replacement from iproute2, same flags)
# Fallback for hosts without ss/netstat: try a TCP connect to every port on
# the IPv4 loopback address using bash's /dev/tcp redirection (bash-only, not
# POSIX sh). The subshell keeps the failed-connect error message out of the
# output and closes the socket as soon as the probe finishes.
# Scope: TCP on 127.0.0.1 only. UDP, IPv6 and listeners bound to other local
# addresses are not probed, and no owning process is reported; ss -tulnp gives
# that detail where it is available.
for port in {1..65535}; do
  (echo > "/dev/tcp/127.0.0.1/$port") > /dev/null 2>&1 \
    && echo "Port $port is open"
done
Cronjobs
# What to look for when auditing the output: jobs that run as root but execute
# a script or use a directory that a non-root account can write to.
# Work scheduled through systemd timers is not shown by these commands;
# systemctl list-timers lists those.
crontab -l # Cron jobs of the current user
ls -la /etc/cron* # System cron files and directories, with owner and permission bits
cat /etc/crontab # System-wide crontab, including the user each job runs as
Tools
# Automated tools that run checks like the manual ones above. The file names
# depend on how each tool was saved (upstream releases use names such as
# linpeas.sh); confirm the copy matches the project's published release before
# running it. Their output can include credentials, so treat it as sensitive.
# They are noisy and commonly flagged by endpoint detection.
./LinPEAS # Broad automated local enumeration
./LinEnum # Older enumeration script with a similar purpose
./pspy # Watches process creation without root, so commands run by other users and cron become visible