Methodology

The first thing you need to do after gaining a foothold on a machine is to look for reused credentials. Try every password you have gathered against every local user; you never know when you might find an easy escalation to root.

Next, you should hunt down sensitive files and look for stored credentials in configuration and source files of different applications. Naturally, you should also enumerate any local databases you find. Additionally, SSH keys are something to be on the lookout for.

You should also go through the bash history and look for any passwords which were passed as command-line arguments.

You should then move on to looking for exploits. Kernel exploits are low-hanging fruit, so always check the kernel version. After that, enumerate sudo and the different ways it can be abused, for example via Shell Escape Sequences or LD_PRELOAD.

Next, track down misconfigurations such as excessive capabilities or SUID binaries. Check whether you have write access to any sensitive files such as /etc/passwd or /etc/shadow, as well as to any cron jobs or the scripts and binaries those cron jobs depend on.

Finally, enumerate the software and services running as root and look for vulnerabilities in them that may allow privilege escalation.

This can all be summed up as follows:

  1. Credentials
    • Reused Credentials
    • Credentials in Configuration or Source Files
    • Credentials from Databases
    • Credentials in Sensitive Files
    • Credentials from Bash History
    • SSH Keys
  2. Exploitation
    • Kernel Exploits
    • Sudo
  3. Misconfigurations
    • Excessive Capabilities
    • SUID/SGID Binaries
    • Write Access to Sensitive Files
    • Writable Cron Jobs and Cron Job Dependencies
  4. Installed Software
    • Vulnerabilities in Software and Services Running as Root
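As an added example (not code from the original page), a small POSIX sh audit that checks the misconfiguration classes of step 3 from the administrator's side: group/other-writable sensitive files, cron files and the absolute paths they invoke, and SUID/SGID binaries outside an assumed baseline allowlist. The sensitive-file list, cron locations and baseline are assumptions to adjust per distribution; make_fixture builds a constructed temporary tree so the checks can be exercised without touching a real system.

```shell
# Added audit example, not code from the original page. Run the check functions with
# no argument on a live system, or pass a fixture directory (see make_fixture) to test.
set -u
SENSITIVE_FILES="etc/passwd etc/shadow etc/sudoers"              # account/auth data
CRON_DIRS="etc/crontab etc/cron.d etc/cron.hourly etc/cron.daily"
SUID_BASELINE="usr/bin/passwd usr/bin/sudo usr/bin/su"            # assumed allowlist
# True when the mode bits grant group or other write (checks bits, not effective access).
loose_perms() { find "$1" ! -type d \( -perm -0020 -o -perm -0002 \) 2>/dev/null | grep -q .; }
# Sensitive files that non-root users could edit to add or alter accounts.
writable_sensitive() {
  root=${1:-}
  for rel in $SENSITIVE_FILES; do
    [ -e "$root/$rel" ] && loose_perms "$root/$rel" && echo "WRITABLE $root/$rel"
  done; return 0
}
# Cron files writable by non-root, and cron "dependencies": every absolute path named
# in a cron file (the script cron runs, or tools a cron script calls) that is writable.
cron_dependencies() {
  root=${1:-}
  for d in $CRON_DIRS; do
    [ -e "$root/$d" ] || continue
    find "$root/$d" -type f | while read -r cf; do
      loose_perms "$cf" && echo "WRITABLE-CRONFILE $cf"
      grep -v '^[[:space:]]*#' "$cf" | tr ' \t' '\n\n' | grep '^/' | sort -u | while read -r dep; do
        [ -e "$root$dep" ] && loose_perms "$root$dep" && echo "WRITABLE-DEP $cf -> $dep"
      done
    done
  done; return 0
}
# SUID/SGID files outside the baseline; each one deserves a review of what it does as root.
unexpected_suid() {
  root=${1:-}
  find "$root/" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | while read -r f; do
    rel=${f#"$root/"}
    case " $SUID_BASELINE " in *" $rel "*) ;; *) echo "SUID $f" ;; esac
  done
}
# Constructed fixture: one finding of each class under a temporary directory (no root needed).
make_fixture() {
  fx=$(mktemp -d); mkdir -p "$fx/etc/cron.d" "$fx/usr/bin" "$fx/usr/local/bin"
  printf 'root:x:0:0::/root:/bin/sh\n' > "$fx/etc/passwd"; chmod 666 "$fx/etc/passwd"
  printf '* * * * * root /usr/local/bin/backup.sh\n' > "$fx/etc/cron.d/backup"; chmod 644 "$fx/etc/cron.d/backup"
  printf '#!/bin/sh\n' > "$fx/usr/local/bin/backup.sh"; chmod 777 "$fx/usr/local/bin/backup.sh"
  : > "$fx/usr/bin/passwd"; chmod 4755 "$fx/usr/bin/passwd"
  : > "$fx/usr/bin/helper"; chmod 4755 "$fx/usr/bin/helper"
  echo "$fx"
}
```

On a live system, `writable_sensitive; cron_dependencies; unexpected_suid` prints one line per finding; an empty result for all three means these particular misconfigurations are absent, not that the host is hardened.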