Post-Compromise Enumeration on Linux
Enumeration is the first step you take once you gain access to any system — and it never stops mattering. Whether you landed root via a juicy RCE or snuck in with a low-privileged shell, you now need to figure out where you are, what you have, and what you can do next.
Unlike CTFs, real-world pentests don’t end at getting a shell. Enumeration during the post-compromise phase is just as critical as during initial recon. Here’s a breakdown of essential Linux commands and techniques to start peeling back the layers of your target.
System Identification
hostname
```bash
hostname
# Displays the system hostname
```
Sometimes meaningless (ubuntu-3894723), sometimes gold (SQL-PROD-01). Hostnames can reveal the system’s role in a network.
uname -a
```bash
uname -a
# Kernel and system architecture info
```
Gives kernel version and architecture — useful for checking kernel exploits for privesc.
/proc/version
```bash
cat /proc/version
# Kernel version and GCC/compiler info
```
Also confirms the presence of a compiler (like GCC) for local exploit compilation.
/etc/issue
```bash
cat /etc/issue
# Basic OS identification
```
Often customized, but worth checking. It may reveal distro/version details.
Process and User Context
ps
```bash
ps
# Shows processes belonging to the current shell session
```
Useful variations:
```bash
ps -A
# Show all running processes
ps axjf
# Display process tree
ps aux
# Show user, CPU usage, and more for all processes
```
Look for suspicious services or something left behind by an admin or another attacker.
id
```bash
id
# Current user’s UID, GID, and group membership
```
You can also check another user:
```bash
id root
```
sudo -l
```bash
sudo -l
# List commands the current user can run with sudo
```
If misconfigured, this is often your direct ticket to root.
env
```bash
env
# Show environment variables
```
Check for things like $PATH — compilers, interpreters (like Python), or misconfigurations can be leveraged in privesc.
File & Directory Analysis
ls -la
```bash
ls -la
# Show all files including hidden ones, with details
```
Always use -la to avoid missing hidden files like .secret or .ssh.
/etc/passwd
```bash
cat /etc/passwd
# List users on the system
```
You’ll see all accounts, including service/system users. For a cleaner list:
```bash
grep '/home' /etc/passwd
# Likely actual user accounts
```
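The `/home` grep misses accounts whose home directory lives elsewhere (`/opt`, `/srv`, `/var/lib`) and still catches service accounts that happen to live under `/home`. The filter below, an added example that is not part of the original post, keys on what actually matters for an account review: the UID range and whether the login shell is real. The function name `list_login_accounts` and the sample passwd lines are constructed for this illustration; on a real host you would feed it `/etc/passwd` on stdin.

```bash
#!/bin/sh
# Added example (not from the original post): print accounts that can actually
# log in, reading passwd-format lines from stdin.
# Rule: UID 0 or UID >= 1000, and a login shell that is not nologin/false.
# Output format: name:uid:home:shell
list_login_accounts() {
    awk -F: '
        # $1 = name, $3 = UID, $6 = home, $7 = login shell
        ($3 == 0 || $3 >= 1000) &&
        $7 !~ /(nologin|false)$/ {
            print $1 ":" $3 ":" $6 ":" $7
        }
    '
}

# Constructed sample passwd data for demonstration only; not from any real host.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
frank:x:1000:1000:Frank:/home/frank:/bin/bash
backup:x:1001:1001::/var/backups:/bin/false
deploy:x:1002:1002::/opt/deploy:/bin/sh'

# Usage on a live system: list_login_accounts < /etc/passwd
printf '%s\n' "$SAMPLE_PASSWD" | list_login_accounts
```

Note that `deploy` (home under `/opt`) is reported even though the `/home` grep would never show it, while `backup` is dropped because `/bin/false` cannot be used interactively. When auditing a box, any account that appears here and is not on the expected list of humans deserves a closer look.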
history
```bash
history
# View the command history of this shell
```
Might reveal missteps by the user — plaintext creds, IPs, or tool usage.
Networking & Pivot Potential
ifconfig (or ip a)
```bash
ifconfig
# Show network interfaces
```
Identify connected interfaces and pivoting opportunities.
ip route
```bash
ip route
# Show routing table
```
Helps confirm access paths and isolated subnets.
netstat
Some useful flags:
```bash
netstat -a
# All connections and listening ports
netstat -at
# TCP only
netstat -au
# UDP only
netstat -l
# Listening ports
netstat -tp
# TCP connections with PID/program name (full details require root)
netstat -s
# Protocol usage stats
netstat -i
# Interface-level packet stats
netstat -ano
# All sockets, no DNS resolution, show timers
```
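Reading raw `netstat` output by eye gets tedious on a busy host. The function below, an added example that is not part of the original post, pulls out only the listeners bound to all interfaces (`0.0.0.0` or `::`), which is the set a defender most wants to reconcile against what the box is supposed to serve; loopback-only services are skipped. The function name `exposed_listeners` and the sample `netstat -tulnp` output are constructed for this illustration.

```bash
#!/bin/sh
# Added example (not from the original post): from netstat -tulnp style output
# on stdin, print "proto port pid/program" for sockets bound to every interface.
# UDP lines have no State column, so the program name is taken as the last field.
exposed_listeners() {
    awk '
        $1 ~ /^(tcp|udp)/ && ($4 ~ /^0\.0\.0\.0:/ || $4 ~ /^:::/) {
            port = $4
            sub(/.*:/, "", port)     # keep only the text after the last colon
            print $1, port, $NF
        }
    '
}

# Constructed sample output for demonstration only; not captured from a real host.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      812/mysqld
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      640/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      901/nginx
udp        0      0 0.0.0.0:68              0.0.0.0:*                           455/dhclient'

# Usage on a live system (root for the program names): netstat -tulnp | exposed_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
```

The MySQL socket on `127.0.0.1` is deliberately left out of the result: it is reachable only from the host itself, so it belongs in the pivot notes rather than the exposure list.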
Searching for Privilege Escalation Vectors
find
Some of the most important find command use cases:
```bash
find . -name flag1.txt
# Look in current dir
find /home -name flag1.txt
# Look under /home
find / -type d -name config
# Find directories named "config"
find / -type f -perm 0777
# Files with mode exactly 0777 (readable, writable, executable by everyone)
find / -perm -a=x
# Files executable by everyone
find /home -user frank
# Files owned by user 'frank'
find / -mtime -10
# Modified in last 10 days
find / -amin -60
# Accessed in last 60 minutes
find / -size +100M
# Files larger than 100MB
find / -perm -o=w -type d 2>/dev/null
# World-writable directories
find / -perm -o=x -type d 2>/dev/null
# World-executable directories
find / -name 'python*'
# Look for Python interpreters (quoted so the shell doesn't expand the glob)
find / -name 'gcc*'
# Look for compilers
```
Find SUID Files (Privilege Escalation Goldmine)
```bash
find / -perm -u=s -type f 2>/dev/null
# Find SUID binaries — often exploitable
```
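The same SUID listing is just as useful on the defensive side: a SUID binary that was not there when the image was built is one of the clearest signs that a host has been tampered with. The script below, an added example that is not part of the original post, keeps a known-good baseline and reports anything new. The function names `collect_suid` and `suid_baseline_diff`, the temporary directory, and the sample path lists are all constructed for this illustration.

```bash
#!/bin/sh
# Added example (not from the original post): baseline the SUID binaries on a
# host and flag any that appear later. Both inputs are files, one path per line.

# Snapshot the current SUID set into the file named by $1, using the post's find.
collect_suid() {
    find / -perm -u=s -type f 2>/dev/null | sort -u > "$1"
}

# Print paths present in the current scan ($2) but absent from the baseline ($1).
# Checking FILENAME (rather than the NR==FNR trick) keeps this correct even when
# the baseline file is empty.
suid_baseline_diff() {
    awk 'FILENAME == ARGV[1] { seen[$0] = 1; next } !($0 in seen)' "$1" "$2"
}

# Constructed sample data for demonstration only; the "new" entries are invented.
WORK=$(mktemp -d)
printf '%s\n' /usr/bin/passwd /usr/bin/sudo /usr/bin/su /usr/bin/mount \
    > "$WORK/baseline.txt"
printf '%s\n' /usr/bin/passwd /usr/bin/sudo /usr/bin/su /usr/bin/mount \
    /tmp/.cache/bash /usr/bin/vim.basic > "$WORK/current.txt"

# On a live host you would run: collect_suid "$WORK/current.txt"
suid_baseline_diff "$WORK/baseline.txt" "$WORK/current.txt"
```

Either result in the sample would justify an incident ticket: a copy of a shell under `/tmp` with the setuid bit set is a textbook persistence artifact, and an editor that can spawn a shell becoming SUID is a privilege-escalation path that no package manager installs by default.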
Pro Tips
- Always redirect errors when using find:

```bash
find / -name '*.conf' 2>/dev/null
# Cleaner output without permission errors
```

- Tools like grep, cut, awk, sort, uniq, and locate are your best friends during manual enumeration.
- Combine enumeration with logic — don’t just run everything. Think: “What should I escalate to?” and “What could they have left behind?”
Final Thoughts
Post-compromise enumeration is about turning a foothold into full control. You’re looking for:
- Misconfigurations
- Credentials
- Accessible services
- Escalation paths
Every command here should become second nature. The faster and more intuitively you can map out a target Linux system, the quicker you can make informed, surgical moves toward root or lateral compromise.
