Got a shell, now what?

Hello there, i am studying IT security at the university and among my classmates hackthebox became quite trendy. For the first time, i managed to get past recon and got a shell. As i am collecting a record of good practices and commands to run while pentesting, my question is:
what do you look for, what steps you plan, what commands you surely run/try to run once you got a shell but no passwords?
this is a list of what i currently have:

kernel version (uname -a)
sudo -l (sudo less -->!/bin/bash) (sudo find /var/log -exec -/bin/bash -i \;)
ifconfig -a netstat -antup
lsof -i
find / -perm -u=s -type f 2>/dev/null

As you might have already figured out, i got some info by running those commands but nothing that led me to the path to user's pw.

Thanks in advance


  • There are literally dozens of privesc guides and scripts out there man.
  • edited November 2019
    For a better picture Google and run these tools for general enumeration and finding misconfigurations or exploits:
    LinEnum, linux-smart-enumeration,

    You can enum cronjobs using the tool pspy

    Check the kernel version and Google for exploits, check webserver's configuration files for creds or ssh keys, the bash_history files for leftover data and in general what looks out of place or interesting!
  • sudo -l
    then i run the scripts mentioned by dachef
    pay attention to suid files
    check the weird ones on gtfobins
    pspy to see what crons run and get a general idea if there is a way to root from there.

    Generally from what i have seen so far the easy and medium linux machines are a mix of service misconfiguration, loose perms on executables, config files and folders, left-over keys or plain text creds in normal and backup files as well as sudo permisions on various executables.

    Resources you could use:
    IppSec youtube channel

    The hard linux machines (at least the 3 of them that i have done so far) are of the same mindset but require way more enumeration and 'back and forth' to gather more information. Also their exploitation techniques are usually more a bit more advanced.

  • Thank you for the answers. I've spent some time testing out your resources/advice and made some progresses. Could feel overwhelming to dig through docs but thank you again for helping me going forward

Sign In to comment.