Enumeration for privilege escalation after getting a shell

I have experienced many instances where I got a low priv shell (sometimes user.txt also) and was not able to escalate privileges. Usually I run linpeas, check for sudo rights and do the other basic stuff. But when the way to move forward is to find a credential in some file inside several directories or some binary which is stored somewhere and can be exploited, these situations require thorough manual enumeration. In such cases I completely miss the thing required to move forward.

I just get the feeling that there are hundreds of files and folders to look into and I don’t even know what I’m looking for. Where should I start looking, where should I stop and what are the things which are useless to look into? Aaaaaannnd I’m stuck!!

What is the correct way of doing manual enumeration (if there is any such way) or how do you people approach after getting a low priv shell?

@gs4l said:

I have experienced many instances where I got a low priv shell (sometimes user.txt also) and was not able to escalate privileges. Usually I run linpeas, check for sudo rights and do the other basic stuff. But when the way to move forward is to find a credential in some file inside several directories or some binary which is stored somewhere and can be exploited, these situations require thorough manual enumeration. In such cases I completely miss the thing required to move forward.

I just get the feeling that there are hundreds of files and folders to look into and I don’t even know what I’m looking for. Where should I start looking, where should I stop and what are the things which are useless to look into? Aaaaaannnd I’m stuck!!

What is the correct way of doing manual enumeration (if there is any such way) or how do you people approach after getting a low priv shell?

There isn’t a “correct” way of doing enumeration. If there was a single path, linpeas/winpeas would work every time.

The challenge is that it is largely down to building the “hacker” mindset and I find it helps if you think of some key things you want to look for, look for them and see if it works. If not, don’t lose any sleep over it, just try something else. If you try all the things at once, you will go mad.

For example, I tend to work through the following, but it's in no real order:

  • look at files and folders where you have landed - on CTFs, half the time everything you need is in a hidden file where you got your foothold or nearby.
  • check user accounts (eg cat (password file gets blocked by HTB WAF) | grep -v nologin) to see who can be targeted.
  • check log files and audit files
  • check sudoers
  • search for binaries with the SUID bit set
  • search for files owned by the user account you have
  • search for files related to groups you could exploit
  • look for configuration files related to running services
  • look for unusual files in the opt, tmp etc folders
  • look for files modified on a specific date based on when the box was likely set up.

Etc. It really is a case of trying things until something works.

The reality is on CTFs, the box creators know all of this so try to make it interesting by either putting things in places we can find them, or finding new places to hide things.
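The checklist in the reply above, written as read-only shell queries of the kind an administrator would also run when auditing a host. This is an added example, not part of any post in the thread; it assumes GNU find and a POSIX shell, and the function names and the `/opt` and `/tmp` report paths are illustrative.

```shell
#!/bin/sh
# Added example: the thread's checklist as read-only queries. Every function
# takes the directory (or file) to inspect, so each check can be scoped.

# Accounts with a login shell, read from a passwd-format file.
login_accounts() {
  awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "${1:-/etc/passwd}"
}

# Hidden entries close to the starting directory.
hidden_near() {
  find "${1:-.}" -mindepth 1 -maxdepth 2 -name '.*' 2>/dev/null
}

# Regular files with the SUID bit set.
suid_files() {
  find "${1:-/}" -xdev -type f -perm -4000 2>/dev/null
}

# Regular files owned by the current user.
owned_by_me() {
  find "${1:-/}" -xdev -type f -user "$(id -u)" 2>/dev/null
}

# Regular files owned by any group the current user belongs to.
group_files() {
  for gid in $(id -G); do
    find "${1:-/}" -xdev -type f -group "$gid" 2>/dev/null
  done | sort -u
}

# Regular files modified after FROM and not after TO (e.g. around the build date).
modified_between() {
  find "$1" -xdev -type f -newermt "$2" ! -newermt "$3" 2>/dev/null
}

# One report over the places the thread names (the paths are an assumption).
enum_report() {
  echo "== login accounts";     login_accounts
  echo "== hidden, near cwd";   hidden_near .
  echo "== SUID binaries";      suid_files /
  echo "== unusual in opt/tmp"; find /opt /tmp -mindepth 1 -maxdepth 2 2>/dev/null
  echo "== sudo rights";        sudo -n -l 2>/dev/null
}
```

Nothing runs until `enum_report` or one of the individual functions is called, and each function only reads metadata.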

Same here, I just spent a day on Bucket PE, even though this box is so lean, so around a theme, so free of noise.
Being unfamiliar with little technical difficulties here and there adds to the friction of getting root. I kinda went blank and forgot what I was focusing on and made a lot of mistakes :confused: