The Mindset
- Who am I? — Your current user, privileges, and group memberships.
- Where am I? — The OS, kernel, architecture, and how the system is set up.
- What’s around me? — Users, services, network, files, and misconfigurations.
You cannot escalate privileges without first enumerating the system. If you’re
stuck, you haven’t gathered enough information — step back and dig deeper.
The Enumeration Checklist
At minimum, collect the following before moving on:
| Category | What to Gather |
|---|---|
| System Info | OS version, kernel version, architecture, patches |
| User Info | Current user, all users, sudo rights, group memberships |
| Network Info | Interfaces, routing tables, active connections |
| Running Services | Active processes, listening ports, scheduled tasks |
| File System | Interesting files, permission issues, mounted drives |
| Installed Software | Applications, versions, potential CVEs |
| Security Mechanisms | Firewall rules, SELinux/AppArmor status |
Who Am I?
whoami — Current Username
The most basic check. Always run this first on any new shell.
id — User Identity & Group Memberships
This is whoami on steroids. It reveals your UID, GID, and every group you belong to.
```bash
id
# uid=1000(cry0l1t3) gid=1000(cry0l1t3) groups=1000(cry0l1t3),1337(hackthebox),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev)
```
Output breakdown:
```
uid=1000(cry0l1t3)
    |    |
    |    +-- username
    +------- user ID
gid=1000(cry0l1t3)
    |    |
    |    +-- group name (= username by default)
    +------- group ID (= UID by default)
groups=1000(cry0l1t3),27(sudo),4(adm)
       ^              ^-------------^
       primary        supplementary
       (same as gid)  check for privesc
```
uid — Your numeric user ID. 0 = root. 1000+ = regular user.
gid — Your primary group, usually created alongside your user account.
groups — Every group you belong to. This is what matters for privilege escalation.
What to look for in the output:
| Group | Why It Matters |
|---|---|
| sudo | Can run commands as root — check sudo -l immediately |
| adm | Can read logs in /var/log — a goldmine for credentials and activity |
| docker | Can mount the host filesystem — trivial root escalation |
| lxd / lxc | Container group — can be abused for root |
| disk | Direct disk access — can read any file on the system |
| shadow | Can read /etc/shadow — password hashes |
Any non-standard group is worth investigating. Custom groups often grant
access to specific applications or files that weren’t locked down properly.
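As an added example (not part of the original page), a small shell audit that applies the group table above to a captured id line, so saved enumeration output from many hosts can be reviewed for memberships that need a justification. The sample line and the risky-group list come from this page; the function names and the default-group list are assumptions made for this example.

```bash
#!/bin/sh
# Added audit helper: flags group memberships from the table above in a
# captured `id` line. Works offline on saved output, so it can review the
# accounts enumerated across many hosts, not just the shell you are in.

# Constructed sample, copied from the id output shown earlier on this page.
SAMPLE_ID='uid=1000(cry0l1t3) gid=1000(cry0l1t3) groups=1000(cry0l1t3),1337(hackthebox),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev)'

# Groups from the table: membership here deserves a written justification.
RISKY_GROUPS="sudo adm docker lxd lxc disk shadow"

# Numeric uid from an id line (0 means the account is already root).
id_uid() {
    printf '%s\n' "$1" | sed -n 's/^uid=\([0-9]*\).*/\1/p'
}

# Group names, one per line, from the groups= field of an id line.
# The field is cut at the first space so a trailing SELinux context= is ignored.
id_groups() {
    printf '%s\n' "$1" \
        | sed -n 's/.*groups=\([^ ]*\).*/\1/p' \
        | tr ',' '\n' \
        | sed -n 's/^[0-9]*(\(.*\))$/\1/p'
}

# Risky groups present in an id line, in RISKY_GROUPS order, one per line.
risky_groups() {
    found=$(id_groups "$1")
    for g in $RISKY_GROUPS; do
        printf '%s\n' "$found" | grep -qx -- "$g" && printf '%s\n' "$g"
    done
    return 0
}

# Non-standard groups: not the user's own primary group, not in the table,
# and not a common default desktop group (this default list is an assumption).
DEFAULT_GROUPS="cdrom dip plugdev audio video users lpadmin"
other_groups() {
    primary=$(printf '%s\n' "$1" | sed -n 's/^uid=[0-9]*(\([^)]*\)).*/\1/p')
    id_groups "$1" | while read -r g; do
        [ "$g" = "$primary" ] && continue
        printf ' %s %s ' "$RISKY_GROUPS" "$DEFAULT_GROUPS" | grep -q " $g " && continue
        printf '%s\n' "$g"
    done
    return 0
}

printf 'uid=%s  risky: %s  custom: %s\n' "$(id_uid "$SAMPLE_ID")" \
    "$(risky_groups "$SAMPLE_ID" | tr '\n' ' ')" \
    "$(other_groups "$SAMPLE_ID" | tr '\n' ' ')"
```

For the sample line this reports uid 1000, risky groups sudo and adm, and hackthebox as the custom group to investigate.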
Where Am I? — System Details
All of the following answer the same question: what exactly is this machine? Run them together as a block.
hostname — Machine Name
Hostnames often reveal the machine’s role (e.g., db-prod-01, web-dev, dc01). This context matters for lateral movement and understanding the environment.
```bash
# Full system information
uname -a
# Linux box 4.15.0-99-generic #100-Ubuntu SMP Wed Apr 22 20:32:56 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
# Kernel release only (best for exploit searching)
uname -r
# 4.15.0-99-generic
```
uname -a output breakdown:
```
Linux  box  4.15.0-99-generic  #100-Ubuntu SMP ...  x86_64
|      |    |                  |                    |
Kernel Host Kernel release     Kernel version       Architecture
name   name
```
Take the uname -r output and search it directly: searchsploit linux kernel 4.15.0 or Google "4.15.0-99-generic exploit". An unpatched kernel is often a direct path to root.
/etc/os-release — OS Name & Version
```bash
cat /etc/os-release
# NAME="Ubuntu"
# VERSION="20.04.1 LTS (Focal Fossa)"
# ID=ubuntu
```
/proc/version — Kernel + Compiler Info
```bash
cat /proc/version
# Linux version 4.15.0-99-generic (buildd@lgw01-amd64-003) (gcc version 7.5.0 ...)
```
lscpu — CPU Architecture
```bash
lscpu | grep -E "Architecture|CPU|Thread|Core"
```
pwd — Current Working Directory
Who Else Is Here?
All Users on the System
```bash
# All users with a shell (potential targets for lateral movement)
grep -v "nologin\|false" /etc/passwd | cut -d: -f1,3,6,7
# Or list home directories
ls /home/
```
Currently Logged-In Users
```bash
who
w     # more detailed — shows what each user is doing
last  # login history
```
Sudo Rights
```bash
sudo -l
# Check every entry against GTFOBins: https://gtfobins.github.io/
```
Environment & Path
```bash
# Full environment — look for credentials, tokens, and paths
env
# Or printenv
printenv
```
Things to look for in the environment:
- PATH entries pointing to writable directories (PATH hijacking)
- AWS_*, DOCKER_*, TOKEN, KEY, SECRET variables
- HISTFILE location — command history can contain credentials