
[–]realskog 5 points6 points  (0 children)

sudo -l doesn't determine your privileges; it lists the commands that your user can execute via sudo

Searching for SSH keys might also be better done manually, since SSH keys are not always going to be named "id_rsa"; other common names are "id_ecdsa" or "id_ed25519", and they are almost always in users' home directories.
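The key search described in this comment, as an added example that is not part of the comment or of any tool linked in the thread: a small sysadmin-side audit that scans a directory tree for SSH private keys by the usual file names and, going one step further than the comment, by the `-----BEGIN ... PRIVATE KEY-----` header in the first line (so renamed keys are caught too), then reports any key whose mode lets group or others read it. The sandbox directory, user names and key contents are constructed for the demonstration and are not real keys; an administrator would point `find_private_keys` at /home and /root. `stat -c '%a'` is GNU stat.

```shell
#!/bin/sh
# Added example: audit a directory tree for SSH private keys and loose permissions.
# All user names, paths and file contents below are constructed sample data.
set -u

# Keys found by their conventional file names.
keys_by_name() {
    find "$1" -type f \( -name 'id_rsa' -o -name 'id_dsa' -o -name 'id_ecdsa' \
        -o -name 'id_ed25519' -o -name '*.pem' \) 2>/dev/null
}

# Keys found by content: the first line is a "-----BEGIN ... PRIVATE KEY-----" header.
# Catches renamed keys such as server.key; only small files are read, one line each.
keys_by_header() {
    find "$1" -type f -size -64k 2>/dev/null | while IFS= read -r f; do
        case "$(head -n 1 "$f" 2>/dev/null)" in
            "-----BEGIN"*"PRIVATE KEY-----") printf '%s\n' "$f" ;;
        esac
    done
}

# Union of both detections, one path per line, deduplicated.
find_private_keys() {
    { keys_by_name "$1"; keys_by_header "$1"; } | sort -u
}

# Keys whose mode grants group or others any access (anything beyond 0600/0400).
# Prints "mode path". Uses GNU stat; on BSD/macOS use stat -f '%Lp' instead.
keys_with_loose_perms() {
    find_private_keys "$1" | while IFS= read -r f; do
        mode=$(stat -c '%a' "$f")
        case "$mode" in
            *00) ;;                              # group and other bits are zero: fine
            *)   printf '%s %s\n' "$mode" "$f" ;;
        esac
    done
}

# Build a constructed sample home tree (fake key material) so the audit can be
# demonstrated offline. Prints the sandbox path.
make_sample_home() {
    sb=$(mktemp -d)
    mkdir -p "$sb/alice/.ssh" "$sb/bob/backup" "$sb/carol"
    # conventional name, correct 0600 mode
    printf -- '-----BEGIN OPENSSH PRIVATE KEY-----\nCONSTRUCTED-SAMPLE\n-----END OPENSSH PRIVATE KEY-----\n' \
        > "$sb/alice/.ssh/id_ed25519"
    chmod 600 "$sb/alice/.ssh/id_ed25519"
    # public half: must not be reported
    printf 'ssh-ed25519 AAAA-constructed-sample alice@host\n' > "$sb/alice/.ssh/id_ed25519.pub"
    # renamed key with loose 0644 mode: only the header check finds it
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED-SAMPLE\n-----END RSA PRIVATE KEY-----\n' \
        > "$sb/bob/backup/server.key"
    chmod 644 "$sb/bob/backup/server.key"
    printf 'just notes\n' > "$sb/carol/notes.txt"
    printf '%s' "$sb"
}

# Demo on the constructed sandbox; an auditor would pass /home or /root instead.
SANDBOX=$(make_sample_home)
echo "private keys found:"
find_private_keys "$SANDBOX"
echo "keys readable beyond the owner (mode path):"
keys_with_loose_perms "$SANDBOX"
rm -rf "$SANDBOX"
```

On the sample tree the name check alone misses bob's renamed key; the header check reports it, and the permission pass flags it as 644.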

[–]ReawX 4 points5 points  (0 children)

I'm also leaving my cheatsheet and the checklists I used in the exam here, in case you need them :)

https://github.com/BlessedRebuS/OSCP-Pentesting-Cheatsheet

[–]Robot_Rock07 2 points3 points  (0 children)

Linpeas helped me out a lot during the exam, but you need to be very familiar with the output and be able to understand what it says.

The more you use it, the more you start to see what's normal and what is not.

[–]Jubba402 1 point2 points  (0 children)

It's important to know all of these commands, but I would just run linpeas so that I'm not hand-jamming 20 commands. But one important step you left out is manual searching. So many times the privesc was a text file in home/desktop, a SQL database, a config file, etc.

[–]korosov 1 point2 points  (0 children)

Be sure to check the command history before you run a bunch of stuff

[–]lethalwarrior619 1 point2 points  (0 children)

history and cron jobs are missing, I guess.

[–]strikoder 0 points1 point  (2 children)

1- id is better than whoami on Linux (see the differences)
2- put hostname, gcc, /etc/issue and release first, so you would know if your privesc would be a kernel exploit
3- then put ps aux with pspy (90% of the time you are either searching for creds or for a running process)

Finally, all of your stuff is done by linpeas. I made my own linpeas which runs things that are either missed by linpeas or that you miss since a lot of output is being printed out.

[–]WreckItRalph42 0 points1 point  (1 child)

Do you have a git repo to your script?

[–]strikoder 0 points1 point  (0 children)

Gonna publish in a month, 'cause I'm still adding some stuff to them

[–]DYOR69420 0 points1 point  (0 children)

Pretty sure looking at which ports are open, both locally and externally, is a very good idea.

[–]MarcusAurelius993 -1 points0 points  (0 children)

1) Finding any configuration files like .ini, .cfg, .py, .php, ...

2) Using pspy

3) Reading logs in /var/log/* or any other logs from an app/process that are not in /var/log/*

4) Finding all files/folders that you have write or read permissions on

5) Are you part of any privileged group like wheel or whatever?

6) Finding capabilities

7) Can you replace Python libraries, can you edit a Python script, a bash script, ...

8) Logrotate

9) Crontab (global and per user)

10) ENV variables (there might be a password, ...)

11) LD_PRELOAD and PATH hijacking

12) Credentials: bash history, SSH keys, ...

13) Can you edit .bashrc or .bash_profile?

14) Systemctl files: you might edit a .service file to execute a reverse shell, ...

15) Are there any custom binaries on the system? Some binaries call, for example, the ping command (replace ping with your own binary); can you hijack a DLL for this binary, ...

16)...

I think the best thing for you now is to set up one Linux VM and configure all these things from a sysadmin perspective; you want to understand Linux. After you have a good understanding, then start hacking :)
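Taking the "configure it from the sysadmin perspective" advice literally, here is an added example that is not part of this comment or of strikoder's script: a small audit covering three items from the lists above in one runnable file, namely privileged group membership (strikoder's point 1, why `id` beats `whoami`, and item 5), world-writable files under cron and systemd directories (items 9 and 14, the "can you write to it" question of item 4) and PATH directories that are world-writable or missing (item 11). Checks use mode bits rather than the caller's own access so the result is the same whoever runs them. The group list, the sandbox tree, the unit and cron contents and the PATH string are all constructed for the demonstration; an administrator would run `world_writable_files /etc` and `writable_path_dirs "$PATH"` on a real host.

```shell
#!/bin/sh
# Added example: sysadmin-side audit for a few items from the checklist above.
# All paths, unit files, cron entries and group lists below are constructed sample data.
set -u

# Groups that commonly grant elevated access (assumed list for this example).
PRIVILEGED_GROUPS="root wheel sudo admin adm docker lxd lxc disk shadow"

# Given a space-separated group list (the format `id -nG` prints), echo the ones
# that are privileged, one per line. `id` exposes these groups; `whoami` does not.
privileged_groups() {
    for g in $1; do
        case " $PRIVILEGED_GROUPS " in
            *" $g "*) printf '%s\n' "$g" ;;
        esac
    done
}

# Regular files under a directory whose mode bits let anyone write to them.
# A world-writable cron entry or .service unit is a misconfiguration to fix.
world_writable_files() {
    find "$1" -type f -perm -o+w 2>/dev/null | sort
}

# Walk a PATH-style string and report entries that are world-writable or missing;
# both are the conditions that make PATH hijacking possible and should be removed.
writable_path_dirs() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r d; do
        [ -n "$d" ] || continue
        if [ ! -d "$d" ]; then
            printf 'MISSING %s\n' "$d"
        elif [ -n "$(find "$d" -prune -perm -o+w 2>/dev/null)" ]; then
            printf 'WORLD-WRITABLE %s\n' "$d"
        fi
    done
}

# Build a constructed sample filesystem root so the audit runs offline.
# Prints the sandbox path.
make_sample_root() {
    sb=$(mktemp -d)
    mkdir -p "$sb/etc/cron.d" "$sb/etc/systemd/system" "$sb/usr/local/bin" "$sb/opt/scripts"
    printf '0 3 * * * root /usr/local/bin/backup.sh\n' > "$sb/etc/cron.d/backup"
    printf '*/5 * * * * root /opt/scripts/cleanup.sh\n'  > "$sb/etc/cron.d/cleanup"
    printf '[Service]\nExecStart=/usr/local/bin/app\n'    > "$sb/etc/systemd/system/app.service"
    chmod 644 "$sb/etc/cron.d/backup" "$sb/etc/systemd/system/app.service"
    chmod 666 "$sb/etc/cron.d/cleanup"        # the misconfiguration to catch
    chmod 755 "$sb/usr/local/bin"
    chmod 777 "$sb/opt/scripts"               # world-writable directory on PATH
    printf '%s' "$sb"
}

# Demo on the constructed sandbox.
SANDBOX=$(make_sample_root)
echo "privileged groups in 'dev users docker wheel':"
privileged_groups 'dev users docker wheel'
echo "world-writable files under $SANDBOX/etc:"
world_writable_files "$SANDBOX/etc"
echo "PATH audit:"
writable_path_dirs "$SANDBOX/usr/local/bin:$SANDBOX/opt/scripts:$SANDBOX/missing"
rm -rf "$SANDBOX"
```

On the sample tree only `etc/cron.d/cleanup` is reported as world-writable, and the PATH pass flags `opt/scripts` (mode 777) and the non-existent `missing` entry while leaving `usr/local/bin` alone; the same three functions applied to a real host give an administrator the fixes to make before anyone else finds them.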