tar (GTFOBins)
Quick-n-dirty command to find all SUID/SGID executables.
find / -type f \
-a \( -perm -u+s -o -perm -g+s \) \
-exec ls -l {} \; 2> /dev/null
Quickly see what shared libraries an executable is trying to load:
strace $EXECUTABLE 2>&1 | grep open
If there are missing libraries in paths that we’re able to access, then code similar to the LD_PRELOAD trick can be used to inject malicious code.
Running strings on a binary can also give us a sense of what helper applications might be getting executed.
There are lots of wacky things you can do with Bash.
Files created on NFS shares inherit the remote UID. By default, NFS enables “root squashing”, which maps UID 0 to the nobody user.
Root squashing can be disabled in /etc/exports with the no_root_squash flag.
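As an added example (not part of the original notes), a small audit script that parses exports(5) syntax, reports every client that is exported with no_root_squash, and shows the hardened equivalent with root_squash restored. The sample /etc/exports content is constructed for the demonstration.

```python
import re

# Constructed sample /etc/exports (not from the page). The first export
# disables root squashing; the others rely on the default or set it explicitly.
SAMPLE_EXPORTS = """\
# /etc/exports: NFS file systems exported to clients
/srv/share   10.0.0.0/24(rw,sync,no_root_squash)   192.168.1.5(ro)
/srv/public  *(ro,sync)
/srv/home    10.0.0.0/24(rw,sync,root_squash)
"""

# One client token: "host", "host(opts)" or a bare "(opts)".
TOKEN_RE = re.compile(r"([^\s(]*)(?:\(([^)]*)\))?")


def parse_exports(text):
    """Return (path, client, options) for every client in an exports file.

    A client without a parenthesised list gets no options, so the NFS defaults
    apply (root_squash is the default). Per exports(5), an option list separated
    from its host by whitespace applies to the world, so a bare "(opts)" token
    is recorded against client "*".
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *tokens = line.split()
        for tok in tokens:
            m = TOKEN_RE.fullmatch(tok)
            if not m:
                continue  # malformed token; exportfs would reject it anyway
            client = m.group(1) or "*"
            opts = [o for o in (m.group(2) or "").split(",") if o]
            entries.append((path, client, opts))
    return entries


def root_unsquashed_exports(text):
    """(path, client) pairs where remote UID 0 is passed through unchanged."""
    return [(p, c) for p, c, o in parse_exports(text) if "no_root_squash" in o]


def harden_exports(text):
    """Rewrite no_root_squash to root_squash, preserving comments and spacing."""
    return re.sub(r"\bno_root_squash\b", "root_squash", text)


if __name__ == "__main__":
    for path, client in root_unsquashed_exports(SAMPLE_EXPORTS):
        print(f"no_root_squash: {path} exported to {client}")
    print(harden_exports(SAMPLE_EXPORTS))
```

Point the functions at the real file (`open("/etc/exports").read()`) to audit a host; an empty result from root_unsquashed_exports means every export squashes root.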
Unrelatedly, msfvenom can be used to generate executables that immediately shell out, similar to the LD_PRELOAD trick.
LinEnum is very fast, but LSE and LinPEAS produce more intelligible output.