Linux Enumeration – First Steps


So you have been doing reconnaissance, and you have some form of command-line access to a system (choose your prompt flavor). Now you need to figure out what makes this box tick, and what potential avenues you have for Privilege Escalation. The following headings indicate an order of flow, or priority, when it comes to enumerating your level of access in an environment.

id

The id command is used to print the real and effective user and group IDs for the current or specified user.

[Screenshot: id command output example]

who

The who command is used to show who is logged into the system.

[Screenshot: whoami command output example]

w

The w command displays information about the users currently on the machine, and their processes.

[Screenshot: w command output example]

last

The last command looks through the wtmp file (/var/log/wtmp on most systems), which records all logins and logouts, and prints information about the connect times of users.

[Screenshot: last command output example]

cat /etc/passwd | cut -d: -f1

/etc/passwd is a plain-text file. It contains a list of the system's accounts, giving for each account useful information such as the user ID, group ID, home directory, login shell, and more. The cut command above keeps only the first colon-separated field, the username.

[Screenshot: example output from catting the /etc/passwd file]

grep -v -E '^#' /etc/passwd | awk -F: '$3 == 0 { print $1 }'

awk -F: '($3 == "0") {print}' /etc/passwd

Both commands find accounts whose UID (the third colon-separated field) is 0, i.e. accounts with root privileges regardless of their name. The first prints only the usernames; the second prints the complete entry. Any UID-0 account other than root deserves a closer look.
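To show how the /etc/passwd checks above fit together into one repeatable audit, here is an added example (not code from the original post). It reads a passwd-format file, lists UID-0 accounts, lists accounts that still have an interactive shell, and warns when a non-root account has UID 0. The function names and the sample entries are constructed for this illustration; point audit_passwd at /etc/passwd on a real host, which needs no privileges since the file is world-readable.

```shell
#!/bin/sh
# Added example (not from the original post): audit a passwd-format file for
# root-equivalent accounts and accounts that can log in interactively.
# Runs against a constructed sample so it works offline; pass /etc/passwd
# to audit_passwd for a real check.

# Constructed sample passwd entries (not taken from any real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
toor:x:0:0:backup admin:/root:/bin/sh
james:x:1000:1000:James:/home/james:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
svc:x:1001:1001::/home/svc:/bin/false'

# Print usernames whose UID (field 3) is 0, one per line.
# Mirrors the grep/awk pipeline from the post, parameterised on the file.
uid_zero_accounts() {
    grep -v -E '^#' "$1" | awk -F: '$3 == 0 { print $1 }'
}

# Print usernames whose login shell (field 7) is interactive, i.e. not one of
# the usual "no login" shells.
interactive_accounts() {
    awk -F: '$7 !~ /(nologin|false|sync)$/ { print $1 }' "$1"
}

# Number of UID-0 accounts other than "root"; anything above 0 is a finding.
extra_root_count() {
    uid_zero_accounts "$1" | grep -v -x root | wc -l | tr -d ' '
}

# Human-readable report over one passwd-format file.
audit_passwd() {
    f="$1"
    echo "== UID 0 accounts in $f =="
    uid_zero_accounts "$f"
    echo "== accounts with an interactive shell =="
    interactive_accounts "$f"
    n=$(extra_root_count "$f")
    if [ "$n" -gt 0 ]; then
        echo "WARNING: $n non-root account(s) with UID 0"
    fi
}

# Run against the constructed sample; replace with /etc/passwd on a real host.
TMP=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$TMP"
audit_passwd "$TMP"
rm -f "$TMP"
```

On the sample, the report lists root and toor as UID-0 accounts, lists root, toor and james as interactive, and warns about one extra root-equivalent account (toor). The shell regex is deliberately conservative: a shell path that is not nologin, false or sync is treated as interactive, which errs on the side of reporting.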

cat /etc/sudoers

The /etc/sudoers file controls who can run what commands as which users on which machines, and can also control special things such as whether a password is required for particular commands. Note that /etc/sudoers is normally mode 0440 and owned by root, so an unprivileged user usually cannot read it directly; sudo -l (below) is the standard way to see the rules that apply to you.

sudo -l

sudo allows a permitted user to execute a command as the superuser or another user, as specified in the sudoers file.

The -l (list) option lists the allowed (and forbidden) commands for the invoking user (or the user specified with the -U option) on the current host.

[Screenshot: example output of sudo -l from the Knife HTB machine]
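The same kind of check can be applied to sudoers rules from the hardening side. The following added example (not code from the original post) parses a sudoers-format file and flags user specifications that grant ALL commands, with or without a password. The function names and the sample rules are constructed for this illustration; on a real host you would run it as root against /etc/sudoers (and the files under /etc/sudoers.d), since those files are not readable by ordinary users.

```shell
#!/bin/sh
# Added example (not from the original post): audit a sudoers-format file for
# rules that grant broad privileges. Uses a constructed sample so it runs
# offline and without root.

# Constructed sudoers sample (not taken from any real system).
SAMPLE_SUDOERS='# comment line
Defaults        env_reset
Cmnd_Alias      SERVICES = /usr/bin/systemctl
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
james   ALL=(ALL) NOPASSWD: /usr/local/bin/report-tool
deploy  ALL=(root) /usr/bin/systemctl restart app
backup  ALL=(ALL) NOPASSWD: ALL'

# User specifications only: drop comments, blank lines, Defaults and aliases.
sudoers_rules() {
    grep -v -E '^[[:space:]]*(#|$|Defaults|User_Alias|Cmnd_Alias|Host_Alias|Runas_Alias)' "$1"
}

# Rules whose command list is the bare word ALL (any command as the run-as user).
broad_rules() {
    sudoers_rules "$1" | grep -E '[[:space:]:]ALL[[:space:]]*$'
}

# Rules that combine NOPASSWD with ALL; these are the most urgent findings
# because the account needs no password to become the run-as user.
nopasswd_all_users() {
    broad_rules "$1" | grep 'NOPASSWD' | awk '{ print $1 }'
}

# Human-readable report over one sudoers-format file.
audit_sudoers() {
    f="$1"
    echo "== rules granting ALL commands in $f =="
    broad_rules "$f"
    u=$(nopasswd_all_users "$f")
    if [ -n "$u" ]; then
        echo "WARNING: NOPASSWD: ALL granted to: $u"
    fi
}

# Run against the constructed sample; use /etc/sudoers (as root) on a real host.
TMP=$(mktemp)
printf '%s\n' "$SAMPLE_SUDOERS" > "$TMP"
audit_sudoers "$TMP"
rm -f "$TMP"
```

On the sample, three rules end in a bare ALL (root, %sudo and backup), and only backup combines it with NOPASSWD, so that is the one the warning names. The check is intentionally narrow: it matches on the literal command word ALL and does not expand aliases or evaluate host and run-as restrictions, so it complements rather than replaces reading the rules sudo -l reports.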
