System Information

Admin Pentest

Basic System Info

uname -a
Displays all system information - kernel version, architecture, hostname
kernel architecture
cat /etc/issue
Shows distribution name and version - login banner information
distribution version
cat /etc/*release*
Displays detailed distribution release information - more comprehensive than /etc/issue
distribution release
hostname
Shows the system's hostname
hostname
hostnamectl
Systemd command for hostname control and information - shows additional system details
systemd hostname

Environment & Kernel

env
Lists all environment variables - may contain sensitive data such as API keys, credentials passed to services, paths, and configuration values
environment variables sensitive
printenv
Alternative to env for printing environment variables
environment variables
echo $PATH
Displays PATH variable - useful for privilege escalation via path hijacking attacks
PATH privilege-escalation

Hardware Enumeration

Admin

CPU & Memory

lscpu
Detailed CPU architecture information - shows CPU model, cores, architecture, and more
cpu architecture
lsmem
Memory information and statistics - shows memory blocks and availability
memory ram
free -h
Memory usage in human readable format - shows total, used, and free memory
memory monitoring

Devices & Peripherals

lspci
List all PCI devices with details - shows graphics cards, network adapters, etc.
pci devices
lsusb
List USB devices and buses - shows connected USB devices
usb devices

User & Group Enumeration

Pentest CTF

Current User Info

id
Shows current user's UID, GID, and group memberships - essential for understanding privileges
user privileges uid
sudo -l
Lists commands current user can run with sudo - common privilege escalation vector
sudo privilege-escalation critical

All Users

cat /etc/passwd
Lists all users on the system - with their home directories and default shells
users system
getent passwd
Alternative method using getent database - works with various name services
users database
ls -la /home/
Shows home directories and their permissions - useful for finding readable directories
home directories permissions

Network Information

Pentest Admin

Network Configuration

ifconfig
Displays network interfaces, IP addresses, and MAC addresses - traditional command
network interfaces ip
ip addr
Modern alternative to ifconfig with more details - preferred on newer systems
network modern ip
netstat -tulpn
Shows listening TCP/UDP ports with the owning PID/program name - the process column is only complete when run as root
ports listening processes

DNS & Routing

cat /etc/resolv.conf
Displays DNS servers configured for the system
dns configuration
cat /etc/hosts
Shows local hostname to IP mappings - can be hijacked for redirection attacks
hosts dns hijacking
netstat -rn
Shows routing table - useful for network mapping and understanding network topology
routing network

File System Enumeration

CTF Pentest

Special Permission Files

find / -perm -u=s -type f 2>/dev/null
Finds SUID binaries - common privilege escalation vector (runs as owner)
suid privilege-escalation critical
find / -perm -g=s -type f 2>/dev/null
Finds SGID binaries - less common but similar to SUID (runs as group)
sgid privilege-escalation
find / -perm -o+w -type f 2>/dev/null
Finds world-writable files - potential for modification by any user
writable permissions
getcap -r / 2>/dev/null
Finds files with Linux capabilities - alternative to SUID for privilege escalation
capabilities privilege-escalation

Mount Points & Disks

mount
Shows mounted filesystems and their mount options (e.g. nosuid, noexec, ro) - options that limit what SUID or world-writable files on a mount can do
mount filesystem
df -h
Shows disk usage in human readable format
disk storage

Credentials & Secrets

Pentest CTF

SSH Keys

find / -name "id_rsa" -o -name "id_dsa" -o -name "*.pem" 2>/dev/null
Searches for SSH private keys - common credential storage locations
ssh keys credentials
ls -la ~/.ssh/
Checks SSH directory for authorized keys and known hosts
ssh directory

Configuration Files

find / \( -name "*.conf" -o -name "*.cfg" \) -type f -print0 2>/dev/null | xargs -0 grep -i "pass\|pwd" 2>/dev/null
Searches configuration files for password strings - may reveal hardcoded credentials (the -print0/-0 pair keeps paths with spaces intact, and the first 2>/dev/null hides find's permission-denied noise)
config passwords credentials
history
Displays command history - may contain passwords or sensitive operations
history sensitive

Quick Wins & Common Findings

These are the most common privilege escalation vectors and quick checks:

sudo -l
Always check sudo permissions first - this is the most common privilege escalation path.
find / -perm -4000 2>/dev/null
SUID binaries are the second most common privilege escalation vector.
cat /etc/crontab
Cron jobs running as root that you can influence are a common vector.
getcap -r / 2>/dev/null
Capabilities are becoming more common than SUID in modern systems.
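The special-permission checks above (SUID, SGID, world-writable files, capabilities) are just as useful on the defending side as a drift audit: record a baseline on a known-good host, then rescan and report anything that appeared or vanished. The following is an added example, not part of the original cheatsheet; the function names and the constructed fixture tree are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original cheatsheet: a defender-side audit
# that runs the page's SUID/SGID/world-writable/getcap checks over a tree and
# diffs the result against a saved baseline, so newly appeared special-
# permission files show up as drift. Function names are this example's own.

# Enumerate SUID, SGID and world-writable regular files (and file
# capabilities, when getcap is installed) below $1 as "kind<TAB>path" lines.
special_perms() {
    root=${1:-/}
    {
        find "$root" -xdev -type f -perm -4000 2>/dev/null | awk '{print "suid\t" $0}'
        find "$root" -xdev -type f -perm -2000 2>/dev/null | awk '{print "sgid\t" $0}'
        find "$root" -xdev -type f -perm -0002 2>/dev/null | awk '{print "worldw\t" $0}'
        if command -v getcap >/dev/null 2>&1; then
            getcap -r "$root" 2>/dev/null | awk '{print "cap\t" $0}'
        fi
    } | sort                       # sorted so comm can diff it against a baseline
}

# Compare a fresh scan of $1 with the baseline file $2 (earlier special_perms
# output). Prints "added<TAB>..." / "removed<TAB>..." lines; returns 1 on drift.
perm_drift() {
    root=$1; baseline=$2
    current=$(mktemp)
    special_perms "$root" > "$current"
    comm -13 "$baseline" "$current" | awk '{print "added\t" $0}'
    comm -23 "$baseline" "$current" | awk '{print "removed\t" $0}'
    if cmp -s "$baseline" "$current"; then rc=0; else rc=1; fi
    rm -f "$current"
    return $rc
}

# Constructed fixture tree (no real system files): one normal, one SUID,
# one SGID and one world-writable file. Prints the fixture root.
demo_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/tmp"
    : > "$d/bin/normal";  chmod 0755 "$d/bin/normal"
    : > "$d/bin/setuid";  chmod 4755 "$d/bin/setuid"
    : > "$d/bin/setgid";  chmod 2755 "$d/bin/setgid"
    : > "$d/tmp/shared";  chmod 0666 "$d/tmp/shared"
    echo "$d"
}

# Typical use:  special_perms / > baseline.txt   (on a known-good host)
#               perm_drift / baseline.txt         (later, from a cron job)
```

A non-zero exit from perm_drift is the signal to alert on; the added/removed lines tell you which file changed so the owner can be asked whether the bit was intended.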

Essential One-Liners

CTF Pentest

Quick Enumeration

echo "=== SYSTEM ==="; uname -a; echo "=== USERS ==="; cat /etc/passwd; echo "=== SUDO ==="; sudo -l; echo "=== PROCESSES ==="; ps aux; echo "=== NETWORK ==="; ifconfig; netstat -tulpn
Basic enumeration one-liner - quick assessment of system state
for d in /home/*/; do u=$(basename "$d"); echo "=== $u ==="; sudo -l -U "$u"; done 2>/dev/null
Check sudo privileges for all users with a home directory - finds users with sudo access (sudo -l -U for another account only works as root or with matching sudo rights; globbing /home/*/ avoids parsing ls output)
find / -type f \( -name "*.txt" -o -name "*.conf" -o -name "*.sh" -o -name "*.py" \) 2>/dev/null | head -50
Find interesting files quickly - common file types that may contain useful information (the parentheses are needed so -type f applies to every -name alternative, not just the first)

Pro Tips

2>/dev/null
Append this to commands to suppress permission denied errors and clean up output

Professional Tips

Remember: Always ensure you have proper authorization before running enumeration commands on systems you don't own. This cheatsheet is for educational purposes and authorized penetration testing only.

Methodology: Start with automated tools (LinPEAS/LinEnum), then manually verify findings. Always document your process and findings.