The who, what, when, where, and how of the Linux command line

In penetration testing, especially during privilege escalation, it is essential to gather as much information as possible about the system, the user context, permissions, and available services. The "Who, What, When, Where, How" methodology is a structured approach to this process. Here's a breakdown:

---

Who (ami?)

Identify who you are and understand your system context.

• whoami Displays the current user.

• id Displays the current user's UID, GID, and group memberships.

• uname Prints operating system details. Use uname -a to view full kernel version and architecture. This information is useful for identifying potential kernel exploits.

---

What

Understand your privileges, file contents, permissions, and running processes.

Are you root?

• sudo -l Lists commands the current user is allowed to execute with sudo. Useful for privilege escalation via misconfigured sudo rules.

• id If your UID is 0, you are root. Regular user IDs usually start at 1000.

What is in a file?

• cat <filename> Displays the content of a file.

• strings <filename> Extracts and displays printable characters from binary files or executables.

• head <filename> Displays the first 10 lines of a file.

• tail <filename> Displays the last 10 lines of a file.

What permissions do you have?

• Linux permissions are divided into three groups:

  • Owner

  • Group

  • Others

• Permission types:

  • r – read

  • w – write

  • x – execute

  • A directory will show d at the beginning.

• Example: drwxrwxrwx This is a directory where owner, group, and others all have full read, write, and execute permissions.

What is running?

• ps aux Lists all running processes from all users. Use this to identify running services, scheduled tasks, or processes with potential security issues.

---

When

Identify scheduled or automated executions that may be leveraged for privilege escalation.

• crontab -e Shows the current user's cron jobs (scheduled tasks). These jobs may run scripts with elevated privileges and could be exploitable if misconfigured.

• System-wide cron jobs are typically found in:

  • /etc/crontab

  • /etc/cron.d/

  • /etc/cron.daily/, /hourly/, etc.

---

Where

Locate files, directories, binaries, and keywords across the system.

• ls -al Lists contents of the current directory in long format, including hidden files and permissions.

• pwd Displays the present working directory.

• find / -name <filename> 2>/dev/null Searches for files by name across the entire system, while suppressing permission errors.

• whereis <binary> Locates the binary, source, and man pages for a command.

• apropos <keyword> Searches man pages for the given keyword; useful when unsure of the exact command.

• grep -rnw / -e '<keyword>' 2>/dev/null Recursively searches for a keyword (e.g., password) across files. Useful for locating sensitive information.

---

How

Understanding how actions are performed is crucial for documentation and reporting.

• All steps must be documented during penetration tests and OSCP-style assessments.

• Gaining a shell or escalating privileges is often performed using manual command-line methods.

• Ensure that every exploit, script, and configuration file is logged or noted for reporting and reproducibility.

---

Practical Enumeration Script Example

Here's a basic shell script to perform initial Linux enumeration:

#!/bin/bash

echo "[+] Current User:"
whoami

echo "[+] UID and Group Info:"
id

echo "[+] Kernel and System Info:"
uname -a

echo "[+] Current Working Directory:"
pwd

echo "[+] Home Directory Contents:"
ls -al ~

echo "[+] Running Processes:"
ps aux

echo "[+] Scheduled Cron Jobs:"
cat /etc/crontab 2>/dev/null
ls -al /etc/cron* 2>/dev/null

echo "[+] Sudo Permissions:"
sudo -l 2>/dev/null

echo "[+] Searching for keywords like 'password':"
grep -rnw / -e 'password' 2>/dev/null

echo "[+] Searching for flag.txt:"
find / -name flag.txt 2>/dev/null

⚠️ Always run enumeration commands responsibly and only on systems you are authorized to test.