Enumeration

/etc/crontab

cat /etc/passwd | grep sh searches /etc/passwd and greps users with baSH

www-data@vicim:/var$ cat /etc/passwd | grep sh
root:x:0:0:root:/root:/bin/bash
sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
james:x:1000:1000:victim:/home/james:/bin/bash
debug:x:1001:1001:,,,:/home/debug:/bin/bash

checks for users that can can run as root

sudo -l

Search for SUID binary

find / -perm /4000 2>/dev/null

SGID - (Set Group ID up on execution)

find / -perm /2000 2>/dev/null

find / -type f \( -perm -4000 -o -perm -2000 \) -print

 find / -name [flag.txt](https://flag.txt/) 2>/dev/null find / -name [user.txt](https://user.txt/) 2>/dev/null find / -name .flag 2>/dev/null find / -name flag 2>/dev/null find / -name [root.txt](https://root.txt/) 2>/dev/null
 ```

```bash
grep -RoP "THM{.*?}" .