User and Group Enumeration

beginner | 20 min | Writeup

Finding users, groups, and their privileges

Learning Objectives

  • Enumerate users and groups
  • Find sudo privileges
  • Identify interesting user files
  • Check group memberships

Users and groups are the foundation of Linux privilege management. Understanding who's on the system, what groups they belong to, and what they can access reveals privilege escalation paths that technical vulnerabilities might not.

Think of it like studying an org chart. Who has the keys? Who manages what? Sometimes the path to root isn't a vulnerability at all - it's finding out that user "backup" has sudo rights and a weak password.

Groups are Key

Special group memberships (docker, lxd, sudo, disk) often provide direct paths to root. Always check what groups you're in!

Current User Context

```bash
# Who am I?
whoami            # Just username
id                # Full identity: UID, GID, groups

# Example output:
# uid=1001(webuser) gid=1001(webuser) groups=1001(webuser),27(sudo),999(docker)
# → UID 1001, member of sudo AND docker groups!

# What groups am I in?
groups            # Simple list
id -Gn            # Same thing

# Effective vs real user (for SUID binaries)
id -u             # Effective UID
id -ru            # Real UID

# Environment variables (might leak info)
env
printenv
echo $PATH
echo $HOME
echo $SHELL
```

Docker/LXD = Root

If you're in the docker or lxd group, you can get root immediately. These groups allow container operations that can access the host filesystem as root.

All System Users

```bash
# All users from passwd
cat /etc/passwd

# Format: username:x:UID:GID:comment:home:shell
# root:x:0:0:root:/root:/bin/bash
# webuser:x:1001:1001:Web User:/home/webuser:/bin/bash
# mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false

# Filter to find human users (UID >= 1000)
awk -F: '$3 >= 1000 {print $1}' /etc/passwd

# Users with actual shell access
cat /etc/passwd | grep -v "nologin\|false" | cut -d: -f1

# Just usernames
cut -d: -f1 /etc/passwd

# Quick summary
getent passwd | wc -l           # Total users
grep -c 'sh$' /etc/passwd       # Users with a shell (anchored to the shell field,
                                # so "sshd" in a nologin line is not counted)
```

Interesting Users to Note

Look for:
├── root - The target (UID 0)
├── Users with bash/sh - Can potentially log in
├── www-data - Web server user
├── mysql/postgres - Database users
├── backup - May have elevated access
├── admin/sysadmin - Likely privileged
├── Custom names - Company-specific, may be misconfigured
└── Service accounts - Often have unusual permissions

Groups and Memberships

```bash
# All groups
cat /etc/group

# Format: groupname:x:GID:members
# sudo:x:27:webuser,admin
# docker:x:999:webuser

# Find group members
getent group sudo
getent group docker
getent group wheel        # RHEL/CentOS sudo equivalent

# Groups for specific user
groups username
id username

# Find dangerous groups (anchored on the group name so that e.g. "adm"
# does not also match "admin", or "root" a member list containing root)
getent group | grep -E "^(sudo|wheel|docker|lxd|disk|adm|root):"
```

Dangerous Group Memberships

```bash
# If you're in these groups, investigate immediately:

# sudo/wheel - Can run commands as root
sudo -l

# docker - Full host access via containers
docker run -v /:/host -it alpine chroot /host /bin/bash

# lxd - Same as docker
lxc init alpine mycontainer -c security.privileged=true

# disk - Can read raw disk (extract /etc/shadow)
debugfs /dev/sda1
# then, at the debugfs prompt:
cat /etc/shadow

# adm - Can read log files (may contain credentials)
cat /var/log/auth.log

# video - May access framebuffer

# shadow - Can read /etc/shadow directly!
cat /etc/shadow
```

User Home Directories

```bash
# List all home directories
ls -la /home/

# Check permissions on each
for user in $(ls /home); do echo "=== $user ==="; ls -la /home/$user/ 2>/dev/null; done

# Look for interesting files in other users' homes
find /home -type f -name "*.txt" 2>/dev/null
find /home -type f -name "*.sh" 2>/dev/null
find /home -type f -name "*password*" 2>/dev/null
find /home -type f -name "*secret*" 2>/dev/null
find /home -type f -name "*.key" 2>/dev/null
find /home -type f -name "*.pem" 2>/dev/null

# SSH keys (gold mine!)
find /home -name "id_rsa" 2>/dev/null
find /home -name "id_ed25519" 2>/dev/null
find /home -name "authorized_keys" 2>/dev/null

# Check readable files
find /home -readable -type f 2>/dev/null | head -50
```

SSH Keys are Gold

Finding another user's private SSH key (id_rsa) lets you log in as them. Often users can SSH to other machines or even back to root on the same machine!

User Configuration Files

```bash
# Critical files to check in each user's home

# Bash history - commands with credentials
cat ~/.bash_history
cat /home/*/.bash_history 2>/dev/null
# Look for: mysql -u root -p'password', ssh, scp, curl with creds

# Bash config files - may set variables/aliases
cat ~/.bashrc
cat ~/.profile
cat ~/.bash_profile

# SSH config
cat ~/.ssh/config             # May have usernames, keys, hosts
cat ~/.ssh/known_hosts        # What they've connected to
cat ~/.ssh/authorized_keys    # Who can login as them

# Mail (sometimes has sensitive info)
cat /var/mail/username
cat /var/spool/mail/username

# Other configs
cat ~/.gitconfig    # Git credentials
cat ~/.netrc        # Auto-login credentials
cat ~/.my.cnf       # MySQL credentials
cat ~/.pgpass       # PostgreSQL credentials
```

Sudo Enumeration

```bash
# What can current user run as sudo?
sudo -l

# Example outputs:

# No sudo access:
# Sorry, user webuser may not run sudo on this host.

# Full sudo:
# User admin may run the following commands:
# (ALL : ALL) ALL

# Specific commands:
# User backup may run the following commands:
# (root) NOPASSWD: /usr/bin/rsync
# (root) /usr/bin/less /var/log/*

# Try to read sudoers (usually fails)
cat /etc/sudoers 2>/dev/null
ls -la /etc/sudoers.d/ 2>/dev/null
```

Sudo Without Password

```bash
# NOPASSWD entries are the best - no password needed
sudo -l | grep NOPASSWD

# If you see:
# (root) NOPASSWD: /usr/bin/vim
# You can run vim as root without password!

# If no NOPASSWD:
# You need the user's password to use sudo
# Try password reuse from other discovered creds
```
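Grepping for NOPASSWD catches one class of finding, but the example sudo -l output above also shows two others worth flagging when reviewing a host: a command spec containing a glob, and an unrestricted ALL rule. The script below is an added example, not from the original writeup; it classifies each rule line of saved sudo -l output (the input is constructed sample output, not captured from a real host).

```bash
#!/bin/sh
# Added example (not part of the original writeup): classify the rule lines
# of saved `sudo -l` output. Each rule is tagged NOPASSWD or PASSWORD, plus
# +WILDCARD when the command spec contains a glob (sudoers globs match more
# than the author usually intends, so they deserve review) and +ALL when the
# rule permits any command. Only lines starting with "(runas-spec)" are rules;
# the "Matching Defaults" preamble is skipped.

# Usage: classify_sudo_rules FILE  -> one "TAG<TAB>rule" line per rule
classify_sudo_rules() {
    awk '
        /^[ \t]*\(/ {
            line = $0; sub(/^[ \t]+/, "", line)
            tag = (line ~ /NOPASSWD:/) ? "NOPASSWD" : "PASSWORD"
            if (line ~ /[*?]/) tag = tag "+WILDCARD"
            if (line ~ /\)[ \t]+(NOPASSWD:[ \t]+)?ALL$/) tag = tag "+ALL"
            print tag "\t" line
        }
    ' "$1"
}

# Constructed sample `sudo -l` output, not captured from a real host
TMPF=$(mktemp)
cat > "$TMPF" <<'EOF'
Matching Defaults entries for backup on this host:
    env_reset, secure_path=/usr/sbin:/usr/bin:/sbin:/bin

User backup may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/rsync
    (root) /usr/bin/less /var/log/*
    (ALL : ALL) ALL
EOF

classify_sudo_rules "$TMPF"
```

On the sample this prints three tagged lines: NOPASSWD for the rsync rule, PASSWORD+WILDCARD for the less rule, and PASSWORD+ALL for the unrestricted rule.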

Logged In Users

```bash
# Who's logged in now?
w         # Detailed view
who       # Simple list
users     # Just usernames

# Login history
last         # Login records
last -a      # With hostnames
lastlog      # Last login per user

# Failed logins (may reveal valid usernames)
lastb 2>/dev/null    # Needs root usually

# Active sessions
ps aux | grep "pts\|tty"    # Terminal sessions

# Screen/tmux sessions
screen -ls
tmux ls
ls -la /tmp/tmux-*
ls -la /var/run/screen/
```

Password Information

```bash
# Password hashes (usually only root can read)
cat /etc/shadow
# If readable: EXTRACT AND CRACK!

# Check shadow permissions
ls -la /etc/shadow
# -rw-r----- = Only root and shadow group
# -rw-r--r-- = READABLE BY ALL = vulnerable!

# Password aging
chage -l username
# Shows when password expires, last change, etc.

# PAM configuration (password policies)
cat /etc/pam.d/common-password
cat /etc/login.defs    # UID/GID ranges, password aging
```

User Enumeration Methodology

Systematic User Enumeration

1. Identity - Run id to see your UID, GID, groups
2. Dangerous Groups - Check for docker, lxd, sudo, disk
3. Sudo - Run sudo -l for permissions
4. Other Users - List users, find humans vs services
5. Home Dirs - Check for readable files, SSH keys
6. History - Read bash_history for credentials
7. Shadow - Check if /etc/shadow is readable

Knowledge Check

Quick Quiz

Why is docker group membership dangerous?

Challenges

User Investigation

Challenge (beginner)

On a practice machine, enumerate all users and groups. Find at least one user with an interesting group membership or sudo permission.


Key Takeaways

  • Check your groups immediately with the id command
  • docker, lxd, disk groups = direct root access
  • NOPASSWD sudo entries are easy wins
  • SSH private keys allow lateral movement
  • Bash history often contains passwords
  • Readable /etc/shadow is a critical finding