Enumerate All Users:

Check for low hanging fruit:

Weak Passwords:

Look for Interesting files/directories:


If you find that mysql is running as root and you know the uname and pass:

Check for Root level Processes:

ps -aux | grep root

You should be looking for possible local VNC sessions, or localhost processes that could possibly be hijacked. Even processes that generate files (i.e., call some program). remember, there may be a program running periodically without a cron job (Python while loop).

Check for Any Processes with open and listening sockets:

netstat -a | grep -i listen

netstat -ano

Check for Boot Processes:

ls /etc/rc*

After setting a setuid bit on a binary such as bash, in order to retain the setuid privs, you must supply the -p flag:

Setuid Bash -p Flag