Manual checks
################ Basic Commands ################
# Baseline, read-only enumeration of what the current account can see on
# a host; each command below only reads state, nothing is modified.
# Check Hidden files
# -a includes dotfiles, -l shows owner and permissions; dotfiles in a home
# directory are where shell config and stray credentials usually live.
ls -al
# Check command or binary executable as user
# Lists the sudoers rules that apply to the current account (may prompt
# for a password); overly broad rules here are a misconfiguration to report.
sudo -l
# check id
# uid, gid and supplementary groups of the current account.
id
# check if kernel version is outdated
# Kernel release and build date; compare against the distribution's
# advisories to decide whether a patch is missing (see Kernel Exploits below).
uname -a
# check running process
# NOTE(review): 'aux' is BSD syntax and some procps versions warn about the
# leading dash; `<user>` is a placeholder to replace (as written the shell
# would treat it as a redirection, not a pattern).
ps -aux && ps -aux | grep <user>
# NOTE(review): -p expects a PID list, so this likely errors out; `ps -ef`
# is probably what was meant — verify.
ps -pf
# check history
# The shell's in-memory history list; it can differ from what is written
# to the history file on disk.
history
# Finding files
# Setuid files owned by root anywhere on the filesystem (-perm -4000 matches
# the setuid bit); stderr is discarded to drop permission-denied noise and
# -ls prints owner, mode and size for each hit.
find / -user root -perm -4000 2>/dev/null -ls
# check network
# All sockets (-a), listening ones (-l), numeric addresses (-n) and the
# owning program (-p; only shown for the caller's own processes unless
# root). netstat is deprecated on most current distributions; `ss -anp`
# gives the equivalent output.
netstat -alnp
# Services bound to loopback only: reachable from the host itself but not
# from the network, which matters when assessing exposure.
netstat -alnp | grep 127.0.0.1
################ Must check Directory/files ################
# Path / Directory
/var/www/
/var/www/html
/var/www/config
/var/www/backup
/var/www/mysql
/usr/local/bin
/etc/passwd
/opt
/home
/home/user
# Files
.bash_history
.bashrc
config.php
backup.php
mysql.php
secrets
secrets.php
/etc/something.conf
# with extension
.dat
.cnf
.conf
.config
.bak
.backup
.sql
.data
# grep useful things
# Case-insensitive (-i) extended-regex (-E) search for credential-like
# tokens in config and backup files.
# NOTE(review): no path is given, so as written this reads stdin — name the
# files to search. 'pass' already covers 'password' and 'dbpass', and 'root'
# will match a great deal of unrelated text.
grep -Ei 'password|pass|pwd|root|database|dbpass|dbuser|db_passwd|db_login|db_user|db_database'
################ Kernel Exploits ################
# DirtyCow: copy the exploit source onto the target machine, then compile it:
gcc -pthread raw_exploit.c -o exploit -lcrypt