1 Look Around
More
Interesting dirs
/var/backup
/var/www/classes/
/home/bob/
/export
/var/logs
/tmp
/home/bob/.*history
/backups
/var/mail
/var/tmp
/anythingweird
/.ssh
/reports
/private
Searching Linux
--------------------
--------------------
Linux Version
>> lsb_release -a
--------------------
--------------------
Search for File inside Multiple Directories
> find /home -name .bash_history
/home/victim15/.bash_history
--------------------
--------------------
wildcards
find -name '*db*'
find -name '*.GIF'
find -iname '*.gif'
find -iname \*.gif
--------------------
--------------------
Search for a Keyword inside multiple files:
>> find /home -name .bashrc
>> find /home -name .bashrc -exec grep password {} \;
>> find . -name .bashrc -exec grep -H password {} \; ..show the folder too
Find > cat > grep
>> find . -name .bashrc -exec cat {} \; | grep key
>> find /home/file.txt -exec cat {}\;
--------------------
--------------------
> find . -name .zsh_history
> cat ./victim54/.zsh_history
> find . -name .zsh_history -exec cat {} \; | grep "key"
--------------------
--------------------
Grep a directory for user/pws:
grep -Ri password .
grep -Ri 'mark\|tom\|rastating\|password' * | head
-R: — Dereference-recursive
-i: — Ignore-case
head: — Display first 10 lines
--------------------
--------------------
Unusual Home Directories
> cat /etc/passwd
--------------------
--------------------
Check every profile for history 'passwd'
> find /home -name .bash_history -exec grep -A 1 '^passwd' {} \;
--------------------
--------------------
Search for Secrets in files
strings * grep / ..to find a single /
strings * grep '\\' ..to find a single \
strings * -n 8
strings * -e b
strings * -e l
exiftool * | grep firewall
exiftool * | grep firewall
exiftool * | grep /
exiftool * | grep '\\'
--------------------
--------------------
locate myapp
updatedb ..if my app wasnt in the index yet
find / -name whoami
find / -name ls ..very slow
find / -name ls & ..spawn (jobs bg fg1)
grep root * ..look for word 'root' in my current directory
---------------------------------------
---------------------------------------
Watch bad login attempts:
sudo tail -f /var/log/auth.log
---------------------------------------
---------------------------------------
Search for a string with 32 Digits
grep -e '[^\ ]\{32,\}' -rl /tmp/pacman/gitdir3
---------------------------------------
---------------------------------------
cat .hidden
cat 'spaces in filename'
cat data.txt | grep millionth
more myfile
file myfile
find / -user bandit
find / -user bandit 2>&1 | grep -v "Permission denied"
find / -user bandit -type f -name "pass" -print 2>/dev/null
find / -user bandit -type f -group bandit6 -size 33c -exec ls {} \;
find / -user bandit -group bandit6 -size 33c 2>&1 | grep -F -v Permission
find / -user bandit | grep -v "pass" 2>&1 | grep -v "Permission denied"
find / -user bandit -type f -print 2>/dev/null
find / -user bandit -type f "pass" -print 2>/dev/null
sort data.txt
sort data.txt | uniq -c ..counter
sort data.txt | uniq -u ..unique only
strings data.txt | sort
strings data.txt | grep "=="
Linux Services
find / -name "*httpd*" 2>/dev/null
Example:
/usr/local/sbin/nhttpd
/usr/share/man/man8/nhttpd.8
/var/nostromo/logs/nhttpd.pid
/var/nostromo/logs/.nhttpd.pid.swp
/var/nostromo/conf/nhttpd.conf
json obfuscated
On screen data might be obfuscated, but there are other ways to find it!
http://xyz.libcurl.so/users/1
http://xyz.libcurl.so/users/1.js
http://xyz.libcurl.so/users/1.json
Framework will give you the json verson of the page like this:
>> curl http://xyz.libcurl.so/users/1 -H 'Accept: application/json'
Linux SUID and Privs
Find all the SUID enabled binaries
What files I have Priv to use:
>> find / -perm -u=s 2>/dev/null
>> find / -perm -4000 2>/dev/null
>> find / -user root -perm -4000 -exec ls -ldb {} \;
Network Checks
--------------------
--------------------
netstat -nap ..routing, connections, listening
netstat -alnp | grep LIST ..see what is listening
netstat -nr ..Routing tables
netstat -natu ..Linux
netstat -na ..Windows
lsof -i ..open files
ps -ef ..sometimes password here too
arp -a
ipconfig /displaydns
sudo lsof -Pni | grep ssh
ssh is listening
--------------------
--------------------
victim monitor:
netstat -ano 1 | find ":2222" ..1:update every 1 sec
Linux Unzipping
--------------------
--------------------
file backup.tbz.gz .. to see what 'kind' it is
gunzip backup.tbz.gz
tar -xvjf backup.tbz
cpio -idv --no-absolute-filename < backup ..copies to/from archives
strings backupxyz | more
cat backupxyz
--------------------
--------------------
tar -zxvf data.zip ... gzip
tar -jxvf data.zip ... bzip2
file data.zip ... ASCII
xxd -r data.zip hexdata .. Convert back to hexdata
gzip -d hexdata.gz .. decompress from gzip
file hexdata .. bzip2 compressed data, block size = 900k
mv hexdata hexdata.bz2 .. rename bz
bzip2 -d hexdata.bz2 .. unzipped
file hexdata .. POSIX tar archive (GNU)
tar -xvf hexdata .. data5.bin
file data8 .. ASCII text
cat data8
--------------------
--------------------
unzip data.zip ..fails
7z e data.zip ..7zip works
Admin crons
REF: procmon
crontab -l
anacron
cron.daily
> cd /etc/cron.daily
> ls
Impersonate
su
su victim
Once you find a password for somebody, you can 'su' to their account
And impersonate them
sed tricks
Text Cleanup
Set every comma as a new line
> sed 's/,/\n/g' notes
Last updated