# 1 Look Around

## More

* [WindowsCmdKungFu](/07-win-privesc/windows-cmd-kungfu.md)
* [LinuxEnum](/06-linux-privesc/lx-enum.md), [WinEnum](/07-win-privesc/win-enum.md)
* [OSINT](/01-prep/01-osint-dorks.md)

## Interesting dirs

|             |                   |                      |          |
| ----------- | ----------------- | -------------------- | -------- |
| /var/backup | /var/www/classes/ | /home/bob/           | /export  |
| /var/logs   | /tmp              | /home/bob/.\*history | /backups |
| /var/mail   | /var/tmp          | /anythingweird       | /.ssh    |
|             |                   | /reports             | /private |

## Searching Linux

```
--------------------
--------------------
Linux Version
>> lsb_release -a

--------------------
--------------------
Search for File inside Multiple Directories

> find /home -name .bash_history
/home/victim15/.bash_history

--------------------
--------------------
wildcards

find -name '*db*'
find -name '*.GIF'
find -iname '*.gif'
find -iname \*.gif


--------------------
--------------------
Search for a Keyword inside multiple files:

>> find /home -name .bashrc
>> find /home -name .bashrc -exec grep password {} \;
>> find . -name .bashrc -exec grep -H password {} \;   ..-H prints the file name too

Find > cat > grep
>> find . -name .bashrc -exec cat {} \; | grep key
>> find /home/file.txt -exec cat {} \;   ..{} and \; must be separate arguments


--------------------
--------------------
> find . -name .zsh_history
> cat ./victim54/.zsh_history
> find . -name .zsh_history -exec cat {} \; | grep "key"

--------------------
--------------------
Grep a directory for user/pws:

grep -Ri password .
grep -Ri 'mark\|tom\|rastating\|password' * | head
-R    ..dereference-recursive
-i    ..ignore-case
head  ..display first 10 lines


--------------------
--------------------
Unusual Home Directories
> cat /etc/passwd

--------------------
--------------------
Check every profile for history 'passwd'
> find /home -name .bash_history -exec grep -A 1 '^passwd' {} \;

--------------------
--------------------
Search for Secrets in files

strings * | grep /     ..to find a single /
strings * | grep '\\'  ..to find a single \
strings * -n 8         ..only strings of 8+ chars
strings * -e b         ..16-bit big-endian strings
strings * -e l         ..16-bit little-endian strings

exiftool * | grep firewall
exiftool * | grep /
exiftool * | grep '\\'


--------------------
--------------------
locate myapp
updatedb  ..if my app wasn't in the index yet
find / -name whoami
find / -name ls    ..very slow
find / -name ls &    ..run in background (jobs, bg, fg 1)
grep root *    ..look for word 'root' in my current directory

---------------------------------------
---------------------------------------
Watch bad login attempts:
sudo tail -f /var/log/auth.log


---------------------------------------
---------------------------------------
Search for a run of 32 or more non-space characters (e.g. an MD5 hash), list matching files only

grep -e '[^\ ]\{32,\}' -rl /tmp/pacman/gitdir3


---------------------------------------
---------------------------------------
cat .hidden
cat 'spaces in filename'
cat data.txt | grep millionth
more myfile
file myfile

find / -user bandit
find / -user bandit 2>&1 | grep -v "Permission denied"
find / -user bandit -type f -name "pass" -print 2>/dev/null
find / -user bandit -type f -group bandit6 -size 33c -exec ls {} \;
find / -user bandit -group bandit6 -size 33c 2>&1 | grep -F -v Permission
find / -user bandit 2>&1 | grep -v "pass" | grep -v "Permission denied"
find / -user bandit -type f -print 2>/dev/null
find / -user bandit -type f -name "pass" -print 2>/dev/null

sort data.txt
sort data.txt | uniq -c  ..counter
sort data.txt | uniq -u  ..unique only

strings data.txt | sort
strings data.txt | grep "=="
```
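The history and keyword searches above, collected into one audit that a defender can run over home directories to find credentials leaked into shell history (so they can be rotated and the files scrubbed). This is an added example, not code from the original notes; the user names, history contents and the `SECRET_RE` keyword list are constructed for the example.

```sh
#!/bin/sh
# Audit shell history files under ROOT for lines that look like leaked
# credentials. Same find/grep idea as the one-liners above, in one report.

# Keywords and hash-like tokens (32+ hex chars) that usually mean "secret"
# (constructed list for this example; extend for your environment).
SECRET_RE='passw(or)?d|secret|token|api[_-]?key|sshpass|mysql .*-p[^ ]|[0-9a-f]{32,}'

# audit_history ROOT : print "file:line:text" for every suspicious line in any
# dot-file ending in "history" (.bash_history, .zsh_history, ...).
# grep -H is needed because -exec runs grep on one file at a time, which would
# otherwise drop the file name; unreadable files are silenced with 2>/dev/null.
audit_history() {
    find "$1" -type f -name '.*history' \
        -exec grep -HniE "$SECRET_RE" {} \; 2>/dev/null
}

# audit_count ROOT : number of suspicious lines (a quick pass/fail figure).
audit_count() {
    audit_history "$1" | wc -l | tr -d ' '
}

# make_sample : constructed directory tree with two fake history files;
# the users and commands are made up for this example. Prints its path.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/victim15" "$d/victim54"
    printf '%s\n' 'ls -la' 'mysql -u root -pS3cret! app' 'cd /tmp' \
        > "$d/victim15/.bash_history"
    printf '%s\n' 'export API_KEY=abc123' 'echo hi' 'passwd' \
        'curl -H "Authorization: Bearer token123"' > "$d/victim54/.zsh_history"
    echo "$d"
}
```

Run `audit_history "$(make_sample)"` to see the four flagged lines; point it at `/home` for a real audit.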

## Linux Services

```
find / -name "*httpd*" 2>/dev/null

Example:
/usr/local/sbin/nhttpd
/usr/share/man/man8/nhttpd.8
/var/nostromo/logs/nhttpd.pid
/var/nostromo/logs/.nhttpd.pid.swp
/var/nostromo/conf/nhttpd.conf
```

## json obfuscated

* On screen data might be obfuscated, but there are other ways to find it!

```
http://xyz.libcurl.so/users/1
http://xyz.libcurl.so/users/1.js
http://xyz.libcurl.so/users/1.json

The framework will give you the JSON version of the page like this:
>> curl http://xyz.libcurl.so/users/1 -H 'Accept: application/json'
```

## Linux SUID and Privs

```
Find all the SUID enabled binaries
i.e. which binaries run with their owner's privileges (usually root) no matter who executes them:

>> find / -perm -u=s 2>/dev/null
>> find / -perm -4000 2>/dev/null
>> find / -user root -perm -4000 -exec ls -ldb {} \;
```
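The same `find -perm -4000` check turned into a baseline comparison, the way a defender would watch for a SUID binary that was not there yesterday. This is an added example, not code from the original notes; the sample tree under `usr/bin` and the file names are constructed.

```sh
#!/bin/sh
# Compare the SUID files present now against a saved baseline, so a newly
# appeared SUID binary (a common privesc/persistence artefact) stands out.

# list_suid ROOT : sorted list of regular files with the setuid bit under ROOT.
# -perm -4000 is the same test as -perm -u=s; -type f skips directories.
list_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# save_baseline ROOT FILE : record the current SUID set for later comparison.
save_baseline() {
    list_suid "$1" > "$2"
}

# new_suid ROOT BASELINE : print SUID files present now but absent from BASELINE.
# comm -13 keeps lines unique to the second (current) input; both must be sorted.
new_suid() {
    list_suid "$1" | comm -13 "$2" -
}

# make_sample : constructed directory with one SUID file and one plain file;
# prints its path. Names are made up for this example.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin"
    : > "$d/usr/bin/passwd-like"; chmod 4755 "$d/usr/bin/passwd-like"
    : > "$d/usr/bin/plain";       chmod 0755 "$d/usr/bin/plain"
    echo "$d"
}

# add_suid ROOT NAME : simulate a new SUID binary appearing after the baseline.
add_suid() {
    : > "$1/usr/bin/$2"; chmod 4755 "$1/usr/bin/$2"
}
```

On a real host, `save_baseline / /var/lib/suid.baseline` once, then `new_suid / /var/lib/suid.baseline` from a cron job; any output is worth investigating.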

## Network Checks

```
--------------------
--------------------
netstat -nap                ..all sockets, numeric, with owning process (-p needs root)
netstat -alnp | grep LIST   ..see what is listening
netstat -nr                 ..Routing tables
netstat -natu               ..Linux
netstat -na                 ..Windows

lsof -i        ..open files
ps -ef         ..sometimes password here too
arp -a
ipconfig /displaydns

sudo lsof -Pni | grep ssh   ..check whether ssh is listening

--------------------
--------------------
victim monitor:
netstat -ano 1 | find ":2222" ..1:update every 1 sec
```

## Linux Unzipping

```
--------------------
--------------------
file backup.tbz.gz   .. to see what 'kind' it is
gunzip backup.tbz.gz
tar -xvjf backup.tbz
cpio -idv --no-absolute-filenames < backup     ..copies to/from archives
strings backupxyz | more
cat backupxyz


--------------------
--------------------
tar -zxvf data.zip ... gzip
tar -jxvf data.zip ... bzip2

file data.zip ... ASCII text (a hexdump)
xxd -r data.zip hexdata .. convert the hexdump back to binary
file hexdata .. gzip compressed data
mv hexdata hexdata.gz; gzip -d hexdata.gz .. gzip wants the .gz suffix, then decompress

file hexdata .. bzip2 compressed data, block size = 900k
mv hexdata hexdata.bz2 .. rename bz
bzip2 -d hexdata.bz2 .. unzipped

file hexdata .. POSIX tar archive (GNU)
tar -xvf hexdata .. data5.bin

file data8 .. ASCII text
cat data8

--------------------
--------------------
unzip data.zip    ..fails
7z e data.zip     ..7zip works
```
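The layer-by-layer unwrapping above (identify the type, rename, decompress, repeat) automated in a loop. This is an added example, not code from the original notes; it classifies each layer from its magic bytes (the same evidence `file` reads) so it runs even where `file` is not installed, and it assumes a tar layer holds a single member, as in the data.zip chain above.

```sh
#!/bin/sh
# magic FILE : name the outermost layer from its magic bytes:
# gzip starts 1f 8b, bzip2 starts "BZh" (42 5a 68), a tar header has "ustar"
# at offset 257, and an xxd-style hexdump has lines like "00000000: ...".
magic() {
    h=$(od -An -tx1 -N3 "$1" | tr -d ' \n')
    case "$h" in
        1f8b*)  echo gzip;  return ;;
        425a68) echo bzip2; return ;;
    esac
    if [ "$(dd if="$1" bs=1 skip=257 count=5 2>/dev/null)" = "ustar" ]; then
        echo tar
    elif grep -qE '^[0-9a-f]{8}: ' "$1"; then
        echo hexdump
    else
        echo other
    fi
}

# unwrap FILE : copy FILE into a scratch directory and peel layers until the
# type is something else; prints the path of the innermost payload.
unwrap() {
    work=$(mktemp -d)
    cur="$work/layer"
    cp "$1" "$cur"
    n=0
    while [ "$n" -lt 20 ]; do            # hard stop against endless nesting
        n=$((n + 1))
        case "$(magic "$cur")" in
            gzip)    mv "$cur" "$cur.gz";  gzip -d "$cur.gz" ;;   # back to "$cur"
            bzip2)   mv "$cur" "$cur.bz2"; bzip2 -d "$cur.bz2" ;;
            tar)     mkdir "$cur.d"; tar -xf "$cur" -C "$cur.d"
                     cur=$(find "$cur.d" -type f | head -n 1) ;;  # single member assumed
            hexdump) xxd -r "$cur" "$cur.bin"; cur="$cur.bin" ;;
            *)       break ;;
        esac
    done
    echo "$cur"
}
```

`cat "$(unwrap data.zip)"` prints the final payload; each intermediate layer is left in the scratch directory for inspection.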

## Admin crons

* REF: [procmon](/06-linux-privesc/02-monitor-files.md#watch-proc-procmon)

```
crontab -l
anacron
cron.daily

> cd /etc/cron.daily
> ls 
```

## Impersonate

```
su
su victim
Once you find a password for somebody, you can 'su' to their account
And impersonate them
```

## sed tricks

* Text Cleanup
* Set every comma as a new line

```
> sed 's/,/\n/g' notes
```
