1 Look Around

Interesting dirs

/var/backup

/var/www/classes/

/home/bob/

/export

/var/logs

/tmp

/home/bob/.*history

/backups

/var/mail

/var/tmp

/anythingweird

/.ssh

/reports

/private

Searching Linux

--------------------
--------------------
Linux Version
>> lsb_release -a

--------------------
--------------------
Search for File inside Multiple Directories

> find /home -name .bash_history
/home/victim15/.bash_history

--------------------
--------------------
wildcards

find -name '*db*'
find -name '*.GIF'
find -iname '*.gif'
find -iname \*.gif


--------------------
--------------------
Search for a Keyword inside multiple files:

>> find /home -name .bashrc
>> find /home -name .bashrc -exec grep password {} \;
>> find . -name .bashrc -exec grep -H password {} \;   ..show the folder too

Find > cat > grep
>> find . -name .bashrc -exec cat {} \; | grep key
>> find /home/file.txt -exec cat {}\;


--------------------
--------------------
> find . -name .zsh_history
> cat ./victim54/.zsh_history
> find . -name .zsh_history -exec cat {} \; | grep "key"

--------------------
--------------------
Grep a directory for user/pws:

grep -Ri password .
grep -Ri 'mark\|tom\|rastating\|password' * | head
-R: — Dereference-recursive
-i: — Ignore-case
head: — Display first 10 lines


--------------------
--------------------
Unusual Home Directories
> cat /etc/passwd

--------------------
--------------------
Check every profile for history 'passwd'
> find /home -name .bash_history -exec grep -A 1 '^passwd' {} \;

--------------------
--------------------
Search for Secrets in files

strings * grep /     ..to find a single /
strings * grep '\\'  ..to find a single \
strings * -n 8
strings * -e b
strings * -e l

exiftool * | grep firewall
exiftool * | grep firewall
exiftool * | grep /
exiftool * | grep '\\'


--------------------
--------------------
locate myapp
updatedb  ..if my app wasnt in the index yet
find / -name whoami
find / -name ls    ..very slow
find / -name ls &    ..spawn (jobs bg fg1)
grep root *    ..look for word 'root' in my current directory

---------------------------------------
---------------------------------------
Watch bad login attempts:
sudo tail -f /var/log/auth.log


---------------------------------------
---------------------------------------
Search for a string with 32 Digits

grep -e '[^\ ]\{32,\}' -rl /tmp/pacman/gitdir3


---------------------------------------
---------------------------------------
cat .hidden
cat 'spaces in filename'
cat data.txt | grep millionth
more myfile
file myfile

find / -user bandit
find / -user bandit 2>&1 | grep -v "Permission denied"
find / -user bandit -type f -name "pass" -print 2>/dev/null
find / -user bandit -type f -group bandit6 -size 33c -exec ls {} \;
find / -user bandit -group bandit6 -size 33c 2>&1 | grep -F -v Permission
find / -user bandit | grep -v "pass" 2>&1 | grep -v "Permission denied"
find / -user bandit -type f -print 2>/dev/null
find / -user bandit -type f "pass" -print 2>/dev/null

sort data.txt
sort data.txt | uniq -c  ..counter
sort data.txt | uniq -u  ..unique only

strings data.txt | sort
strings data.txt | grep "=="

Linux Services

find / -name "*httpd*" 2>/dev/null

Example:
/usr/local/sbin/nhttpd
/usr/share/man/man8/nhttpd.8
/var/nostromo/logs/nhttpd.pid
/var/nostromo/logs/.nhttpd.pid.swp
/var/nostromo/conf/nhttpd.conf

json obfuscated

On screen data might be obfuscated, but there are other ways to find it!

http://xyz.libcurl.so/users/1
http://xyz.libcurl.so/users/1.js
http://xyz.libcurl.so/users/1.json

Framework will give you the json verson of the page like this:
>> curl http://xyz.libcurl.so/users/1 -H 'Accept: application/json'

Linux SUID and Privs

Find all the SUID enabled binaries
What files I have Priv to use:

>> find / -perm -u=s 2>/dev/null
>> find / -perm -4000 2>/dev/null
>> find / -user root -perm -4000 -exec ls -ldb {} \;

Network Checks

--------------------
--------------------
netstat -nap                ..routing, connections, listening
netstat -alnp | grep LIST   ..see what is listening
netstat -nr                 ..Routing tables
netstat -natu               ..Linux
netstat -na                 ..Windows

lsof -i        ..open files
ps -ef         ..sometimes password here too
arp -a
ipconfig /displaydns

sudo lsof -Pni | grep ssh
ssh is listening

--------------------
--------------------
victim monitor:
netstat -ano 1 | find ":2222" ..1:update every 1 sec

Linux Unzipping

--------------------
--------------------
file backup.tbz.gz   .. to see what 'kind' it is
gunzip backup.tbz.gz
tar -xvjf backup.tbz
cpio -idv --no-absolute-filename < backup     ..copies to/from archives
strings backupxyz | more
cat backupxyz


--------------------
--------------------
tar -zxvf data.zip ... gzip
tar -jxvf data.zip ... bzip2

file data.zip ... ASCII
xxd -r data.zip hexdata .. Convert back to hexdata
gzip -d hexdata.gz .. decompress from gzip

file hexdata .. bzip2 compressed data, block size = 900k
mv hexdata hexdata.bz2 .. rename bz
bzip2 -d hexdata.bz2 .. unzipped

file hexdata .. POSIX tar archive (GNU)
tar -xvf hexdata .. data5.bin

file data8 .. ASCII text
cat data8

--------------------
--------------------
unzip data.zip    ..fails
7z e data.zip     ..7zip works

Admin crons

REF: procmon

crontab -l
anacron
cron.daily

> cd /etc/cron.daily
> ls

Impersonate

su
su victim
Once you find a password for somebody, you can 'su' to their account
And impersonate them

sed tricks

Text Cleanup
Set every comma as a new line

> sed 's/,/\n/g' notes

Previous06 Linux PrivEsc Next2 Enums

Last updated 2 years ago

Was this helpful?

More

Interesting dirs

Searching Linux

Linux Services

json obfuscated

Linux SUID and Privs

Network Checks

Linux Unzipping

Admin crons

Impersonate

sed tricks