
Linux Post Exploitation

Local Enumeration

Users and Groups

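# Check hostname
hostname

# Get current user
whoami

# List only user accounts on the system: entries whose login shell is a
# non-interactive shell (nologin or false) are filtered out.
grep -v -e '/nologin' -e '/false' /etc/passwd

# Create a list of user names (first field of /etc/passwd) for brute-force attacks
cut -d ':' -f 1 /etc/passwd

# List groups file
cat /etc/group

# List groups of the current user
groups

# Get groups/privileges for specific user
groups USER_NAME

# Add bob user to root group. This is a modification, not enumeration: it
# requires root, rewrites /etc/group and is normally recorded in the auth log.
usermod -aG root bob

# List users that logged into the system
last

# Check last login of every account
lastlog

# Provide a general overview of the user's privilege level and group memberships
id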

System Information

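# List current distribution
cat /etc/*release

# May give information on the kernel version and additional data such as whether a compiler (e.g. GCC) is installed
cat /proc/version

# This file usually contains some information about the operating system but can easily be customized or changed
cat /etc/issue

# List kernel version. This will be useful when searching for any potential kernel vulnerabilities that could lead to privilege escalation.
uname -a

# List only the kernel version
uname -r

# CPU information
lscpu

# Display a list of filesystems
df -h

# Display storage devices. No `grep sd` filter: it would hide nvme*, vd* and mmcblk* devices.
lsblk

# Finding all SUID files on the system (two equivalent spellings; errors from unreadable directories are discarded).
# Defensive use: baseline this list and alert when a new SUID binary appears.
find / -type f -perm -4000 2>/dev/null
find / -perm -u=s -type f 2>/dev/null

# List the login shells registered in /etc/shells with owner, permissions and SUID bit.
# Only lines that start with "/" are real paths; comment lines in /etc/shells are skipped.
while IFS= read -r shell; do [[ "$shell" == /* ]] && ls -l -- "$shell" 2>/dev/null; done < /etc/shells

# List environment variables
env

# List processes. The aux option will show processes for all users (a), display the user that launched the process (u), and show processes that are not attached to a terminal (x).
ps aux

# List all commands your user can run using sudo (may prompt for the user's password)
sudo -l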

Network Information

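# Check network config. ifconfig belongs to the legacy net-tools package and may be
# missing; `ip a s` is the iproute2 equivalent.
ifconfig
ip a s
cat /etc/networks

# List network routes; the default gateway is the "default via ..." entry
ip route

# Show all listening ports and established connections
# (netstat is legacy net-tools; `ss` is the iproute2 replacement and takes the same flags here)
netstat -a
ss -a

# List TCP/UDP only
netstat -at
netstat -au
ss -at
ss -au

# List ports in listening mode
netstat -l
ss -l

# List services currently listening on the system, numeric, with the owning process
# (the -p column for sockets of other users is usually only visible as root)
netstat -antp
ss -antp

# Get hostname
cat /etc/hostname

# List possible internal domains
cat /etc/hosts

# Display DNS resolver configuration (nameservers and search domains).
# This file does not contain the default gateway; `ip route` shows that.
cat /etc/resolv.conf

# Display other systems connected to the network (ARP/neighbour cache; `ip neigh` is the iproute2 equivalent)
arp -a
ip neigh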
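# Find the file named "flag.txt" in the current directory (recursively)
find . -name flag.txt

# Find the file named "flag.txt" in the /home directory
find /home -name flag.txt

# Find the directory named config under "/"
find / -type d -name config 2>/dev/null

# Find any file whose name contains "flag" under "/", case insensitive (-iname).
# The pattern is quoted so the shell does not expand it against the current directory before find sees it.
find / -iname '*flag*' 2>/dev/null

# Find files with the 777 permissions (files readable, writable, and executable by all users)
find / -type f -perm 0777 2>/dev/null

# Find executable files (any execute bit set).
# `-perm a=x` without the leading "/" matches only files whose mode is exactly 0111.
find / -type f -perm /a=x 2>/dev/null

# Find all files for user "frank" under /home directory
find /home -user frank

# Find files that were modified in the last 10 days
# (`-mtime 10` without the sign matches only files modified exactly 10 days ago)
find / -mtime -10 2>/dev/null

# Find files that were accessed in the last 10 days
find / -atime -10 2>/dev/null

# Find files with a 50 MB size. Use +50M / -50M to find files larger / smaller than the given size.
find / -size 50M 2>/dev/null

# Find folders writable by the current user (-writable tests the calling user's effective permissions)
find / -writable -type d 2>/dev/null

# Find world-writable folders (the "other" write bit set)
find / -perm -o=w -type d 2>/dev/null

# Find world-executable folders.
# `-perm -o x` is not a valid mode: -o is find's OR operator, the mode must be written -o=x.
find / -perm -o=x -type d 2>/dev/null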

Cron Jobs Information

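# List processes (snapshot of all users' processes)
ps aux

# List of all running processes: one batch iteration instead of the interactive screen,
# so the output can be piped or saved
top -b -n 1

# List cron jobs of the current user
crontab -l

# Display all cron files and directories (system crontab, cron.d, cron.hourly/daily/weekly/monthly)
ls -al /etc/cron*

# List content of cron files. /etc/cron* also matches directories, which cat cannot read,
# so the system crontab and the files inside cron.d are named explicitly.
cat /etc/crontab /etc/cron.d/* 2>/dev/null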

Automating Local Enumeration

Popular tools for privilege escalation enumeration:

- LinPEAS: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS
- LinEnum: https://github.com/rebootuser/LinEnum
- LES (Linux Exploit Suggester): https://github.com/mzet-/linux-exploit-suggester
- Linux Smart Enumeration: https://github.com/diego-treitos/linux-smart-enumeration
- Linux Priv Checker: https://github.com/linted/linuxprivchecker

It is recommended to store the downloaded files in the /tmp directory.

Meterpreter commands

# Meterpreter built-in commands, typed inside an open Meterpreter session (not in a system shell).

# Get system info
sysinfo

# Get user ID the session is running as
getuid

# Network interfaces details
ifconfig

# Current TCP/UDP connections
netstat

# Display routing table
route

Interesting post exploitation modules

post/linux/gather/enum_configs

# Load the module, point it at an existing session, then run it.
# SESSION_ID is a placeholder: replace it with the numeric id of the target session.
use post/linux/gather/enum_configs
set SESSION SESSION_ID
run

post/multi/gather/env

# Same pattern for every module below: use, set SESSION, run.
use post/multi/gather/env
set SESSION SESSION_ID
run

post/linux/gather/enum_network

use post/linux/gather/enum_network
set SESSION SESSION_ID
run

post/linux/gather/enum_protections

# Module name suggests it reports host hardening/protection settings; check `info` for the exact scope.
use post/linux/gather/enum_protections
set SESSION SESSION_ID
run

post/linux/gather/enum_system

use post/linux/gather/enum_system
set SESSION SESSION_ID
run

post/linux/gather/checkcontainer

# checkcontainer / checkvm: detect whether the session runs inside a container or a virtual machine.
use post/linux/gather/checkcontainer
set SESSION SESSION_ID
run

post/linux/gather/checkvm

use post/linux/gather/checkvm
set SESSION SESSION_ID
run

post/linux/gather/enum_users_history

use post/linux/gather/enum_users_history
set SESSION SESSION_ID
run