# 'Nix manual enumeration

**#Spawning a shell**

```
# On victim
# Get a real pseudo-terminal (pty) for the shell, then hand the connection
# over to the attacker-side stty steps below before resuming it.
python -c 'import pty;pty.spawn("/bin/bash")'
Ctrl-z   # (keystroke: suspends the foreground session on the attacker side)

# On attacker
echo $TERM # note down
stty -a # note down rows and cols
stty raw -echo # this may be enough
fg   # resume the suspended session

# On victim
reset
export SHELL=bash
export TERM=xterm256-color
# NOTE(review): the terminfo entry is named xterm-256color; the value above
# looks mistyped — confirm.
stty rows 38 columns 116   # use the rows/cols noted from stty -a (38x116 is only an example)

#Alternatives:
echo os.system('/bin/bash')
# NOTE(review): the line above is not a runnable command as written ("echo" is
# not python); it looks like the python os.system variant got mangled — confirm.
/bin/sh -i
perl: exec "/bin/sh";
ruby: exec "/bin/sh"
lua: os.execute('/bin/sh')
```

**#SUID files**

```
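# Special permission bits: sticky (1000), SGID (2000), SUID (4000).
# When two -perm tests are combined with -o they must be grouped with \( \):
# the implicit -a binds tighter than -o, so without the parentheses the
# trailing -type / -exec apply only to the last alternative.
find / -perm -1000 -type d 2>/dev/null   # Sticky bit
find / -perm -g=s -type f 2>/dev/null    # SGID (chmod 2000) - run as the group
find / -perm -u=s -type f 2>/dev/null    # SUID (chmod 4000) - run as the owner
find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null    # SGID or SUID
# -maxdepth is a global option and has to come before the tests (find warns otherwise)
find / -maxdepth 3 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null
find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print   # world-writable directories without the sticky bit
find /dir -xdev \( -nouser -o -nogroup \) -print   # entries whose owner/group no longer exists

#Bash trick: search only directories whose name ends in "bin"
# ("$dir" quoted so a path containing spaces is passed as one argument)
while IFS= read -r dir; do
  find "$dir" \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null
done < <(locate -r 'bin$')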

```

**#Blind Files**

```
#Things to pull when all you can do is blindly read files (LFI/dir traversal)
# Each entry is a path to request, followed by what it tells you.

/etc/resolv.conf  #Contains the current name servers (DNS) for the system.

/etc/issue #current version of distro

/etc/passwd #List of local users

cat /etc/passwd | grep bash #variant: only accounts whose login shell is bash

/etc/shadow #long shot but worth a try (readable by root only on a correctly configured system)

/.bash_history  #Will give you some directory context
# NOTE(review): the path is probably meant relative to a home directory
# (e.g. ~/.bash_history) — confirm.

```

**#System**

```
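# Host facts: kernel, processes, identity, available interpreters/compilers,
# storage, login history, hardware, and recently changed files.
uname -a  #Prints the kernel version, arch, sometimes distro

ps aux  #List all running processes

top -b -n 1   #one snapshot in batch mode (-n is the iteration count, not a line count; -d needs a delay value)

id    #Your current username, groups

arch; uname -m #Kernel processor architecture (two equivalent commands)

w    #who is connected, uptime and load avg

who -a  #uptime, runlevel, tty, processes etc.

gcc -v #Returns the version of GCC (for exploit compiling) 

mysql --version #Returns the version of MySQL.

perl -v  #Returns the version of Perl.

ruby -v  #Ruby

python --version #Python / also python3

java -version #java

df -k #mounted fs, size, % use, dev and mount point

mount #mounted fs

last -a  #Last users logged on

lastcomm   #previously executed commands (needs process accounting enabled)

lastlog    #most recent login per account

getenforce  # Get the status of SELinux (Enforcing, Permissive or Disabled)
# ("Command 'getenforce' not found" means the SELinux userland tools are not installed)

dmesg #Informations from the last system boot

lspci #prints all PCI buses and devices

lsusb #prints all USB buses and devices

lscpu  #prints CPU information

lshw  #list hardware information

cat /proc/cpuinfo   # same usage as lscpu, read straight from procfs

cat /proc/meminfo   # same usage as lshw for memory, read straight from procfs

command -v nmap #locate a command (ie nmap or nc); command -v is the portable form of which

locate bin/nmap

locate bin/nc

#Files modified in the last 5 mins (pseudo-filesystems and /var/lib excluded to cut noise)
find / -type f -mmin -5 ! -path "/proc/*" ! -path "/sys/*" ! -path "/run/*" ! -path "/dev/*" ! -path "/var/lib/*" 2>/dev/null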
```

**#Networking**

```
# Network identity, interfaces, routes, firewall rules and open sockets.
# Lines marked #root need root to show their full output.
hostname -f   # fully qualified host name

ip addr show   # interfaces and addresses (iproute2)

ip ro show     # routing table (abbreviation of ip route show)

ifconfig -a    # legacy equivalent of ip addr show

route -n       # legacy equivalent of ip ro show

cat /etc/network/interfaces   # Debian-style interface configuration

iptables -L -n -v                       #root

iptables -t nat -L -n -v                #root

ip6tables -L -n -v                      #root

iptables-save                           #root

netstat -anop   # all sockets, numeric, with owning process and timers

netstat -r      # routing table

netstat -nltupw                         #root with raw sockets 

arp -a          # ARP cache: neighbours seen on the local segment

lsof -nPi       # open network sockets per process

cat /proc/net/*    #more discreet, all the information given by the above commands can be found by looking into the files under /proc/net,and this approach is less likely to trigger monitoring or other stuff
```

**#User accounts**

```
# Account sources: local files, NSS-backed lookups (LDAP/NIS), Samba and mail.
# shadow, /etc/security and pdbedit need root.
cat /etc/passwd    #local accounts    

cat /etc/shadow #password hashes on Linux (root only)

cd /etc/security/   #then ls to find password related files,most are root secured

/etc/security/passwd  #password hashes on AIX

cat /etc/group   #groups(or /etc/gshadow)

getent passwd     #should dump all local, LDAP, NIS, whatever the system is using

getent group     #same for groups  

pdbedit -L -w     #Samba's own database SAMBA HAS TO BE INSTALLED ON MACHINE TO WORK (-w: smbpasswd-style output)

pdbedit -L -v     #verbose listing of the same Samba database

cat /etc/aliases   #mail aliases 

find /etc -name aliases   #needs root privileges

getent aliases     #mail aliases via NSS

ypcat passwd      #displays NIS password file
```

**#Obtain user's information**

```
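# Per-user artefacts under /home: SSH material, shell/tool histories,
# sudo rights and cron jobs. The globs expand only to directories you can read.
ls -alh /home/*/

ls -alh /home/*/.ssh/

cat /home/*/.ssh/authorized_keys   # keys allowed to log in as each user

cat /home/*/.ssh/known_hosts       # hosts each user has connected to

cat /home/*/.hist
# NOTE(review): ".hist" does not match the usual history file names
# (.bash_history etc.) — confirm the intended path.

find /home/*/.vnc /home/*/.subversion -type f   # VNC and SVN configuration/credential files

grep ^ssh /home/*/.hist      # history lines starting with ssh / telnet / mysql

grep ^telnet /home/*/.hist

grep ^mysql /home/*/.hist

cat /home/*/.viminfo          # vim's recently edited files and command history

sudo -l     #sudoers: what the current user may run via sudo

crontab -l  # current user's cron jobs

cat /home/*/.mysql_history

# sudo -p <prompt>: allows the user to define what the password prompt will be, useful for fun customization with aliases or shell scripts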
```

**#Configs**

```
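# Configuration files worth reading; the crontab loop needs root to see
# other users' jobs.
# Entries under /etc whose mode ends in "w?" (writable by others), symlinks
# filtered out. 2>/dev/null sits on ls, the stage that produces permission errors.
ls -aRl /etc/ 2>/dev/null | awk '$1 ~ /w.$/' | grep -v lrwx

cat /etc/issue{,.net}   # login banners (local and network)

cat /etc/master.passwd   # BSD equivalent of /etc/shadow

cat /etc/group

cat /etc/hosts

cat /etc/crontab

cat /etc/sysctl.conf

# (Lists all crons) — "$user" quoted so each name is passed intact
for user in $(cut -f1 -d: /etc/passwd); do
  printf '%s\n' "$user"
  crontab -u "$user" -l
done

cat /etc/resolv.conf

cat /etc/syslog.conf

cat /etc/chttp.conf

cat /etc/lighttpd.conf

cat /etc/cups/cupsd.conf   # (the source had a stray "cda" suffix on the file name)

cat /etc/inetd.conf

cat /opt/lampp/etc/httpd.conf

cat /etc/samba/smb.conf

cat /etc/openldap/ldap.conf

cat /etc/ldap/ldap.conf

cat /etc/exports   # NFS exports

cat /etc/auto.master

cat /etc/auto_master

cat /etc/fstab

find /etc/sysconfig/ -type f -exec cat {} \;   # the ; must be escaped from the shell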

```

**#Determine Distro**

```
# Distro identification: commands first, then per-distro release files
# (cat /etc/*release covers most of them in one go).
uname -a    # kernel version and architecture, not the distro itself

lsb_release -d  # Generic command for all LSB distros

/etc/os-release   #Generic for distros using "systemd"

/etc/issue    # login banner; usually names the distro

cat /etc/*release

/etc/SUSE-release  #Novell SUSE

/etc/redhat-release, /etc/redhat_version  #Red Hat

/etc/fedora-release  #Fedora

 /etc/slackware-release, /etc/slackware-version  #Slackware

/etc/debian_release, /etc/debian_version #Debian

/etc/mandrake-release  #Mandrake

/etc/sun-release  #Sun JDS

/etc/release  #Solaris/Sparc

/etc/gentoo-release #Gentoo   

/etc/arch-release  #Arch Linux (file will be empty)

arch   # machine architecture only

```

**#Installed packages**

```
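# Installed-package listing per package manager.
# (dpkg -i would *install* a package; the listing form is dpkg -l below)

rpm -qa --last | head   # RPM: most recently installed first

yum list | grep installed

dpkg -l  #Debian

dpkg -l | grep -i "linux-image"   # installed kernel packages (straight quotes; the source had curly ones)

dpkg --get-selections

pkginfo  #Solaris

cd /var/db/pkg/ && ls -d */*  #Gentoo: category/package-version directories (globs were stripped in the source)

pacman -Q #Arch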
```

**#Package sources**

```
# Where packages are fetched from.
cat /etc/apt/sources.list    # Debian/Ubuntu APT repositories

ls -l /etc/yum.repos.d/      # per-repository files on RPM systems

cat /etc/yum.conf            # global yum settings
```

**#Locating important files**

```
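# Directory surveys, per-user files, and locate-based searches for archives,
# dumps and config files. Run updatedb first if locate output looks stale.
ls -dlR */

ls -alR | grep '^d'   # directories only

find /var -type d

find /var -type d -exec ls -dl {} +   # same as ls -dl $(find ...) but safe for paths with spaces

find /var -type d -exec ls -dl {} + | grep -v root   # drops lines mentioning root (owner or path)

find /var ! -user root -type d -ls   # same idea, done by find itself

find /var/log -type f -exec ls -la {} \;

find / -user r3dcl1ff -type f -exec ls -al {} \; 2>/dev/null #(find exec files for given user; substitute the username)

find / -perm -4000  #find all suid files

ls -alhtr /mnt    # -t -r: sorted by time, newest at the bottom

ls -alhtr /media

ls -alhtr /tmp

ls -alhtr /home

# (the source ran these two together as "cd /home/; treels /home//.ssh/")
cd /home/ && tree   # tree may not be installed
ls /home/*/.ssh/

find /home -type f -iname '.*history'

ls -lart /etc/rc.d/

locate tar | grep '[.]tar$'   #Remember to updatedb before running locate

locate tgz | grep '[.]tgz$'

locate sql | grep '[.]sql$'

locate settings | grep '[.]php$'

locate config.inc | grep '[.]php$'

ls /home/*/id*

locate .properties | grep '[.]properties'  # java config files (the source dropped the leading "locate")

locate .xml | grep '[.]xml'  # java/.net config files

# find suids in the usual binary dirs plus every $PATH entry.
# ${PATH//:/ } is deliberately left unquoted so each entry becomes its own argument.
# shellcheck disable=SC2086
find /sbin /usr/sbin /opt /lib ${PATH//:/ } -perm /6000 -ls

locate rhosts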

```

