Enumeration is the first step you have to take once you gain access to any
system. You may have accessed the system by exploiting a critical
vulnerability that resulted in root-level access or just found a way to send
commands using a low privileged account. Penetration testing engagements,
unlike CTF machines, don't end once you gain access to a specific system or
user privilege level.
As you will see, enumeration is as important during
the post-compromise phase as it is before.
hostname
The hostname command will return the hostname of the target machine. Although this value can easily be changed or be a relatively meaningless string (e.g. Ubuntu-3487340239), in some cases it can provide information about the target system's role within the corporate network (e.g. SQL-PROD-01 for a production SQL server).
┌──(hackerboy㉿KumarAtulJaiswal)-[~]
└─$ hostname
KumarAtulJaiswal
┌──(hackerboy㉿KumarAtulJaiswal)-[~]
└─$
uname -a
Will print system information, including the kernel release, giving us additional detail about the kernel used by the system. This is useful when searching for potential kernel vulnerabilities that could lead to privilege escalation. Treat the version string as a starting point, not a verdict: distribution kernels often backport security fixes without changing the upstream version number, so check the distribution's own package version (e.g. dpkg -l linux-image-\* or rpm -q kernel) before trusting that a public exploit applies, and remember that a failed kernel exploit can crash the host.
┌──(hackerboy㉿KumarAtulJaiswal)-[~]
└─$ uname -a
Linux KumarAtulJaiswal 5.18.0-kali2-amd64 #1 SMP PREEMPT_DYNAMIC Debian 5.18.5-1kali1 (2022-06-20) x86_64 GNU/Linux
┌──(hackerboy㉿KumarAtulJaiswal)-[~]
└─$
/proc/version
The proc filesystem (procfs) is a virtual filesystem through which the kernel exposes information about running processes and about the system itself. You will find /proc on practically every Linux flavour, making it an essential resource to have in your arsenal. Looking at /proc/version gives the kernel version together with build details such as the compiler the kernel was built with (gcc-11 in the output below). Note that this only tells you which compiler built the kernel, not that a compiler is installed on the target; check that separately (e.g. which gcc cc).
┌──(hackerboy㉿KumarAtulJaiswal)-[~]
└─$ cat /proc/version
Linux version 5.18.0-kali2-amd64 (devel@kali.org) (gcc-11 (Debian 11.3.0-3) 11.3.0, GNU ld (GNU Binutils for Debian) 2.38) #1 SMP PREEMPT_DYNAMIC Debian 5.18.5-1kali1 (2022-06-20)
┌──(hackerboy㉿KumarAtulJaiswal)-[~]
└─$
/etc/issue
Systems can also be identified by looking at the /etc/issue file. This file usually contains some information about the operating system but can easily be customized or changed. While on the subject, any file containing system information can be customized or changed, so cross-check several sources: /etc/os-release (what most tooling reads), /etc/*-release, lsb_release -a if present, and the kernel version from uname. For a clearer understanding of the system, it is always good to look at all of these.
┌──(hackerboy㉿KumarAtulJaiswal)-[~]
└─$ cat /etc/issue
Kali GNU/Linux Rolling \n \l
┌──(hackerboy㉿KumarAtulJaiswal)-[~]
└─$
ps Command
The ps command is an effective way to see the running processes on a Linux system. Typing ps on its own shows only the processes attached to the current shell.
The output of ps (Process Status) shows the following columns:
- PID: The process ID (unique to the process)
- TTY: The controlling terminal of the process (a "?" means it has none, which is typical for daemons)
- TIME: Amount of CPU time used by the process (this is NOT the time the process has been running for)
- CMD: The command or executable running (without its command-line arguments)
The ps command provides a few useful options:
- ps -A: View all running processes
- ps axjf: View the process tree (parent/child relationships)
- ps aux: View all processes with their owning user, CPU and memory usage, and full command line (shown below). Look for processes running as root, for scripts launched by cron or a service, and for credentials passed on the command line.
┌──(hackerboy㉿KumarAtulJaiswal)-[~]
└─$ ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.2 167472 9832 ? Ss 11:06 0:02 /sbin/init splash
root 2 0.0 0.0 0 0 ? S 11:06 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? I< 11:06 0:00 [rcu_gp]
root 4 0.0 0.0 0 0 ? I< 11:06 0:00 [rcu_par_gp]
root 5 0.0 0.0 0 0 ? I< 11:06 0:00 [netns]
root 7 0.0 0.0 0 0 ? I< 11:06 0:00 [kworker/0:0H-events_highpri]
root 9 0.0 0.0 0 0 ? I< 11:06 0:02 [kworker/0:1H-events_highpri]
root 10 0.0 0.0 0 0 ? I< 11:06 0:00 [mm_percpu_wq]
root 11 0.0 0.0 0 0 ? I 11:06 0:00 [rcu_tasks_kthread]
root 12 0.0 0.0 0 0 ? I 11:06 0:00 [rcu_tasks_rude_kthread]
root 13 0.0 0.0 0 0 ? I 11:06 0:00 [rcu_tasks_trace_kthread]
root 14 0.0 0.0 0 0 ? S 11:06 0:01 [ksoftirqd/0]
root 15 0.1 0.0 0 0 ? I 11:06 0:22 [rcu_preempt]
root 16 0.0 0.0 0 0 ? S 11:06 0:00 [migration/0]
env
The env command prints the environment variables of the current shell.
┌──(hackerboy㉿KumarAtulJaiswal)-[~]
└─$ env
COLORFGBG=15;0
COLORTERM=truecolor
COMMAND_NOT_FOUND_INSTALL_PROMPT=1
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
DESKTOP_SESSION=lightdm-xsession
DISPLAY=:0.0
DOTNET_CLI_TELEMETRY_OPTOUT=1
GDMSESSION=lightdm-xsession
GDM_LANG=en_IN.utf8
GTK_MODULES=gail:atk-bridge
HOME=/home/hackerboy
LANG=en_IN
LANGUAGE=en_IN:en
LOGNAME=hackerboy
PANEL_GDK_CORE_DEVICE_EVENTS=0
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games
POWERSHELL_TELEMETRY_OPTOUT=1
POWERSHELL_UPDATECHECK=Off
PWD=/home/hackerboy
QT_ACCESSIBILITY=1
QT_AUTO_SCREEN_SCALE_FACTOR=0
QT_QPA_PLATFORMTHEME=qt5ct
SESSION_MANAGER=local/KumarAtulJaiswal:@/tmp/.ICE-unix/1092,unix/KumarAtulJaiswal:/tmp/.ICE-unix/1092
SHELL=/usr/bin/zsh
SSH_AGENT_PID=1147
SSH_AUTH_SOCK=/tmp/ssh-XXXXXXAg7KOV/agent.1092
TERM=xterm-256color
USER=hackerboy
WINDOWID=0
XAUTHORITY=/home/hackerboy/.Xauthority
XDG_CONFIG_DIRS=/etc/xdg
XDG_CURRENT_DESKTOP=XFCE
XDG_DATA_DIRS=/usr/share/xfce4:/usr/local/share/:/usr/share/:/usr/share
XDG_GREETER_DATA_DIR=/var/lib/lightdm/data/hackerboy
XDG_MENU_PREFIX=xfce-
XDG_RUNTIME_DIR=/run/user/1000
XDG_SEAT=seat0
XDG_SEAT_PATH=/org/freedesktop/DisplayManager/Seat0
XDG_SESSION_CLASS=user
XDG_SESSION_DESKTOP=lightdm-xsession
XDG_SESSION_ID=3
XDG_SESSION_PATH=/org/freedesktop/DisplayManager/Session0
XDG_SESSION_TYPE=x11
XDG_VTNR=7
_JAVA_OPTIONS=-Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
SHLVL=1
OLDPWD=/home/hackerboy
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.webp=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:
LESS_TERMCAP_mb=
LESS_TERMCAP_md=
LESS_TERMCAP_me=
LESS_TERMCAP_so=
LESS_TERMCAP_se=
LESS_TERMCAP_us=
LESS_TERMCAP_ue=
_=/usr/bin/env
┌──(hackerboy㉿KumarAtulJaiswal)-[~]
└─$
The PATH variable lists the directories searched for executables and may reveal a compiler or a scripting language (e.g. Python) that could be used to run code on the target system. It is also a privilege escalation vector in its own right: a directory in PATH that we can write to, an empty entry, or a "." (both mean "the current directory") lets us plant a binary that a privileged script or cron job will pick up instead of the real one. Other variables worth a look are LD_PRELOAD and LD_LIBRARY_PATH, and anything that looks like a credential or API token.
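The following script is an added example, not part of the original post, that turns the PATH check described above into something you can run: it reports empty or relative PATH entries, entries that do not exist, and directories that are world-writable. The directory tree and the PATH string it is run against are constructed for the example (a temp directory with one safe and one /tmp-like directory); pass the real $PATH to path_risks to check a target.

```shell
#!/bin/sh
# Added example (not from the original post): flag the PATH entries that an
# attacker could abuse. The directory tree and the PATH string are constructed
# for the example; nothing here reads the real $PATH unless you pass it in.

# path_risks PATHSTRING
# Prints one line per risky entry:
#   EMPTY-OR-DOT    empty entry or "." => the current directory is searched
#   RELATIVE        entry is not absolute => resolved relative to the cwd
#   WORLD-WRITABLE  anyone can drop a binary there (others-write bit set)
#   MISSING         entry does not exist; can be created if its parent is writable
# Safe entries print nothing.
path_risks() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r dir; do
        case "$dir" in
            ""|.)
                echo "EMPTY-OR-DOT:${dir:-<empty>}" ;;
            /*)
                if [ ! -d "$dir" ]; then
                    echo "MISSING:$dir"
                elif [ -n "$(find "$dir" -maxdepth 0 -type d -perm -o=w 2>/dev/null)" ]; then
                    # permission bits are checked with find rather than [ -w ]
                    # so the result is the same whether or not we are root
                    echo "WORLD-WRITABLE:$dir"
                fi ;;
            *)
                echo "RELATIVE:$dir" ;;
        esac
    done
}

# Builds a constructed tree with one safe and one world-writable directory
# and prints its root.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir "$root/safe" "$root/drop"
    chmod 755 "$root/safe"
    chmod 1777 "$root/drop"     # like /tmp: anyone can create files here
    printf '%s\n' "$root"
}

if [ "${RUN_DEMO:-0}" = 1 ]; then
    root=$(make_sample_tree)
    path_risks "$root/safe:$root/drop::$root/gone:bin"
    rm -rf "$root"
fi
```

Run it with RUN_DEMO=1 to see the four findings for the constructed PATH (the world-writable drop directory, the empty entry, the missing directory and the relative entry bin); the safe directory produces no output. On a real target, path_risks "$PATH" checks the current user's PATH, and the same function run against the PATH set in a root cron job or in /etc/sudoers' secure_path tells you whether a hijack is possible there.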
sudo -l
The target system may be configured to allow users to run some (or all) commands with root privileges. The sudo -l command lists the commands your user can run using sudo. It normally asks for the user's password (as below), so it only helps once you know it, unless the relevant sudoers entry is tagged NOPASSWD. In the output below, "(ALL : ALL) ALL" means hackerboy may run any command as any user or group, i.e. full root. When only specific binaries are allowed, check each one for a way to spawn a shell or read and write arbitrary files (editors, pagers, interpreters, find, tar and the like); GTFOBins catalogues such escapes.
┌──(hackerboy㉿KumarAtulJaiswal)-[~]
└─$ sudo -l
[sudo] password for hackerboy:
Matching Defaults entries for hackerboy on KumarAtulJaiswal:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User hackerboy may run the following commands on KumarAtulJaiswal:
(ALL : ALL) ALL
┌──(hackerboy㉿KumarAtulJaiswal)-[~]
└─$
ls
One of the most common commands used in Linux is probably ls. While looking for potential privilege escalation vectors, always use ls with the -la parameter: -a also lists hidden entries (names starting with a dot, such as .ssh/ or .bash_history) and -l shows owner and permissions. The example below shows how much plain ls hides: it lists the two files but gives no indication that both are world-writable (-rwxrwxrwx), and it would equally have skipped any dot-prefixed file in the directory.
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel]
└─$ ls
check.txt id_rsa.txt
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel]
└─$ ls -la
total 24
drwxr-xr-x 2 hackerboy hackerboy 4096 May 11 2022 .
drwxr-xr-x 138 hackerboy hackerboy 12288 Dec 27 14:35 ..
-rwxrwxrwx 1 hackerboy hackerboy 666 Oct 15 2020 check.txt
-rwxrwxrwx 1 hackerboy hackerboy 1674 Oct 15 2020 id_rsa.txt
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel]
└─$
Id
The id command will provide a general overview of the user's privilege level and group memberships. Pay attention to groups that grant elevated access: here the user is in sudo(27), and membership of groups such as docker, lxd, disk or adm is frequently a privilege escalation path in its own right. The same information can be obtained for another user by giving the username as an argument (id <username>).
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel]
└─$ id
uid=1000(hackerboy) gid=1000(hackerboy) groups=1000(hackerboy),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),109(netdev),119(bluetooth),121(wireshark),134(scanner),142(kaboxer)
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel]
└─$
/etc/passwd
Reading the /etc/passwd file can be an easy way to discover users on the
system.
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel]
└─$ cat /etc/passwd
root:x:0:1:root:/root:/usr/bin/zsh
daemon:x:1:0:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:0:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
While the output can be long and a bit intimidating, it can easily be cut and
converted to a useful list for brute-force attacks.
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel]
└─$ cat /etc/passwd | cut -d ":" -f 1
root
daemon
bin
sys
sync
games
man
lp
Remember that this returns all users, some of which are system or service accounts that are of little use for a password attack. Another approach is to grep for "home", as real users will most likely have their folders under the "home" directory. A more reliable filter is the last field, the login shell: accounts with /usr/sbin/nologin or /bin/false cannot log in interactively, while a service account with a real shell and a home directory outside /home (which grep home would miss) is exactly the kind of target worth a closer look.
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel]
└─$ cat /etc/passwd | grep home
hackerboy:x:1000:1000:hackerboy,,,:/home/hackerboy:/usr/bin/zsh
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel]
└─$
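As an added example (not from the original post), the script below filters a constructed /etc/passwd sample by login shell instead of by the word "home", and shows why the grep shortcut is not enough: it keeps guest, whose shell is /bin/false, and misses svc-deploy, a service account with a real shell and a home directory under /opt. The sample accounts are made up for the example; replace SAMPLE_PASSWD with "$(cat /etc/passwd)" on a target.

```shell
#!/bin/sh
# Added example (not from the original post): pick out the accounts that can
# actually log in, instead of grepping for "home". The passwd content below is
# constructed for the example and is not from a real target.

SAMPLE_PASSWD='root:x:0:0:root:/root:/usr/bin/zsh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
svc-deploy:x:998:998:deploy service:/opt/deploy:/bin/bash
hackerboy:x:1000:1000:hackerboy,,,:/home/hackerboy:/usr/bin/zsh
guest:x:1001:1001::/home/guest:/bin/false'

# Accounts whose login shell is a real shell: prints name:uid:home:shell.
# Shells that only lock the account out (nologin, false) or run one fixed
# command (sync, halt, shutdown) are excluded.
interactive_users() {
    printf '%s\n' "$1" | awk -F: '
        $7 !~ /\/(nologin|false|sync|halt|shutdown)$/ { print $1 ":" $3 ":" $6 ":" $7 }'
}

# The "grep home" shortcut from the text, for comparison: it keeps guest
# (shell /bin/false, cannot log in) and misses svc-deploy (home under /opt).
home_users() {
    printf '%s\n' "$1" | grep home | cut -d: -f1
}

# Username wordlist for password attacks, one name per line.
user_wordlist() {
    interactive_users "$1" | cut -d: -f1
}

if [ "${RUN_DEMO:-0}" = 1 ]; then
    echo "== interactive accounts =="; interactive_users "$SAMPLE_PASSWD"
    echo "== grep home =="; home_users "$SAMPLE_PASSWD"
fi
```

With RUN_DEMO=1 the first list contains root, svc-deploy and hackerboy, while the grep home list contains hackerboy and guest. The shell field is still only a hint: a locked account (a "!" or "*" in /etc/shadow) keeps its shell, and an account can be reachable over SSH keys without a usable password, so use the list to prioritise, not to exclude.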
history
Looking at earlier commands with the history command can give us some idea about the target system and, albeit rarely, reveal stored information such as passwords or usernames (for example credentials passed on the command line to mysql, ssh or curl). Note that history only shows the current shell's own history; also read the history files directly, such as ~/.bash_history, ~/.zsh_history, ~/.mysql_history or ~/.python_history, including those of other users whose home directories are readable.
ifconfig
The target system may be a pivoting point into another network. The ifconfig command (or ip addr on systems without net-tools) lists the network interfaces of the system. A target with several interfaces, say eth0 plus VPN interfaces tun0 and tun1, may expose only one of them to our attacking machine, with the others leading into networks we cannot reach directly. The routing table, printed with ip route, confirms which networks are reachable from the host and through which interface. The example below, from the Kali machine used throughout this post, shows a single interface, usb0, on 192.168.13.0/24 with a default gateway of 192.168.13.125.
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel]
└─$ ip route
default via 192.168.13.125 dev usb0 proto dhcp src 192.168.13.51 metric 100
192.168.13.0/24 dev usb0 proto kernel scope link src 192.168.13.51 metric 100
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel]
└─$
netstat
Following an initial check for existing interfaces and network routes, it is worth looking into existing communications. The netstat command can be used with several different options to gather information on existing connections. Note that netstat belongs to net-tools, which many modern distributions no longer install by default; ss (from iproute2) takes mostly the same flags, e.g. ss -tulpn for listening TCP and UDP sockets with their owning processes.
- netstat -a: shows all listening ports and established connections.
- netstat -at or netstat -au: the same, restricted to TCP or UDP respectively.
- netstat -l: lists ports in "listening" mode. These ports are open and ready to accept incoming connections. Combined with -t it lists only TCP listeners (below). Services bound to 127.0.0.1 are particularly interesting: they are invisible from outside and may only become reachable once you have a foothold on the host.
┌──(hackerboy㉿KumarAtulJaiswal)-[~]
└─$ netstat -lt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN
tcp6 0 0 [::]:ssh [::]:* LISTEN
┌──(hackerboy㉿KumarAtulJaiswal)-[~]
└─$
netstat -s: list network usage statistics by protocol (below) This can
also be used with the -t or -u options to limit the output to a specific
protocol.
┌──(hackerboy㉿KumarAtulJaiswal)-[~]
└─$ netstat -s
Ip:
Forwarding: 2
32791 total packets received
2 with invalid addresses
0 forwarded
0 incoming packets discarded
32782 incoming packets delivered
29047 requests sent out
Icmp:
0 ICMP messages received
0 input ICMP message failed
ICMP input histogram:
0 ICMP messages sent
0 ICMP messages failed
ICMP output histogram:
Tcp:
423 active connection openings
0 passive connection openings
2 failed connection attempts
2 connection resets received
10 connections established
21178 segments received
20463 segments sent out
94 segments retransmitted
4 bad segments received
674 resets sent
Udp:
11606 packets received
0 packets to unknown port received
0 packet receive errors
10177 packets sent
0 receive buffer errors
0 send buffer errors
UdpLite:
TcpExt:
184 TCP sockets finished time wait in fast timer
2 packetes rejected in established connections because of timestamp
213 delayed acks sent
Quick ack mode was activated 33 times
9166 packet headers predicted
1752 acknowledgments not containing data payload received
1803 predicted acknowledgments
TCPSackRecovery: 3
Detected reordering 14 times using SACK
1 congestion windows fully recovered without slow start
TCPDSACKUndo: 2
TCPLostRetransmit: 1
3 fast retransmits
TCPTimeouts: 11
TCPLossProbes: 82
TCPLossProbeRecovery: 10
TCPDSACKOldSent: 33
TCPDSACKOfoSent: 12
TCPDSACKRecv: 45
94 connections reset due to unexpected data
2 connections reset due to early user close
TCPDSACKIgnoredNoUndo: 24
TCPSackShiftFallback: 31
TCPRcvCoalesce: 4786
TCPOFOQueue: 5029
TCPOFOMerge: 12
TCPChallengeACK: 4
TCPSYNChallenge: 4
TCPAutoCorking: 38
TCPSynRetrans: 9
TCPOrigDataSent: 5683
TCPHystartDelayDetect: 1
TCPHystartDelayCwnd: 320
TCPACKSkippedPAWS: 1
TCPKeepAlive: 292
TCPDelivered: 5862
TCPAckCompressed: 1018
TCPDSACKRecvSegs: 45
IpExt:
InOctets: 34605350
OutOctets: 14722497
InNoECTPkts: 32749
InECT0Pkts: 42
MPTcpExt:
┌──(hackerboy㉿KumarAtulJaiswal)-[~]
└─$
netstat -tp: list connections with the service name and PID
information.
┌──(hackerboy㉿KumarAtulJaiswal)-[~]
└─$ netstat -tp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.168.63.167:34046 bom12s20-in-f9.1e:https ESTABLISHED 1803/firefox-esr
tcp 0 0 192.168.63.167:50054 server-18-161-111:https ESTABLISHED 1803/firefox-esr
tcp 0 0 192.168.63.167:55010 bom12s20-in-f9.1e:https ESTABLISHED 1803/firefox-esr
tcp 0 0 192.168.63.167:48406 233.90.160.34.bc.:https ESTABLISHED 1803/firefox-esr
tcp 0 0 192.168.63.167:38404 ec2-35-174-127-31:https ESTABLISHED 1803/firefox-esr
tcp 0 0 192.168.63.167:43460 104.22.54.228:https ESTABLISHED 1803/firefox-esr
tcp 0 0 192.168.63.167:32888 104.22.54.228:https ESTABLISHED 1803/firefox-esr
tcp 0 0 192.168.63.167:43446 104.22.54.228:https ESTABLISHED 1803/firefox-esr
tcp 0 0 192.168.63.167:44862 ec2-3-225-70-247.:https ESTABLISHED 1803/firefox-esr
tcp 0 0 192.168.63.167:38596 bom12s20-in-f9.1e:https ESTABLISHED 1803/firefox-esr
tcp 0 0 192.168.63.167:36350 ec2-100-20-114-17:https ESTABLISHED 1803/firefox-esr
tcp 0 0 192.168.63.167:57030 201.181.244.35.bc:https ESTABLISHED 1803/firefox-esr
tcp 0 0 192.168.63.167:50894 23.58.120.34.bc.g:https ESTABLISHED 1803/firefox-esr
tcp 0 0 192.168.63.167:58606 104.22.54.228:https ESTABLISHED 1803/firefox-esr
tcp 0 0 192.168.63.167:34198 ec2-35-174-127-31:https ESTABLISHED 1803/firefox-esr
┌──(hackerboy㉿KumarAtulJaiswal)-[~]
└─$
This can also be used with the -l option to list listening ports
(below)
┌──(hackerboy㉿KumarAtulJaiswal)-[~]
└─$ netstat -ltp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN -
tcp6 0 0 [::]:ssh [::]:* LISTEN -
┌──(hackerboy㉿KumarAtulJaiswal)-[~]
└─$
We can see the "PID/Program name" column shows "-" for the ssh listener: the process (sshd) belongs to another user (root), and netstat can only map a socket to a process whose file descriptors the current user is allowed to inspect, as the warning at the top of the output says. Running the same command with root privileges (sudo netstat -ltp) fills in the PID and program name for every socket.
netstat -i: shows interface statistics. In the output below usb0 is the only interface carrying traffic (RX-OK and TX-OK in the tens of thousands, and the R "running" flag set), whereas eth0 and wlan0 have seen no packets and are not running.
┌──(hackerboy㉿KumarAtulJaiswal)-[~]
└─$ netstat -i
Kernel Interface table
Iface MTU RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0 1500 0 0 0 0 0 0 0 0 BMU
lo 65536 4 0 0 0 4 0 0 0 LRU
usb0 1500 36151 0 0 0 38299 0 0 0 BMRU
wlan0 1500 0 0 0 0 0 0 0 0 BMU
┌──(hackerboy㉿KumarAtulJaiswal)-[~]
└─$
The netstat usage you will probably see most often in blog posts, write-ups,
and courses is netstat -ano which could be broken down as follows;
- -a: Display all sockets
- -n: Do not resolve names
- -o: Display timers
┌──(hackerboy㉿KumarAtulJaiswal)-[~]
└─$ netstat -ano
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State Timer
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 192.168.63.167:50054 18.161.111.125:443 TIME_WAIT timewait (4.61/0/0)
tcp 0 0 192.168.63.167:55010 142.251.42.41:443 ESTABLISHED off (0.00/0/0)
tcp 0 0 192.168.63.167:48406 34.160.90.233:443 TIME_WAIT timewait (5.55/0/0)
find Command
Searching the target system for important information and potential
privilege escalation vectors can be fruitful. The built-in “find” command is
useful and worth keeping in your arsenal.
Below are some useful
examples for the “find” command.
Find files:
- find . -name flag1.txt: find the file named "flag1.txt" in the current directory
- find /home -name flag1.txt: find the file named "flag1.txt" under the /home directory
- find / -type d -name config: find the directory named config under "/"
- find / -type f -perm 0777: find files with exactly 777 permissions (readable, writable and executable by all users)
- find / -perm -a=x: find files executable by everyone. -perm -MODE requires all the given bits to be set; a bare -perm a=x would require the mode to be exactly --x--x--x and match almost nothing. find / -executable instead matches whatever the current user can execute.
- find /home -user frank: find all files owned by user "frank" under "/home"
- find / -mtime -10: find files modified within the last 10 days (a bare -mtime 10 means exactly 10 days ago, and -mtime +10 means older than 10 days)
- find / -atime -10: find files accessed within the last 10 days
- find / -cmin -60: find files whose content or metadata (permissions, owner) changed within the last hour (60 minutes)
- find / -amin -60: find files accessed within the last hour (60 minutes)
- find / -size 50M: find files of about 50 MB (sizes are rounded up to whole units). This can also be used with (+) and (-) signs to specify files larger or smaller than the given size.
┌──(hackerboy㉿KumarAtulJaiswal)-[~]
└─$ find / -size +100M
/home/hackerboy/Videos/3.mp4
/home/hackerboy/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/libxul.so
/home/hackerboy/Documents/OSCP-machine/Hack_Me_Please.rar
/home/hackerboy/Documents/OSCP-machine/Ubuntu_CTF.ova
/home/hackerboy/Documents/sql/rockyou.txt
/home/hackerboy/Documents/iMaHackerBoY/new/osf.exe
/home/hackerboy/Documents/iMaHackerBoY/new/Hacking-All-books-PDF/Nmap Network Scanning_ The Official Nmap Project Guide to Network Discovery and Security Scanning ( PDFDrive.com ).pdf
find: ‘/proc/3159/ns’: Permission denied
find: ‘/proc/3166/task/3166/fd’: Permission denied
find: ‘/proc/3166/task/3166/fdinfo’: Permission denied
find: ‘/proc/3166/task/3166/ns’: Permission denied
find: ‘/proc/3166/fd’: Permission denied
find: ‘/proc/3166/map_files’: Permission denied
find: ‘/proc/3166/fdinfo’: Permission denied
find: ‘/proc/3166/ns’: Permission denied
find: ‘/proc/3221/task/3221/fd’: Permission denied
find: ‘/proc/3221/task/3221/fdinfo’: Permission denied
find: ‘/proc/3221/task/3221/ns’: Permission denied
find: ‘/proc/3221/fd’: Permission denied
find: ‘/proc/3221/map_files’: Permission denied
find: ‘/proc/3221/fdinfo’: Permission denied
find: ‘/proc/3221/ns’: Permission denied
find: ‘/proc/3222/task/3222/fd’: Permission denied
find: ‘/proc/3222/task/3222/fdinfo’: Permission denied
find: ‘/proc/3222/task/3222/ns’: Permission denied
find: ‘/proc/3222/fd’: Permission denied
find: ‘/proc/3222/map_files’: Permission denied
find: ‘/proc/3222/fdinfo’: Permission denied
find: ‘/proc/3222/ns’: Permission denied
find: ‘/proc/3316/task/3316/fd/5’: No such file or directory
find: ‘/proc/3316/task/3316/fdinfo/5’: No such file or directory
find: ‘/proc/3316/fd/6’: No such file or directory
find: ‘/proc/3316/fdinfo/6’: No such file or directory
find: ‘/.cache’: Permission denied
/usr/share/burpsuite/burpsuite.jar
The example above returns files larger than 100 MB. The "find" command tends to generate "Permission denied" errors when it walks directories the current user cannot read, which makes the output hard to read. Appending 2>/dev/null sends those errors to /dev/null, and -type f restricts the results to regular files, giving the cleaner output below.
┌──(hackerboy㉿KumarAtulJaiswal)-[~]
└─$ find / -size +100M -type f 2>/dev/null
/home/hackerboy/Videos/3.mp4
/home/hackerboy/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/libxul.so
/home/hackerboy/Documents/OSCP-machine/Hack_Me_Please.rar
/home/hackerboy/Documents/OSCP-machine/Ubuntu_CTF.ova
/home/hackerboy/Documents/sql/rockyou.txt
/home/hackerboy/Documents/iMaHackerBoY/new/osf.exe
/home/hackerboy/Documents/iMaHackerBoY/new/Hacking-All-books-PDF/Nmap Network Scanning_ The Official Nmap Project Guide to Network Discovery and Security Scanning ( PDFDrive.com ).pdf
/home/hackerboy/Documents/iMaHackerBoY/new/kali/Nmap Network Scanning_ The Official Nmap Project Guide to Network Discovery and Security Scanning ( PDFDrive.com ).pdf
/home/hackerboy/Documents/rockyou.txt
/home/hackerboy/Documents/import/rainbow table/winrtgen/md5_alpha-numeric#1-7_0_2400x40000000_oxid#000.rt
/home/hackerboy/Documents/import/cerified website for CEH/Nmap Network Scanning_ The Official Nmap Project Guide to Network Discovery and Security Scanning ( PDFDrive.com ).pdf
Folders and files that can be written to or executed from:
- find / -writable -type d 2>/dev/null: find folders writable by the current user (by any route: owner, group or others)
- find / -perm -222 -type d 2>/dev/null: find world-writable folders (write bit set for owner, group and others)
- find / -perm -o=w -type d 2>/dev/null: find world-writable folders (only the others-write bit is required)
The three commands can return different results because the -perm test works differently from -writable, as the find manual explains: -writable asks the kernel whether the calling user may write to the entry (so it also returns the user's own directories), -perm -MODE requires every bit in MODE to be set, and -perm /MODE requires any of them. For privilege escalation the others-write test is usually the one you want: a directory anyone can write to in the PATH of a root cron job, or a script run by root that anyone can edit, is the classic finding.
- find / -perm -o=x -type d 2>/dev/null: find world-executable (traversable) folders
Find development tools and supported languages (quote the pattern so the shell does not expand the glob before find sees it):
- find / -name "perl*"
- find / -name "python*"
- find / -name "gcc*"
Find specific file permissions:
Below is a short example used to find files that have the SUID bit set. The SUID bit makes the file run with the privileges of the account that owns it, rather than the account that runs it; a SUID binary owned by root therefore runs as root for whoever executes it. This is a rich privilege escalation path that deserves its own discussion; the example is given here to complete the subject of the "find" command.
- find / -perm -u=s -type f 2>/dev/null: find files with the SUID bit set, which run with the (usually higher) privilege level of their owner rather than that of the current user.
- find / -perm -g=s -type f 2>/dev/null: the same for the SGID bit (the file runs with the privileges of its owning group).
Compare the results against the standard set of SUID binaries shipped by the distribution (passwd, sudo, su, mount and so on); an unusual or custom SUID binary is the first thing to examine.
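The script below is an added example (not from the original post) that builds a small throwaway directory tree and runs the permission searches from this section against it. It uses octal modes so the three forms of -perm can be compared side by side: -perm 0777 (exact match), -perm -0111 (all listed bits set) and -perm /0111 (any listed bit set), next to the world-writable directory and SUID searches. The tree (a world-writable uploads directory, a SUID "helper", a 777 script, a 644 config file and a file with mode 0111) is constructed for the example; replace the root argument with / to run the same searches on a real system.

```shell
#!/bin/sh
# Added example (not from the original post): a constructed directory tree
# against which the -perm variants from the text can be run, so that the
# difference between -perm MODE (exact), -perm -MODE (all bits) and
# -perm /MODE (any bit) is visible without scanning the real filesystem.

# Builds the tree under a temp dir and prints its root.
make_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/www/uploads" "$root/opt/app"
    chmod 755 "$root/www" "$root/opt" "$root/opt/app"
    chmod 1777 "$root/www/uploads"                                 # world-writable dir
    : > "$root/opt/app/helper";  chmod 4755 "$root/opt/app/helper" # SUID, rwsr-xr-x
    : > "$root/opt/app/run.sh";  chmod 777  "$root/opt/app/run.sh" # rwxrwxrwx
    : > "$root/opt/app/config";  chmod 644  "$root/opt/app/config" # rw-r--r--
    : > "$root/opt/app/probe";   chmod 111  "$root/opt/app/probe"  # --x--x--x
    printf '%s\n' "$root"
}

# Each function takes the tree root and prints the matching paths, sorted.
world_writable_dirs() { find "$1" -type d -perm -o=w 2>/dev/null | sort; }
suid_files()          { find "$1" -type f -perm -u=s 2>/dev/null | sort; }
exact_777_files()     { find "$1" -type f -perm 0777 2>/dev/null | sort; }
# -perm 0111: permission bits must be exactly --x--x--x (this is also what a
# bare symbolic "-perm a=x" means, which is why it matches almost nothing)
exec_exact()          { find "$1" -type f -perm 0111 2>/dev/null | sort; }
# -perm -0111: all three execute bits set, whatever else is set
exec_by_all()         { find "$1" -type f -perm -0111 2>/dev/null | sort; }
# -perm /0111: at least one execute bit set
exec_by_anyone()      { find "$1" -type f -perm /0111 2>/dev/null | sort; }

if [ "${RUN_DEMO:-0}" = 1 ]; then
    root=$(make_tree)
    for f in world_writable_dirs suid_files exact_777_files exec_exact exec_by_all exec_by_anyone; do
        echo "== $f =="; "$f" "$root"
    done
    rm -rf "$root"
fi
```

Run with RUN_DEMO=1: only uploads is world-writable, only helper is SUID (its mode 4755 is not an exact match for 0777, so it does not appear in the exact 777 list), exec_exact returns only probe, and both exec_by_all and exec_by_anyone return helper, run.sh and probe but never config. The -perm /MODE form is GNU find; older BSD find spells it -perm +MODE.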
General Linux Commands
As we are in the Linux realm, familiarity with Linux commands, in
general, will be very useful. Please spend some time getting comfortable with
commands such as find, locate, grep, cut, sort, etc.
Disclaimer
All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. They do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly advise against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or incite any illegal activity or hacking.