Linux Post Exploitation

Common Tools

• GTFOBins - GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems.

• LinPEAS - Linux local Privilege Escalation Awesome Script (linPEAS) is a script that search for possible paths to escalate privileges on Linux/Unix.

• pspy - Monitor linux processes without root permissions

• pamspy - Credentials Dumper for Linux

SUID

Although SUID binaries can be detected using LinPEAS, you can also run the following command to identify SUID files on the system.

find / -perm -u=s -type f 2>/dev/null

swap_digger

swap_digger is a bash script used to automate Linux swap analysis for post-exploitation or forensics purpose. It automates swap extraction and searches for Linux user credentials, Web form credentials, Web form emails, HTTP basic authentication, WiFi SSID and keys, etc.

git clone https://github.com/sevagas/swap_digger.git
cd swap_digger
chmod +x swap_digger.sh
sudo ./swap_digger.sh -vx

mimipenguin

A tool to dump the login password from the current linux user.

• https://github.com/huntergregal/mimipenguin

Add User as Passwordless Sudo

echo 'asuka    ALL=(ALL) NOPASSWD:ALL' | tee -a /etc/sudoers

Ping Sweep with Bash

• ping-sweep.sh

➜  bash git:(main) bash ping-sweep.sh 192.168.1.1-254
192.168.1.1
192.168.1.4
192.168.1.5
192.168.1.2
192.168.1.7
192.168.1.8
192.168.1.15
192.168.1.30
192.168.1.14
192.168.1.24
192.168.1.12
192.168.1.22

Port Scan with Bash

• port-scan-nc.sh

Port scanning with netcat.

➜  bash git:(main) bash port-scan-nc.sh 192.168.1.1 1-5000
Scanning ports 1 to 5000 on 192.168.1.1...
[192.168.1.1] 21 (ftp) open
[192.168.1.1] 53 (domain) open
[192.168.1.1] 80 (http) open
[192.168.1.1] 443 (https) open

• port-scan.sh

Simple TCP port scanning with bash.

➜  bash git:(main) bash port-scan.sh 192.168.1.1 1 5000
Scanning 192.168.1.1 (ports 1 to 5000)
PORT    STATE   SERVICE
21/tcp  open    ftp
53/tcp  open    domain
80/tcp  open    http
443/tcp open    https