Linux Post Exploitation

Post Exploitation on Linux

Common Tools

  • GTFOBins - GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems.

  • LinPEAS - Linux local Privilege Escalation Awesome Script (linPEAS) is a script that searches for possible paths to escalate privileges on Linux/Unix.

  • pspy - Monitor Linux processes without root permissions

  • pamspy - Credentials dumper for Linux

SUID

Although SUID binaries can be detected using LinPEAS, you can also run the following command to identify SUID files on the system.

# -perm -u=s matches files with the setuid bit set; errors from unreadable directories are discarded
find / -perm -u=s -type f 2>/dev/null

swap_digger

swap_digger is a bash script used to automate Linux swap analysis for post-exploitation or forensics purposes. It automates swap extraction and searches for Linux user credentials, web form credentials, web form emails, HTTP basic authentication, WiFi SSIDs and keys, etc.

git clone https://github.com/sevagas/swap_digger.git
cd swap_digger
chmod +x swap_digger.sh
sudo ./swap_digger.sh -vx

mimipenguin

A tool to dump the login password of the current Linux user from memory.

Add User as Passwordless Sudo

echo 'asuka    ALL=(ALL) NOPASSWD:ALL' | tee -a /etc/sudoers

This requires root to write to /etc/sudoers. A syntax error in that file breaks sudo for every user, which is why visudo is normally used and why a direct append like this stands out in a sudoers review.
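A defender's counterpart to the entry above, added here as an example and not part of the original page: a small Python audit that parses sudoers text (backslash line continuations and the NOPASSWD:/PASSWD: tag rules included) and reports every passwordless rule, flagging NOPASSWD:ALL as full root. The sudoers content is a constructed sample, and the parser covers plain user specifications only, not alias expansion or #include files.

```python
import re

# Constructed sample sudoers content for this demo (not taken from a real host).
SAMPLE_SUDOERS = """\
Defaults        env_reset
%sudo   ALL=(ALL:ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
asuka    ALL=(ALL) NOPASSWD:ALL
backup  ALL=(ALL) NOPASSWD: /usr/bin/rsync, \\
        PASSWD: ALL
"""

DIRECTIVES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")
SPEC_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.*)$")
TAG_RE = re.compile(r"^(NO)?(PASSWD|EXEC|SETENV|MAIL|FOLLOW|LOG_INPUT|LOG_OUTPUT):\s*")

def logical_lines(text):
    """Join backslash-continued lines; drop blank lines and '#' comments/directives."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        buf = line[:-1] + " " if line.endswith("\\") else ""
        if not buf and line and not line.startswith("#"):
            out.append(line)
    return out

def parse_commands(cmds):
    """Split a command list into (nopasswd, command) pairs; a NOPASSWD:/PASSWD: tag sticks until the opposite one appears."""
    entries, nopasswd = [], False
    for chunk in cmds.split(","):
        chunk = chunk.strip()
        while (tag := TAG_RE.match(chunk)):
            if tag.group(2) == "PASSWD":
                nopasswd = tag.group(1) == "NO"
            chunk = chunk[tag.end():]
        entries.append((nopasswd, chunk))
    return entries

def find_nopasswd(text):
    """Return (who, runas, command, severity) for every NOPASSWD command spec."""
    findings = []
    for line in logical_lines(text):
        m = SPEC_RE.match(line)
        if line.startswith(DIRECTIVES) or not m:
            continue
        for nopasswd, cmd in parse_commands(m.group("cmds")):
            if nopasswd:  # ALL without a password is full root; anything else still needs review
                sev = "HIGH" if cmd == "ALL" else "MEDIUM"
                findings.append((m.group("who"), m.group("runas"), cmd, sev))
    return findings
```

On a real host, feed it the contents of /etc/sudoers and each file under /etc/sudoers.d (readable only as root) and review every HIGH finding against the expected administrator set.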

Ping Sweep with Bash

sweep.sh

#!/bin/bash

# Send one ICMP echo request and report the host if it answers
is_alive_ping()
{
  ping -c 1 "$1" > /dev/null 2>&1 && echo "$1 is up."
}

# Fan out one background ping per address and detach it from the shell
for i in 192.168.1.{1..255}
do
  is_alive_ping "$i" & disown
done

Port Scan with Bash

port_scan_with_nc.sh

#!/bin/bash
# Parallel TCP connect scan with netcat. The grep below expects the verbose
# output format of traditional netcat ("host [ip] port (service) open").

if [ "$#" -ne 2 ]; then
    echo "Usage: $0 <target_host> <start_port>-<end_port>"
    exit 1
fi

target_host=$1
port_range=$2
process_limit=200  # Set the maximum number of parallel processes

# Split start and end port
IFS='-' read -ra ports <<< "$port_range"
start_port="${ports[0]}"
end_port="${ports[1]}"

echo "Scanning ports $start_port to $end_port on $target_host..."

# Function to perform port scan for a single port
perform_scan() {
    local port=$1
    local result
    result=$(nc -zv -w 1 "$target_host" "$port" 2>&1)
    if [[ $result == *open* ]]; then
        echo "$result" | grep -Eo "\[[^]]+\] [0-9]+ \(.+\) open"
    fi
}

# Loop through the port range and start background scans
for ((port = start_port; port <= end_port; port++)); do
    perform_scan "$port" &

    # Limit the number of parallel processes (wait -n needs bash 4.3 or newer)
    while [[ "$(jobs | wc -l)" -ge "$process_limit" ]]; do
        wait -n
    done
done

# Wait for remaining background processes to finish
wait

port_scan.sh

#!/bin/bash
# Pure-bash TCP connect scan using /dev/tcp (no nc or nmap required)

if [ -z "$1" ]
then
    echo
    echo "This script scans TCP opened ports on IP or hostname"
    echo "Usage : $0 <ip-or-hostname> [start-port] [end-port]"
    echo "start-port equals 1 by default"
    echo "end-port equals 1024 by default"
    echo
    exit 1
fi

TARGET_NAME_OR_IP=$1
START_PORT=${2:-1}
END_PORT=${3:-1024}
PORT_PROTOCOL="tcp"
echo "Scanning $TARGET_NAME_OR_IP (ports $START_PORT to $END_PORT)"

scan_port(){
    PORT_NUMBER=$1
    # A refused or timed-out connect makes bash print "connect: ..." on stderr;
    # no such message means the port accepted the connection
    PORT_SCAN_RESULT=$(2>&1 echo "" > "/dev/$PORT_PROTOCOL/$TARGET_NAME_OR_IP/$PORT_NUMBER" | grep connect)
    if [ -z "$PORT_SCAN_RESULT" ]; then
        # Look up the conventional service name for this port/protocol in /etc/services
        SERVICE=$(grep -w "$PORT_NUMBER/$PORT_PROTOCOL" /etc/services | head -n1 | awk '{print $1}')
        printf '%s/%s\topen\t%s\n' "$PORT_NUMBER" "$PORT_PROTOCOL" "$SERVICE"
    fi
}

printf 'PORT\tSTATE\tSERVICE\n'

for PORT_NUMBER in $(seq "$START_PORT" "$END_PORT")
do
    scan_port "$PORT_NUMBER"
done

Note: This page is incomplete and will be regularly updated. If you have any ideas or resources that need to be added, please contact me at yuyudhn@gmail.com.
