yuyudhn's notes
  • About
  • 🚉QUICKSTART
    • Prerequisite
    • Reconnaissance
    • Exploitation
    • Post Exploitation
    • ⛈️Misc
  • 🪟Active Directory
    • Basic Command
    • Enumeration
      • PowerView
    • Service Exploitation
      • LDAP
      • SMB
        • MS17-010
      • MSSQL
    • Privilege Escalation
      • Unquoted Service Path
      • UAC Bypass
      • Token Abuse
    • Post Exploitation
      • Tunneling with Ligolo-ng
    • Credential Hunting
      • Group Policy Preferences
      • DPAPI
  • MITRE ATT&CK
    • Defense Evasion
      • Physical Attack: Remove EDR
      • AMSI Bypass
    • Credential Access
      • Dump SAM Hashes via Registry
  • 🐧Linux
    • Misc
    • Linux Post Exploitation
    • Linux Password Hunting
  • 🐚Backdoor Stuff
    • Simple PHP Webshell
    • MSFvenom Generate Payload
  • 📳Mobile Pentest: iOS
    • iOS Penetration Testing
    • Objection
  • 🕸️Web Application
    • Common Applications
      • Tomcat
      • Joomla
    • SSTI
    • File Inclusion
    • XSS
    • Misc
  • 🖊️Machine Writeup
    • HackTheBox
      • Perfection
      • Pilgrimage
      • PC
      • Shoppy
      • GoodGames
      • Photobomb
      • Support
Powered by GitBook
On this page
  • Common Tools
  • SUID
  • swap_digger
  • mimipenguin
  • Add User as Passwordless Sudo
  • Ping Sweep with Bash
  • Port Scan with Bash

Was this helpful?

  1. Linux

Linux Post Exploitation

Post Exploitation on Linux

Common Tools

  • GTFOBins - GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems.

  • LinPEAS - Linux local Privilege Escalation Awesome Script (linPEAS) is a script that search for possible paths to escalate privileges on Linux/Unix.

  • pspy - Monitor linux processes without root permissions

  • pamspy - Credentials Dumper for Linux

SUID

Although SUID binaries can be detected using LinPEAS, you can also run the following command to identify SUID files on the system.

find / -perm -u=s -type f 2>/dev/null

swap_digger

swap_digger is a bash script used to automate Linux swap analysis for post-exploitation or forensics purpose. It automates swap extraction and searches for Linux user credentials, Web form credentials, Web form emails, HTTP basic authentication, WiFi SSID and keys, etc.

git clone https://github.com/sevagas/swap_digger.git
cd swap_digger
chmod +x swap_digger.sh
sudo ./swap_digger.sh -vx

mimipenguin

A tool to dump the login password from the current linux user.

  • https://github.com/huntergregal/mimipenguin

Add User as Passwordless Sudo

echo 'asuka    ALL=(ALL) NOPASSWD:ALL' | tee -a /etc/sudoers

Ping Sweep with Bash

  • ping-sweep.sh

➜  bash git:(main) bash ping-sweep.sh 192.168.1.1-254
192.168.1.1
192.168.1.4
192.168.1.5
192.168.1.2
192.168.1.7
192.168.1.8
192.168.1.15
192.168.1.30
192.168.1.14
192.168.1.24
192.168.1.12
192.168.1.22

Port Scan with Bash

  • port-scan-nc.sh

Port scanning with netcat.

➜  bash git:(main) bash port-scan-nc.sh 192.168.1.1 1-5000
Scanning ports 1 to 5000 on 192.168.1.1...
[192.168.1.1] 21 (ftp) open
[192.168.1.1] 53 (domain) open
[192.168.1.1] 80 (http) open
[192.168.1.1] 443 (https) open

  • port-scan.sh

Simple TCP port scanning with bash.

➜  bash git:(main) bash port-scan.sh 192.168.1.1 1 5000
Scanning 192.168.1.1 (ports 1 to 5000)
PORT    STATE   SERVICE
21/tcp  open    ftp
53/tcp  open    domain
80/tcp  open    http
443/tcp open    https

Note: This page is incomplete and will be regularly updated. If you have any ideas or resources that need to be added, please contact me at yuyudhn@gmail.com.

PreviousMiscNextLinux Password Hunting

Last updated 7 months ago

Was this helpful?

🐧