Linux Services & Internal Enum

Internals

Network Interfaces

  • ifconfig OR ip a

Hosts

  • /etc/hosts

User's last login

  • lastlog

Logged in Users

  • w OR finger

Command History

  • history OR ~/.bash_history

Finding History Files

  • find / -type f \( -name "*_hist" -o -name "*_history" \) -exec ls -l {} \; 2>/dev/null

Checking cron jobs

  • ls -la /etc/cron.daily/

Proc filesystem

  • proc/procfs
    • filesystem in Linux that contains info about system processes, hardware, and other system information.
    • primary way to access process info; it can also be used to view and modify kernel settings.
    • virtual: it does not exist as a real filesystem but is generated dynamically by the kernel.
    • used to look up system information such as the state of running processes, kernel parameters, system memory, and devices. It also sets certain system parameters, such as process priority, scheduling, and memory allocation.
  • find /proc -name cmdline -exec cat {} \; 2>/dev/null | tr "\0" "\n"

Services

Installed packages

  • older Linux versions are likely to have vulnerable packages.
  • newer versions might still have old packages installed, which can be vulnerable.
  • list of installed packages and their versions:
  • apt list --installed | tr "/" " " | cut -d" " -f1,3 | sed 's/[0-9]://g' | tee -a installed_pkgs.list

sudo version

  • sudo -V

Binaries

  • sometimes software is not installed as a package and exists only as a binary that the system executes directly.
  • ls -l /bin /usr/bin/ /usr/sbin/

GTFOBins - https://gtfobins.github.io/

  • compare existing system binaries with GTFOBins to see which can be exploited
  • for i in $(curl -s https://gtfobins.github.io/ | html2text | cut -d" " -f1 | sed '/^[[:space:]]*$/d');do if grep -q "$i" installed_pkgs.list;then echo "Check GTFO for: $i";fi;done

Trace system calls

  • strace ping -c1 10.129.112.20

Configuration Files

  • find / -type f \( -name "*.conf" -o -name "*.config" \) -exec ls -l {} \; 2>/dev/null
    • users can read almost all config files if the admin hasn't changed the settings.
    • understand how a service is set up so we can use it for our purposes.
    • sensitive information might be present
    • if the file has read permissions for everyone, we can still read the file even if we do not have permission to read the folder.

Scripts

  • find / -type f -name "*.sh" 2>/dev/null | grep -v "src\|snap\|share"
    • admins can neglect internal security.
    • scripts are like config files and can have wrong privileges.
    • discover internal and individual processes
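
Added example (not part of the original notes): the same two find patterns from Configuration Files and Scripts, turned into a permissions audit an admin can run to see which files need tightening. The function name audit_tree, the finding labels and the credential-key pattern are assumptions made for this example.

```shell
#!/bin/sh
# Added example: hardening audit for the config-file and script checks above.
# audit_tree, the labels and SECRET_RE are hypothetical, not from the notes.

# Keys that usually precede a credential in a config file (assumed pattern).
SECRET_RE='(password|passwd|secret|token|api_key)[[:space:]]*[=:]'

# audit_tree ROOT
# Prints one finding per line:
#   WRITABLE-SCRIPT <path>  script with the "other" write bit set
#   READABLE-SECRET <path>  config readable by everyone that holds a credential key
audit_tree() {
    root=${1:-/}

    # Scripts any local account can modify: whoever runs them later
    # (cron, root, a service) executes content they did not write.
    find "$root" -xdev -type f -name '*.sh' -perm -0002 2>/dev/null |
    while IFS= read -r f; do
        printf 'WRITABLE-SCRIPT %s\n' "$f"
    done

    # Config files with the "other" read bit set that contain a credential key.
    # Files that are world-readable but hold no such key are not reported.
    find "$root" -xdev -type f \( -name '*.conf' -o -name '*.config' \) \
        -perm -0004 2>/dev/null |
    while IFS= read -r f; do
        if grep -Eiq "$SECRET_RE" "$f" 2>/dev/null; then
            printf 'READABLE-SECRET %s\n' "$f"
        fi
    done
}

# Stand-alone use: sh audit.sh /etc
if [ "$#" -gt 0 ]; then
    audit_tree "$1"
fi
```

Typical fixes for the findings are chmod o-w on the script and chmod 640 (with a suitable group) on the config file.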

Running services by User

  • ps aux | grep root
    • look at the process list, info about scripts or binaries
    • e.g.: a script created by the admin in his path whose rights haven't been restricted. We can run it without going into the root dir.