Internals

Network Interfaces

ip a

Hosts

cat /etc/hosts

User’s Last Login

lastlog

Let’s see if anyone else is currently on the system with us. There are a few ways to do this, such as the who command; the finger command will also display this information on some Linux systems. We can see that the cliff.moore user is logged in to the system with us.

Logged In Users

w

Command History

find / -type f \( -name "*_hist" -o -name "*_history" \) -exec ls -l {} \; 2>/dev/null

Cron

ls -la /etc/cron.daily/

The proc filesystem (proc / procfs, mounted at /proc) is a special virtual filesystem in Linux that exposes information about system processes, hardware, and other system state. It is the primary way to access process information and can be used to view and modify kernel settings.
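The page's one-liner below dumps every /proc/<pid>/cmdline but loses which PID and user each command belongs to. The following added example (not code from the original page) walks a procfs tree and prints one "pid uid argv" line per process; it handles the NUL-separated argv format and empty cmdlines of kernel threads. The root-directory parameter is an assumption so the function can be run against a constructed or copied tree as well as the live /proc.

```shell
#!/bin/sh
# Added example, not from the original page. /proc/<pid>/cmdline stores argv
# NUL-separated, so a plain `cat` runs arguments together; /proc/<pid>/status
# carries the owning uid on its "Uid:" line.
# $1 (assumed parameter): procfs root, defaults to /proc.
list_proc_cmdlines() {
    root="${1:-/proc}"
    for dir in "$root"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid="${dir##*/}"
        # Uid line format: "Uid:\treal\teffective\tsaved\tfs"; take the real uid
        uid=$(awk '/^Uid:/ {print $2}' "$dir/status" 2>/dev/null)
        [ -n "$uid" ] || uid="?"
        # Turn NUL separators into spaces; kernel threads have an empty cmdline
        args=$(tr '\0' ' ' < "$dir/cmdline" 2>/dev/null)
        [ -n "$args" ] || args="[kernel thread]"
        printf '%s %s %s\n' "$pid" "$uid" "$args"
    done
}

# Restrict the listing to one uid (0 = root): the check that the page's
# "ps aux | grep root" approximates, without the substring false positives.
# $1: uid to keep, $2 (assumed parameter): procfs root, defaults to /proc.
list_proc_cmdlines_by_uid() {
    list_proc_cmdlines "${2:-/proc}" | awk -v want="$1" '$2 == want'
}

# Usage on a live host: list_proc_cmdlines_by_uid 0
```

Reading /proc/<pid>/status needs no privileges, but /proc/<pid>/cmdline of other users' processes is readable only when /proc is not mounted with hidepid, which is itself a hardening setting worth checking.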

Proc

find /proc -name cmdline -exec cat {} \; 2>/dev/null | tr " " "\n"

Services

Before checking the services and packages on the host for known weaknesses, we first need to create a list of installed packages to work with.

Installed Packages

apt list --installed | tr "/" " " | cut -d" " -f1,3 | sed 's/[0-9]://g' | tee -a installed_pkgs.list

Sudo Version

sudo -V

Binaries

ls -l /bin /usr/bin/ /usr/sbin/

With the next one-liner, we can compare the existing binaries with the ones from GTFOBins to see which binaries we should investigate later.

for i in $(curl -s https://gtfobins.github.io/ | html2text | cut -d" " -f1 | sed '/^[[:space:]]*$/d');do if grep -q "$i" installed_pkgs.list;then echo "Check GTFO for: $i";fi;done
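Two of the page's pipelines share one detail worth getting right: the installed-package list produced under "Installed Packages" is what the GTFOBins loop above greps, and `grep -q "$i"` is a substring match, so a short name such as "ed" flags every package containing those letters. The added example below (not code from the original page or from GTFOBins) covers both steps offline: it parses `apt list --installed` output into "name version" lines with the epoch prefix removed, then compares package names against a candidate list by exact line match. The candidate list and the apt output in the test are constructed samples, not a real GTFOBins export.

```shell
#!/bin/sh
# Added example, not from the original page.
# parse_apt_list: read `apt list --installed` output on stdin and emit
# "name version" lines, dropping apt's "Listing..." banner, blank lines,
# and the Debian epoch prefix ("2:8.2.3995-1" -> "8.2.3995-1").
# Input line shape: name/suite,now 2:8.2.3995-1 amd64 [installed]
parse_apt_list() {
    sed -e '/^Listing/d' -e '/^[[:space:]]*$/d' \
      | tr "/" " " | cut -d" " -f1,3 \
      | sed 's/^\([^ ]*\) [0-9]*:/\1 /'
}

# match_binaries: print installed package names that appear in a candidate
# file (one name per line), using whole-line matches (-x) so "ed" does not
# match "edit-tool". Output is sorted and de-duplicated.
# $1: installed list ("name version" per line), $2: candidate-name file.
match_binaries() {
    cut -d" " -f1 "$1" | sort -u | grep -Fxf "$2" | sort -u
}

# Usage on a live host (candidates.txt assumed to exist):
#   apt list --installed 2>/dev/null | parse_apt_list > installed_pkgs.list
#   match_binaries installed_pkgs.list candidates.txt
```

Exact matching can also miss real hits when the package name differs from the binary name (the page's apt list records packages, not executables), so a match here is a prompt to look at what the package installs, not a verdict either way.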

We can use the diagnostic tool strace on Linux-based operating systems to track and analyze system calls and signal processing. It allows us to follow the flow of a program and understand how it accesses system resources, processes signals, and receives and sends data from the operating system. In addition, we can also use the tool to monitor security-related activities and identify potential attack vectors, such as specific requests to remote hosts using passwords or tokens.

Configuration Files

find / -type f \( -name "*.conf" -o -name "*.config" \) -exec ls -l {} \; 2>/dev/null

Scripts

find / -type f -name "*.sh" 2>/dev/null | grep -v "src\|snap\|share"

Running Services by User

ps aux | grep root