# Know your Enemy

hostname 

uname -a 

cat /proc/version

cat /etc/issue

lscpu 

for arch cpu core threads 

what kernel what arch forexploitation 

User Enum 

whoami

id

sudo -l

history 

cat /etc/passwd | grep sh

cat /etc/shadow

cat /etc/group

sudo su -

Network Info

ifconfig 

ip a

route 

ip route

arp -a

ip neigh

netstat -ona

look for loopback ports and existing open connections

netstat -antup

Look for password key word in files through out the system 

grep --color=auto -rnw '/' -ie "PASSWORD" --color=always 2>/dev/null

File Perms and Stored Passwords 

look for excessive perms ; can we modify something access something read something write somethings replace something 

ls -la  /etc/passwd /etc/shadow

normally read perms to passwd files are there and no access to shadow file 

both have potential to escalate  privs 

if passwd file editable then remove the password  holder :x: and su into root without password 

if shadow is readable ; crack the hashed password 

if writeable add new custom user there with custom hashed password 

history 

cat \~/.bash\_history | grep pass

cat \~/.bash\_history 

find . type f -exec grep -i I "PASSWORD" {} /dev/null \\;

grep 

copy password findings commands  from payload all the things to here