Know your Enemy
hostname
uname -a
cat /proc/version
cat /etc/issue
lscpu
shows architecture, CPU model, cores and threads
note the kernel version and arch for exploitation
User Enum
whoami
id
sudo -l
history
grep sh /etc/passwd
cat /etc/shadow
cat /etc/group
sudo su -
Network Info
ifconfig
ip a
route
ip route
arp -a
ip neigh
netstat -ona
look for loopback ports and existing open connections
netstat -antup
Look for the password keyword in files throughout the system
grep -rnwi --color=always "PASSWORD" / 2>/dev/null
File Perms and Stored Passwords
look for excessive perms: can we read, write, modify or replace something we should not be able to?
ls -la /etc/passwd /etc/shadow
normally /etc/passwd is world-readable and /etc/shadow is not readable by ordinary users
both have potential to escalate privs:
if /etc/passwd is writable, remove the password placeholder (x) from the root entry and su to root without a password
if /etc/shadow is readable, crack the hashed passwords
if /etc/shadow is writable, add a new custom user with a custom hashed password
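As an added defender-side check that is not part of these notes, a small POSIX shell helper that flags the /etc/passwd and /etc/shadow conditions above (mode bits, empty password fields, extra UID-0 accounts). It runs on a constructed sample file; the account names in the demo are assumptions, not real accounts.

```shell
#!/bin/sh
# Added audit helper, not from the original notes. Flags the passwd/shadow
# conditions listed above from the defender's side. Works on any
# passwd-format file, so it is demonstrated on a constructed sample.

# Symbolic mode string of a file, e.g. "-rw-r-----" (first 10 columns of ls -ld).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Classify the mode of a file that should be root-owned and root-writable only.
# Prints world-writable, group-writable, world-readable or ok. world-readable
# is normal for /etc/passwd but a finding for /etc/shadow.
perm_risk() {
    [ -e "$1" ] || return 1
    m=$(mode_of "$1")
    case "$m" in
        ????????w?) echo world-writable ;;
        ?????w????) echo group-writable ;;
        ???????r??) echo world-readable ;;
        *)          echo ok ;;
    esac
}

# Accounts that log in with no password (empty second field) or that share
# UID 0 with root. Either one is an immediate finding.
passwd_findings() {
    awk -F: '
        $2 == ""                { print $1 ": empty password field" }
        $3 == 0 && $1 != "root" { print $1 ": extra UID 0 account" }
    ' "$1"
}

# Demo on a constructed sample (assumed names, not real accounts).
demo_dir=$(mktemp -d)
sample="$demo_dir/passwd"
printf '%s\n' \
    'root:x:0:0:root:/root:/bin/bash' \
    'bob::1001:1001::/home/bob:/bin/sh' \
    'eve:x:0:0::/home/eve:/bin/sh' > "$sample"
chmod 666 "$sample"
echo "mode: $(perm_risk "$sample")"      # world-writable
passwd_findings "$sample"                # bob and eve are reported
rm -rf "$demo_dir"
```

Run the same two functions against the real /etc/passwd and /etc/shadow on a host you administer to confirm the expected baseline (world-readable for passwd, ok for shadow, no findings).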
history
grep pass ~/.bash_history
cat ~/.bash_history
find . -type f -exec grep -iI "PASSWORD" {} /dev/null \;
grep
TODO: copy the password-finding commands from PayloadsAllTheThings here