add linux-post checklist

linux-post.txt

@@ -0,0 +1,273 @@
+Matt's Pentesting Linux Post-exploitation checklist
+# Most of this credit to:
+# -> https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
+# -> https://book.hacktricks.xyz/linux-hardening/privilege-escalation#generic-enumeration-1
+
+----------------------------------------------------------------
+ Basic enumeration
+----------------------------------------------------------------
+User and host:
+  id || whoami
+  pwd
+  hostname
+
+Environment:
+  (env || set) 2>/dev/null
+
+Path:
+  echo $PATH
+
+
+----------------------------------------------------------------
+  Privileges
+----------------------------------------------------------------
+User groups and privileges:
+See: https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe)
+
+  groups      # is user member of any interesting groups?
+  sudo -l     # can they sudo?
+
+
+----------------------------------------------------------------
+  Users and groups
+----------------------------------------------------------------
+
+List all users
+  cat /etc/passwd | cut -d: -f1
+
+List all superusers:
+  awk -F: '($3 == "0") {print}' /etc/passwd
+
+Recent logins:
+  last | tail
+
+
+----------------------------------------------------------------
+ Distro & version
+----------------------------------------------------------------
+
+  cat /etc/issue
+  cat /etc/*-release
+
+----------------------------------------------------------------
+  Kernel version
+----------------------------------------------------------------
+  cat /proc/version
+  uname -a
+  uname -mrs
+  rpm -q kernel
+
+----------------------------------------------------------------
+  Running processes
+----------------------------------------------------------------
+(User privileges):
+  ps aux
+  ps -ef
+  top
+  cat /etc/services
+
+(Root privilege):
+  ps aux | grep root
+  ps -ef | grep root
+
+
+----------------------------------------------------------------
+  Network and listening services
+----------------------------------------------------------------
+
+Network configuration: 
+
+  ifconfig -a
+  cat /etc/network/interfaces
+  cat /etc/sysconfig/network
+
+Open connections:
+
+  lsof -i :80
+  netstat -antup
+  netstat -tulpn
+
+Unix sockets:
+  netstat -a -p --unix
+
+Cached IP and MAC addresses:
+  arp -e
+  route
+  /sbin/route -nee
+
+
+
+----------------------------------------------------------------
+  Interesting files and directories
+----------------------------------------------------------------
+Look non-root files in /etc
+  /etc 
+
+World-writeable dirs?
+  /tmp
+  /var/tmp
+  /dev/shm
+
+  /var/log
+  /var/mail
+  /var/spool
+  /var/lib/mysql
+
+Find SQLite files:
+  find / -name '*.db' -o -name '*.sqlite' -o -name '*.sqlite3' 2>/dev/null
+
+
+----------------------------------------------------------------
+ Extended capabilities
+----------------------------------------------------------------
+see: https://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-capabilities
+
+
+Binaries capabilities:
+  getcap -r / 2>/dev/null       # check for any binaries with capabilities
+
+User capabilities:
+  cat /etc/security/capability.conf
+
+----------------------------------------------------------------
+  Mounts
+----------------------------------------------------------------
+  cat /etc/fstab
+  mount
+
+----------------------------------------------------------------
+  Sensitive files
+----------------------------------------------------------------
+
+Sensitive files:
+  cat /etc/passwd
+  cat /etc/group
+  cat /etc/shadow
+  ls -alh /var/mail/
+  ls -alh /etc/profile /etc/profile.d/
+
+Check home dirs:
+  ls -ahlR /root/
+  ls -ahlR /home/
+
+History files:
+  cat ~/.bash_history
+  cat ~/.nano_history
+  cat ~/.atftp_history
+  cat ~/.mysql_history
+  cat ~/.php_history
+
+Sudoers files: (check if writable)
+  ls -l /etc/sudoers /etc/sudoers.d/
+  ls -ld /etc/sudoers.d/
+
+SSH keys:
+
+  cat ~/.ssh/authorized_keys
+  cat ~/.ssh/identity.pub
+  cat ~/.ssh/identity
+  cat ~/.ssh/id_rsa.pub
+  cat ~/.ssh/id_rsa
+  cat ~/.ssh/id_dsa.pub
+  cat ~/.ssh/id_dsa
+  cat /etc/ssh/ssh_config
+  cat /etc/ssh/sshd_config
+  cat /etc/ssh/ssh_host_dsa_key.pub
+  cat /etc/ssh/ssh_host_dsa_key
+  cat /etc/ssh/ssh_host_rsa_key.pub
+  cat /etc/ssh/ssh_host_rsa_key
+  cat /etc/ssh/ssh_host_key.pub
+  cat /etc/ssh/ssh_host_key
+
+
+
+----------------------------------------------------------------
+ Webserver directories
+----------------------------------------------------------------
+Look for hidden files, database configs
+
+  ls -alhR /var/www/
+  ls -alhR /srv/www/htdocs/
+  ls -alhR /usr/local/www/apache22/data/
+  ls -alhR /opt/lampp/htdocs/
+  ls -alhR /var/www/html/
+
+
+----------------------------------------------------------------
+  Logfiles
+----------------------------------------------------------------
+  cat /var/log/auth.log
+  cat /var/log/chttp.log
+  cat /var/log/cups/error_log
+  cat /var/log/dpkg.log
+  cat /var/log/faillog
+  cat /var/log/httpd/access_log
+  cat /var/log/httpd/access.log
+  cat /var/log/messages
+  cat /var/log/secure
+  cat /var/log/syslog
+  cat /var/log/apache2/access_log
+  cat /var/log/apache2/access.log
+  cat /var/log/apache2/error_log
+  cat /var/log/apache2/error.log
+  cat /var/log/apache/access_log
+
+----------------------------------------------------------------
+ Installed applications
+----------------------------------------------------------------
+
+Useful software
+  which nmap aws nc ncat netcat nc.traditional wget curl ping gcc g++ make gdb base64 socat python python2 python3 python2.7 python2.6 python3.6 python3.7 perl php ruby xterm doas sudo fetch docker lxc ctr runc rkt kubectl 2>/dev/null
+
+Get application versions. Check if any are running.
+
+  ls -alh /usr/bin/
+  ls -alh /sbin/
+  dpkg -l
+  rpm -qa
+  ls -alh /var/cache/apt/archivesO
+  ls -alh /var/cache/yum/
+
+Installed languages
+
+  find / -name perl*
+  find / -name python*
+  find / -name gcc*
+  find / -name cc
+
+----------------------------------------------------------------
+ Services
+----------------------------------------------------------------
+
+Service configurations:
+
+  cat /etc/syslog.conf
+  cat /etc/chttp.conf
+  cat /etc/lighttpd.conf
+  cat /etc/cups/cupsd.conf
+  cat /etc/inetd.conf
+  cat /etc/apache2/apache2.conf
+  cat /etc/my.conf
+  cat /etc/httpd/conf/httpd.conf
+  cat /opt/lampp/etc/httpd.conf
+
+Check for writable service files:
+
+  find / -writable -name '*.service' 
+
+----------------------------------------------------------------
+  Cron jobs
+----------------------------------------------------------------
+
+cron:
+  crontab -l
+  ls -al /etc/cron* /etc/at*
+  cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/root 2>/dev/null | grep -v "^#"
+
+Invisible cron jobs:
+(This will actually run:)
+
+  #This is a comment inside a cron config file\r* * * * * echo "Surprise!"
+
+Monitor processess as they start up: 
+  https://github.com/DominicBreuker/pspy

readme.md

@@ -7,11 +7,12 @@ Miscellaneous useful notes for pentesting & ethical hacking
 1. [Nmap scans](./nmap.md)
 2. [Breakouts](./breakouts.txt)
 3. [Common](./common.txt)
-4. [Privilege escalation (Linux)](./linux-privesc.txt)
-5. [Privilege escalation (Windows)](./windows-privesc.txt)
-6. [Reverse shells](./revshells.md)
-7. [Transfers](./transfers.txt)
-8. [Powershell commands](./windows-powershell.md)
+4. [Post-exploit checklist (Linux)](./linux-post.txt)
+5. [Privilege escalation (Linux)](./linux-privesc.txt)
+6. [Privilege escalation (Windows)](./windows-privesc.txt)
+7. [Reverse shells](./revshells.md)
+8. [Transfers](./transfers.txt)
+9. [Powershell commands](./windows-powershell.md)
 
 ## Credits