There are two ways to check the OS version:
lsb_release -a
cat /etc/os-release
Passwords can be changed with the passwd command:
command | description |
---|---|
passwd | changes current user password |
passwd <user> | changes specified user password |
passwd -d <user> | allows passwordless logins by deleting user password |
passwd -l <user> | locks user account and prevents all logins (someone could probably write a bash oneliner that disables logins for all users except root and sysadmin) |
Password hashes are stored in /etc/shadow
Example entry for a login user:
sysadmin:$y$j9T$BgZdPus8LQnCRO5rSCN0f1$Urv3EDlCMwOpyJ3qYw4aasDCrGi6refPNJU6RhoIYA3:19673:0:99999:7:::
Example entry for a non-login user:
rpc:!*:19450::::::
Example of a vulnerable entry (a plaintext password in the hash field, which is an information leak):
root:changeme:19761::::::
Users can be listed by reading /etc/passwd. Alternatively, run cat /etc/passwd | cut -d ':' -f 1 to get a list of just usernames.
The /etc/passwd file has the following format:
username:password:UID:GID:comment:home:shell
Note that the password field should be either x (the hash then lives in /etc/shadow) or a hash, never an actual password.
Users can be deleted by simply removing their line from /etc/passwd or by running userdel -r <user>.
Only login users should have a shell; users without login should have <path>/nologin as their shell. It is worth checking the nologin binary (or attempting to log in as such a user) to verify that it works as intended.
Note that every user should have a unique UID, and UID 0 IS RESERVED FOR ROOT (no other user should have a UID or GID of 0).
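The checks above (UID/GID 0 outside root, duplicate UIDs, a literal password where x belongs, and empty or non-hash password fields in /etc/shadow) as an added audit script; this is not code from the original notes, and the passwd/shadow lines at the bottom are constructed samples, not entries from a real host.

```python
"""Audit passwd/shadow entries for the problems described above: UID/GID 0 outside root,
duplicate UIDs, literal passwords in /etc/passwd, and empty or non-hash shadow fields."""
NOLOGIN_SHELLS = ("/nologin", "/false")

def parse_passwd(text):
    """Yield (name, pw, uid, gid, shell) from username:password:UID:GID:comment:home:shell lines."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, pw, uid, gid, _comment, _home, shell = line.split(":")
            yield name, pw, int(uid), int(gid), shell

def parse_shadow(text):
    """Map username -> password field (second field) of shadow-format lines."""
    return {l.split(":")[0]: l.split(":")[1] for l in text.splitlines() if l.strip()}

def audit(passwd_text, shadow_text):
    """Return a list of (username, finding) tuples."""
    findings, shadow, first_owner = [], parse_shadow(shadow_text), {}
    for name, pw, uid, gid, shell in parse_passwd(passwd_text):
        if name != "root" and (uid == 0 or gid == 0):
            findings.append((name, "UID or GID 0 but not root"))
        if uid in first_owner:
            findings.append((name, f"duplicate UID {uid} (also {first_owner[uid]})"))
        first_owner.setdefault(uid, name)
        if pw not in ("x", "*", "!", "!!"):  # anything else is a literal password
            findings.append((name, "literal password in /etc/passwd instead of x"))
        spw = shadow.get(name)
        if spw is None or shell.endswith(NOLOGIN_SHELLS):
            continue  # no shadow entry, or the account cannot log in anyway
        if spw == "":
            findings.append((name, "empty shadow password (passwordless login)"))
        elif not spw.startswith(("$", "!", "*")):  # neither a crypt hash nor locked
            findings.append((name, "shadow password is not a hash (plaintext?)"))
    return findings

# Constructed sample data (not from a real host); the root hash is a placeholder.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
sysadmin:x:1000:1000::/home/sysadmin:/bin/bash
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
backdoor:x:0:0::/root:/bin/bash
svc:changeme:1001:1001::/home/svc:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$CONSTRUCTED$notarealhash:19673:0:99999:7:::
sysadmin::19673:0:99999:7:::
rpc:!*:19450::::::
backdoor:changeme:19761::::::
"""
```

To run it against a live box, pass the contents of /etc/passwd and /etc/shadow (the latter needs root) to audit() instead of the samples.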
Making /etc/passwd, /etc/shadow, and /etc/group immutable with chattr +i <file> prevents any modification of users or groups (including creating or adding users/groups, and changing passwords).
Groups are located in /etc/group, with the following format:
groupname:password:GID:users
The most important groups are the root and wheel groups, which contain users allowed to run sudo commands.
Sudo allows specific users to execute commands as the root user.
These users are defined in the /etc/sudoers file and in all files in the /etc/sudoers.d/ directory.
These files allow users or groups to execute commands, and can even waive the password requirement for certain commands.
A user's sudo permissions can also be seen with sudo -l.
Updating is straightforward, but the command depends on the OS:
Debian-based systems:
sudo apt-get update && sudo apt-get upgrade
Red Hat-based systems:
sudo yum check-update
sudo yum upgrade
Fedora:
sudo dnf upgrade
Arch-based systems:
sudo pacman -Syu
Installs are done similarly:
sudo apt-get install <package> #debian
sudo yum install <package> #red hat
sudo pacman -S <package> #arch
Binary files are located in a few directories, usually listed in PATH. To see the path, run echo $PATH.
Here are some common binary locations:
/usr/local/bin
/usr/local/sbin
/usr/bin
/usr/sbin
/bin
/sbin
Directories can be added to PATH with export PATH="<path>:$PATH"
The crontab allows for scheduled tasks.
Running crontab -l shows the current user's crontab entries (located in /var/spool/cron/crontabs).
crontab -r removes the current user's crontab entries.
System crontabs can be seen with ls -la /etc/cron*
The following oneliner displays the crontabs of all users:
for user in $(cut -f1 -d: /etc/passwd); do echo $user; crontab -u $user -l; done
Crontabs are executed by the cron daemon (crond), which can be disabled (masked) with systemctl mask cron.
Crond searches /var/spool/cron, /etc/cron.d/, and /etc/crontab for tasks to run.
The ~/.bashrc file determines how shell sessions behave for that user.
Command history can be enabled with the following lines in .bashrc:
set -o history
HISTFILE=$HOME/.bash_history
Essentially every line in this file is executed from top to bottom at the start of each interactive shell session.
/tmp is a directory for temporary files. All users can read and write in this directory, which is frequently used to store malware.
Files are deleted from here on reboot.
The env command displays environment variables.
Information might be leaked here, especially in docker containers.
The SUID and SGID bits cause an executable to run with the permissions of its owning user and owning group respectively.
These files can be found with the following commands:
find / -type f -perm -4000 ! -path "/proc/*" -exec ls {} 2>/dev/null \; # SUID
find / -type f -perm -2000 ! -path "/proc/*" -exec ls {} 2>/dev/null \; # SGID
These binaries can be checked against GTFOBins (search for the binary name first, then look at its +suid entry).
World-writable files could be used to store malware or to exfiltrate data.
Find them with the following:
find / -type f -perm -2 ! -path "/proc/*" -exec ls -l {} 2>/dev/null \;
Malicious files can be created whose names look identical to legitimate files in ls or other listings, using the following procedure:
> touch 'index.php'
> touch $'index\u200D.php'
> ls
index.php index.php
> ls -la
total 2
-rw-r--r-- 1 sysadmin sysadmin 0 Feb 23 08:33 index.php
-rw-r--r-- 1 sysadmin sysadmin 0 Feb 23 08:33 index.php
To protect against this, I wrote the following python script:
#!/usr/bin/env python3
import os

def contains_non_printable(file_path):
    # Treats any character outside the ASCII range (code point > 127) as suspicious
    try:
        return any(ord(char) > 127 for char in file_path)
    except TypeError:
        return False

# Walk the whole filesystem and report file names containing such characters
for root, dirs, files in os.walk('/'):
    for file in files:
        if contains_non_printable(file):
            full_path = os.path.join(root, file)
            print(f"Found file with non-printable characters: {full_path}")
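A broader check, added here as an example and not part of the original script: instead of flagging every non-ASCII byte, it classifies code points by Unicode category to catch invisible characters such as the U+200D zero-width joiner used above, and it reports groups of distinct names that render identically in ls once those characters are removed and compatibility forms are folded.

```python
"""Detect look-alike file names: names that contain invisible Unicode code points, and
groups of distinct names that render identically once those code points are removed."""
import os
import unicodedata
from collections import defaultdict

# General categories that leave no visible glyph: Cf = format (e.g. U+200D ZERO WIDTH
# JOINER), Cc = control characters, Mn = non-spacing combining marks, Zs = space
# separators (a plain ASCII space is allowed, every other Zs character is flagged).
def is_invisible(ch):
    if ch == " ":
        return False
    return unicodedata.category(ch) in {"Cf", "Cc", "Mn", "Zs"}

def visible_form(name):
    """Fold compatibility forms (fullwidth letters, decomposed accents) with NFKC, then
    strip invisible code points. Known limitation: Cyrillic/Greek look-alike letters
    are distinct code points and are not folded by NFKC."""
    normalized = unicodedata.normalize("NFKC", name)
    return "".join(ch for ch in normalized if not is_invisible(ch))

def find_lookalikes(names):
    """Return (suspicious, collisions): names carrying invisible characters, and sorted
    groups of different names that are indistinguishable in a directory listing."""
    suspicious = [n for n in names if any(is_invisible(ch) for ch in n)]
    groups = defaultdict(list)
    for n in names:
        groups[visible_form(n)].append(n)
    collisions = [sorted(g) for g in groups.values() if len(g) > 1]
    return suspicious, collisions

def scan(root="/"):
    """Walk the filesystem and report per-directory findings."""
    for dirpath, _dirs, files in os.walk(root):
        suspicious, collisions = find_lookalikes(files)
        for n in suspicious:
            print(f"invisible characters in name: {os.path.join(dirpath, n)!r}")
        for group in collisions:
            print(f"look-alike names in {dirpath}: {group!r}")

if __name__ == "__main__":
    scan("/")
```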
There are some special flags that can be placed on files using the chattr command.
These can be listed with lsattr <file>.
The i flag prevents any modification or deletion of a file, and is useful for config files, index files, system files that shouldn't be modified, etc.
If you notice that logs aren't being created properly, backups aren't being restored correctly, files aren't being saved, or other weird issues involving files, make sure you check whether the file is immutable using lsattr.