Lateral Movement
01.1 OS Enumerations
## ------------------| OS details
cat /etc/*-release
cat /proc/version
lsb_release -a
hostnamectl
## ------------------| Domain joined?
cat /etc/krb5.conf
kinit -k host/$(hostname -f)
realm list | grep active-directory
adcli testjoin
## ------------------| Kernel version
uname -a
uname --kernel-name --kernel-release --machine
## ------------------| SUDO version
sudo -V 2>/dev/null | grep "Sudo ver"
## ------------------| System stats / Disk info
(df -h || lsblk) 2>/dev/null
## ------------------| List all services
(service --status-all || service -e || chkconfig --list || rc-status || launchctl list) 2>/dev/null
## ------------------| Mounted filesystems
(mount -l || cat /proc/self/mountinfo || cat /proc/1/mountinfo || cat /proc/mounts || cat /proc/self/mounts || cat /proc/1/mounts) 2>/dev/null | grep -Ev "/ /|/null | proc proc |/dev/console"
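As an added example that is not part of the original notes, the following POSIX sh script turns the mount listing above into a check a defender can act on: it parses `/proc/mounts` lines (device, mount point, type, comma-separated options, dump, pass) and reports writable scratch locations that lack `nosuid`, `nodev` or `noexec`. The list of mount points checked (`/tmp`, `/var/tmp`, `/dev/shm`, `/run/shm`) and the sample table are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original notes): audit mount options.
# Each /proc/mounts line has the form
#   <device> <mountpoint> <fstype> <options> <dump> <pass>
# and the options field is a comma-separated list, which is what we parse.

# Print "<mountpoint>:<missing options>" and return 0 when one of the
# writable scratch locations (assumed list) is missing a hardening flag;
# return 1 when the line needs no attention.
mount_missing_opts() {
  set -- $1                        # split the line on whitespace
  mnt=$2; opts=$4
  case "$mnt" in
    /tmp|/var/tmp|/dev/shm|/run/shm) ;;
    *) return 1 ;;
  esac
  missing=""
  for want in nosuid nodev noexec; do
    # wrap in commas so "nodev" cannot match inside another option name
    case ",$opts," in
      *",$want,"*) ;;
      *) missing="${missing:+$missing,}$want" ;;
    esac
  done
  [ -n "$missing" ] || return 1
  echo "$mnt:$missing"
}

# Read a mount table on stdin and print one FINDING line per weak mount.
report_findings() {
  while IFS= read -r line; do
    r=$(mount_missing_opts "$line") && echo "FINDING: $r"
  done
  return 0
}

# Constructed sample table so the check can be exercised without a live host.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0'

if [ "${1:-}" = "--live" ]; then
  report_findings < /proc/mounts       # audit the running host
else
  printf '%s\n' "$SAMPLE_MOUNTS" | report_findings
fi
```

Run it with `--live` to audit the host; without arguments it reports on the constructed table (only `/dev/shm` is flagged, for the missing `noexec`). Whether `noexec` on `/tmp` is acceptable depends on the workload, which is why the function reports missing flags rather than deciding policy.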
## ------------------| USBCreator?
busctl list 2>/dev/null | grep -q com.ubuntu.USBCreator
## ------------------| ASLR enabled?
cat /proc/sys/kernel/randomize_va_space 2>/dev/null
## ------------------| Virtual environment?
systemd-detect-virt
grep flags /proc/cpuinfo 2>/dev/null | grep hypervisor
## ------------------| Search socket files
find / -type s 2>/dev/null
## ------------------| Files with capabilities
getcap -r / 2>/dev/null
## ------------------| Set capabilities for file
sudo setcap cap_net_bind_service=+ep $(readlink -f /usr/bin/python3)
## ------------------| Inside LXC container? (PID 1 environment, e.g. container=lxc; NUL-separated, so split it)
(tr '\0' '\n' < /proc/1/environ | grep -i container) 2>/dev/null
## ------------------| Inside docker?
find / -maxdepth 3 -name '*dockerenv*' -exec ls -la {} \; 2>/dev/null
## ------------------| Enumerate Docker Sockets
find / ! -path "/sys/*" -type s \( -name "docker.sock" -o -name "docker.socket" \) 2>/dev/null
curl -s --unix-socket <socket_path> http://localhost/info
## ------------------| Enumerate on Kubernetes
### Kubernetes namespace
cat /run/secrets/kubernetes.io/serviceaccount/namespace /var/run/secrets/kubernetes.io/serviceaccount/namespace /secrets/kubernetes.io/serviceaccount/namespace 2>/dev/null
### Kubernetes token
cat /run/secrets/kubernetes.io/serviceaccount/token /var/run/secrets/kubernetes.io/serviceaccount/token /secrets/kubernetes.io/serviceaccount/token 2>/dev/null
### Kubernetes service account folder
ls -lR /run/secrets/kubernetes.io/ /var/run/secrets/kubernetes.io/ /secrets/kubernetes.io/ 2>/dev/null
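The ASLR, capability, Docker socket and Kubernetes service-account checks above only print raw values. As an added example that is not part of the original notes, this POSIX sh script evaluates them into pass/fail findings. Each check takes its input as an argument so it can be exercised on constructed values; the list of root-equivalent capabilities, the socket paths and the `stat -c '%a %G'` (GNU coreutils) invocation are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): evaluate the enumeration
# results instead of just printing them. Functions take their input as
# arguments so they can be tested on constructed values.

# Map /proc/sys/kernel/randomize_va_space to a label:
# 0 = no randomisation, 1 = stack/mmap/vdso, 2 = also heap (brk).
aslr_label() {
  case "$1" in
    0) echo disabled ;;
    1) echo partial ;;
    2) echo full ;;
    *) echo unknown ;;
  esac
}

# A Docker socket writable by non-root users is root-equivalent on the host.
# Arguments: octal mode digits and group name as printed by `stat -c '%a %G'`.
# Prints the reason and returns 0 on a finding, 1 otherwise.
docker_socket_exposed() {
  mode=$1; group=$2
  oth=${mode#"${mode%?}"}                # last digit: others
  tmp=${mode%?}; grp=${tmp#"${tmp%?}"}   # second-to-last digit: group
  if [ $((oth & 2)) -ne 0 ]; then
    echo "world-writable docker socket"; return 0
  fi
  if [ $((grp & 2)) -ne 0 ] && [ "$group" != root ]; then
    echo "docker socket writable by group $group"; return 0
  fi
  return 1
}

# Flag a getcap line carrying a capability that is effectively root
# (assumed list; extend as needed). Handles both getcap output styles:
# "path = cap_x+ep" (older libcap) and "path cap_x=ep" (newer libcap).
risky_caps() {
  caps=${1#* }                 # drop the path
  caps=${caps#= }              # old style leading "= "
  caps=${caps%%[=+]*}          # keep the capability names, drop the flags
  found=""
  for c in $(printf '%s\n' "$caps" | tr ',' ' '); do
    case "$c" in
      cap_sys_admin|cap_sys_ptrace|cap_sys_module|cap_dac_override|cap_dac_read_search|cap_setuid|cap_setgid|cap_chown|cap_fowner)
        found="${found:+$found,}$c" ;;
    esac
  done
  [ -n "$found" ] || return 1
  echo "$found"
}

# Live checks; every finding is printed on one line prefixed with FINDING.
audit_host() {
  if [ -r /proc/sys/kernel/randomize_va_space ]; then
    v=$(cat /proc/sys/kernel/randomize_va_space)
    echo "ASLR: $(aslr_label "$v") ($v)"
    [ "$v" = 2 ] || echo "FINDING: ASLR not fully enabled"
  fi
  for s in /var/run/docker.sock /run/docker.sock; do   # assumed socket paths
    [ -S "$s" ] || continue
    # word splitting of "mode group" is intended here
    r=$(docker_socket_exposed $(stat -c '%a %G' "$s")) && echo "FINDING: $s: $r"
  done
  getcap -r / 2>/dev/null | while IFS= read -r l; do
    r=$(risky_caps "$l") && echo "FINDING: $r granted by: $l"
  done
  for t in /run/secrets/kubernetes.io/serviceaccount/token \
           /var/run/secrets/kubernetes.io/serviceaccount/token; do
    [ -r "$t" ] && echo "FINDING: Kubernetes service-account token readable at $t"
  done
  return 0
}

if [ "${1:-}" = "--live" ]; then
  audit_host
fi
```

Run it with `--live` on the host to be audited. The capability parser is the part worth reusing: `cap_net_bind_service` (the page's own `setcap` example) is not flagged, while `cap_setuid`, `cap_dac_override` or `cap_sys_admin` on an interpreter or editor binary is, because those are the grants that collapse into full root.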