Recursively find a string:
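# Find ETSCTF in every file under the current directory
# (-H prints the file name in front of each match)
find . -type f -exec grep -H 'ETSCTF' {} \; 2>/dev/null
# Identify regular files (not directories) modified within the last day and
# not owned by root (-uid +0 matches any uid greater than 0)
find / -mtime -1 -type f -uid +0 -exec ls -al {} \; 2>/dev/null
# Binaries with the owner SUID bit set; compare the result against the set the
# distribution ships and review anything that is not expected
find / -perm -u=s -type f 2>/dev/null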
Capabilities
# Recursively list files that carry file capabilities; unexpected entries
# deserve the same review as unexpected SUID binaries
getcap -r / 2>/dev/null
Searching writable directories
# Directories the current account can write to (-writable is a GNU find test
# that checks access for the invoking user, not just the mode bits)
find / -type d -writable 2>/dev/null
SETUID
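# Everything with the SUID bit set, whatever the file type
find / -perm -4000 2>/dev/null
# Same search limited to regular files (-type f does not test executability)
find / -perm -4000 -type f 2>/dev/null
# Symbolic-mode spelling of the same test (-u=s is equivalent to -4000)
find / -perm -u=s -type f 2>/dev/null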
Examples: Epsilon
Sudoers
# /etc/sudoers is normally readable by root only, so a successful read from an
# unprivileged account is itself a permissions finding
cat /etc/sudoers
Find world-writeable files
# -perm -0002 matches entries writable by "other"; -type d keeps directories
# only (use -type f to list world-writable files instead).
# Sticky-bit directories such as /tmp are expected in the results.
find / -perm -0002 -type d 2>/dev/null
Check the current user's sudo access
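# List the sudo rules that apply to the invoking user (may prompt for that
# user's password)
sudo -l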
Check permissions for files in the /root directory
# Long listing (with sizes) of the entries in /root; on most systems /root is
# closed to other accounts, so any output here points to loose permissions
ls -als /root/*
Check permissions of dot files/directories
# Same listing for dot files and dot directories.
# NOTE(review): depending on the shell, .* also matches . and .., which adds
# the contents of /root and / to the output.
ls -als /root/.*
Check for access to users’ .ssh directories
# ~/.ssh is expected to be accessible to its owner only; a successful listing
# of another user's directory indicates loose permissions
ls -als /home/*/.ssh
Check readability of apache/nginx access log
# Try each common access-log location in turn; a "Permission denied" error
# means the log is not readable by this account, which is the expected state
for log in /var/log/apache/access.log /var/log/apache2/access.log /var/log/nginx/access.log; do
  cat "$log"
done
Search for “user” and “pass” string in Apache Access Log
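# Credentials reach the access log when an application passes them in request
# URLs; hits here mean the application and the log permissions need fixing.
# The pattern must be in plain ASCII quotes: with typographic quotes the shell
# treats the | inside it as a pipe.
# NOTE(review): the ^ anchors match only at the start of a line, and default
# access-log lines start with the client address; confirm the pattern fits the
# log format in use.
grep -E '^user|^pass' /var/log/apache/access.log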
Dump Wireless Pre-Shared Keys
# Print the connection id and psk lines from every NetworkManager profile
# (-h drops the file-name prefix). These files are normally root-only, so
# output for an unprivileged account indicates loosened permissions.
grep -hE '^id|^psk' /etc/NetworkManager/system-connections/*
Search for “password” string in conf files
# Lines containing "password" in the top-level /etc/*.conf files; unreadable
# files are skipped silently because stderr is discarded
grep -e 'password' /etc/*.conf 2>/dev/null
PGP Keys
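# secring.gpg is the legacy GnuPG secret keyring (used before GnuPG 2.1); it
# should be readable by its owner only, so a successful read of another user's
# keyring is a permissions finding
cat /home/*/.gnupg/secring.gpg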
SSH Keys
# id* matches both private keys and their .pub halves; a private key that is
# readable by another account should be treated as exposed and rotated
cat /home/*/.ssh/id*
Show any LDAP, Local or NIS Accounts
# Queries the passwd database through NSS, so accounts from every configured
# source are listed, not only those in /etc/passwd
getent passwd
Dump Samba user Database Information
# -L lists the accounts in the Samba user database: -w prints them in
# smbpasswd format, -v in verbose form.
# NOTE(review): presumably needs root to read the database — confirm on the
# host; success as an unprivileged user would be a finding.
pdbedit -L -w
pdbedit -L -v
Kerberos Tickets
# Kerberos credential caches are often kept in /tmp; they should be readable
# by the owning user only
cat /tmp/krb*
Search for files of .txt extension with name “password”
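# Quote the pattern so find receives it intact; unquoted, the shell expands
# password*.txt against the current directory first when a match exists there
find / -name 'password*.txt' 2>/dev/null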