Linux Abusing Directory Structure
Post

Linux Abusing Directory Structure

/proc/(PID)/cmdline

This file shows the parameters passed to the kernel at the time it is started. It looks like the following:

1
2
3
4
5
6
7
---------------------------------------------------
[*] PATH: /proc/816/cmdline
[*] Total lenght: 181
b'/proc/816/cmdline/proc/816/cmdline/proc/816/cmdline/bin/sh\\x00-c\\x00while true;
do su user -c "cd /home/user;gdbserver --once 0.0.0.0:1337 /bin/true;";
done\\x00<script>window.close()</script>'
---------------------------------------------------

Examples: [[Backdoor#^4e1616]]

/proc/net/fib_trie

This path saves the whole structure of the interfaces, is useful to grab the current IP and also to check if whether or not we are interacting with a docker, and it looks as follows:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
Main: 
	+-- 0.0.0.0/1 2 0 2 
		+-- 0.0.0.0/4 2 0 2 
			|-- 0.0.0.0 /0 universe UNICAST 
			+-- 10.10.10.0/23 2 0 1 
				|-- 10.10.10.0 
					/32 link BROADCAST 
					/23 link UNICAST 
				|-- 10.10.11.125 
					/32 host LOCAL 
				|-- 10.10.11.255 
					/32 link BROADCAST 
		+-- 127.0.0.0/8 2 0 2 
			+-- 127.0.0.0/31 1 0 0 
				|-- 127.0.0.0 
					/32 link BROADCAST 
					/8 host LOCAL 
				|-- 127.0.0.1 /32 host LOCAL 
				|-- 127.255.255.255 
					/32 link BROADCAST 
Local: 
	+-- 0.0.0.0/1 2 0 2 
		+-- 0.0.0.0/4 2 0 2 
			|-- 0.0.0.0 
				/0 universe UNICAST 
			+-- 10.10.10.0/23 2 0 1 
				|-- 10.10.10.0 
					/32 link BROADCAST 
					/23 link UNICAST 
				|-- 10.10.11.125 
					/32 host LOCAL 
				|-- 10.10.11.255 
					/32 link BROADCAST 
		+-- 127.0.0.0/8 2 0 2 
			+-- 127.0.0.0/31 1 0 0 
				|-- 127.0.0.0 
					/32 link BROADCAST 
					/8 host LOCAL 
				|-- 127.0.0.1 
					/32 host LOCAL 
			|-- 127.255.255.255 
				/32 link BROADCAST
Mail Directory
1
/var/mail/
Installed applications
1
2
/usr/bin/
/usr/sbin