/proc/(PID)/cmdline
This file shows the parameters passed to the kernel at the time it is started. It looks like the following:
1
2
3
4
5
6
7
| ---------------------------------------------------
[*] PATH: /proc/816/cmdline
[*] Total lenght: 181
b'/proc/816/cmdline/proc/816/cmdline/proc/816/cmdline/bin/sh\\x00-c\\x00while true;
do su user -c "cd /home/user;gdbserver --once 0.0.0.0:1337 /bin/true;";
done\\x00<script>window.close()</script>'
---------------------------------------------------
|
Examples: [[Backdoor#^4e1616]]
/proc/net/fib_trie
This path saves the whole structure of the interfaces, is useful to grab the current IP and also to check if whether or not we are interacting with a docker, and it looks as follows:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
| Main:
+-- 0.0.0.0/1 2 0 2
+-- 0.0.0.0/4 2 0 2
|-- 0.0.0.0 /0 universe UNICAST
+-- 10.10.10.0/23 2 0 1
|-- 10.10.10.0
/32 link BROADCAST
/23 link UNICAST
|-- 10.10.11.125
/32 host LOCAL
|-- 10.10.11.255
/32 link BROADCAST
+-- 127.0.0.0/8 2 0 2
+-- 127.0.0.0/31 1 0 0
|-- 127.0.0.0
/32 link BROADCAST
/8 host LOCAL
|-- 127.0.0.1 /32 host LOCAL
|-- 127.255.255.255
/32 link BROADCAST
Local:
+-- 0.0.0.0/1 2 0 2
+-- 0.0.0.0/4 2 0 2
|-- 0.0.0.0
/0 universe UNICAST
+-- 10.10.10.0/23 2 0 1
|-- 10.10.10.0
/32 link BROADCAST
/23 link UNICAST
|-- 10.10.11.125
/32 host LOCAL
|-- 10.10.11.255
/32 link BROADCAST
+-- 127.0.0.0/8 2 0 2
+-- 127.0.0.0/31 1 0 0
|-- 127.0.0.0
/32 link BROADCAST
/8 host LOCAL
|-- 127.0.0.1
/32 host LOCAL
|-- 127.255.255.255
/32 link BROADCAST
|
Mail Directory
Installed applications
