Hunting Techniques

Looking at /etc/passwd

If a user's shell is /bin/bash then that user has access to the bash shell; if the shell is a nologin shell such as /usr/bin/nologin the user can't log in. Example /etc/passwd. When the /etc/passwd is made the higher

root:x:0:0::/root:/bin/bash
nobody:x:65534:65534:Kernel Overflow User:/:/usr/bin/nologin
dbus:x:81:81:System Message Bus:/:/usr/bin/nologin
bin:x:1:1::/:/usr/bin/nologin
daemon:x:2:2::/:/usr/bin/nologin
mail:x:8:12::/var/spool/mail:/usr/bin/nologin
ftp:x:14:11::/srv/ftp:/usr/bin/nologin
http:x:33:33::/srv/http:/usr/bin/nologin

Decoding /etc/passwd

username:password:UID:GID:user info (GECOS):homedir:shell
(an x in the password field means the real hash is kept in /etc/shadow)

root:x:0:0::/root:/bin/bash
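To turn the decoding above into a repeatable check, here is an added example (not part of the original notes) that parses passwd lines with that field layout and groups accounts by the things a hunter looks for: shells that allow login, extra UID-0 accounts, empty password fields and home directories in scratch space. The sample input is constructed: the first lines mirror the listing above, the last two (svc, guest) are made-up entries that the checks should flag.

```python
"""Triage /etc/passwd entries using the field layout decoded above."""
from typing import Dict, List

# Shells that deny an interactive login.
NOLOGIN_SHELLS = {"/usr/bin/nologin", "/sbin/nologin", "/usr/sbin/nologin",
                  "/bin/false", "/usr/bin/false"}

# Constructed sample: the first lines mirror the listing above; the last
# two are made-up entries that the checks below should flag.
SAMPLE_PASSWD = """\
root:x:0:0::/root:/bin/bash
nobody:x:65534:65534:Kernel Overflow User:/:/usr/bin/nologin
dbus:x:81:81:System Message Bus:/:/usr/bin/nologin
bin:x:1:1::/:/usr/bin/nologin
http:x:33:33::/srv/http:/usr/bin/nologin
svc:x:0:1001::/var/tmp:/bin/sh
guest::1002:1002::/home/guest:/bin/bash
"""

def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Split each line into the seven colon-separated fields."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        keys = ("name", "password", "uid", "gid", "gecos", "home", "shell")
        entries.append(dict(zip(keys, fields)))
    return entries

def triage(text: str) -> Dict[str, List[str]]:
    """Group usernames by the finding a hunter cares about."""
    entries = parse_passwd(text)
    return {
        # accounts that can actually get an interactive shell
        "login_capable": [e["name"] for e in entries
                          if e["shell"] not in NOLOGIN_SHELLS],
        # any UID-0 account other than root is a second superuser
        "extra_uid0": [e["name"] for e in entries
                       if e["uid"] == "0" and e["name"] != "root"],
        # empty password field: no password needed unless shadow overrides
        "empty_password": [e["name"] for e in entries if e["password"] == ""],
        # interactive accounts homed in world-writable scratch space
        "tmp_home": [e["name"] for e in entries
                     if e["home"].startswith(("/tmp", "/var/tmp"))],
    }
```

On a live host, feed the real file in with triage(open("/etc/passwd").read()) to get the same grouping.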

Bash

To hide a bash command from the history an attacker can change .bashrc to set the history size to 0 (HISTSIZE=0) or put a space ' ' in front of the command (this only works when HISTCONTROL includes ignorespace). When hunting, a .bashrc that sets either of these is itself worth a look.

The hard-link count is the number right after the permissions; in the listing below the directory has 3 hard links. Hard links are like soft links to some degree, but for a directory the count is 2 plus the number of subdirectories it contains, so the count on the .. entry shows how many directories are in the next directory up. If the count does not match the subdirectories you can actually see, something is hiding directories from you.

drwxr-xr-x 3 root root 4096 Mar 6 09:35 ..

Debugfs

You can find the block device of the filesystem to pass in by using the command mount.

Usage: sudo debugfs <filesystem>

Then you can move around and cd into directories as normal (ls /, cd /home). Because debugfs reads the filesystem structures directly instead of going through the kernel's file listing, this can show files that are hidden from your normal terminal.

Processes Tree

The command pstree will get you a tree of processes running:

systemd─┬─ModemManager───3*[{ModemManager}]
        ├─NetworkManager───3*[{NetworkManager}]
        ├─accounts-daemon───3*[{accounts-daemon}]
        ├─avahi-daemon───avahi-daemon
        ├─blueman-tray───3*[{blueman-tray}]
        ├─bluetoothd
        ├─chrome_crashpad───2*[{chrome_crashpad}]
        ├─colord───3*[{colord}]
        ├─crond
        ├─cupsd
        ├─dbus-broker-lau───dbus-broker
        ├─firefox─┬─Isolated Servic───30*[{Isolated Servic}]
        │         ├─Isolated Servic───28*[{Isolated Servic}]
        │         ├─Isolated Servic───27*[{Isolated Servic}]
        │         ├─19*[Isolated Web Co───25*[{Isolated Web Co}]]
        │         ├─Isolated Web Co───32*[{Isolated Web Co}]
        │         ├─6*[Isolated Web Co───26*[{Isolated Web Co}]]
        │         ├─Isolated Web Co───31*[{Isolated Web Co}]
        │         ├─2*[Isolated Web Co───30*[{Isolated Web Co}]]
        │         ├─Isolated Web Co───27*[{Isolated Web Co}]
        │         ├─Privileged Cont───26*[{Privileged Cont}]
        │         ├─RDD Process───3*[{RDD Process}]
        │         ├─Socket Process───4*[{Socket Process}]
        │         ├─Utility Process───3*[{Utility Process}]
        │         ├─3*[Web Content───20*[{Web Content}]]
        │         ├─WebExtensions───27*[{WebExtensions}]
        │         └─229*[{firefox}]
        ├─geoclue───3*[{geoclue}]

Network Monitoring

Use either ss -tunap or netstat -plunt

Find Where Process is Running

Ways to Find Process

pwdx

pwdx <pid>

lsof

lsof -p <pid> | grep cwd

/proc

Get the directory the process is running from: readlink -e /proc/<pid>/cwd
Get the command line the process was started with: cat /proc/<pid>/cmdline (readlink -e /proc/<pid>/exe gives the actual executable, and shows (deleted) if the binary was removed after it started)

In /proc you can locate all running processes. The directories are named after the PID of each running process, and the files inside them contain information about that process.

Finding Hidden Process

Use the command unhide checkproc (unhide looks for processes that are hidden from ps and /proc).

Searching Files

Search Files based on Time

After Date

Example:
find <dir> -type f -newerct <date> | less
Usage:
find /proc -type f -newerct 2023-03-21 | less

Search Between Dates

Example:
find <dir> -type f -newerct <date-from> ! -newerct <date-to> | less
Usage:
find /proc -type f -newerct 2023-03-21 ! -newerct 2023-04-21 | less

Newer Than Other File

Example:
find <dir> -type f -newer <file> | less
Usage:
find /etc/ -type f -newer /etc/filename | less

Who Is Logged In

last

w

lastlog

sudo cat /var/log/auth.log