This task focuses on enumerating a Linux machine after accessing a shell, such as bash. Although some commands provide information on more than one area, we tried to group the commands into four categories depending on the information we expect to acquire.
- System
- Users
- Networking
- Running Services
We recommend that you click โStart AttackBoxโ and โStart Machineโ so that you can experiment and answer the questions at the end of this task.
System
On a Linux system, we can get more information about the Linux distribution and release version by searching for files or links that end with -release in /etc/. Running ls /etc/*-release helps us find such files. Letโs see what things look like on a CentOS Linux.
user@TryHackMe$ ls /etc/*-release
/etc/centos-release /etc/os-release /etc/redhat-release /etc/system-release
$ cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
[...]Letโs try on a Fedora system.
user@TryHackMe$ ls /etc/*-release
/etc/fedora-release@ /etc/os-release@ /etc/redhat-release@ /etc/system-release@
$ cat /etc/os-release
NAME="Fedora Linux"
VERSION="36 (Workstation Edition)"
[...]We can find the systemโs name using the command hostname.
user@TryHackMe$ hostname
rpm-red-enum.thmVarious files on a system can provide plenty of useful information. In particular, consider the following /etc/passwd, /etc/group, and /etc/shadow. Any user can read the files passwd and group. However, the shadow password file requires root privileges as it contains the hashed passwords. If you manage to break the hashes, you will know the userโs original password.
user@TryHackMe$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
[...]
michael:x:1001:1001::/home/michael:/bin/bash
peter:x:1002:1002::/home/peter:/bin/bash
jane:x:1003:1003::/home/jane:/bin/bash
randa:x:1004:1004::/home/randa:/bin/bash
$ cat /etc/group
root:x:0:
[...]
michael:x:1001:
peter:x:1002:
jane:x:1003:
randa:x:1004:
$ sudo cat /etc/shadow
root:$6$pZlRFi09$qqgNBS.00qtcUF9x0yHetjJbXsw0PAwQabpCilmAB47ye3OzmmJVfV6DxBYyUoWBHtTXPU0kQEVUQfPtZPO3C.:19131:0:99999:7:::
[...]
michael:$6$GADCGz6m$g.ROJGcSX/910DEipiPjU6clo6Z6/uBZ9Fvg3IaqsVnMA.UZtebTgGHpRU4NZFXTffjKPvOAgPKbtb2nQrVU70:19130:0:99999:7:::
peter:$6$RN4fdNxf$wvgzdlrIVYBJjKe3s2eqlIQhvMrtwAWBsjuxL5xMVaIw4nL9pCshJlrMu2iyj/NAryBmItFbhYAVznqRcFWIz1:19130:0:99999:7:::
jane:$6$Ees6f7QM$TL8D8yFXVXtIOY9sKjMqJ7BoHK1EHEeqM5dojTaqO52V6CPiGq2W6XjljOGx/08rSo4QXsBtLUC3PmewpeZ/Q0:19130:0:99999:7:::
randa:$6$dYsVoPyy$WR43vaETwoWooZvR03AZGPPKxjrGQ4jTb0uAHDy2GqGEOZyXvrQNH10tGlLIHac7EZGV8hSIfuXP0SnwVmnZn0:19130:0:99999:7:::Similarly, various directories can reveal information about users and might contain sensitive files; one is the mail directories found at /var/mail/.
user@TryHackMe$ ls -lh /var/mail/
total 4.0K
-rw-rw----. 1 jane mail 0 May 18 14:15 jane
-rw-rw----. 1 michael mail 0 May 18 14:13 michael
-rw-rw----. 1 peter mail 0 May 18 14:14 peter
-rw-rw----. 1 randa mail 0 May 18 14:15 randa
-rw-------. 1 root mail 639 May 19 07:37 rootTo find the installed applications you can consider listing the files in /usr/bin/ and /sbin/:
ls -lh /usr/bin/ls -lh /sbin/
On an RPM-based Linux system, you can get a list of all installed packages using rpm -qa. The -qa indicates that we want to query all packages.
On a Debian-based Linux system, you can get the list of installed packages using dpkg -l. The output below is obtained from an Ubuntu server.
user@TryHackMe$ dpkg -l
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-=====================================-==================================-============-===============================================================================
ii accountsservice 0.6.55-0ubuntu12~20.04.5 amd64 query and manipulate user account information
ii adduser 3.118ubuntu2 all add and remove users and groups
ii alsa-topology-conf 1.2.2-1 all ALSA topology configuration files
ii alsa-ucm-conf 1.2.2-1ubuntu0.13 all ALSA Use Case Manager configuration files
ii amd64-microcode 3.20191218.1ubuntu1 amd64 Processor microcode firmware for AMD CPUs
[... ]
ii zlib1g-dev:amd64 1:1.2.11.dfsg-2ubuntu1.3 amd64 compression library - developmentUsers
Files such as /etc/passwd reveal the usernames; however, various commands can provide more information and insights about other users on the system and their whereabouts.
You can show who is logged in using who.
user@TryHackMe$ who
root tty1 2022-05-18 13:24
jane pts/0 2022-05-19 07:17 (10.20.30.105)
peter pts/1 2022-05-19 07:13 (10.20.30.113)We can see that the user root is logged in to the system directly, while the users jane and peter are connected over the network, and we can see their IP addresses.
Note that who should not be confused with whoami which prints your effective user id.
user@TryHackMe$ whoami
janeTo take things to the next level, you can use w, which shows who is logged in and what they are doing. Based on the terminal output below, peter is editing notes.txt and jane is the one running w in this example.
user@TryHackMe$ w
07:18:43 up 18:05, 3 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root tty1 Wed13 17:52m 0.00s 0.00s less -s
jane pts/0 10.20.30.105 07:17 3.00s 0.01s 0.00s w
peter pts/1 10.20.30.113 07:13 5:23 0.00s 0.00s vi notes.txtTo print the real and effective user and group IDS, you can issue the command id (for ID).
user@TryHackMe$ id
uid=1003(jane) gid=1003(jane) groups=1003(jane) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023Do you want to know who has been using the system recently? last displays a listing of the last logged-in users; moreover, we can see who logged out and how much they stayed connected. In the output below, the user randa remained logged in for almost 17 hours, while the user michael logged out after four minutes.
user@TryHackMe$ last
jane pts/0 10.20.30.105 Thu May 19 07:17 still logged in
peter pts/1 10.20.30.113 Thu May 19 07:13 still logged in
michael pts/0 10.20.30.1 Thu May 19 05:12 - 05:17 (00:04)
randa pts/1 10.20.30.107 Wed May 18 14:18 - 07:08 (16:49)
root tty1 Wed May 18 13:24 still logged in
[...]Finally, it is worth mentioning that sudo -l lists the allowed command for the invoking user on the current system.
Networking
The IP addresses can be shown using ip address show (which can be shortened to ip a s) or with the older command ifconfig -a (its package is no longer maintained.) The terminal output below shows the network interface ens33 with the IP address 10.20.30.129 and subnet mask 255.255.255.0 as it is 24.
user@TryHackMe$ ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:a2:0e:7e brd ff:ff:ff:ff:ff:ff
inet 10.20.30.129/24 brd 10.20.30.255 scope global noprefixroute dynamic ens33
valid_lft 1580sec preferred_lft 1580sec
inet6 fe80::761a:b360:78:26cd/64 scope link noprefixroute
valid_lft forever preferred_lft foreverThe DNS servers can be found in the /etc/resolv.conf. Consider the following terminal output for a system that uses DHCP for its network configurations. The DNS, i.e.ย nameserver, is set to 10.20.30.2.
user@TryHackMe$ cat /etc/resolv.conf
# Generated by NetworkManager
search localdomain thm
nameserver 10.20.30.2netstat is a useful command for learning about network connections, routing tables, and interface statistics. We explain some of its many options in the table below.
| Option | Description |
|---|---|
-a | show both listening and non-listening sockets |
-l | show only listening sockets |
-n | show numeric output instead of resolving the IP address and port number |
-t | TCP |
-u | UDP |
-x | UNIX |
-p | Show the PID and name of the program to which the socket belongs |
You can use any combination that suits your needs. For instance, netstat -plt will return Programs Listening on TCP sockets. As we can see in the terminal output below, sshd is listening on the SSH port, while master is listening on the SMTP port on both IPv4 and IPv6 addresses. Note that to get all PID (process ID) and program names, you need to run netstat as root or use sudo netstat.
user@TryHackMe$ sudo netstat -plt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN 978/sshd
tcp 0 0 localhost:smtp 0.0.0.0:* LISTEN 1141/master
tcp6 0 0 [::]:ssh [::]:* LISTEN 978/sshd
tcp6 0 0 localhost:smtp [::]:* LISTEN 1141/masternetstat -atupn will show All TCP and UDP listening and established connections and the program names with addresses and ports in numeric format.
user@TryHackMe$ sudo netstat -atupn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 978/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1141/master
tcp 0 0 10.20.30.129:22 10.20.30.113:38822 ESTABLISHED 5665/sshd: peter [p
tcp 0 0 10.20.30.129:22 10.20.30.105:38826 ESTABLISHED 5723/sshd: jane [pr
tcp6 0 0 :::22 :::* LISTEN 978/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1141/master
udp 0 0 127.0.0.1:323 0.0.0.0:* 640/chronyd
udp 0 0 0.0.0.0:68 0.0.0.0:* 5638/dhclient
udp6 0 0 ::1:323 :::* 640/chronydOne might think that using nmap before gaining access to the target machine would have provided a comparable result. However, this is not entirely true. Nmap needs to generate a relatively large number of packets to check for open ports, which can trigger intrusion detection and prevention systems. Furthermore, firewalls across the route can drop certain packets and hinder the scan, resulting in incomplete Nmap results.
lsof stands for List Open Files. If we want to display only Internet and network connections, we can use lsof -i. The terminal output below shows IPv4 and IPv6 listening services and ongoing connections. The user peter is connected to the server rpm-red-enum.thm on the ssh port. Note that to get the complete list of matching programs, you need to run lsof as root or use sudo lsof.
user@TryHackMe$ sudo lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
chronyd 640 chrony 5u IPv4 16945 0t0 UDP localhost:323
chronyd 640 chrony 6u IPv6 16946 0t0 UDP localhost:323
sshd 978 root 3u IPv4 20035 0t0 TCP *:ssh (LISTEN)
sshd 978 root 4u IPv6 20058 0t0 TCP *:ssh (LISTEN)
master 1141 root 13u IPv4 20665 0t0 TCP localhost:smtp (LISTEN)
master 1141 root 14u IPv6 20666 0t0 TCP localhost:smtp (LISTEN)
dhclient 5638 root 6u IPv4 47458 0t0 UDP *:bootpc
sshd 5693 peter 3u IPv4 47594 0t0 TCP rpm-red-enum.thm:ssh->10.20.30.113:38822 (ESTABLISHED)
[...]Because the list can get quite lengthy, you can further filter the output by specifying the ports you are interested in, such as SMTP port 25. By running lsof -i :25, we limit the output to those related to port 25, as shown in the terminal output below. The server is listening on port 25 on both IPv4 and IPv6 addresses.
user@TryHackMe$ sudo lsof -i :25
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
master 1141 root 13u IPv4 20665 0t0 TCP localhost:smtp (LISTEN)
master 1141 root 14u IPv6 20666 0t0 TCP localhost:smtp (LISTEN)Running Services
Getting a snapshot of the running processes can provide many insights. ps lets you discover the running processes and plenty of information about them.
You can list every process on the system using ps -e, where -e selects all processes. For more information about the process, you can add -f for full-format and-l for long format. Experiment with ps -e, ps -ef, and ps -el.
You can get comparable output and see all the processes using BSD syntax: ps ax or ps aux. Note that a and x are necessary when using BSD syntax as they lift the โonly yourselfโ and โmust have a ttyโ restrictions; in other words, it becomes possible to display all processes. The u is for details about the user that has the process.
| Option | Description |
|---|---|
-e | all processes |
-f | full-format listing |
-j | jobs format |
-l | long format |
-u | user-oriented format |
For more โvisualโ output, you can issue ps axjf to print a process tree. The f stands for โforestโ, and it creates an ASCII art process hierarchy as shown in the terminal output below.
user@TryHackMe$ ps axf
PID TTY STAT TIME COMMAND
2 ? S 0:00 [kthreadd]
4 ? S< 0:00 \_ [kworker/0:0H]
5 ? S 0:01 \_ [kworker/u256:0]
[...]
978 ? Ss 0:00 /usr/sbin/sshd -D
5665 ? Ss 0:00 \_ sshd: peter [priv]
5693 ? S 0:00 | \_ sshd: peter@pts/1
5694 pts/1 Ss 0:00 | \_ -bash
5713 pts/1 S+ 0:00 | \_ vi notes.txt
5723 ? Ss 0:00 \_ sshd: jane [priv]
5727 ? S 0:00 \_ sshd: jane@pts/0
5728 pts/0 Ss 0:00 \_ -bash
7080 pts/0 R+ 0:00 \_ ps axf
979 ? Ssl 0:12 /usr/bin/python2 -Es /usr/sbin/tuned -l -P
981 ? Ssl 0:07 /usr/sbin/rsyslogd -n
1141 ? Ss 0:00 /usr/libexec/postfix/master -w
1147 ? S 0:00 \_ qmgr -l -t unix -u
6991 ? S 0:00 \_ pickup -l -t unix -u
1371 ? Ss 0:00 login -- root
1376 tty1 Ss 0:00 \_ -bash
1411 tty1 S+ 0:00 \_ man man
1420 tty1 S+ 0:00 \_ less -s
[...]To summarize, remember to use ps -ef or ps aux to get a list of all the running processes. Consider piping the output via grep to display output lines with certain words. The terminal output below shows the lines with peter in them.
user@TryHackMe$ ps -ef | grep peter
root 5665 978 0 07:11 ? 00:00:00 sshd: peter [priv]
peter 5693 5665 0 07:13 ? 00:00:00 sshd: peter@pts/1
peter 5694 5693 0 07:13 pts/1 00:00:00 -bash
peter 5713 5694 0 07:13 pts/1 00:00:00 vi notes.txtStart the attached Linux machine if you have not done so already, as you need it to answer the questions below. You can log in to it using SSH: ssh user@10.10.164.73, where the login credentials are:
- Username:
user - Password:
THM6877