environment-enumeration

Basic System Information

whoami
id
hostname
ip a
sudo -l

OS and Kernel

cat /etc/os-release
echo $PATH
env
uname -a
lscpu
cat /etc/shells

Defenses

(Commands may require root or sudo)

 iptables -L
 apparmor_status
 sestatus
 ufw status
 fail2ban-client status
 snort -V

Drives and Shares

lsblk
lpstat
cat /etc/fstab
route -n
netstat -rn
cat /etc/resolv.conf
arp -a

Users and Groups

cat /etc/passwd
cat /etc/passwd | cut -f1 -d:
grep "*sh$" /etc/passwd
cat /etc/group
getent group sudo
ls /home

File System and Hidden Files/Directories

df -h
cat /etc/fstab | grep -v "#" | column -t
find / -type f -name ".*" -exec ls -l {} \; 2>/dev/null | grep htb-student
find / -type d -name ".*" -ls 2>/dev/null
ls -l /tmp /var/tmp /dev/shm

---

---

Once you land on a system you must check several key details:

OS version

cat /etc/os*

Kernel version

uname -r

Running services

ps aux | grep root

Installed packages and version

Logged in users

User home directories

ls /home

Check for ssh keys

ls -l ~/.ssh

Check shell history

history

Find all history files

find / -type f \( -name *_hist -o -name *_history \) -exec ls -l {} \; 2>/dev/null

Sudo privileges & version

sudo -l

sudo -V

Check .config files

find / -type f \( -name *.conf -o -name *.config \) -exec ls -l {} \; 2>/dev/null

Readable shadow file

ls -la /etc/shadow

Password hashes in /etc/passwd

cat /etc/passwd

Cron jobs

ls -la /etc/cron.daily/

Unmounted file systems and additional drives

lsblk

SUID and GUID permissions binaries

Writable directories

find / -path /proc -prune -o -type d -perm -o+w 2>/dev/null

Writable files

find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null

open ports

netstat -tupln

Information gathering

System awareness

whoami

id

hostname

ifconfig

ip a

Os version

cat /etc/os-release

Kernel version

uname -r

Running services

See system path

echo $PATH

Environment variables

env

Kernel version

uname -r && cat /proc/version

Get information about the CPU

lscpu

Get login shells

cat /etc/shells

Defence in place

exec shield
Iptables
appArmor
SELinux
Fail2ban
Snort
Uncomplicated firewall

Get drive information

lsblk

Get mounted or unmounted drive

cat /etc/fstab

Routing/ARP table

route

arp -a

DNS information

cat /etc/resolv.conf

Existing users

cat /etc/passwd | cut -f1 -d:

Check user login shell

grep "*sh$" /etc/passwd

Get group information

cat /etc/group

List group members

getent group sudo

Check SSH keys

Get .bash_history information

cat ~/.bash_history

Get mounted file systems (search for .conf and .config file in them)

df -h

Get unmounted drive

cat /etc/fstab | grep -v "#" | column -t

Get all hidden files

find / -type f -name ".*" -exec ls -l {} \; 2>/dev/null | grep <username>

Get all hidden directories

find / -type d -name ".*" -ls 2>/dev/null

Check temp files

Three are three tmp file in the system and /var/tmp retention time is longer.

ls -l /tmp /var/tmp /dev/shm

Check log files (Get interesting files)

cat /etc/passwd /etc/shadow /etc/group /etc/hosts /etc/hosts.allow /etc/hosts.deny /etc/ssh/sshd_config /etc/ssh/ssh_config /etc/sudoers /etc/crontab /etc/fstab /etc/network/interfaces /etc/resolv.conf $(ls /var/log/*) /proc/cpuinfo /proc/meminfo /root/.bash_history 2>/dev/null

Analysis a binary

ltrace name

Ping

strace ping -c1 10.129.112.20

last login

lastlog || W || finger

Information about the system

find /proc -name cmdline -exec cat {} \; 2>/dev/null | tr " " "\n"

Check Installed software

apt list --installed | tr "/" " " | cut -d" " -f1,3 | sed 's/[0-9]://g' | tee -a installed_pkgs.list

Check GTFO bins against installed packages

GREEN='\033[0;32m'; NC='\033[0m'; for i in $(curl -s https://gtfobins.github.io/ | html2text | cut -d" " -f1 | sed '/^\s*$/d'); do if grep -F -q "$i" installed_pkgs.list; then echo -e "${GREEN}Check GTFO for: $i${NC}"; fi; done

Get all binaries

ls -l /bin /usr/bin/ /usr/sbin/

Find .sh scripts

find / -type f -name "*.sh" 2>/dev/null | grep -v "src\|snap\|share"