Training

Linux command line and basics of Linux

It is important to understand the filesystem structure in order to understand how the operating system works. The topmost directory is called the root directory and is written as /. Since the filesystem is organised as a hierarchy, every file and directory is located somewhere under the root directory. Here is the most common layout of the root directory:

  • /bin - contains programs in the form of binary files that users can run

  • /boot - contains the files needed to start the system (kernel and bootloader files)

  • /dev - contains device files (mostly virtual) that correspond to particular hardware or kernel functions

  • /etc - contains configuration files for the services on the computer and some system files

  • /usr - contains the executable files (programs) for most system programs, along with their libraries and documentation

  • /home - contains the home directories of normal users

  • /lib - contains libraries (shared code that provides extra functions) used by the executable files in the /bin and /sbin directories

  • /var - contains variable data, i.e. files that change while services run; the best-known example is the log files under /var/log

  • /proc - contains information about the processes running on the system

  • /mnt - used to mount filesystems. Mounts are usually used when users want to access other filesystems from their system

  • /opt - contains optional (third-party) software

  • /media - contains the mount points for removable media, e.g. USB drives

  • /tmp - contains temporary files. This directory is usually cleared on reboot, so it doesn't store persistent files

  • /root - the home directory of the superuser (more on this later)

The most common way an attacker gains access to a system is through a shell. A shell is a program that runs system commands (it is what you type into in a terminal). The most common shells are:

  • /bin/sh

  • /bin/bash

The first thing an attacker would do is run ls to list the contents of directories. The man command followed by the name of a command (for example, man ls) gives a detailed description of that command and its options.

The next thing an attacker would do is try to find files of interest. One common file of interest is the .bash_history file in a user's home directory, which keeps a record of the commands that user has run. This file is worth checking because it gives an indication of what the user has been doing - sometimes a user will have opened a potentially interesting file or run a revealing command (such as one with a password on the command line).

Another file an attacker would read is /etc/passwd. This file gives information about all users on the machine. Each line describes one account, and the format of its contents is like this:

username[1]:x[2]:userid[3]:groupid[4]:useridinfo[5]:/folder/location[6]:/shell/location[7]

  • 1 - username

  • 2 - usually an x character, which stands in for the password; the actual password hash is kept in /etc/shadow (see below)

  • 3 - user ID

  • 4 - group ID

  • 5 - extra comments about the user

  • 6 - home directory

  • 7 - shell location -> most real users will have one of the aforementioned shells, but accounts can also belong to particular services. These service accounts have no real shell here and instead have a path like /sbin/nologin or /usr/sbin/nologin, which means the account cannot be used for an interactive login (and sometimes cannot be logged into at all)
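To show how the seven fields above are used in practice, here is an added example (not part of the original page) that parses passwd-format data with awk and pulls out the three things an attacker checks first: which accounts have a real login shell, which accounts have UID 0 (anything besides root is a second superuser), and where a given user's home directory, and therefore their .bash_history, lives. The sample passwd data is constructed for the example; on a real host you would feed the functions /etc/passwd instead.

```shell
# Constructed sample in /etc/passwd format (not taken from any real machine).
# The "backup" account is deliberately given UID 0 to show what the check finds.
SAMPLE_PASSWD=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice Example,,,:/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/sh
backup:x:0:0:leftover admin account:/var/backups:/bin/bash
EOF
)

# Print "username shell" for every account whose 7th field is a real shell,
# i.e. not a nologin/false placeholder. Reads passwd-format data from stdin.
login_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1, $7 }'
}

# Print every account whose UID (field 3) is 0. Anything listed here besides
# root is a superuser-equivalent account and deserves a close look.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }'
}

# Print the home directory (field 6) of the user named in $1, or nothing if the
# user does not exist. .bash_history lives directly under this directory.
home_of() {
    awk -F: -v u="$1" '$1 == u { print $6 }'
}

echo "== accounts with an interactive shell =="
printf '%s\n' "$SAMPLE_PASSWD" | login_accounts
echo "== accounts with UID 0 =="
printf '%s\n' "$SAMPLE_PASSWD" | uid0_accounts
echo "== alice's home directory =="
printf '%s\n' "$SAMPLE_PASSWD" | home_of alice
```

To run the same checks on a live system, replace the printf with `cat /etc/passwd`; the functions only depend on the colon-separated layout described above.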

Since /etc/passwd is world readable, printing it makes a good proof of concept (POC) that you have access to the system. A similar file, /etc/shadow, contains the users' actual (hashed) passwords and is readable only by root.

To search for files, attackers use the find command and the grep command. The first searches the filesystem for files by name or other attributes, while the second looks for specific words or patterns inside files. Commands can also be chained with the pipe character |, which feeds the output of one command into the input of the next.

In any computer system there has to be an administrator user. In Linux, this user is referred to as the superuser and is normally called root. The root user always has a user ID of 0. Normal users can also be given administrator privileges through sudo, and this is configured in the /etc/sudoers file. The file contains entries in the form:

user host=(user:group) commands

This means that the named user, when logged in on the named host, is allowed to run the listed commands as the given user and group. The keyword ALL can be used in any of these positions, so root's own entry is typically root ALL=(ALL:ALL) ALL.
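As an added example (not from the original page), the following shell functions parse a sudoers-format file and answer the two questions a pentester asks of it: who can run every command, and which entries carry the NOPASSWD tag (a real sudoers option, not mentioned on the page above, that removes the password prompt for that entry). The sudoers content is a constructed sample.

```shell
# Constructed sudoers sample (not from a real system). Comment lines and
# Defaults lines are skipped; the remaining lines follow
#   user host=(runas_user:runas_group) commands
SAMPLE_SUDOERS=$(cat <<'EOF'
# /etc/sudoers (constructed sample)
Defaults env_reset
root    ALL=(ALL:ALL) ALL
alice   ALL=(ALL:ALL) ALL
bob     webhost=(root) /usr/bin/systemctl restart nginx
carol   ALL=(root) NOPASSWD: /usr/bin/vim
%admin  ALL=(ALL) ALL
EOF
)

# Print only the user specification lines: drop comments, blank lines and
# Defaults settings. Reads sudoers-format data from stdin.
sudoers_user_specs() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' -e '^Defaults'
}

# Print the users (or %groups) whose command list is exactly ALL, i.e. they
# can run any command through sudo.
sudoers_full_access() {
    sudoers_user_specs | awk '$NF == "ALL" { print $1 }'
}

# Print "user command" for every entry tagged NOPASSWD: the command can be run
# through sudo without entering a password.
sudoers_nopasswd() {
    sudoers_user_specs | awk '/NOPASSWD:/ { u = $1; sub(/.*NOPASSWD:[ \t]*/, ""); print u, $0 }'
}

echo "== unrestricted sudo =="
printf '%s\n' "$SAMPLE_SUDOERS" | sudoers_full_access
echo "== passwordless entries =="
printf '%s\n' "$SAMPLE_SUDOERS" | sudoers_nopasswd
```

On a real host /etc/sudoers is only readable by root, so this is a check you run once you already have root (or against a copy found in a backup); the low-privilege way to learn your own entries is `sudo -l`.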

grep -l -e "password" *

  • -l - tells grep to output only the names of the files that match, not the matching lines

  • -e - specifies the pattern (here the string password) that we are looking for

  • * - is expanded by the shell to every file in the current directory, so all of them are searched (add -r to descend into subdirectories as well)

After going around in circles trying to get privileges to access the /etc/shadow file, I realized that in the supporting material they mentioned backup files (.bak). So maybe there is a backup of the shadow file somewhere, and the name of the file will logically be shadow.bak.
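The grep search above and the hunt for a shadow.bak copy are the same job, finding files by content and by name, so here is one added example (not part of the original page) that does both over a throwaway directory tree. The tree and its files are constructed for the example; a pipe joins find to grep so that only the backup files that actually look like a password database are reported.

```shell
# Create a throwaway directory tree to search and print its path. Every file
# in it is constructed for this example; no real system files are touched.
make_sample_tree() {
    sample_root=$(mktemp -d)
    mkdir -p "$sample_root/etc" "$sample_root/var/backups" "$sample_root/home/alice/notes"
    printf '127.0.0.1 localhost\n' > "$sample_root/etc/hosts"
    printf 'root:*:19000:0:99999:7:::\n' > "$sample_root/var/backups/shadow.bak"
    printf 'db_password=hunter2\n' > "$sample_root/home/alice/config.bak"
    printf 'reset the db password tomorrow\n' > "$sample_root/home/alice/notes/todo.txt"
    printf 'cat /etc/passwd\nls -la /var/backups\n' > "$sample_root/home/alice/.bash_history"
    printf '%s\n' "$sample_root"
}

# find: every regular file under $1 whose name ends in .bak or starts with
# "shadow", which is where a backup copy of /etc/shadow would turn up.
find_backup_files() {
    find "$1" -type f \( -name '*.bak' -o -name 'shadow*' \) 2>/dev/null | sort
}

# grep: every file under $1 whose content matches pattern $2, names only
# (-l), case-insensitive (-i), recursing into subdirectories (-r).
files_mentioning() {
    grep -r -l -i -e "$2" "$1" 2>/dev/null | sort
}

# Pipe find into grep: of the backup-looking files, keep only those that
# contain a line starting with "root:", the signature of a passwd/shadow copy.
backup_password_files() {
    find_backup_files "$1" | while IFS= read -r f; do
        grep -q '^root:' "$f" && printf '%s\n' "$f"
    done
}

SAMPLE=$(make_sample_tree)
echo "== backup-looking files =="
find_backup_files "$SAMPLE"
echo "== files mentioning 'password' =="
files_mentioning "$SAMPLE" password
echo "== backups that contain a root entry =="
backup_password_files "$SAMPLE"
rm -rf "$SAMPLE"
```

Against a real machine you would call the functions with / (or /var/backups, /etc and the home directories, which are the usual places) instead of the sample path; note that the .bash_history file is found by both searches even though it is hidden, because neither find nor grep -r skips dotfiles.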
