Finding Interesting Files

29 Jun 2022, 9:06 p.m.
02:41 minutes

A significant part of our job when searching a target system is looking for interesting files. Whether we need SSH keys, Bash history files or database backups, the commands typically all follow the same syntax. This article looks at using basic Linux commands to find and discover files.

    Find SUID files

    find / -perm -4000 -type f 2>/dev/null
    

    Find SUID files owned by root

    find / -uid 0 -perm -4000 -type f 2>/dev/null
    

    Find SGID (setgid) files

    find / -perm -2000 -type f 2>/dev/null
    

    Find world-writeable files

    find / -perm -2 -type f 2>/dev/null
    

    Find world-writeable files excluding those in /proc

    find / ! -path "*/proc/*" -perm -2 -type f -print 2>/dev/null
    

    Find world-writeable directories

    find / -perm -2 -type d 2>/dev/null
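
A defender's view of the permission searches above, as an added example that is not part of the original article: it sweeps one directory tree for SUID, SGID and world-writeable entries and lists setuid/setgid files that are missing from a reviewed baseline. The function names, class labels and the one-path-per-line baseline format are assumptions, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example, not from the original article. Function names, class labels
# and the baseline format (one absolute path per line) are assumptions.
# Paths containing newlines are not handled.

# perm_audit ROOT: print "CLASS PATH" for each risky permission under ROOT.
perm_audit() {
    {
        # -xdev keeps find on one filesystem, so /proc and /sys are skipped
        find "$1" -xdev -type f -perm -4000 | sed 's/^/SUID /'
        find "$1" -xdev -type f -perm -2000 | sed 's/^/SGID /'
        find "$1" -xdev -type f -perm -0002 | sed 's/^/WW_FILE /'
        # A world-writeable directory is only contained by the sticky bit
        # (as on /tmp), so report just the ones that lack it.
        find "$1" -xdev -type d -perm -0002 ! -perm -1000 |
            sed 's/^/WW_DIR_NOSTICKY /'
    } 2>/dev/null | sort
}

# unexpected_setid ROOT BASELINE: SUID/SGID paths that are not in BASELINE.
unexpected_setid() {
    perm_audit "$1" | sed -n 's/^S[UG]ID //p' | sort -u |
        awk 'FILENAME == ARGV[1] { ok[$0] = 1; next } !($0 in ok)' "$2" -
}

# make_sample_tree: build a constructed test tree and print its path.
# The body runs in a subshell so the umask change does not leak out.
make_sample_tree() (
    umask 022
    t=$(mktemp -d) || exit 1
    mkdir "$t/bin" "$t/drop" "$t/tmp"
    : > "$t/bin/passwd"; chmod 4755 "$t/bin/passwd"   # SUID, in baseline
    : > "$t/bin/helper"; chmod 4755 "$t/bin/helper"   # SUID, not in baseline
    : > "$t/notes.txt";  chmod 0666 "$t/notes.txt"    # world-writeable file
    chmod 0777 "$t/drop"                              # no sticky bit
    chmod 1777 "$t/tmp"                               # sticky, like /tmp
    printf '%s\n' "$t/bin/passwd" > "$t/baseline.txt"
    echo "$t"
)

# Usage on a real host (baseline path is a placeholder):
#   perm_audit /
#   unexpected_setid / /path/to/reviewed-baseline.txt
```

Keeping the baseline under change control turns the SUID search into a drift check: any path the second function prints was added or re-permissioned since the last review.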
    

    Find rhost config files

    find /home -name "*.rhosts" -print 2>/dev/null
    

    Find *.plan files, list permissions and cat the file contents

    find /home -iname "*.plan" -exec ls -la {} \; -exec cat {} \; 2>/dev/null
    

    Find hosts.equiv, list permissions and cat the file contents

    find /etc -iname hosts.equiv -exec ls -la {} \; -exec cat {} \; 2>/dev/null
    

    See if you can access other user directories to find interesting files

    ls -ahlR /root/
    

    Show the current user’s command history

    cat ~/.bash_history
    

    Show the current user’s various history files

    ls -la ~/.*_history
    

    Can we read root’s history files?

    ls -la /root/.*_history
    

    Check for interesting SSH files in the current user’s directory

    ls -la ~/.ssh/
    

    Find SSH keys/host information

    find / -name "id_dsa*" -o -name "id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" 2>/dev/null |xargs -r ls -la
    

    Check configuration of inetd services

    ls -la /usr/sbin/in.*
    

    Check log files for keywords (‘pass’ in this example) and show positive matches

    grep -l -i pass /var/log/*.log 2>/dev/null
    

    List files in specified directory (/var/log)

    find /var/log -type f -exec ls -la {} \; 2>/dev/null
    

    List .log files in specified directory (/var/log)

    find /var/log -name "*.log" -type f -exec ls -la {} \; 2>/dev/null
    

    List .conf files in /etc (recursive 1 level)

    find /etc/ -maxdepth 1 -name "*.conf" -type f -exec ls -la {} \; 2>/dev/null
    

    As above

    ls -la /etc/*.conf
    

    Find .conf files (recursive 4 levels) and output line number where the word ‘password’ is located

    find / -maxdepth 4 -name "*.conf" -type f -exec grep -Hn password {} \; 2>/dev/null
    

    List open files (output will depend on account privileges)

    lsof -i -n
    

    Can we read root’s mail?

    head /var/mail/root
    
