04. Linux for Ethical Hacking

📁 The Linux Filesystem Hierarchy — Your Map of the Target

Linux uses a single unified directory tree rooted at / (root). Unlike Windows drive letters, everything—hardware devices, network sockets, configuration files—is represented as a file somewhere in this tree. Know the layout and you know where to look for everything interesting on a target.

• / — The root of the entire filesystem. The top of the hierarchy. Everything starts here.
• /bin and /usr/bin — Essential system binaries (ls, cat, ping, bash, python3). The tools you will use constantly.
• /etc — High-value target. All system configuration files live here. Contains /etc/passwd (user accounts) and /etc/shadow (password hashes, readable only by root). Also contains SSH configuration, cron jobs, service configs, and network settings.
• /home — User home directories (/home/kali, /home/ubuntu). Contains .bash_history (command history), .ssh/ (SSH keys), and application-specific configs with credentials.
• /root — The root user's home directory. In CTF challenges, flags are almost always here. In real compromises, this is where you confirm you have root.
• /tmp — Temporary files. World-writable by all users. Attackers use /tmp to upload and execute tools after gaining a shell because it requires no special permissions to write to.
• /var/log — System logs. After a compromise, clearing or modifying these covers the attacker's tracks. Key logs: auth.log (authentication events), syslog, kern.log, web server access logs.
• /proc — A virtual filesystem that exposes real-time kernel and process information. /proc/[PID]/cmdline reveals exactly what command a running process was started with—useful for finding credentials passed as command-line arguments.
• /dev — Device files. /dev/null is a black hole (discard output). /dev/tty is the terminal. Attackers use /dev/tcp/ for bash-based network connections without needing netcat.

During a penetration test, your first actions on any new Linux system: whoami → id → uname -a → cat /etc/passwd → ls /home → sudo -l → ls /root (if accessible). This 30-second checklist tells you who you are, what system you're on, who else is here, and what you can do.

⌨️ Essential Commands — Master These Before Anything Else

Every tool in Kali builds on top of these fundamentals. If these are slow or unfamiliar, your penetration testing will be painfully slow.

Navigation and File Operations:

• pwd — Print Working Directory. Where am I in the filesystem right now?
• ls -la — List ALL files (including hidden files starting with a dot) in long format showing permissions, owner, size, and modification time. ls -la /home/target/.ssh/ reveals whether SSH keys exist.
• cd /var/log — Change Directory. cd .. goes up one level. cd ~ goes to your home. cd - goes back to the previous directory.
• cat /etc/passwd — Display the contents of any text file. The passwd file reveals all user accounts, their home directories, and their login shells.
• less /var/log/auth.log — View large files page by page. Press q to quit, / to search.
• cp source dest / mv source dest / rm -rf dir/ — Copy, move, delete files. rm -rf is irreversible—use with care.

Searching and Filtering — The Most Powerful Combo:

• grep -r "password" /etc/ — Recursively search all files in /etc/ for the string "password". Finds credentials buried in config files. Add -i for case-insensitive search.
• find / -name "*.conf" 2>/dev/null — Find all .conf files on the entire system. 2>/dev/null discards permission errors so output is clean.
• find / -perm -4000 -type f 2>/dev/null — Find all SUID binaries on the system. This is one of the first privilege escalation checks you run.
• cat /etc/passwd | grep -v nologin — Pipe output through grep to filter results. Shows only users with actual login shells (potential targets).
• strings /usr/bin/suspicious_binary — Extract readable ASCII strings from a binary. Often reveals hardcoded passwords, API keys, or C2 server addresses.

System Reconnaissance:

• whoami — Your current username.
• id — Full user ID, group IDs, and supplementary groups. If you see (sudo) or (docker) in the output, that's an escalation path.
• uname -a — Full kernel version. Used to look up kernel exploits (e.g., DirtyCow, overlayfs). Linux ubuntu 4.4.0-92-generic → search "4.4.0 exploit" on Exploit-DB.
• ps aux — List ALL running processes with their owners and full command. Look for processes running as root, or processes with credentials in their arguments.
• ss -tulpn (or netstat -tulpn) — Show all listening TCP/UDP ports and which process owns each. Reveals services running internally that aren't exposed externally—these are often less hardened.
• env — Print all environment variables. Credentials and API keys are frequently stored in environment variables by developers.
• history — View the user's command history. Treasure trove of information: previous SSH commands reveal other hosts on the network, previous curl commands may show API endpoints and tokens.

Networking:

• ip a — Show all network interfaces and IP addresses. Reveals which networks the machine is connected to—dual-homed machines with two network cards are pivot opportunities.
• ip route — Show the routing table. Reveals other network segments the machine can reach that you cannot reach directly.
• curl http://169.254.169.254/latest/meta-data/ — On AWS EC2 instances, this cloud metadata endpoint reveals IAM role credentials attached to the instance—a massive cloud privilege escalation vector.

🔑 Linux Permissions — Who Can Do What

Linux's permission model is elegant but can be catastrophically misconfigured. Understanding it is essential for both exploitation and hardening.

Every file has three permission sets for three groups: Owner (u), Group (g), Others (o). Permissions are read (r=4), write (w=2), and execute (x=1).

Reading a permission string: -rwxr-xr--

• First character: File type. - = regular file, d = directory, l = symlink
• rwx → Owner: read, write, execute (octal: 7)
• r-x → Group: read, execute only (octal: 5)
• r-- → Others: read only (octal: 4)

Setting permissions: chmod 755 script.sh sets rwxr-xr-x. chmod +x script.sh adds execute permission for all. chown user:group file changes ownership.

Special Permission Bits — Critical for Privilege Escalation:

• SUID (Set User ID, bit 4000): When set on an executable (-rwsr-xr-x, note the lowercase 's' in the owner execute field), the program runs as its OWNER regardless of who executes it. If root owns a SUID binary, everyone who runs it temporarily has root permissions during that process. This is intentional for programs like passwd (which needs root to modify /etc/shadow). But SUID on a program that can be abused to run arbitrary commands means instant root for any user.
• SGID (Set Group ID, bit 2000): Same concept but for groups. Files created in an SGID directory inherit the group of the directory rather than the creator's group—useful for shared workspaces but can be abused.
• Sticky Bit (bit 1000): On directories like /tmp, ensures users can only delete files they own—even though everyone can write to the directory.

⬆️ Privilege Escalation — From User Shell to Root

Getting a shell is just the beginning. You almost always land as a low-privilege user (www-data, nobody, a standard user account). Privilege escalation is the art of elevating from that foothold to root—giving you complete control of the system.

Enumeration First — Always: Before trying any exploit, thoroughly enumerate the system. Most privilege escalation paths require no exploit at all—just finding a misconfiguration:

• Sudo Misconfigurations: sudo -l lists what commands the current user can run as root without a password. If the output shows (ALL) NOPASSWD: /usr/bin/vim, you can run vim as root and escape to a shell with :!/bin/bash. Check GTFOBins (gtfobins.github.io) for escape techniques for hundreds of common binaries.
• SUID Binaries: find / -perm -4000 -type f 2>/dev/null. For every SUID binary found, check GTFOBins for exploitation techniques. Common vulnerable SUID programs: find, nmap (older versions), bash, python, perl, cp, mv, awk.
• Writable Cron Jobs: cat /etc/crontab and ls -la /etc/cron.*. If a script runs as root on a schedule and you can write to that script, simply add a line to create a new root user or copy /bin/bash with the SUID bit.
• Kernel Exploits: uname -r gives you the kernel version. Search it on Exploit-DB or run Linux Exploit Suggester (les.sh). Notable kernel exploits: DirtyCow (CVE-2016-5195), overlayfs privilege escalation, Dirty Pipe (CVE-2022-0847). Use kernel exploits as a last resort—they can crash the system.
• World-Writable /etc/passwd: If /etc/passwd is writable (misconfiguration), add a new root user: echo 'hacker:$1$salt$hash:0:0:root:/root:/bin/bash' >> /etc/passwd. User ID 0 = root.
• PATH Hijacking: If a SUID or sudo-run script calls a command without its full path (e.g., calls curl instead of /usr/bin/curl), you can create a malicious script named curl in a directory that comes first in the PATH and have it execute with elevated privileges.
• Docker Group Membership: id showing (docker) in your groups means you can trivially escape to root: docker run -v /:/mnt --rm -it alpine chroot /mnt sh—mounts the entire host filesystem inside a container and drops you into a root shell.

🔧 Essential Security Tools Pre-installed in Kali

These tools are the backbone of every Linux-based penetration test:

• Nmap: Network scanner (Module 03)
• Metasploit Framework (msfconsole): Exploitation framework (Module 10)
• Burp Suite: Web application proxy and testing suite (Module 09)
• Hashcat / John the Ripper: Password crackers (Module 12)
• Wireshark / tcpdump: Packet analyzers (Module 06)
• Netcat (nc): The "Swiss Army knife" of networking. Send and receive data over TCP/UDP, set up listeners, transfer files, and create bind or reverse shells: nc -lvnp 4444 (listen on port 4444)
• Gobuster / ffuf: Web directory and subdomain brute-forcers
• LinPEAS / WinPEAS: Automated privilege escalation enumeration scripts—run these immediately after gaining a shell to find every escalation path automatically

🧪 Lab Mission: Linux Navigation and Privilege Escalation

You have landed a shell as the user www-data on a target machine after exploiting a web vulnerability. Complete each task:

1. Run your system reconnaissance checklist: whoami, id, uname -a, ps aux, ss -tulpn. Document everything.
2. Search for interesting files: find / -name "*.conf" 2>/dev/null and grep -r "password" /var/www/ 2>/dev/null. What do you find?
3. Check sudo permissions: sudo -l. Is there any binary you can run as root without a password?
4. Find SUID binaries: find / -perm -4000 -type f 2>/dev/null. Look each result up on GTFOBins.
5. Check cron jobs: cat /etc/crontab. Are any scripts writable by www-data?
6. Attempt privilege escalation using your findings. Capture /root/flag.txt.

✅ Module 04 Summary

• Linux is your attack platform and your most common target. Fluency is non-negotiable.
• Know the critical filesystem locations: /etc (config), /tmp (writable), /var/log (logs to clear), /root (flags and secrets).
• Always run your 30-second recon checklist immediately after landing a shell: whoami → id → uname -a → sudo -l → find SUID.
• SUID binaries, sudo misconfigurations, writable cron jobs, and kernel exploits are the four most common privilege escalation vectors.
• GTFOBins is your reference for abusing legitimate binaries for privilege escalation and living-off-the-land techniques.