# Hackathon 0: Linux Fundamentals

This is a hands-on walkthrough for getting familiar with the Linux operating system and, more generally, an introduction to the technical information you need before starting a Capture The Flag.

The most basic Linux commands are, of course, the ones for browsing folders. So open a terminal and run some commands to look around the folders.

Google Colab is a cloud-based Jupyter Notebook environment that lets you write and execute Python code in your browser. To upload files, use `from google.colab import files` and then `files.upload()` to select and upload files from your local machine. Uploaded files are stored in the virtual environment's temporary file system. To run shell commands (as in a terminal), prefix them with an exclamation mark (`!`). For example, `!ls` lists files, and `!pip install` installs Python packages. These commands are executed in the notebook's underlying Linux environment.

These commands execute in a Linux-based virtual machine provided by Google in the cloud, giving you access to a temporary, isolated environment for running code and installing dependencies. While it behaves similarly to a Docker container in terms of isolation, Colab actually runs on a managed Google Cloud VM. The environment is ephemeral, meaning all files and installations are lost when the session ends unless you save them externally (e.g., to Google Drive).

## 01. List files (ls)

The following command lists the files in the current directory:

In [None]:
!ls -l

The output indicates that there is a single directory named sample_data located in the current directory. This directory is owned by the root user and the root group. It has permissions set to allow the owner to read, write, and execute; members of the group to read and execute; and all other users to also read and execute. The directory was last modified on July 16 at 13:48. It occupies 4096 bytes (4 KB) of disk space, which is typical for an empty directory or one containing only minimal metadata. The "total 4" at the top refers to the total number of 1 KB blocks used by the listed entries—in this case, just the sample_data directory.

## 02. Current Folder (pwd)
You can see in which folder you are right now.

In [None]:
!pwd

The result of the pwd command, which shows /content, indicates that the current working directory is /content. This means that any files you create, access, or list using commands like ls are located within this directory. In environments such as Google Colab, /content is the default location where files are stored and operations are performed unless the directory is changed explicitly. Therefore, if a directory named sample_data appears in a listing, its full path would be /content/sample_data.

## 03. Create directory, change directory
To go one folder up or down, use `cd`.

In [None]:
!mkdir testfolder
!ls

In [None]:
%cd ..

This command changes the current working directory to the parent directory (one level up). It’s a magic command specific to Jupyter notebooks, not a regular shell command.



In [None]:
!ls -l

This output shows the detailed listing (ls -l) of the root directory (/) in a Google Colab virtual machine. It reveals the main system folders like bin, boot, etc, home, usr, and var, along with symbolic links (like bin -> usr/bin) and files. Each line shows permissions, ownership (mostly root), size, and last modification date. This reflects a typical Linux filesystem hierarchy running inside the isolated Colab environment, where you have access to standard directories and system files, but limited write permissions outside certain folders like /content or /tmp.


## 04. Find your Hostname

Executing !hostname in Google Colab returns a string of characters like "58fc39a04e6b", which is the hostname of the virtual machine running the code. This string serves as a unique identifier for the virtual machine instance.

In [None]:
!hostname

In a normal Linux system the command will return the hostname of the machine, which is typically set during the system configuration. The hostname could be something like "mycomputer" or "example.com", depending on how the system administrator has configured it. It's usually a user-friendly name rather than a randomly generated string like in the case of Google Colab.

## 05. Understanding the System: Kernel Information

### Command: `uname -a`
```bash
uname -a
```
The `uname -a` command provides comprehensive information about the system, including the kernel version, machine hardware name, processor type, and operating system. This information is crucial for identifying potential kernel vulnerabilities that could be exploited.

In [None]:
!uname -a

The command uname -a is a Unix/Linux command that retrieves system information about the operating system.

1. Kernel Version: "6.1.85+ #1 SMP PREEMPT_DYNAMIC" - This indicates the version of the Linux kernel running on the system. The kernel is the core component of the operating system responsible for managing system resources and facilitating communication between software and hardware.

2. System Time: "Sun Apr 28 14:29:16 UTC 2024" - This specifies the date and time when the kernel was built or when the system was last booted. In this case, the system was last booted on Sunday, April 28, 2024, at 14:29:16 UTC.

3. Architecture: "x86_64 x86_64 x86_64" - This indicates the system architecture, which is x86_64. It means that the system is capable of running 64-bit software. The repetition of "x86_64" suggests that the system has multiple CPUs or CPU cores, all of which are 64-bit capable.

4. Operating System: "GNU/Linux" - This specifies the operating system type. In this case, it's a Linux-based operating system.

## 06. Who Am I?

### Command: `whoami`
```bash
whoami
```
The `whoami` command simply returns the username of the current user. This can be useful for quickly verifying your user identity, especially when switching between different accounts or using sudo.

In [None]:
!whoami

When the response returns as "root," it denotes a significant level of authority. "Root" isn't merely a username; it symbolizes the superuser account, embodying the pinnacle of system access. As the superuser, one wields unparalleled control over the system's resources and functionalities. With the power to execute commands, modify critical system files, and administer user privileges, the root user stands as the ultimate arbiter of the system's fate. However, such omnipotence demands vigilance, as even a single erroneous command can have far-reaching consequences, potentially jeopardizing the stability and security of the entire system. Thus, while the root user commands immense authority, exercising it judiciously is paramount to ensuring the integrity and reliability of the system.

Run the `whoami` command. What is the current username you are logged in with?

## 07. Distribution Information

### Command: `lsb_release -a`
```bash
lsb_release -a
```
The `lsb_release -a` command provides detailed information about the Linux distribution. This includes the distributor ID, description, release number, and codename. This information is essential for identifying the exact OS version in use.

In [None]:
!lsb_release -a

Google Colab, being a cloud-based service, doesn't include all the components found in a full Linux distribution, such as the LSB modules that `lsb_release` reports on.

---

The Linux Standard Base (LSB) is a project initiated by the Linux Foundation to standardize the structure and components of Linux distributions. Its primary goal is to increase compatibility among different Linux distributions by defining a common set of standards and APIs (Application Programming Interfaces). This helps developers create software that can run seamlessly across various Linux distributions without needing to be modified for each specific distribution.

Key components of the LSB include:

1. Filesystem Hierarchy Standard (FHS): Defines the directory structure and organization of files within a Linux system, ensuring consistency across distributions.

2. Binary Compatibility: Specifies standards for binary executables and libraries, enabling applications compiled on one LSB-compliant system to run on another without compatibility issues.

3. Core Libraries: Defines a set of core libraries and APIs that must be present on LSB-compliant systems, ensuring a common foundation for software development.

4. Command-line Interfaces (CLI): Specifies standard command-line utilities and options, promoting uniformity in how users interact with the system.

5. Packaging Formats: Recommends packaging formats and tools for distributing software, facilitating software installation and management across distributions.

## 08. OS Release Information

### Command: `cat /etc/*-release`
```bash
cat /etc/*-release
```
The `/etc/*-release` files contain release information for the operating system. These files can include details like the OS name, version, and more. They provide a broader range of details compared to `lsb_release`.

In [None]:
!cat /etc/*-release

* Distributor ID: Indicates that the distribution is Ubuntu.
* Release: Specifies the version of Ubuntu (22.04).
* Codename: Gives the code name of the Ubuntu release (Jammy).
* Description/Pretty Name: Provides a detailed description of the Ubuntu version, including the LTS (Long-Term Support) designation and the code name.
* Version ID: Specifies the version number of Ubuntu (22.04).
* Version: Further details the version as 22.04.3 LTS (Jammy Jellyfish).
* Version Codename: Reiterates the code name of the Ubuntu release (jammy).
* ID/Like: Mentions that Ubuntu is similar to Debian, a popular Linux distribution.
* Home URL/SUPPORT_URL/BUG_REPORT_URL/PRIVACY_POLICY_URL: Provide links for Ubuntu's home page, support, bug reporting, and privacy policy.
* UBUNTU_CODENAME: Again specifies the code name of the Ubuntu release (jammy).
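The `/etc/os-release` file printed above is a simple `KEY=value` format, with values optionally wrapped in double quotes. Scripts that need to branch on the distribution (for example, to choose `apt` versus another package manager) should read the file rather than guess. The following shell functions are an added example, not part of the original notebook: they read one key out of an os-release style file and decide whether the system is Debian-like. The sample content is constructed to mirror the Ubuntu 22.04 fields discussed above.

```shell
# Constructed sample in /etc/os-release format (mirrors the Ubuntu 22.04 fields above).
OS_RELEASE_SAMPLE='NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.3 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 22.04.3 LTS"
HOME_URL="https://www.ubuntu.com/"'

# os_release_get KEY [FILE]: print the value of KEY with surrounding double
# quotes removed. Reads FILE when given (e.g. /etc/os-release), otherwise the
# constructed sample above. Prints nothing when the key is absent.
os_release_get() {
    key=$1
    if [ -n "$2" ]; then
        content=$(cat "$2")
    else
        content=$OS_RELEASE_SAMPLE
    fi
    printf '%s\n' "$content" | awk -F= -v k="$key" '
        $1 == k {
            v = substr($0, length(k) + 2)   # everything after "KEY="
            gsub(/^"|"$/, "", v)            # strip one pair of enclosing quotes
            print v
            exit
        }'
}

# os_is_debian_like [FILE]: exit 0 when ID or ID_LIKE names debian, else 1.
# Useful before deciding that apt is the right package manager.
os_is_debian_like() {
    id=$(os_release_get ID "$1")
    like=$(os_release_get ID_LIKE "$1")
    case " $id $like " in
        *" debian "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run: summarise the sample (pass /etc/os-release as the second
# argument to each call to inspect the real system instead).
printf 'Distribution: %s %s (%s)\n' \
    "$(os_release_get ID)" "$(os_release_get VERSION_ID)" "$(os_release_get VERSION_CODENAME)"
if os_is_debian_like; then echo "Debian-like: apt is the expected package manager"; fi
```

Values are read from the whole line after the first `=`, so a value that itself contains `=` (as some URLs do) survives intact.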

## 09. Kernel Version

### Command: `uname -r`
```bash
uname -r
```
The `uname -r` command returns only the kernel version, making it a quick way to check the kernel version without the extra details provided by `uname -a`.

In [None]:
!uname -r

The output is the kernel release version of the current operating system. In the output above, "6.1.85+", "6.1.85" represents the kernel version, and the additional "+" symbol typically indicates that the kernel includes additional patches or modifications beyond the base version.
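A common defender's task is to check that the running kernel is at or above a known-fixed version, which means parsing strings such as "6.1.85+" or "5.15.0-91-generic" into numbers first. The functions below are an added example, not from the original notebook: `kver_parts` strips the suffix and prints the three numeric components, and `kver_ge` compares two release strings component by component. In real use the first argument would be `$(uname -r)`; here the value from the notebook output is used so the demo is self-contained.

```shell
# kver_parts RELEASE: print "major minor patch" from a kernel release string,
# dropping suffixes such as "+" or "-91-generic" from the patch component.
kver_parts() {
    printf '%s\n' "$1" | awk -F. '{
        maj = $1 + 0
        min = $2 + 0
        sub(/[^0-9].*$/, "", $3)   # "85+" -> "85", "0-91-generic" -> "0"
        pat = $3 + 0
        print maj, min, pat
    }'
}

# kver_ge CURRENT MINIMUM: exit 0 when CURRENT >= MINIMUM, else 1.
kver_ge() {
    set -- $(kver_parts "$1") $(kver_parts "$2")
    # $1 $2 $3 = current major/minor/patch, $4 $5 $6 = minimum
    if [ "$1" -ne "$4" ]; then
        if [ "$1" -gt "$4" ]; then return 0; else return 1; fi
    fi
    if [ "$2" -ne "$5" ]; then
        if [ "$2" -gt "$5" ]; then return 0; else return 1; fi
    fi
    if [ "$3" -ge "$6" ]; then return 0; else return 1; fi
}

# Stand-alone demo using the release string shown in the notebook output.
# Replace "6.1.85+" with "$(uname -r)" to check the machine you are on.
if kver_ge "6.1.85+" "6.1.0"; then
    echo "6.1.85+ meets the minimum 6.1.0"
else
    echo "6.1.85+ is below the minimum 6.1.0"
fi
```

Because the comparison is numeric per component, "6.10.0" correctly sorts above "6.2.0", which a plain string comparison would get wrong.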

### Exercise 6: Check Kernel Version

Run the `uname -r` command. What is the kernel version of your system?

## 10. System Architecture

### Command: `arch`
```bash
arch
```
The `arch` command displays the architecture of the machine, such as `x86_64` for 64-bit systems. This is useful for understanding the hardware capabilities of the system.

Run this command to determine the system architecture:

In [None]:
!arch

This means that your system supports 64-bit instructions and can run 64-bit software.

## 11. System Uptime

### Command: `uptime`
```bash
uptime
```
The `uptime` command shows how long the system has been running, the number of users, and the system load averages. This can be useful for understanding the system's stability and current load.

Use this command to check the system's uptime and load:

In [None]:
!uptime

* Uptime: The system has been up
* Users: Currently, there are no users logged in.
* Load Average: The load average values represent the system load over the last 1, 5, and 15 minutes, respectively. In this case, the load averages are 0.35, 0.24, and 0.20. These numbers indicate the average number of processes that are either in a runnable state or waiting for CPU time over the specified time intervals. Lower load averages generally indicate a system that is not heavily loaded.

## 12. CPU Information

### Command: `lscpu`
```bash
lscpu
```
The `lscpu` command provides detailed information about the CPU architecture, including the number of CPUs, threads, cores, sockets, and more. This information is crucial for performance tuning and understanding the processing power of the system.

Use this command to gather detailed CPU information:

In [None]:
!lscpu

## 13. Memory Usage

### Command: `free -h`
```bash
free -h
```
The `free -h` command displays the system's memory usage in a human-readable format. It shows the total, used, and free memory, along with buffers and cache used by the kernel.

Run this command to check the memory usage of the system:

In [None]:
!free -h

## 14. Disk Usage

### Command: `df -h`
```bash
df -h
```
The `df -h` command displays disk space usage in a human-readable format. It shows the total, used, and available space on all mounted filesystems.

Use this command to check the disk usage on the system:

In [None]:
!df -h

The output lists various filesystem types mounted on different directories within the Linux filesystem hierarchy. Here's a breakdown:

1. overlay: This is likely the root filesystem (or "/" directory) of the system. It's utilizing the overlay filesystem, which is commonly used in containerization technologies like Docker.

2. tmpfs: This is a temporary filesystem stored in the system's memory (RAM). It's often used for temporary files and directories that don't need to be persisted across reboots.

3. shm: This is another temporary filesystem, specifically a shared memory filesystem. It's used for creating shared memory segments that can be accessed by multiple processes.

4. /dev/root: This appears to be a block device filesystem mounted at the root directory ("/"). It's likely the primary filesystem for the system, containing the operating system and other essential files.

5. /dev/sda1: This is a block device filesystem, typically representing a partition on a physical disk (such as a hard drive or SSD). It's mounted at the directory specified, providing additional storage space for the system.

6. tmpfs: Another temporary filesystem stored in memory.

Debian-based Linux distributions such as Ubuntu use apt to simplify software management, providing users with a convenient and efficient way to install, update, and remove software packages.

The first command, "!apt update", triggers an update of the package information sourced from the repositories configured on the system. This ensures that the user has access to the latest software updates and versions. Following this, the second command, "!apt install hwinfo", proceeds to install the "hwinfo" package using the "apt" package manager.

In [None]:
!apt update
!apt install hwinfo
!apt install net-tools

The command !apt update is used to refresh the local package index by retrieving the latest package information from the repositories. This ensures that you have up-to-date information about available software versions and dependencies. It's important to run this before installing any new packages to avoid issues with outdated package metadata. The second command, !apt install hwinfo, installs the hwinfo utility, which is used to display detailed information about the hardware components of the system. The third command, !apt install net-tools, installs a collection of networking tools, such as ifconfig and netstat, which are useful for diagnosing and managing network interfaces. The ! prefix is used in environments like Jupyter or Google Colab to indicate that the command should be run in the system shell rather than in the Python interpreter.

## 15. Hardware Information

### Command: `hwinfo`
```bash
sudo hwinfo
```
The `hwinfo` command provides detailed information about the hardware present in the system. It includes details about CPU, memory, disks, network interfaces, and more. This command is often used for diagnosing hardware issues or for inventory purposes.

Gather comprehensive hardware details using this command:

In [None]:
!sudo hwinfo

## 16. Network Configuration

### Command: `ifconfig`
```bash
sudo ifconfig
```
The `ifconfig` command displays the network configuration for all network interfaces on the system. It includes details about IP addresses, MAC addresses, and more. The ifconfig command is part of the net-tools package, which provides a set of command-line tools for network monitoring and configuration.

Check the network configuration using this command:

In [None]:
!sudo ifconfig

The provided output details the configuration and statistics of the network interface "eth0". It reveals that the interface is currently active and operational, supporting broadcasting and multicast traffic. The IP address assigned to the interface is "172.28.0.12

The IP address "172.28.0.12" is often associated with Docker containers, especially when using Docker in a local development environment or within a containerized setup. Google Colab's backend infrastructure utilizes Docker or similar containerization technologies internally, and the reported IP address reflects this.

## 17. Network Statistics

### Command: `netstat -an`
```bash
sudo netstat -an
```
The `netstat -an` command provides detailed information about network connections, including listening and established connections, along with their state.

Use this command to analyze network statistics:

In [None]:
!sudo netstat -an

The provided network socket entries illustrate the status of TCP connections on a system. The first line, "tcp 0 0 172.28.0.12:6000 0.0.0.0:* LISTEN", indicates that the system is actively listening for incoming connections on port 6000 of the local IP address "172.28.0.12". The IP address "0.0.0.0" denotes that it's listening on all available network interfaces. The second line, "tcp 0 0 172.28.0.12:6000 172.28.0.12:60066 ESTABLISHED", reveals an established connection between the local machine and a remote host located at IP address "172.28.0.12" on port "60066". This connection is in the "ESTABLISHED" state, indicating that data transfer is actively occurring between the local and remote hosts. Such information is vital for network administrators and system operators to monitor and manage network activity, ensuring the efficient functioning and security of the system.

For TCP connections, details include the protocol (TCP), the Receive and Send queues (Recv-Q and Send-Q), the local and foreign addresses, and the state of the connection. The state indicates whether the connection is listening for incoming requests, established, or in a time-wait state after closure.

For UDP connections, only the local and foreign addresses are shown, along with the protocol (UDP).

Additionally, the text presents active UNIX domain sockets, specifying the protocol (Unix), reference count, flags, type, state, and the corresponding file path for each socket.

This summary provides a comprehensive snapshot of the network activity and socket usage on the system, facilitating network monitoring and troubleshooting tasks.
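When reviewing `netstat -an` output, the two questions a defender asks first are "which services are reachable from outside this host?" and "how many connections are in each state?". The functions below are an added example, not part of the original notebook: they read `netstat -an` style text on standard input. `netstat_exposed_listeners` prints the local address of every TCP socket in LISTEN state that is not bound to loopback, and `netstat_state_counts` tallies TCP connections by state. The sample is constructed around the two entries discussed above plus a loopback-only listener and an SSH listener on all interfaces.

```shell
# Constructed netstat -an sample (the 6000 entries mirror the ones discussed above).
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 172.28.0.12:6000        0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 172.28.0.12:6000        172.28.0.12:60066       ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# netstat_exposed_listeners: read netstat -an output on stdin and print the
# local address:port of each TCP listener that is NOT bound to loopback
# (127.x.x.x or ::1). These are the services other hosts can reach.
netstat_exposed_listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
        addr = $4
        sub(/:[0-9*]+$/, "", addr)             # strip ":port", keep the IP part
        if (addr !~ /^127\./ && addr != "::1") print $4
    }'
}

# netstat_state_counts: count TCP sockets per state ("LISTEN 3", "ESTABLISHED 1"),
# sorted by state name for stable output.
netstat_state_counts() {
    awk '$1 ~ /^tcp/ && NF >= 6 { n[$6]++ } END { for (s in n) print s, n[s] }' | sort
}

# Stand-alone run on the constructed sample; on a live system pipe in
# `netstat -an` (or `ss -tan`, which prints a compatible column layout).
echo "Exposed TCP listeners:"
printf '%s\n' "$NETSTAT_SAMPLE" | netstat_exposed_listeners
echo "TCP sockets by state:"
printf '%s\n' "$NETSTAT_SAMPLE" | netstat_state_counts
```

The loopback test works on the address with the port removed, so an IPv6 wildcard listener such as `:::22` is still reported as exposed while `::1:9000` is not.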

## 18. Environmental Variables


The output of the env command provides a list of environment variables that are set in the current shell session, each specifying certain configurations and settings for the environment. For example, SHELL=/bin/bash indicates that the default shell for the session is Bash, a popular Unix shell. NV_LIBCUBLAS_VERSION=12.2.5.6-1 specifies the version of the NVIDIA cuBLAS library, a GPU-accelerated library for dense linear algebra computations, used for high-performance computing tasks. NVIDIA_VISIBLE_DEVICES=all signifies that all available NVIDIA GPU devices are accessible, which is particularly relevant in environments that support GPU acceleration, like Google Colab. Lastly, COLAB_JUPYTER_TRANSPORT=ipc indicates the transport mechanism used by Jupyter in Colab, where ipc (inter-process communication) is utilized for communication between processes. These environment variables configure and control various aspects of the system's behavior and resource usage, facilitating customized and efficient execution of tasks within the environment.
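Environment variables are inherited by every child process, and they end up in crash dumps, CI logs and notebook outputs, so the security-relevant question when reading `env` output is whether any of them carry credentials. The functions below are an added example, not part of the original notebook: `env_redact` reads `KEY=value` lines on standard input and masks the value of any variable whose name suggests a secret, and `env_sensitive_names` lists just those names. The sample is constructed from the Colab variables named above plus two invented credential variables.

```shell
# Constructed env-style sample: real Colab variable names from the text above,
# plus two invented credential variables (API_TOKEN, DB_PASSWORD) for the demo.
ENV_SAMPLE='SHELL=/bin/bash
NVIDIA_VISIBLE_DEVICES=all
COLAB_JUPYTER_TRANSPORT=ipc
API_TOKEN=abc123
DB_PASSWORD=hunter2
PATH=/usr/local/bin:/usr/bin'

# env_redact: print every KEY=value line, replacing the value with <redacted>
# when the upper-cased name contains a credential-like word.
env_redact() {
    awk -F= '{
        name = $1
        val = substr($0, length(name) + 2)     # keep "=" inside values intact
        if (toupper(name) ~ /(PASS|SECRET|TOKEN|API_KEY|PRIVATE|CREDENTIAL)/) val = "<redacted>"
        print name "=" val
    }'
}

# env_sensitive_names: only the names that env_redact masked, one per line.
env_sensitive_names() {
    env_redact | awk -F= '$2 == "<redacted>" { print $1 }'
}

# Stand-alone run on the sample. On a live shell use:  env | env_redact
echo "Environment with secrets masked:"
printf '%s\n' "$ENV_SAMPLE" | env_redact
echo "Variables that should not be printed or logged:"
printf '%s\n' "$ENV_SAMPLE" | env_sensitive_names
```

The name-based rule is deliberately simple; treat it as a first pass that catches the obvious cases, and extend the word list for whatever naming convention your environment uses.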



In [None]:
!env

## 19. PS command

The ps command in Linux is used to display information about the currently running processes. It can provide a snapshot of the processes running at a given moment.

Show all processes:

```bash
ps -e
```

```bash
ps -A
```

Detailed information about all processes:

```bash
ps -ef
```

Show processes in a user-oriented format (the BSD-style `u` option, written without a dash):

```bash
ps u
```

Display processes in full-format listing:

```bash
ps -f
```

Display processes by a specific user:

```bash
ps -u username
```

Show process tree:

```bash
ps -e --forest
```

Here's an example script to monitor CPU and memory usage of processes:

```bash
#!/bin/sh
# Print the ten processes using the most CPU, then the ten using the most memory.

echo "Top CPU consuming processes:"
ps -eo pid,comm,%cpu --sort=-%cpu | head -n 10

echo ""
echo "Top memory consuming processes:"
ps -eo pid,comm,%mem --sort=-%mem | head -n 10
```

In [None]:
!ps -e

In [None]:
!ps -eo pid,comm,%cpu --sort=-%cpu | head -n 10

The command ps -eo pid,comm,%cpu --sort=-%cpu | head -n 10 is used to display the top 10 running processes on a Unix-like system based on their CPU usage. Here's what it does in detail: the ps -eo option formats the output to show the process ID (pid), the command name (comm), and the percentage of CPU usage (%cpu). The --sort=-%cpu flag sorts the processes in descending order of CPU usage, so the most CPU-intensive processes appear at the top. Finally, head -n 10 limits the output to the top 10 lines.

From the output, we can see that the process with the highest CPU usage is a defunct Python process (pytho <defunct>) using XXX% of the CPU. Defunct or "zombie" processes have completed execution but still occupy an entry in the process table, usually because their parent process hasn't yet read their exit status. Other active processes include node, python3, and jupyter-notebook, indicating that the environment is running web-based notebooks (like in Google Colab) and scripts. Processes such as colab-fileshim and oom_monitor.sh are specific to Colab, handling file syncing and memory monitoring respectively. The process docker-init is likely the initial process within the containerized environment, reflecting that Colab runs its kernels inside containers.
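Two things in the `ps` output above deserve automated checks rather than eyeballing: zombie (`<defunct>`) processes, whose parent should be identified so the leak can be traced, and processes exceeding a CPU budget. The functions below are an added example, not from the original notebook: they read `ps -eo pid,ppid,stat,%cpu,comm` style output on standard input. The sample is constructed to resemble the Colab process list described above, with the CPU figures invented.

```shell
# Constructed ps -eo pid,ppid,stat,%cpu,comm sample (process names from the
# notebook description above; PIDs and CPU percentages are invented).
PS_SAMPLE='    PID    PPID STAT %CPU COMMAND
      1       0 Ss    0.0 docker-init
      7       1 Sl    2.1 node
     42       7 Z     0.0 python3 <defunct>
     55       7 Sl   15.3 python3
     60       1 S     0.4 jupyter-notebook
     61       1 S     0.0 oom_monitor.sh'

# ps_zombies: print "PID PPID COMMAND" for every process whose STAT starts
# with Z. The PPID is the process that has not yet reaped the child.
ps_zombies() {
    awk 'NR > 1 && $3 ~ /^Z/ { print $1, $2, $5 }'
}

# ps_cpu_over THRESHOLD: print "PID COMMAND" for processes above THRESHOLD %CPU.
ps_cpu_over() {
    awk -v t="$1" 'NR > 1 && $4 + 0 > t + 0 { print $1, $5 }'
}

# ps_zombie_count: number of zombie processes (handy for a monitoring check).
ps_zombie_count() {
    ps_zombies | wc -l | tr -d ' '
}

# Stand-alone run on the sample. On a live system:
#   ps -eo pid,ppid,stat,%cpu,comm | ps_zombies
echo "Zombie processes (PID PPID COMMAND):"
printf '%s\n' "$PS_SAMPLE" | ps_zombies
echo "Processes above 10% CPU:"
printf '%s\n' "$PS_SAMPLE" | ps_cpu_over 10
```

A zombie cannot be killed directly, since it has already exited; what clears it is the parent calling `wait()`, so the PPID column is the actionable part of the report.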

## 20. Top command
The top command in Linux provides a dynamic, real-time view of the system’s running processes, similar to the Task Manager in Windows. It displays system summary information and a list of processes or threads currently being managed by the Linux kernel.

System Summary:
- uptime: How long the system has been running.
- users: Number of logged-in users.
- load average: System load averages for the last 1, 5, and 15 minutes.
- tasks: Total number of tasks and their states (running, sleeping, stopped, zombie).
- CPU usage: Percentage of CPU time used by different categories (user, system, idle, etc.).
- Memory usage: Total, used, free, and buffer/cache memory.
- Swap usage: Total, used, and free swap space.

In [None]:
!top

In [None]:
!apt install htop

## 21. Netstat

The netstat command in Linux provides information about network connections, routing tables, interface statistics, masquerade connections, and multicast memberships.

List all active connections and listening ports:

```bash
netstat -a
```
Show only listening ports:

```bash
netstat -l
```
Display routing table:

```bash
netstat -r
```
Show network interface statistics:

```bash
netstat -i
```
Show extended information (includes user and inode):
```bash
netstat -e
```
Display TCP connections:
```bash
netstat -t
```
Display UDP connections:
```bash
netstat -u
```
Show raw socket connections:
```bash
netstat -w
```
Show summary statistics for each protocol:
```bash
netstat -s
```

In [None]:
!apt install net-tools

In [None]:
!netstat -tuln

## 22. Sudo -l

The sudo -l command in Linux is used to list the allowed (and forbidden) commands for the invoking user on the current host. This command helps users and administrators understand what commands the user can run with elevated privileges without actually running them.

In [None]:
!sudo -l

This output comes from the sudo -l command, which lists the allowed sudo privileges for the user — in this case, for the root user on the host XXXXXXX. The system is showing the default sudo security policies and privileges that apply to the root user on a machine identified by the hostname XXXXXXX (which is likely a container or virtual machine). The Matching Defaults entries section lists global settings for sudo, including env_reset, which clears most environment variables for security; mail_badpass, which sends mail if a user enters an incorrect password; secure_path, which defines a safe execution path for sudo commands; and use_pty, which forces sudo commands to run within a pseudo-terminal to help logging and prevent certain exploits. The second part, User root may run the following commands, indicates that the root user has unrestricted sudo access — meaning it can execute any command as any user or group, as denoted by (ALL : ALL) ALL. This reflects full administrative privileges on the system.

The first ALL means that root can run commands as any user, including root and any other user on the system.
The second ALL means that root can run commands as any group.
The final ALL means that root can run any command.
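Reading `sudo -l` output by hand is fine for one host, but an audit across many hosts wants the rule lines in a structured form so that unrestricted or passwordless entries stand out. The functions below are an added example, not part of the original notebook: `sudo_rules` reads `sudo -l` output on standard input and prints each rule as `runas_user|runas_group|nopasswd|command`, and `sudo_has_full_access` reports whether any rule is the unrestricted `(ALL : ALL) ALL` form discussed above. The sample is constructed: the hostname `examplehost` is a placeholder, and the second rule is an invented `NOPASSWD` entry added to show how such an entry is flagged.

```shell
# Constructed sudo -l sample. "examplehost" is a placeholder hostname; the
# NOPASSWD rule is invented to show how passwordless entries are reported.
SUDO_L_SAMPLE='Matching Defaults entries for root on examplehost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User root may run the following commands on examplehost:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/systemctl restart nginx'

# sudo_rules: print each rule line as user|group|nopasswd|command.
# A rule line is an indented line beginning with "(", e.g. "(ALL : ALL) ALL";
# group is "-" when the spec has no ":group" part.
sudo_rules() {
    awk '
        /^[ \t]+\(/ {
            match($0, /\([^)]*\)/)
            spec = substr($0, RSTART + 1, RLENGTH - 2)   # "ALL : ALL"
            rest = substr($0, RSTART + RLENGTH)          # " ALL" or " NOPASSWD: ..."
            gsub(/[ \t]/, "", spec)                      # "ALL:ALL"
            n = split(spec, p, ":")
            user = p[1]
            group = (n > 1) ? p[2] : "-"
            sub(/^[ \t]+/, "", rest)
            nopw = "no"
            if (rest ~ /^NOPASSWD:/) { nopw = "yes"; sub(/^NOPASSWD:[ \t]*/, "", rest) }
            print user "|" group "|" nopw "|" rest
        }'
}

# sudo_has_full_access: exit 0 when any rule lets the user run ALL commands as
# ALL users (the "(ALL : ALL) ALL" or "(ALL) ALL" forms), else 1.
sudo_has_full_access() {
    sudo_rules | grep -q '^ALL|[^|]*|[^|]*|ALL$'
}

# Stand-alone run on the sample. On a live system:  sudo -l | sudo_rules
echo "Parsed sudo rules (user|group|nopasswd|command):"
printf '%s\n' "$SUDO_L_SAMPLE" | sudo_rules
if printf '%s\n' "$SUDO_L_SAMPLE" | sudo_has_full_access; then
    echo "At least one rule grants unrestricted sudo"
fi
```

The `Defaults` line is skipped because it does not start with a parenthesised run-as spec; only the rule lines under "may run the following commands" are parsed.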

In [None]:
!ps aux | grep sudo

The columns are:

```
USER  PID  %CPU  %MEM  VSZ  RSS  TTY  STAT  START  TIME  COMMAND
```

The command `ps aux | grep sudo` shows all processes related to sudo. It uses ps aux to list all running processes and grep sudo to filter and display only those that include sudo in their command or output. Both processes have very low CPU and memory usage and are not associated with a terminal session, as indicated by the question mark in the TTY column. This type of output is typical when using grep to search the process list, as the command matches its own invocation in the results.

## 23. CRON
The /etc/cron.* directories contain scheduled tasks managed by the cron system on Unix-like operating systems. Specifically, /etc/cron.d is a directory where individual cron job files can be placed; these files define commands and schedules for automatic execution. In the example listing, it contains a single file named e2scrub_all, which likely relates to filesystem maintenance tasks. The /etc/cron.daily directory holds scripts that are executed once every day, and here it includes scripts like apt-compat for package management compatibility, dpkg related to Debian package tasks, and man-db which updates manual page databases. Similarly, /etc/cron.weekly contains scripts that run once a week, with man-db being one such weekly maintenance script in the listing. Each directory and script has specific permissions and ownership (root:root), ensuring only privileged users can modify these important automated tasks. Together, these cron directories organize and automate routine system maintenance and housekeeping jobs at different time intervals.

In [None]:
!ls -la /etc/cron.*

- `ls`: List directory contents.
- `-la`: Two options combined:
  - `-l`: Use a long listing format.
  - `-a`: Include hidden files (those starting with a dot `.`).
- `/etc/cron.*`: The path and pattern to match files and directories:
  - `/etc/`: The directory where the search is focused.
  - `cron.*`: A wildcard pattern that matches any file or directory name starting with `cron.`.

The cron.* pattern typically matches the following files and directories in /etc:

- /etc/crontab: The system-wide crontab file.
- /etc/cron.d/: A directory where individual cron job files can be placed.
- /etc/cron.daily/: A directory for scripts that are executed daily.
- /etc/cron.hourly/: A directory for scripts that are executed hourly.
- /etc/cron.monthly/: A directory for scripts that are executed monthly.
- /etc/cron.weekly/: A directory for scripts that are executed weekly.
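Section 01 explained how to read a mode string such as `drwxr-xr-x`, and this section notes that cron directories and scripts must be owned by root and not writable by others, because anything cron runs executes with root's privileges. The functions below are an added example, not from the original notebook, that serve both points: `mode_to_octal` converts an `ls -l` mode string to its octal form, and `cron_risky_entries` reads `ls -la /etc/cron.*` style output on standard input and reports entries that are group- or world-writable or not owned by root. The sample listing is constructed from the file names discussed above; two entries (`dpkg` with loose permissions and `man-db` owned by a user `ctf`) are deliberately altered so the check has something to find.

```shell
# Constructed `ls -la /etc/cron.*` sample. File names follow the text above; the
# dpkg mode and the man-db owner are deliberately altered to trigger the check.
LS_SAMPLE='/etc/cron.d:
total 12
drwxr-xr-x 2 root root 4096 Jul 16 13:48 .
drwxr-xr-x 1 root root 4096 Jul 16 13:48 ..
-rw-r--r-- 1 root root  201 Feb 22  2022 e2scrub_all

/etc/cron.daily:
total 16
drwxr-xr-x 2 root root 4096 Jul 16 13:48 .
drwxr-xr-x 1 root root 4096 Jul 16 13:48 ..
-rwxr-xr-x 1 root root  539 Mar 23  2022 apt-compat
-rwxrwxrwx 1 root root 1478 Mar 23  2022 dpkg
-rwxr-xr-x 1 ctf  ctf   249 Mar 23  2022 man-db'

# mode_to_octal MODESTRING: "drwxr-xr-x" -> "0755", "-rwsr-xr-x" -> "4755".
# The first digit holds setuid (4), setgid (2) and sticky (1) bits.
mode_to_octal() {
    printf '%s\n' "$1" | awk '{
        m = $1
        for (i = 2; i <= 10; i++) {
            c = substr(m, i, 1)
            g = int((i - 2) / 3)               # 0 = owner, 1 = group, 2 = other
            if (c == "r") o[g] += 4
            else if (c == "w") o[g] += 2
            else if (c == "x" || c == "s" || c == "t") o[g] += 1
            if (c == "s" || c == "S") sp += (g == 0) ? 4 : 2
            if (c == "t" || c == "T") sp += 1
        }
        printf "%d%d%d%d\n", sp, o[0], o[1], o[2]
    }'
}

# cron_risky_entries: read `ls -la` output (possibly several directories) on
# stdin and print "path reason[,reason]" for entries that are group-writable,
# other-writable, or not owned by root. Skips "." and "..".
cron_risky_entries() {
    awk '
        /:$/ { dir = substr($0, 1, length($0) - 1); next }   # "/etc/cron.d:" header
        /^total/ || NF < 9 { next }                           # totals and blank lines
        $9 == "." || $9 == ".." { next }
        {
            mode = $1; owner = $3; name = $9
            reasons = ""
            if (substr(mode, 6, 1) == "w") reasons = reasons "group-writable,"
            if (substr(mode, 9, 1) == "w") reasons = reasons "other-writable,"
            if (owner != "root") reasons = reasons "owner=" owner ","
            if (reasons != "") { sub(/,$/, "", reasons); print dir "/" name " " reasons }
        }'
}

# Stand-alone run on the sample. On a live system:  ls -la /etc/cron.* | cron_risky_entries
echo "sample_data directory mode from section 01: $(mode_to_octal drwxr-xr-x)"
echo "Cron entries needing attention:"
printf '%s\n' "$LS_SAMPLE" | cron_risky_entries
```

The check reads the mode string positionally (character 6 is the group write bit, character 9 the other write bit), so it works on any `ls -l` output, not just cron directories; the same function can be pointed at `/etc/sudoers.d` or systemd unit directories.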

## 24. Lynis
Lynis is an open-source security auditing tool for Unix-based systems, including Linux and macOS. It helps system administrators and security professionals to perform in-depth security scans and audits, identify vulnerabilities, and provide recommendations for hardening the system.

In [None]:
!apt install lynis

In [None]:
!sudo lynis audit system

**Key Sections in Lynis Output:**
- System Tools: Checks the presence and versions of essential security tools.
- Boot and Services: Reviews boot loader files and running services.
- Kernel Hardening: Examines kernel parameters and hardening options.
- File Integrity: Checks for tools and configurations related to file integrity monitoring.
- User Accounts: Inspects user account configurations and policies.
- Malware Scanners: Looks for installed malware scanners and configurations.
- Hardening Index: Provides an overall hardening score and suggests areas for improvement.

## Conclusion

In this guide, we've explored a variety of manual enumeration techniques using Linux commands. These techniques provide valuable insights into the target system's configuration, which is crucial for identifying potential vulnerabilities and securing the system against cyber threats.

By mastering these commands and understanding their output, cybersecurity professionals can effectively assess the security posture of their systems and take proactive measures to mitigate risks.