
Internals

Linux Internals

Note

https://cpu.land/the-basics

Breaking Out

Binaries that can be abused to break out of restricted shells

Tutorials

Tmux Tutorial
lsof tutorial

How it Works


Linux programs
dtrace scripts
How /proc works

How Git works
How Htop works
https://0xax.gitbooks.io/linux-insides/content/

Networks

Cloning a laptop over NVMe/TCP

Diagnose Down Servers with mtr:

root@localhost:~# mtr --report www.google.com
HOST: localhost                   Loss%   Snt   Last   Avg  Best  Wrst StDev
  1. 63.247.74.43                  0.0%    10    0.3   0.6   0.3   1.2   0.3
  2. 63.247.64.157                 0.0%    10    0.4   1.0   0.4   6.1   1.8
  3. 209.51.130.213                0.0%    10    0.8   2.7   0.8  19.0   5.7
  4. aix.pr1.atl.google.com        0.0%    10    6.7   6.8   6.7   6.9   0.1
  5. 72.14.233.56                  0.0%    10    7.2   8.3   7.1  16.4   2.9
  6. 209.85.254.247                0.0%    10   39.1  39.4  39.1  39.7   0.2
  7. 64.233.174.46                 0.0%    10   39.6  40.4  39.4  46.9   2.3
  8. gw-in-f147.1e100.net         100.0    10    0.0   0.0   0.0   0.0   0.0
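Reading a report by hand works for eight hops; the parser below, an added example and not part of these notes, does the same on mtr --report text. It skips the HOST: header, tolerates the missing % on an overflowing loss column like hop 8 above, and then applies the rule that matters when diagnosing a down server: loss only counts when it persists to the final hop. Loss at an intermediate router that disappears on later hops is that router rate-limiting its own replies, not packet loss on your path. Sample input is the report above plus a constructed report (documentation addresses) showing the intermediate-only case. Note that 100% loss at the destination only says the host is not answering this probe type, which may be filtering rather than an outage; confirm with a TCP probe to the service port (mtr -T -P 443) before declaring it down.

```python
"""Locate where loss begins in an mtr --report run."""
import re
from dataclasses import dataclass

# Sample input: the report shown above, pasted as text.
MTR_REPORT = """\
HOST: localhost                   Loss%   Snt   Last   Avg  Best  Wrst StDev
  1. 63.247.74.43                  0.0%    10    0.3   0.6   0.3   1.2   0.3
  2. 63.247.64.157                 0.0%    10    0.4   1.0   0.4   6.1   1.8
  3. 209.51.130.213                0.0%    10    0.8   2.7   0.8  19.0   5.7
  4. aix.pr1.atl.google.com        0.0%    10    6.7   6.8   6.7   6.9   0.1
  5. 72.14.233.56                  0.0%    10    7.2   8.3   7.1  16.4   2.9
  6. 209.85.254.247                0.0%    10   39.1  39.4  39.1  39.7   0.2
  7. 64.233.174.46                 0.0%    10   39.6  40.4  39.4  46.9   2.3
  8. gw-in-f147.1e100.net         100.0    10    0.0   0.0   0.0   0.0   0.0
"""

# Constructed second sample (documentation addresses): hop 2 drops 60% of the
# probe replies but every later hop is clean, so the path itself is healthy.
INTERMEDIATE_LOSS_REPORT = """\
HOST: localhost                   Loss%   Snt   Last   Avg  Best  Wrst StDev
  1. 10.0.0.1                      0.0%    10    0.3   0.4   0.3   0.6   0.1
  2. 192.0.2.1                    60.0%    10    5.1   5.3   5.0   5.9   0.3
  3. 198.51.100.7                  0.0%    10    9.8  10.1   9.7  11.0   0.4
"""

# One hop line: index, host, loss (mtr drops the '%' when the column overflows,
# as on hop 8 above), sent count, then Last/Avg/Best/Wrst/StDev in ms.
HOP_RE = re.compile(
    r"^\s*(?P<idx>\d+)\.\s+(?P<host>\S+)\s+(?P<loss>[\d.]+)%?\s+(?P<snt>\d+)"
    r"\s+(?P<last>[\d.]+)\s+(?P<avg>[\d.]+)\s+(?P<best>[\d.]+)"
    r"\s+(?P<wrst>[\d.]+)\s+(?P<stdev>[\d.]+)\s*$"
)


@dataclass
class Hop:
    idx: int
    host: str
    loss: float      # percent of probes with no reply
    sent: int
    avg_ms: float
    worst_ms: float


def parse_report(text):
    """Return the hop rows of an mtr --report; the HOST: header is skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append(Hop(int(m["idx"]), m["host"], float(m["loss"]),
                            int(m["snt"]), float(m["avg"]), float(m["wrst"])))
    return hops


def diagnose(hops):
    """Apply the rule that only loss persisting to the last hop is real loss."""
    if not hops:
        return {"status": "no-data", "lossy_hops": []}
    lossy = [h.idx for h in hops if h.loss > 0]
    final = hops[-1]
    if final.loss == 0:
        # Replies dropped by a router in the middle, but not by anything after
        # it, mean that router rate-limits ICMP; traffic through it is fine.
        return {"status": "ok", "lossy_hops": lossy,
                "note": "intermediate-only loss, likely ICMP rate-limiting" if lossy else ""}
    # Walk back from the destination to the start of the unbroken lossy run;
    # the hop before it is the last one known to be healthy.
    onset = final.idx
    for h in reversed(hops):
        if h.loss == 0:
            break
        onset = h.idx
    status = "destination-not-responding" if final.loss >= 100 else "degraded"
    return {"status": status, "lossy_hops": lossy,
            "onset_hop": onset, "last_good_hop": onset - 1}


if __name__ == "__main__":
    for name, report in (("page report", MTR_REPORT),
                         ("intermediate loss", INTERMEDIATE_LOSS_REPORT)):
        print(name, diagnose(parse_report(report)))
```

For the report above this yields last_good_hop 7 and onset_hop 8: the path is clean all the way to Google's edge and only the final host fails to answer.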

Other Info about hops

Injecting network packets - TUN/TAP

https://xairy.io/articles/syzkaller-external-network

Syscalls

Trace Network Calls:

strace -e trace=network,read,write ./test_app
[...]
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(5555), sin_addr=inet_addr("192.168.10.1")}, 16) = 0
write(3, "Hello World!\n", 13) = 13
read(3, "Boo!\n", 2048) = 5
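The trace above shows the raw calls; when reviewing what a binary reached out to, the next step is usually to pull the connect() destinations out of the log. The script below is an added example and not part of these notes: it handles the AF_INET form shown above plus AF_INET6, AF_UNIX and the -1 EINPROGRESS result of a non-blocking connect, and tolerates the [pid N] prefix that strace -f adds. The sample log is constructed from the two lines above plus invented lines using documentation addresses.

```python
"""Pull connect() destinations out of an strace log."""
import re

# Constructed sample log: the socket/connect lines from the trace above, plus
# an IPv6 non-blocking connect under strace -f and a Unix-domain socket, in
# strace's usual formatting.
STRACE_LOG = r"""
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(5555), sin_addr=inet_addr("192.168.10.1")}, 16) = 0
write(3, "Hello World!\n", 13) = 13
[pid  4242] socket(AF_INET6, SOCK_STREAM|SOCK_NONBLOCK, IPPROTO_TCP) = 4
[pid  4242] connect(4, {sa_family=AF_INET6, sin6_port=htons(443), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "2001:db8::10", &sin6_addr), sin6_scope_id=0}, 28) = -1 EINPROGRESS (Operation now in progress)
connect(5, {sa_family=AF_UNIX, sun_path="/run/dbus/system_bus_socket"}, 110) = 0
"""

# Optional "[pid N] " prefix (strace -f), then connect(fd, {sockaddr}, len) = ret [ERRNO]
CONNECT_RE = re.compile(
    r"^(?:\[pid\s+(?P<pid>\d+)\]\s+)?"
    r"connect\((?P<fd>\d+),\s*\{(?P<sa>.*)\},\s*\d+\)\s*=\s*(?P<ret>-?\d+)"
    r"(?:\s+(?P<err>E[A-Z]+))?"
)
INET_RE = re.compile(r'sa_family=AF_INET,\s*sin_port=htons\((\d+)\),\s*sin_addr=inet_addr\("([^"]+)"\)')
INET6_RE = re.compile(r'sa_family=AF_INET6,\s*sin6_port=htons\((\d+)\),.*?inet_pton\(AF_INET6,\s*"([^"]+)"')
UNIX_RE = re.compile(r'sa_family=AF_UNIX,\s*sun_path="([^"]*)"')


def parse_connects(log):
    """Return one dict per connect() call, in log order."""
    dests = []
    for line in log.splitlines():
        m = CONNECT_RE.match(line)
        if not m:
            continue                      # socket(), write(), read(), ... are not needed here
        sa = m["sa"]
        v4, v6, un = INET_RE.search(sa), INET6_RE.search(sa), UNIX_RE.search(sa)
        if v4:
            dest = {"family": "inet", "addr": v4[2], "port": int(v4[1])}
        elif v6:
            dest = {"family": "inet6", "addr": v6[2], "port": int(v6[1])}
        elif un:
            dest = {"family": "unix", "path": un[1]}
        else:
            dest = {"family": "other", "raw": sa}
        # -1 EINPROGRESS is a non-blocking connect still in flight, so the
        # destination is real; any other error is a failed attempt, which is
        # still worth keeping when reviewing what a binary tried to reach.
        dest.update(fd=int(m["fd"]),
                    pid=int(m["pid"]) if m["pid"] else None,
                    outcome="ok" if m["ret"] == "0" else (m["err"] or "error"))
        dests.append(dest)
    return dests


if __name__ == "__main__":
    for d in parse_connects(STRACE_LOG):
        print(d)
```

Because strace prints the decoded sockaddr rather than raw bytes, the same regexes work on logs from any architecture; only the [pid N] prefix and the trailing errno text vary with the options used.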

Using dtrace:

>>> cat traceconnect.d
/* traceconnect.d - A simple DTrace script to monitor a connect system call */
struct sockaddr_in {
	short sin_family;
	unsigned short sin_port;
	in_addr_t sin_addr;
	char sin_zero[8];
};

/* Fire on every connect(2): arg0 = fd, arg1 = sockaddr pointer, arg2 = length.
 * The predicate on the length keeps only IPv4 sockaddr_in structures. */
syscall::connect:entry
/arg2 == sizeof(struct sockaddr_in)/
{
	/* copy the user-space struct into the kernel; this-> makes the variable
	 * clause-local so concurrent connects on other CPUs cannot clobber it */
	this->addr = (struct sockaddr_in*)copyin(arg1, arg2);
	/* 2 == AF_INET; DTrace printf does not append a newline by itself */
	printf("process:'%s' %s:%d\n", execname,
	    inet_ntop(2, &this->addr->sin_addr), ntohs(this->addr->sin_port));
}
>>> dtrace -s traceconnect.d
process:'Google Chrome' 173.194.78.125:5222
process:'Google Chrome' 173.194.66.95:443
process:'Google Chrome' 217.32.28.199:80
process:'ntpd' 17.72.148.53:123
process:'Mail' 173.194.67.109:993

SUID

Environment variable to be removed for SUID programs

Memory

Writing to unwritable memory

Source

Writing to /proc/self/mem lets a process modify its own memory even where the mapping is not writable: the kernel serves these writes through its remote-access path with FOLL_FORCE, which overrides the page protections (copying a read-only private page on write), so a read-only or W^X mapping is no obstacle to a process that can open this file.
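The script below, an added example rather than code from the linked source, shows the behaviour on the process's own memory: it maps one anonymous page, drops it to read-only with mprotect, then writes through /proc/self/mem at the page's virtual address and reads the new contents back. The mprotect call is made through ctypes against libc; the page, marker and patch bytes are constructed here. The practical lesson for sandbox design is that page permissions alone do not give you W^X: a process that can open /proc/self/mem has to be denied that open (no /proc in the sandbox, or an LSM path rule), because seccomp cannot filter by file path.

```python
"""Write to a read-only page of this process through /proc/self/mem (Linux only)."""
import ctypes
import mmap
import os

PAGE = mmap.PAGESIZE
libc = ctypes.CDLL(None, use_errno=True)           # resolves libc's mprotect on Linux
libc.mprotect.argtypes = [ctypes.c_void_p, ctypes.c_size_t, ctypes.c_int]
libc.mprotect.restype = ctypes.c_int


def write_through_proc_mem(marker=b"ORIGINAL", patch=b"PATCHED!"):
    """Return (page contents after the write, number of bytes written)."""
    # 1. One private anonymous page, writable just long enough to place the marker.
    page = mmap.mmap(-1, PAGE, flags=mmap.MAP_PRIVATE | mmap.MAP_ANONYMOUS,
                     prot=mmap.PROT_READ | mmap.PROT_WRITE)
    page[:len(marker)] = marker
    # Virtual address of the page; /proc/self/mem is addressed by virtual address.
    addr = ctypes.addressof(ctypes.c_char.from_buffer(page))

    # 2. Revoke write permission. From here on an ordinary store to the page
    #    (page[0] = ...) would fault with SIGSEGV, so none is attempted.
    if libc.mprotect(addr, PAGE, mmap.PROT_READ) != 0:
        raise OSError(ctypes.get_errno(), "mprotect failed")

    # 3. Write the patch via /proc/self/mem instead. The kernel handles this with
    #    FOLL_FORCE, ignoring the mapping's protection and copy-on-writing the
    #    private page, so the store lands despite the read-only mapping.
    fd = os.open("/proc/self/mem", os.O_RDWR)
    try:
        written = os.pwrite(fd, patch, addr)
    finally:
        os.close(fd)

    # Reads are still allowed, so we can observe the modified page directly.
    return bytes(page[:len(patch)]), written


if __name__ == "__main__":
    contents, n = write_through_proc_mem()
    print(f"wrote {n} bytes through /proc/self/mem; page now reads {contents!r}")
```

The same access path is what debuggers use, which is why the kernel permits it: the process is only doing to itself what a ptrace-attached parent could do anyway. That also means restricting ptrace (Yama ptrace_scope) does not change this result for a process acting on its own memory.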

Audio

The Linux audio stack demystified