Internals

Linux Internals

Breaking Out

Binaries that can be abused to break out of restricted shells

Tutorials

Tmux Tutorial
lsof tutorial

How it Works

Essentials of Linux system administration
Linux programs
dtrace scripts
How /proc works

Programs

How Git works
How Htop works
A book-in-progress about the Linux kernel and its insides.

Networks

Cloning a laptop over NVME TCP

Diagnose Down Servers with mtr:

root@localhost:~# mtr --report www.google.com
HOST: localhost                   Loss%   Snt   Last   Avg  Best  Wrst StDev
  1. 63.247.74.43                  0.0%    10    0.3   0.6   0.3   1.2   0.3
  2. 63.247.64.157                 0.0%    10    0.4   1.0   0.4   6.1   1.8
  3. 209.51.130.213                0.0%    10    0.8   2.7   0.8  19.0   5.7
  4. aix.pr1.atl.google.com        0.0%    10    6.7   6.8   6.7   6.9   0.1
  5. 72.14.233.56                  0.0%    10    7.2   8.3   7.1  16.4   2.9
  6. 209.85.254.247                0.0%    10   39.1  39.4  39.1  39.7   0.2
  7. 64.233.174.46                 0.0%    10   39.6  40.4  39.4  46.9   2.3
  8. gw-in-f147.1e100.net         100.0    10    0.0   0.0   0.0   0.0   0.0
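Reading a report like the one above is mostly about deciding which loss figures matter: a hop that drops probes while every later hop still answers is only deprioritising its own ICMP replies, whereas loss that carries through to the destination points at a real problem at or after that hop. The following parser and classifier is an added example, not part of the original page or of mtr itself; it reads the report above (copied inline) plus a constructed second report that shows the rate-limited and persistent cases. The verdict names and the `Hop` type are this example's own.

```python
"""Parse `mtr --report` output and classify where packet loss really sits."""
import re
from dataclasses import dataclass
from typing import Dict, List

# The report from above, copied inline so the script runs offline.
REPORT = """\
HOST: localhost                   Loss%   Snt   Last   Avg  Best  Wrst StDev
  1. 63.247.74.43                  0.0%    10    0.3   0.6   0.3   1.2   0.3
  2. 63.247.64.157                 0.0%    10    0.4   1.0   0.4   6.1   1.8
  3. 209.51.130.213                0.0%    10    0.8   2.7   0.8  19.0   5.7
  4. aix.pr1.atl.google.com        0.0%    10    6.7   6.8   6.7   6.9   0.1
  5. 72.14.233.56                  0.0%    10    7.2   8.3   7.1  16.4   2.9
  6. 209.85.254.247                0.0%    10   39.1  39.4  39.1  39.7   0.2
  7. 64.233.174.46                 0.0%    10   39.6  40.4  39.4  46.9   2.3
  8. gw-in-f147.1e100.net         100.0    10    0.0   0.0   0.0   0.0   0.0
"""

# Constructed report (not from the page): hop 3 drops probes although every later
# hop answers, and loss that starts at hop 5 carries through to the destination.
CONSTRUCTED = """\
HOST: lab                         Loss%   Snt   Last   Avg  Best  Wrst StDev
  1. 10.0.0.1                      0.0%    10    0.5   0.6   0.4   0.9   0.1
  2. 10.0.1.1                      0.0%    10    1.1   1.3   1.0   2.0   0.3
  3. 10.0.2.1                     40.0%    10    2.0   2.2   1.9   2.9   0.3
  4. 10.0.3.1                      0.0%    10    3.0   3.1   2.8   3.6   0.2
  5. 10.0.4.1                     30.0%    10   50.1  52.0  48.0  60.2   3.9
  6. 10.0.5.9                     30.0%    10   51.0  53.4  49.2  61.0   4.1
"""

# One hop line: index, host, loss (the % sign is squeezed out of the 100.0
# column above), probes sent, then five latency columns in milliseconds.
HOP_RE = re.compile(
    r"^\s*(?P<idx>\d+)\.\s+(?P<host>\S+)\s+(?P<loss>\d+(?:\.\d+)?)%?\s+(?P<snt>\d+)"
    r"\s+(?P<last>\S+)\s+(?P<avg>\S+)\s+(?P<best>\S+)\s+(?P<wrst>\S+)\s+(?P<stdev>\S+)\s*$"
)


@dataclass
class Hop:
    idx: int
    host: str
    loss: float      # percent of probes that got no reply
    sent: int
    avg_ms: float
    worst_ms: float


def parse_mtr_report(text: str) -> List[Hop]:
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m is None:
            continue             # header line or shell prompt
        hops.append(Hop(int(m["idx"]), m["host"], float(m["loss"]),
                        int(m["snt"]), float(m["avg"]), float(m["wrst"])))
    if [h.idx for h in hops] != list(range(1, len(hops) + 1)):
        raise ValueError("hop numbering is not contiguous: truncated or garbled report")
    return hops


def classify_loss(hops: List[Hop]) -> Dict[int, str]:
    """Verdict for every hop that shows loss.

    rate-limited : a later hop answers with less loss, so this router is only
                   deprioritising its own ICMP replies; the path itself is fine
    persistent   : the loss carries through every later hop (or was already
                   present at the hop before): a real problem at or after it
    destination  : loss appears only at the final hop: the target is down or
                   filters the probes
    """
    verdicts = {}
    for i, hop in enumerate(hops):
        if hop.loss == 0:
            continue
        later = hops[i + 1:]
        if later and min(h.loss for h in later) < hop.loss:
            verdicts[hop.idx] = "rate-limited"
        elif later or (i > 0 and hops[i - 1].loss >= hop.loss):
            verdicts[hop.idx] = "persistent"
        else:
            verdicts[hop.idx] = "destination"
    return verdicts


def summarize(text: str) -> List[str]:
    hops = parse_mtr_report(text)
    verdicts = classify_loss(hops)
    return [f"hop {h.idx} {h.host}: {h.loss:.1f}% loss ({verdicts[h.idx]}), avg {h.avg_ms} ms"
            for h in hops if h.idx in verdicts]


if __name__ == "__main__":
    for report in (REPORT, CONSTRUCTED):
        print("\n".join(summarize(report)) or "no loss on the path")
```

For the report above the only verdict is `destination` for hop 8, which is exactly the "down server" case the heading describes; in the constructed report hop 3 is dismissed as rate-limited and hops 5 and 6 are reported as persistent loss.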

Other Info about hops

Injecting network packets - TUN/TAP

Looking for Remote Code Execution bugs in the Linux kernel

Syscalls

Trace Network Calls:

strace -e trace=network,read,write ./test_app
[...]
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(5555), sin_addr=inet_addr("192.168.10.1")}, 16) = 0
write(3, "Hello World!\n", 13) = 13
read(3, "Boo!\n", 2048) = 5

Using dtrace:

>>> cat traceconnect.d
/* traceconnect.d - A simple DTrace script to monitor a connect system call */
struct sockaddr_in {
	short sin_family;
	unsigned short sin_port;
	in_addr_t sin_addr;
	char sin_zero[8];
};

syscall::connect:entry
/arg2 == sizeof(struct sockaddr_in)/
{
	addr = (struct sockaddr_in*)copyin(arg1, arg2);
	printf("process:'%s' %s:%d", execname, inet_ntop(2, &addr->sin_addr),
	ntohs(addr->sin_port));
}
>>> dtrace -s traceconnect.d
process:'Google Chrome' 173.194.78.125:5222
process:'Google Chrome' 173.194.66.95:443
process:'Google Chrome' 217.32.28.199:80
process:'ntpd' 17.72.148.53:123
process:'Mail' 173.194.67.109:993
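Both traces above answer the same question, which process connected where, in two different line formats. The script below is an added example (not from the page, strace or the DTrace script) that parses the strace `connect()` lines and the `traceconnect.d` output into one record type and flags destinations outside an expected-port baseline. The baseline set, the `Conn` type, the `test_app` process name supplied for strace (strace does not print the executable name) and the extra non-blocking connect line that returns `EINPROGRESS` are this example's own constructions.

```python
"""Pull connect() destinations out of strace and dtrace output and flag the
ones that fall outside an expected-port baseline."""
import re
from typing import List, NamedTuple, Optional

# strace lines from above, plus one constructed non-blocking connect (not from
# the page) that returns EINPROGRESS: the attempt still counts as a connection.
STRACE_SAMPLE = r"""
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(5555), sin_addr=inet_addr("192.168.10.1")}, 16) = 0
write(3, "Hello World!\n", 13) = 13
read(3, "Boo!\n", 2048) = 5
connect(4, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("203.0.113.10")}, 16) = -1 EINPROGRESS (Operation now in progress)
"""

# Output of traceconnect.d from above.
DTRACE_SAMPLE = """
process:'Google Chrome' 173.194.78.125:5222
process:'Google Chrome' 173.194.66.95:443
process:'Google Chrome' 217.32.28.199:80
process:'ntpd' 17.72.148.53:123
process:'Mail' 173.194.67.109:993
"""


class Conn(NamedTuple):
    process: str
    addr: str
    port: int
    source: str     # "strace" or "dtrace"


# connect(FD, {sa_family=AF_INET, sin_port=htons(PORT), sin_addr=inet_addr("A.B.C.D")}, LEN) = RET
STRACE_RE = re.compile(
    r'connect\(\d+,\s*\{sa_family=AF_INET,\s*sin_port=htons\((?P<port>\d+)\),'
    r'\s*sin_addr=inet_addr\("(?P<addr>\d+\.\d+\.\d+\.\d+)"\)\},\s*\d+\)\s*=\s*(?P<ret>-?\d+)'
)
# process:'NAME' A.B.C.D:PORT, the format printed by traceconnect.d
DTRACE_RE = re.compile(r"^process:'(?P<proc>[^']*)'\s+(?P<addr>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)\s*$")


def parse_line(line: str, process_hint: str) -> Optional[Conn]:
    """Return a Conn for a connect line in either format, else None."""
    m = STRACE_RE.search(line)          # search: tolerates a "[pid N]" prefix from strace -f
    if m:
        return Conn(process_hint, m["addr"], int(m["port"]), "strace")
    m = DTRACE_RE.match(line.strip())
    if m:
        return Conn(m["proc"], m["addr"], int(m["port"]), "dtrace")
    return None


def parse_trace(text: str, process_hint: str = "?") -> List[Conn]:
    conns = []
    for line in text.splitlines():
        c = parse_line(line, process_hint)
        if c is not None:
            conns.append(c)
    return conns


# Baseline of ports the traced hosts are expected to talk to: HTTP(S), IMAPS, NTP.
EXPECTED_PORTS = frozenset({80, 443, 993, 123})


def unexpected_connections(conns: List[Conn], allowed=EXPECTED_PORTS) -> List[Conn]:
    return [c for c in conns if c.port not in allowed]


if __name__ == "__main__":
    seen = parse_trace(STRACE_SAMPLE, "test_app") + parse_trace(DTRACE_SAMPLE)
    for c in unexpected_connections(seen):
        print(f"[{c.source}] {c.process} -> {c.addr}:{c.port} not in baseline")
```

Run against the samples it reports the test_app connection to 192.168.10.1:5555 and Chrome's connection to port 5222; a port baseline is a blunt filter, but it is enough to turn a raw trace into a short list worth looking at.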

SUID

Environment variables to be removed for SUID programs

Memory

Writing to unwritable memory

Source

Using /proc/self/mem, a process can write to its own memory even where the mapping is write-protected.
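The following script is an added example, not code from the page or from the linked source. It maps one anonymous page, makes it read-only with `mprotect`, confirms from /proc/self/maps that the mapping is now `r--`, and then changes its contents anyway with a single `write` to /proc/self/mem; the kernel's debugger path (FOLL_FORCE) deliberately ignores the mapping's write permission. The helper names and the page contents are this example's own.

```python
"""Show that a write through /proc/self/mem lands in a page the process has
made read-only, and confirm from /proc/self/maps that the page really was r--."""
import ctypes
import mmap

libc = ctypes.CDLL(None, use_errno=True)
libc.mprotect.argtypes = (ctypes.c_void_p, ctypes.c_size_t, ctypes.c_int)
libc.mprotect.restype = ctypes.c_int


def mapping_perms(addr: int) -> str:
    """Permission flags (e.g. 'r--p') of the mapping containing addr."""
    with open("/proc/self/maps") as maps:
        for line in maps:
            span, perms = line.split()[:2]
            start, end = (int(x, 16) for x in span.split("-"))
            if start <= addr < end:
                return perms
    raise LookupError(f"no mapping covers {addr:#x}")


def write_through_proc_mem() -> dict:
    # One anonymous private page, filled while it is still writable.
    page = mmap.mmap(-1, mmap.PAGESIZE, flags=mmap.MAP_PRIVATE | mmap.MAP_ANONYMOUS,
                     prot=mmap.PROT_READ | mmap.PROT_WRITE)
    page[:5] = b"hello"
    view = ctypes.c_char.from_buffer(page)     # borrow the buffer to learn its address
    addr = ctypes.addressof(view)
    del view                                   # release the buffer export again

    # Drop write permission: a normal store to this page would now raise SIGSEGV.
    if libc.mprotect(addr, mmap.PAGESIZE, mmap.PROT_READ) != 0:
        raise OSError(ctypes.get_errno(), "mprotect failed")
    perms = mapping_perms(addr)

    # /proc/self/mem ignores the mapping's write permission (the FOLL_FORCE path
    # the kernel provides for debuggers), so the same page is modified anyway.
    with open("/proc/self/mem", "r+b", buffering=0) as mem:
        mem.seek(addr)
        written = mem.write(b"HELLO")
    return {"perms": perms, "written": written, "after": bytes(page[:5])}


if __name__ == "__main__":
    print(write_through_proc_mem())
```

Opening your own mem file always passes the access check, because the kernel exempts a task from the ptrace check on itself; opening another process's /proc/<pid>/mem is gated by the same PTRACE_MODE_ATTACH check as ptrace, which Yama's ptrace_scope and similar LSM policy restrict. That asymmetry is why a process holding a write handle on another PID's mem file is worth an alert on its own.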

Audio

The Linux audio stack demystified