Enumerating Linux
https://medium.com/@0xrave/extplorer-proving-grounds-practice-walkthrough-73c076002709
Upgrade shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
18.2.1 - Understanding file & users privileges on Linux
Inspect file permission and ownership. /etc/shadow should be root-owned and unreadable to everyone else (typically -rw-r----- root shadow); if it is readable, the hashes can be cracked offline.
ls -l /etc/shadow
Check for bad file permissions. Sample /etc/shadow entries (one user per line; '!!' in the password field means the account is locked with no password set):
root:$1$uF5XC.Im$8k0Gkw4wYaZkNzuOuySIx/:16902:0:99999:7:::
vcsa:!!:15422:0:99999:7:::
pcap:!!:15422:0:99999:7:::
18.2.2 - Manual enumeration
All files and directories have a single owner and group. Permissions are defined in terms of read/write/execute operations. There are 3 sets of permissions: owner, group and all other users (known as 'world'). Only the owner (or root) can change permissions.
Identify the user context: inspect the UID and GID (User & Group IDs; root has UID 0) and any supplementary groups our user belongs to, to gauge the user's privilege level. This command prints both the real and the effective user and group IDs.
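As an added example (not part of the original notes), the helper below decodes the 10-character mode string that ls -l prints, or an octal mode such as the one stat -c %a gives, and names the bits that matter for privesc: SUID, SGID, sticky and world-writable. It then runs over a constructed ls -l listing for a hypothetical host to pick out the entries worth a second look. The listing, paths and sizes are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original notes: decode ls -l / octal modes
# and flag set-ID or world-writable entries. Sample listing is constructed.

# ch <string> <n>: n-th character of <string> (1-based)
ch() { printf '%s\n' "$1" | cut -c"$2"; }

# decode_mode <10-char mode> -> "<type> [suid] [sgid] [world-writable] [sticky]"
decode_mode() {
    mode=$1
    [ ${#mode} -eq 10 ] || { echo "bad mode string: $mode" >&2; return 1; }
    case "$mode" in                       # character 1: file type
        d*) flags=dir ;;
        l*) flags=symlink ;;
        -*) flags=file ;;
        *)  flags=other ;;
    esac
    # 's' = set-ID plus execute, 'S' = set-ID bit without the execute bit
    case "$(ch "$mode" 4)" in s|S) flags="$flags suid" ;; esac     # owner exec slot
    case "$(ch "$mode" 7)" in s|S) flags="$flags sgid" ;; esac     # group exec slot
    [ "$(ch "$mode" 9)" = w ] && flags="$flags world-writable"      # other write slot
    case "$(ch "$mode" 10)" in t|T) flags="$flags sticky" ;; esac  # other exec slot
    echo "$flags"
}

# decode_octal <mode as printed by stat -c %a>: leading digit holds the
# special bits (4=SUID, 2=SGID, 1=sticky), the last digit is "other".
decode_octal() {
    oct=$1
    while [ ${#oct} -lt 4 ]; do oct="0$oct"; done   # 755 and 0755 read the same
    special=$(ch "$oct" 1)
    other=$(ch "$oct" 4)
    flags=""
    [ $((special & 4)) -ne 0 ] && flags="$flags suid"
    [ $((special & 2)) -ne 0 ] && flags="$flags sgid"
    [ $((special & 1)) -ne 0 ] && flags="$flags sticky"
    [ $((other & 2)) -ne 0 ]   && flags="$flags world-writable"
    echo "${flags# }"
}

# Constructed ls -l output for a hypothetical host (not a real listing)
SAMPLE_LS='-rwsr-xr-x 1 root root   68208 Mar 23  2023 /usr/bin/passwd
-rwxr-xr-x 1 root root  166056 Apr  5  2022 /bin/ls
-rw-rw-rw- 1 root root     220 Jan 10  2024 /opt/app/config.ini
drwxrwxrwt 12 root root   4096 Jun  1 12:00 /tmp
-rwxr-sr-x 1 root shadow 31144 Mar 23  2023 /usr/bin/expiry'

# suspicious_entries <ls -l text>: "<flags>: <path>" for set-ID or world-writable entries
suspicious_entries() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        mode=${line%% *}                 # first field: mode string
        path=${line##* }                 # last field: path (sample paths have no spaces)
        flags=$(decode_mode "$mode")
        case " $flags " in
            *" suid "*|*" sgid "*|*" world-writable "*) echo "$flags: $path" ;;
        esac
    done
}

# Live use: suspicious_entries "$(ls -l /usr/bin /usr/sbin /opt 2>/dev/null | grep '^[-d]')"
suspicious_entries "$SAMPLE_LS"
```

Lower-case 's' and 't' mean the set-ID or sticky bit is combined with the execute bit; upper-case 'S'/'T' mean the special bit is set but execute is not, which is usually a misconfiguration rather than an exploitable binary.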
id
Print the real, effective, saved and file system user / group IDs of the current process (i.e. our shell)
cat /proc/$$/status | grep "[UG]id"
Check sudo privileges (look for LD_PRELOAD with the env_keep option too)
sudo -l
Check earlier commands the user was using
history
Check network adapters and routes to confirm which host we landed on and which networks it can reach
ifconfig
ip route
Check common file locations (cat cannot list a directory; list with ls -la, then cat the interesting files)
ls -la /home/*
ls -la /var/backups
ls -la /var/log
ls -la /var/www
ls -la /var/mail
ls -la /tmp
ls -la /dev/shm
Enumerate all users by looking at the /etc/passwd file where users are stored, then filter for ones with home dirs for likely real users.
cat /etc/passwd
cat /etc/passwd | grep home
Show groups. Users have a primary group and can have multiple secondary (or supplementary) groups. By default the user's primary group has the same name as their user account.
cat /etc/group
Discover the hostname
hostname
Check OS release and version as well as the kernel
cat /etc/issue
cat /etc/os-release
uname -a
Check the kernel build info. /proc/version names the GCC version the kernel was compiled with (handy when building a kernel exploit), but it does not prove a compiler is installed on the box; check that separately.
cat /proc/version
Basic check for listening sockets on the local host (-n no name resolution, -t TCP, -p owning process, -l listening only, -u UDP)
ss -ntplu
Check existing communications; all, TCP, UDP, listening, usage statistics and service names/UIDs, interface statistics respectively
netstat -a
netstat -at
netstat -au
netstat -l
netstat -s
netstat -tp
netstat -i
Use ps aux to list system processes: a shows processes of all users, x adds processes without a controlling tty (terminal), and u selects the user-oriented output format. The second command shows the process tree (f = forest).
ps aux
ps axjf
List tcp/ip configuration on all available adapters
ip a
Show environment variables (PATH may reveal a compiler or scripting language (e.g. Python) that could be used to run code on the target system or leveraged for privesc)
env
Display routing tables, will be route or routel depending on the distro
routel
route
Display active connections and listening ports. -a lists all sockets, -n avoids hostname resolution (which may stall on a host without working DNS), -p lists the process the socket belongs to
ss -anp
We may be able to glean information about the firewall from saved iptables rules: iptables-persistent stores the output of iptables-save in this file, which is sometimes left readable by non-root users
cat /etc/iptables/rules.v4
List applications installed in Debian
dpkg -l
Search every directory writable by the user on the target system
find / -writable -type d 2>/dev/null
/etc/fstab lists all drives mounted at boot time, mount lists all currently mounted filesystems
cat /etc/fstab
mount
View all available disks, look for missing MOUNTPOINT or custom mountpoints
lsblk
Enumerate loaded kernel modules, look for uncommon filesystem modules indicating a hidden drive.
lsmod
Use modinfo to find out more about a specific module
/sbin/modinfo libata
Trace the system calls a binary makes with strace, e.g. which files it tries to open or read and where it looks for them. See the PATH environment variable exploitation in 18.4 - Insecure File Permissions for how this feeds into privesc
strace /usr/sbin/relayd -C /etc/shadow
strace -v -f -e execve <command> 2>&1 | grep exec
Also try ltrace
ltrace <command>
Strings extracts readable ASCII (or Unicode) strings from binary files.
strings some-binary
18.2.3 - Real, effective & saved UID/GID
An effective ID is normally equal to the real ID. When a set-ID binary is executed, the effective ID becomes the file owner's ID while the real ID stays that of the invoking user. The effective ID is what most access control decisions check, and commands like whoami report it.
Finally, a saved ID lets a SUID process temporarily switch its effective ID back to the real ID and later restore it, without losing track of the original privileged effective ID.
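As an added example (not part of the original notes), the snippet below reads the four numbers on the Uid:/Gid: lines of /proc/<pid>/status (real, effective, saved, filesystem) and turns them into a verdict on the shell's privilege state. The status text is constructed, as if captured from a shell spawned by a hypothetical SUID-root binary; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original notes: interpret the Uid/Gid lines of
# /proc/<pid>/status. Fields are real, effective, saved, filesystem ID.
# SAMPLE_STATUS is constructed (hypothetical SUID-root context, uid 1000 user).

SAMPLE_STATUS=$(printf 'Name:\tbash\nPid:\t4242\nUid:\t1000\t0\t0\t0\nGid:\t1000\t1000\t1000\t1000\n')

# id_fields <status-text> <Uid|Gid> -> "real effective saved fs"
id_fields() {
    printf '%s\n' "$1" | awk -v key="$2:" '$1 == key { print $2, $3, $4, $5 }'
}

# privilege_state <status-text> -> root | suid-root | setid | plain
privilege_state() {
    set -- $(id_fields "$1" Uid)
    real=${1:-}; eff=${2:-}
    [ -n "$real" ] && [ -n "$eff" ] || { echo "no Uid line found" >&2; return 1; }
    if [ "$eff" -eq 0 ] && [ "$real" -eq 0 ]; then
        echo root
    elif [ "$eff" -eq 0 ]; then
        echo suid-root      # euid 0 but ruid is not: a SUID-root process gave us this shell
    elif [ "$real" -ne "$eff" ]; then
        echo setid          # running with another (non-root) user's effective ID
    else
        echo plain
    fi
}

# Live use on the current shell: privilege_state "$(cat /proc/$$/status)"
# Caveat: bash resets an effective UID that differs from the real UID at
# startup unless invoked with -p, so a shell spawned from a SUID-root binary
# must be started as "bash -p" (or setuid(0) called first) to keep euid 0.
main() {
    printf 'Uid fields (real effective saved fs): %s\n' "$(id_fields "$SAMPLE_STATUS" Uid)"
    printf 'Gid fields (real effective saved fs): %s\n' "$(id_fields "$SAMPLE_STATUS" Gid)"
    printf 'verdict: %s\n' "$(privilege_state "$SAMPLE_STATUS")"
}
main
```

The suid-root branch is the one to watch for when you have just exploited a SUID binary: id and whoami will say root because they look at the effective ID, but the real ID is still yours, and a careless exec of a shell without -p drops the privilege again.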
18.2.4 - Find specific files
Remember the 3 permission sets: owner, group, others (world).
Search for SUID & SGID marked files. Most of these are not exploitable, but check whether your user/group has execute permission on them and who owns each SUID binary (root-owned ones are the interesting targets).
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
Search for SUID marked binaries. When set, these binaries execute with the privileges of the file owner, not the invoking user. Marked by an 's' in the owner execute position in the file permissions.
find / -perm -u=s -type f 2>/dev/null
Find all SGID binaries. When set on a file, the file executes with the privileges of the file's group. On a directory, files created in the directory inherit the group of the directory itself.
find / -type f -perm -2000 2>/dev/null
Find files of a specific extension
find / -type f -name "*.tar"
Find the file named “flag1.txt” in the current directory
find . -name flag1.txt
Find the file named “local.txt” anywhere under “/”
find / -name local.txt
Find the directory named config under “/”
find / -type d -name config
Find files with the 777 permissions (files readable, writable, and executable by all users)
find / -type f -perm 0777
Find executable files (/a=x matches any execute bit; a bare a=x would require the mode to be exactly 0111)
find / -perm /a=x
Find all files for user “frank” under “/home”
find /home -user frank
Find files that were modified in the last 10 days (the leading minus means "less than 10 days ago"; without it find matches exactly 10 days ago)
find / -mtime -10
Find files that were accessed in the last 10 days
find / -atime -10
Find files whose status (inode metadata) changed within the last hour (60 minutes)
find / -cmin -60
Find files accessed within the last hour (60 minutes)
find / -amin -60
Find files of a specific size
find / -size 50M
Find directories writable by the current user (owner, group or world bit, whichever applies to us)
find / -writable -type d 2>/dev/null
Find world-writable directories (-perm -222 requires the write bit for owner, group and other; -perm -o=w only requires the world write bit, which is the usual check)
find / -perm -222 -type d 2>/dev/null
find / -perm -o=w -type d 2>/dev/null
Find world-executable directories
find / -perm -o=x -type d 2>/dev/null
Find dev tools and supported languages (quote the glob so the shell doesn't expand it in the current directory)
find / -name "perl*" 2>/dev/null
find / -name "python*" 2>/dev/null
find / -name "gcc*" 2>/dev/null
View capabilities (these manage privs at a more granular level)
getcap -r /
18.2.5 - CRON Jobs
Check for crons
ls -lah /etc/cron*
Check every command line pspy shows. Credentials are sometimes passed as arguments (look for -p / --password style fields for easy wins); pspy sees them because process command lines are readable by every user under /proc. Run pspy for at least twice the cron interval, since a job already mid-run on the first pass may only reveal its full argument list the second time around (process argument exposure).
timeout 120 ./pspy64
Also print file system events (-f) alongside commands (-p), polling /proc every 1000 ms (-i 1000)
./pspy64 -pf -i 1000
Check for non-traditional crons
systemctl list-timers --all
systemctl list-timers --all --no-pager --no-legend | grep -vE '(apt|fwupd|motd|logrotate|man-db|tmpfiles|e2scrub|fstrim|ua)'
Sysadmins sometimes add their own scheduled tasks to /etc/crontab. Most jobs in this particular file run as root.
cat /etc/crontab
View current user's scheduled jobs (may need sudo privileges which makes pspy more useful for this task)
crontab -l
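As an added example (not part of the original notes), the script below takes the text of a system-format crontab (minute hour dom mon dow USER command, the layout of /etc/crontab) and reports the root jobs whose program we can write to, or whose program is missing from a directory we can write to (so we could create it). It builds a throwaway sandbox with mktemp to have something to run against; the paths and cron lines in it are constructed, and nothing outside the temp dir is touched.

```shell
#!/bin/sh
# Added example, not from the original notes: find root cron jobs whose
# target script is writable (or creatable) by the current user. The sandbox
# layout and crontab text are constructed; all paths are hypothetical.

# writable_root_jobs <crontab-text>: prints "writable|creatable|unresolved <target>"
writable_root_jobs() {
    set -f                                   # no pathname expansion of "*" cron fields
    printf '%s\n' "$1" | while IFS= read -r line; do
        set -- $line
        case "${1:-}" in
            ''|'#'*|*=*) continue ;;         # blank line, comment, VAR=value
            @*) user=${2:-}; target=${3:-} ;;        # @reboot / @daily form
            *)  user=${6:-}; target=${7:-} ;;        # m h dom mon dow user command
        esac
        [ "$user" = root ] || continue
        case "$target" in
            /*) ;;
            *) echo "unresolved $target"; continue ;;  # relative path, shell builtin, etc.
        esac
        if [ -w "$target" ]; then
            echo "writable $target"
        elif [ ! -e "$target" ] && [ -w "$(dirname "$target")" ]; then
            echo "creatable $target"
        fi
    done
    set +f
}

# build_sandbox: constructed layout plus matching crontab text (globals SANDBOX, CRONTAB)
build_sandbox() {
    SANDBOX=$(mktemp -d)
    mkdir -p "$SANDBOX/opt/backup" "$SANDBOX/usr/local/bin"
    printf '#!/bin/sh\ntar czf /var/backups/srv.tgz /srv\n' > "$SANDBOX/opt/backup/run.sh"
    chmod 775 "$SANDBOX/opt/backup/run.sh"        # writable by us: script body can be hijacked
    printf '#!/bin/sh\ntrue\n' > "$SANDBOX/usr/local/bin/cleanup"
    chmod 555 "$SANDBOX/usr/local/bin/cleanup"    # read-only for a normal user
    CRONTAB="SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# m h dom mon dow user command
*/5 * * * *   root $SANDBOX/opt/backup/run.sh
0 3 * * *     root $SANDBOX/usr/local/bin/cleanup
@reboot       root $SANDBOX/opt/backup/missing.sh
17 * * * *    root cd / && run-parts --report /etc/cron.hourly"
}

# demo: run the check against the sandbox, then clean up
demo() {
    build_sandbox
    writable_root_jobs "$CRONTAB"
    [ -n "$SANDBOX" ] && rm -rf "$SANDBOX"
}

# Live use on a target: writable_root_jobs "$(cat /etc/crontab /etc/cron.d/* 2>/dev/null)"
demo
```

The "unresolved" lines (commands that start with cd, a builtin, or a bare program name found via PATH) still deserve a look: a relative program name in a cron job is resolved against the PATH line at the top of the crontab, so a writable directory early in that PATH is as good as a writable script. If you run this as root for testing, every target shows as writable, since -w follows real access checks.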
18.2.6 - NFS Shares
Useful strategy for introducing a malicious SUID binary via a mounted NFS share: if a share is exported with no_root_squash, files created as root on the client keep their root ownership on the server, so a root-owned SUID binary dropped on the share runs as root there.
https://tryhackme.com/room/linprivesc
cat /etc/exports
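As an added example (not part of the original notes), the function below parses /etc/exports text and prints each client entry that is both writable (rw) and exported with no_root_squash, which is the combination the SUID-binary trick above needs. Defaults follow exportfs(8): an entry is ro and root_squash unless the options say otherwise. The exports text is constructed; the share paths and networks are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original notes: flag NFS exports that are
# rw and have root squashing disabled. SAMPLE_EXPORTS is constructed.

SAMPLE_EXPORTS='# /etc/exports: constructed sample
/srv/share    *(rw,sync,no_root_squash,no_subtree_check)
/srv/public   10.0.0.0/24(ro,sync) 10.0.0.5(rw,sync,root_squash)
/home/backup  10.0.0.0/24(rw,no_root_squash)
/srv/tmp      *(rw,sync)
/srv/ro       *(no_root_squash)'

# risky_exports <exports-text>: print "<path> <client>" for every client entry
# that is rw and no_root_squash. Bare clients with no option list get defaults.
risky_exports() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                n = split($i, part, "(")        # "client(opt,opt)" or bare "client"
                client = part[1]
                opts = (n > 1) ? part[2] : ""
                sub(/\)$/, "", opts)
                m = split(opts, o, ",")
                rw = 0; squash = 1              # exportfs defaults: ro, root_squash
                for (j = 1; j <= m; j++) {
                    if (o[j] == "rw")             rw = 1
                    if (o[j] == "ro")             rw = 0
                    if (o[j] == "no_root_squash") squash = 0
                    if (o[j] == "root_squash")    squash = 1
                }
                if (rw && !squash) print path, client
            }
        }'
}

# Live use on a target: risky_exports "$(cat /etc/exports)"
risky_exports "$SAMPLE_EXPORTS"
```

From the attacking side the same information comes from showmount -e <target>, which lists the export paths and client lists but not the options, so reading /etc/exports on the box (or just trying the mount as root and creating a file) is how you confirm no_root_squash. Remember the client entry has to match the address you mount from.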
18.2.7 - Automated Enumeration
Unix privesc check can provide a baseline for privesc and is installed on Kali at /usr/bin/unix-privesc-check
./unix-privesc-check standard
./unix-privesc-check detailed
./linpeas.sh
./lse.sh
Raise the verbosity level (-l 0 shows only interesting findings, -l 2 prints everything, which is a lot); -i skips the interactive password prompt
./lse.sh -l 0 -i
./lse.sh -l 1 -i
./lse.sh -l 2 -i
Linenum can also copy files for export and search for a specific keyword
./linenum.sh
Export results to folder export, run thorough tests with -t
./linenum.sh -k password -e export -t
Worth running linuxprivchecker as well, especially the .py version if the .sh scripts are giving mediocre results.
./linuxprivchecker.sh
./linuxprivchecker.py
Check BeRoot
./beroot.py