# Intro

- Once we land on a box, we need to gain context and situational awareness
- We can run helper scripts to gather info, such as [LinPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS) and [LinEnum](https://github.com/rebootuser/LinEnum), but this can be a flood of info
- Best to perform some initial manual enum to gain awareness
- Key details
    - OS version
        - `cat /etc/os-release`
    - Kernel version
        - `uname -a`
        - `cat /proc/version`
    - HW & Drive info
        - `lscpu` for CPU architecture
        - `lsblk` for mounted and unmounted block devices
        - `/etc/fstab` to check for mounted and unmounted drives
            - We may get lucky and find a password here
        - `lpstat` for printers attached to the box
    - Shells
        - `cat /etc/shells` to see login shells on the box
        - `cat /etc/passwd` to see shells for users on the box
        - `grep "sh$" /etc/passwd` to see users with login shells
        - Check for outdated shells
            - For example, BASH ver 4.1 is vulnerable to [shellshock](https://en.wikipedia.org/wiki/Shellshock_(software_bug))
    - Running services

# Basic Enum Commands

## Initial Context

- `whoami`
- `id`
- `hostname`
- `ip a`
- `sudo -l`
- `ps aux`

## PATH & Env Vars

- Check out our current user's PATH
    - This lists the locations the Linux system searches, every time a command is executed, for an executable matching the name we typed
    - If the PATH variable for a target user is misconfigured, we may be able to use that as a privesc vector

```bash
echo $PATH
```

![[images/Pasted image 20260202101813.png]]

- Check out all env vars that are set for our current user
    - Here, we may get lucky and find something sensitive like a password

```bash
env
```

![[images/Pasted image 20260202101840.png]]

## Networking Info

- Inspect the routing table
    - `route` - shows other networks reachable via the various interfaces
    - `netstat -rn`
- Inspect DNS info
    - `cat /etc/resolv.conf`
- Inspect the ARP table
    - `arp -a`

## Users & Groups

- Gather info about users that exist on the target box
    - Individual users are often configured during the installation of applications and services to limit the service's privs
- Inspect `/etc/passwd`
    - Breakdown of fields within this file
        1. Username
        2. Password
        3. User ID (UID)
        4. Group ID (GID)
        5. User ID info
        6. Home directory
        7. Shell
    - Create a list of users
        - `cat /etc/passwd | cut -f1 -d:`
- Inspect `/etc/shadow`
    - Includes hashed passwords for users on the box
    - Key for hash types within this file

| **Algorithm** | **Hash** |
| --- | --- |
| Salted MD5 | `$1$...` |
| SHA-256 | `$5$...` |
| SHA-512 | `$6$...` |
| BCrypt | `$2a$...` |
| Scrypt | `$7$...` |
| Argon2 | `$argon2i$...` |

- Inspect `/etc/group`
    - Shows all groups on the box
    - List members of interesting groups

```bash
getent group sudo
```

## Home and History

- Check sub-directories under `/home`
- Check `.bash_history` for interesting commands
- Check `.ssh` for keys and other info

## Hidden Files and Dirs

- Sniff out hidden files for a target user

```bash
find / -type f -name ".*" -exec ls -l {} \; 2>/dev/null | grep htb-student
```

- Find all hidden dirs

```bash
find / -type d -name ".*" -ls 2>/dev/null
```

### Hidden Scripts

- Find all BASH scripts with the `.sh` extension, then `cat` them using `xargs` and `grep` for a target string

```bash
find / -name "*.sh" 2>/dev/null | xargs cat | grep -i "string"
```

## Temp Files

- Both `/tmp` and `/var/tmp` are used to temporarily store info
- However, the key difference is how long the data is kept in these file systems
    - By default, all files and data stored in `/var/tmp` are retained for up to 30 days
    - With `/tmp`, data is automatically deleted after ten days and upon restart

```bash
ls -l /tmp /var/tmp /dev/shm
```

## Mounted & Unmounted File Systems

- Run `df -h` to view mounted file systems
- Run the command below against `/etc/fstab` to view unmounted file systems

```bash
cat /etc/fstab | grep -v "#" | column -t
```

# Defenses

- Enum defenses (if any)
- Some defensive apps to note include:
    - [Exec Shield](https://en.wikipedia.org/wiki/Exec_Shield)
    - [iptables](https://linux.die.net/man/8/iptables)
    - [AppArmor](https://apparmor.net/)
    - [SELinux](https://www.redhat.com/en/topics/linux/what-is-selinux)
    - [Fail2ban](https://github.com/fail2ban/fail2ban)
    - [Snort](https://www.snort.org/faq/what-is-snort)
    - [Uncomplicated Firewall (ufw)](https://wiki.ubuntu.com/UncomplicatedFirewall)

# Exercise

## Initial Enum

- `ping` test
    ![[images/Pasted image 20260202103405.png]]
- `nmap` scans
    ![[images/Pasted image 20260202103420.png]]
    ![[images/Pasted image 20260202103445.png]]
- `ssh` into the box with the given creds
    ![[images/Pasted image 20260202103558.png]]

## Local Enum

- Initial enum for context
    ![[images/Pasted image 20260202103709.png]]
- `sudo -l`
    ![[images/Pasted image 20260202103856.png]]
- `$PATH` and `env`
    ![[images/Pasted image 20260202104059.png]]
- `find` hidden files for `htb-student` - nothing
- `find` hidden dirs
    ![[images/Pasted image 20260202104329.png]]
- Look for unmounted fs in `/etc/fstab` - standard
    ![[images/Pasted image 20260202104554.png]]
- List out temp files - nothing
    ![[images/Pasted image 20260202104809.png]]
- Look for files belonging to the user - lots of files
    - Next time, filter out `/proc` and `/sys`

```bash
find / -type f -name "*" -exec ls -l {} \; 2>/dev/null | grep htb-student
```

- `find` all BASH scripts, then `cat` them using `xargs` and `grep` for `htb`

```shell
find / -name "*.sh" 2>/dev/null | xargs cat | grep -i "htb"
```
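The PATH & Env Vars section above says a misconfigured PATH can be a privesc vector; this added example (not part of the original notes) makes that concrete as an audit of a PATH string. It flags empty entries, relative entries, missing directories, and directories writable by others, on the assumption that any of those lets a lower-privileged user shadow a command for whoever runs with that PATH.

```python
"""Audit a PATH value for entries that let another user shadow commands.

Added example, not from the notes. The colon-separated PATH string is checked
for empty entries (which resolve to the current directory), relative entries,
missing directories, and directories writable by users other than root.
"""
import os
import stat


def audit_path(path_value, check_fs=True):
    """Return (entry, reason) findings for each risky PATH entry, in order."""
    findings = []
    for entry in path_value.split(":"):
        if entry == "":
            findings.append((entry, "empty entry resolves to the current directory"))
        elif not os.path.isabs(entry):
            findings.append((entry, "relative entry depends on the caller's cwd"))
        elif check_fs:
            findings.extend(audit_dir(entry))
    return findings


def audit_dir(entry):
    """Filesystem checks for one absolute PATH entry (empty list if it is fine)."""
    try:
        st = os.stat(entry)
    except FileNotFoundError:
        return [(entry, "directory does not exist")]
    if not stat.S_ISDIR(st.st_mode):
        return [(entry, "not a directory")]
    if st.st_mode & stat.S_IWOTH:
        return [(entry, "world-writable directory")]
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        return [(entry, "group-writable directory owned by a non-root group")]
    return []


if __name__ == "__main__":
    # Constructed PATH with two classic mistakes: an empty entry and a bare "bin".
    for entry, reason in audit_path("/usr/local/bin::bin:/usr/bin"):
        print(f"{entry!r}: {reason}")
```

Run it against the real value with `audit_path(os.environ["PATH"])` to check the current user's PATH rather than the constructed one.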
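Pulling together the `/etc/passwd` field breakdown and the `/etc/shadow` hash table from the Users & Groups section above, this added example (not part of the original notes) parses constructed copies of both files: it reproduces the `grep "sh$"` login-shell check and maps each hash prefix to its algorithm so that accounts still stored with salted MD5 stand out during a review. The sample contents and hash bodies are constructed placeholders.

```python
"""Added example, not from the notes: parse the seven /etc/passwd fields listed
above, reproduce the `grep "sh$"` login-shell check, and map /etc/shadow hash
prefixes to algorithms using the table so legacy MD5 hashes stand out."""

# Prefix -> algorithm, per the hash table in the Users & Groups section.
HASH_PREFIXES = {"$1$": "Salted MD5", "$5$": "SHA-256", "$6$": "SHA-512",
                 "$2a$": "BCrypt", "$7$": "Scrypt", "$argon2i$": "Argon2"}
PASSWD_FIELDS = ("username", "password", "uid", "gid", "info", "home", "shell")


def parse_passwd(text):
    """Return one dict per well-formed line, keyed by the seven field names."""
    rows = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) == 7:  # skip blank or malformed lines
            rows.append(dict(zip(PASSWD_FIELDS, parts)))
    return rows


def login_shell_users(rows):
    """Usernames whose shell ends in 'sh', like `grep "sh$" /etc/passwd`."""
    return [r["username"] for r in rows if r["shell"].endswith("sh")]


def shadow_algorithms(text):
    """Map username -> algorithm name, 'locked/no password', or 'unknown'."""
    algos = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        user, field = line.split(":")[:2]
        if field in ("", "*") or field.startswith("!"):
            algos[user] = "locked/no password"
        else:
            algos[user] = next((name for prefix, name in HASH_PREFIXES.items()
                                if field.startswith(prefix)), "unknown")
    return algos


# Constructed sample files; the hash bodies are placeholders, not real hashes.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
htb-student:x:1000:1000:HTB Student:/home/htb-student:/bin/bash
legacy:x:1001:1001::/home/legacy:/bin/sh
"""
SAMPLE_SHADOW = """root:$6$SALTPLACEHOLDER$HASHPLACEHOLDER:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
htb-student:$6$SALTPLACEHOLDER$HASHPLACEHOLDER:19000:0:99999:7:::
legacy:$1$SALTPLACEHOLDER$HASHPLACEHOLDER:19000:0:99999:7:::
"""
```

On a real box, pass the contents of the actual files to `parse_passwd` and `shadow_algorithms` (reading `/etc/shadow` needs root); any "Salted MD5" or "unknown" result is worth a closer look.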