# Internals
## Network Interfaces
```bash
ip a
```
## Hosts
```bash
cat /etc/hosts
```
## User's Last Login
```bash
lastlog
who
finger
```
## Logged In Users
```bash
w
```
- Important to also check a user's bash history, as they may be passing passwords as an argument on the command line, working with git repositories, setting up cron jobs, etc.
## Command History
```bash
history
```
## Finding History Files
```bash
find / -type f \( -name '*_hist' -o -name '*_history' \) -exec ls -l {} \; 2>/dev/null
```
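An added example (not part of the original notes) that turns the history check into a repeatable audit of your own hosts: it flags history entries where a secret was passed as a command-line argument and history files that group or other can read. The names `SECRET_RE`, `audit_history`, `readable_by_others` and `audit_tree` are hypothetical, and the pattern set is a constructed starting point.

```bash
#!/usr/bin/env bash
# Added example: audit history files for secrets typed as command-line arguments.
# SECRET_RE is a constructed starting set of patterns, not an exhaustive list.
SECRET_RE='(--(password|token)[= ]|sshpass +-p|mysql .*-p[^ ]|curl .*(-u|--user) +[^ ]+:[^ ]|://[^/ :]+:[^@ ]+@)'

# Print "file:line: program" for each risky entry. Only the program name is
# printed, so the report itself never repeats the secret.
audit_history() {
    awk -v re="$SECRET_RE" -v f="$1" '
        { sub(/^: [0-9]+:[0-9]+;/, "") }      # strip zsh extended-history prefix
        $0 ~ re { print f ":" NR ": " $1 }
    ' "$1"
}

# Succeed if group or other can read the file (history should be mode 600).
readable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \) -print 2>/dev/null)" ]
}

# Walk a directory tree using the same name patterns as the find command above.
audit_tree() {
    find "$1" -type f \( -name '*_hist' -o -name '*_history' \) 2>/dev/null |
    while IFS= read -r hist; do
        readable_by_others "$hist" && echo "$hist: readable by group/other"
        audit_history "$hist"
    done
}
```

Run it as `audit_tree /home` (or any directory); each reported line is a credential to rotate and a history entry to scrub.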
## Cron
```bash
crontab -l
ls -la /etc/cron.daily/
```
## Proc
- The [proc filesystem](https://man7.org/linux/man-pages/man5/proc.5.html) (`proc` / `procfs`) is a particular fs in Linux that contains information about system processes, hardware, etc.
- It is virtual and does not exist as a real fs but is dynamically generated by the kernel
```bash
find /proc -name cmdline -exec cat {} \; 2>/dev/null | tr " " "\n"
```
---
# Services
- Out-of-date packages or SW may have vulns
## Installed Packages
```bash
apt list --installed | tr "/" " " | cut -d" " -f1,3 | sed 's/[0-9]://g' | tee -a installed_pkgs.list
```
## Sudo Version
```bash
sudo -V
```
## Binaries
```bash
ls -l /bin /usr/bin/ /usr/sbin/
```
## GTFObins
- [GTFObins](https://gtfobins.github.io) includes a list of binaries that can potentially be exploited to privesc
- With the below oneliner, we can compare the existing binaries with the ones from GTFObins to see which binaries we should investigate later
```bash
for i in $(curl -s https://gtfobins.github.io/ | html2text | cut -d" " -f1 | sed '/^[[:space:]]*$/d');do if grep -q "$i" installed_pkgs.list;then echo "Check GTFO for: $i";fi;done
```
## Trace System Calls
- `strace` can be used to track and analyze system calls and signal processing
- It allows us to follow the flow of a program and understand how it accesses system resources, processes signals, and receives and sends data from the OS
- Below is an example using `ping`
```bash
strace ping -c1 10.129.112.20
```
## Config Files
- Users can read almost all config files dependent on perms
- These configuration files can often reveal how the service is set up and configured to understand better how we can use it for our purposes
- In addition, these files may contain sensitive information such as keys and paths to files in inaccessible folders
```bash
find / -type f \( -name '*.conf' -o -name '*.config' \) -exec ls -l {} \; 2>/dev/null
```
## Scripts
- Like config files, scripts may have contents of great import even without exec privs
- The below command excludes scripts in `src`, `snap`, and `share`
```bash
find / -type f -name "*.sh" 2>/dev/null | grep -v "src\|snap\|share"
```
## Running Services by User
- If we list running processes with `ps aux`, it can give us information about which scripts or binaries are in use and by which user
- So, for example, if it is a script created by the admin in his path and whose rights have not been restricted, we may be able to run the script without going into the `root` directory
```bash
ps aux | grep root
```
---
# Exercise
- `ping` test ![[images/Pasted image 20260202153226.png]]
- `nmap` scans ![[images/Pasted image 20260202153307.png]]
- `ssh` into box with given creds ![[images/Pasted image 20260202153616.png]]
- `htb-student:HTB_@cademy_stdnt!`
- `find` config files
- too much content
- create list of installed packages ![[images/Pasted image 20260202153844.png]]
- `cat installed_pkgs.list | grep -i python3` ![[images/Pasted image 20260202154356.png]]
- `cat installed_pkgs.list | grep python3 | sort -u`
- further `sort -u` to sort by unique entries in descending order ![[images/Pasted image 20260202154507.png]]