# Introduction

- To privesc efficiently, we can search for passwords or even whole credentials that we can use to log in to our target
- Low-hanging fruit that can give us elevated privileges
- Four categories of sources:
    - `Files` including configs, databases, notes, scripts, source code, cronjobs, and SSH keys
    - `History` including logs and command-line history
    - `Memory` including cache and in-memory processing
    - `Key-rings` such as browser-stored credentials

# Files

- Categories of files to look for:
    - Configuration files
    - Databases
    - Notes
    - Scripts
    - Cronjobs
    - SSH keys

```bash
# search for config files (the glob is quoted so the shell does not expand it in the current directory)
for l in $(echo ".conf .config .cnf");do echo -e "\nFile extension: " $l; find / -name "*$l" 2>/dev/null | grep -v "lib\|fonts\|share\|core" ;done
```

```bash
# search for user+password keywords across cnf files (while-read keeps paths with spaces intact)
find / -name "*.cnf" 2>/dev/null | grep -v "doc\|lib" | while IFS= read -r i;do echo -e "\nFile: $i"; grep "user\|password\|pass" "$i" 2>/dev/null | grep -v "\#";done
```

```bash
# search for dbs
for l in $(echo ".sql .db .*db .db*");do echo -e "\nDB File extension: " $l; find / -name "*$l" 2>/dev/null | grep -v "doc\|lib\|headers\|share\|man";done
```

```bash
# search for notes: .txt files or files with no extension
# (the parentheses are needed, otherwise -o makes find match directories and non-.txt files too)
find /home/* -type f \( -name "*.txt" -o ! -name "*.*" \)
```

```bash
# search for scripts
for l in $(echo ".py .pyc .pl .go .jar .c .sh");do echo -e "\nFile extension: " $l; find / -name "*$l" 2>/dev/null | grep -v "doc\|lib\|headers\|share";done
```

```bash
# enumerate cron jobs
cat /etc/crontab
ls -la /etc/cron.*/
```

# History

- Stored commands

```bash
# enumerate history files such as .bash_history, .bashrc, .bash_profile
tail -n5 /home/*/.bash*
```

- Four categories of log files:
    - Application logs
    - Event logs
    - Service logs
    - System logs

|**File**|**Description**|
|---|---|
|`/var/log/messages`|Generic system activity logs.|
|`/var/log/syslog`|Generic system activity logs.|
|`/var/log/auth.log`|(Debian) All authentication related logs.|
|`/var/log/secure`|(RedHat/CentOS) All authentication related logs.|
|`/var/log/boot.log`|Booting information.|
|`/var/log/dmesg`|Hardware and drivers related information and logs.|
|`/var/log/kern.log`|Kernel related warnings, errors and logs.|
|`/var/log/faillog`|Failed login attempts.|
|`/var/log/cron`|Information related to cron jobs.|
|`/var/log/mail.log`|All mail server related logs.|
|`/var/log/httpd`|All Apache related logs.|
|`/var/log/mysqld.log`|All MySQL server related logs.|

```bash
# search for interesting strings in logs
# find -type f descends into /var/log subdirectories (ls /var/log/* prints their entries without a path), -i also catches "Accepted"
PATTERN="accepted\|session opened\|session closed\|failure\|failed\|ssh\|password changed\|new user\|delete user\|sudo\|COMMAND\=\|logs"
find /var/log -type f 2>/dev/null | while IFS= read -r i;do GREP=$(grep -i "$PATTERN" "$i" 2>/dev/null); if [[ $GREP ]];then echo -e "\n#### Log file: $i"; echo "$GREP";fi;done
```

# Memory & Cache

- Many applications and processes work with credentials needed for authentication and store them either in memory or in files so that they can be reused
- For example, creds stored by a web browser
- `Keyrings` are used for secure storage and management of passwords on Linux distributions
- Passwords are stored encrypted and protected with a master password by an OS-based password manager
- Tools for retrieving stored creds:
    - [mimipenguin](https://github.com/huntergregal/mimipenguin)
    - LaZagne

```bash
# run mimipenguin
sudo python3 mimipenguin.py
```

```bash
# run LaZagne
sudo python2.7 laZagne.py all
```

# Browser creds

- Browsers store the passwords saved by the user in an encrypted form locally on the system to be reused
- `Mozilla Firefox` stores the credentials encrypted in a hidden folder for the respective user
- For example, when we store credentials for a web page in the Firefox browser, they are encrypted and stored in `logins.json` on the system

```bash
# enumerate firefox profiles
ls -l .mozilla/firefox/ | grep default
drwx------ 11 cry0l1t3 cry0l1t3 4096 Jan 28 16:02 1bplpd86.default-release
drwx------ 2 cry0l1t3 cry0l1t3 4096 Jan 28 13:30 lfx3lvhb.default

# sift through firefox's logins.json with jq
cat .mozilla/firefox/1bplpd86.default-release/logins.json | jq .
```

```bash
# run firefox_decrypt
python3.9 firefox_decrypt.py
```

```bash
# run LaZagne browsers module
python3 laZagne.py browsers
```
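As an added example that is not part of the original notes, the helper below does the `Files` search from above the way a defender auditing a host or a build tree would want it: it looks for the same file classes the notes list (configs, databases, scripts, `.txt` notes and extensionless notes), prunes the same library/documentation directories, survives paths with spaces, skips comment lines and binaries, and redacts the matched value so the report can be attached to a ticket without becoming a credential leak itself. The function names `find_candidate_files`, `scan_secrets` and `make_sample_tree`, the extension list and the key regex are this example's own choices; `make_sample_tree` creates a constructed fixture so the script runs offline.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes: audit helper for the "Files"
# section. Function names, extension list and key pattern are assumptions
# made for this example.

# Extensions the notes search for (configs, databases, scripts) plus .txt notes;
# files with no extension at all are treated as notes as well.
CRED_EXTS=".conf .config .cnf .ini .env .sql .db .sqlite .py .pl .sh .go .jar .txt"
# Directories the notes exclude (documentation, libraries, fonts, man pages).
PRUNE_RE='/(lib|lib64|share|doc|fonts|headers|man)/'
# Uncommented "key = value" / "key: value" lines whose key suggests a credential.
KEY_RE='^[[:space:]]*[^#;[:space:]][^=:]*(pass(w(or)?d)?|secret|api[_-]?key|token)[^=:]*[=:]'

# find_candidate_files DIR : print one candidate path per line.
find_candidate_files() {
    local dir="$1" ext
    set --
    for ext in $CRED_EXTS; do
        set -- "$@" -o -name "*$ext"
    done
    # -type f AND ( no extension OR one of the listed extensions ).
    # The parentheses matter: without them -o binds looser than -type f and
    # directories or sockets would be reported as well.
    find "$dir" -type f \( ! -name "*.*" "$@" \) 2>/dev/null | grep -Ev "$PRUNE_RE"
}

# scan_secrets DIR : print "path:line:key= <redacted>" for every hit.
scan_secrets() {
    find_candidate_files "$1" | while IFS= read -r f; do
        # -H prefixes the path, -n the line number, -I skips binary files, -i ignores case.
        grep -HnIiE "$KEY_RE" "$f" 2>/dev/null || true
    done | sed -E 's/^([^:]+:[0-9]+:[^=:]*[=:])[[:space:]]*.*$/\1 <redacted>/'
}

# make_sample_tree : build a constructed fixture (not real host data), print its path.
make_sample_tree() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/etc/app" "$root/home/dev/my notes" "$root/usr/lib/app"
    printf 'user = app\n# password = retired\ndb_password = s3cr3t\n' > "$root/etc/app/db.cnf"
    printf 'API_KEY=abc123\nDEBUG=1\n' > "$root/home/dev/.env"
    printf 'vpn pass: Winter2024\n' > "$root/home/dev/my notes/todo"
    printf 'password=libnoise\n' > "$root/usr/lib/app/settings.conf"   # pruned: under /lib/
    printf '\177ELF\000password=binary\n' > "$root/home/dev/tool"         # binary: skipped by -I
    echo "$root"
}

# Usage: root=$(make_sample_tree); scan_secrets "$root"; rm -rf "$root"
```

Running it over the fixture reports three redacted hits (`db.cnf`, `.env` and the note in `my notes/todo`), while the commented-out password, the library copy and the binary are left out. Point it at `/etc`, `/opt` or `/home` on a real host to get the same view an attacker would build with the one-liners above, minus the plaintext.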
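The log grep in the `History` section above prints every matching line in one undifferentiated stream. As an added example that is not part of the original notes, the helper below classifies authentication-log lines by the same indicator strings (accepted logins, failures, session open/close, `sudo` `COMMAND=`, user creation and deletion) and summarises counts per category and failed logins per source address, which is the order a defender triaging `/var/log/auth.log` wants to read them in. The sample log lines are constructed in syslog format for this example (the host name, user and addresses are made up), and the function names `classify_auth_line`, `summarise_auth_log` and `failed_logins_by_source` are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes: triage helper for auth.log-style
# logs. Sample data and function names are assumptions made for this example.

# Constructed sample lines in syslog auth.log format; not taken from a real host.
SAMPLE_AUTH_LOG='Jan 28 13:30:01 host sshd[1021]: Accepted password for cry0l1t3 from 10.0.0.5 port 50122 ssh2
Jan 28 13:30:01 host sshd[1021]: pam_unix(sshd:session): session opened for user cry0l1t3 by (uid=0)
Jan 28 13:31:12 host sshd[1040]: Failed password for root from 10.0.0.9 port 50188 ssh2
Jan 28 13:31:15 host sshd[1040]: Failed password for root from 10.0.0.9 port 50188 ssh2
Jan 28 13:32:40 host sudo: cry0l1t3 : TTY=pts/0 ; PWD=/home/cry0l1t3 ; USER=root ; COMMAND=/usr/bin/less /var/log/auth.log
Jan 28 13:33:02 host useradd[1102]: new user: name=backup, UID=1001, GID=1001, home=/home/backup, shell=/bin/bash
Jan 28 13:34:10 host sshd[1021]: pam_unix(sshd:session): session closed for user cry0l1t3
Jan 28 13:35:00 host CRON[1200]: pam_unix(cron:session): session opened for user root by (uid=0)'

# classify_auth_line LINE : print the category of one log line, or nothing
# if it matches none of the indicators the notes grep for.
classify_auth_line() {
    case "$1" in
        *"Accepted "*)                                   echo "login-success" ;;
        *"Failed password"*|*"authentication failure"*)  echo "login-failure" ;;
        *"COMMAND="*)                                    echo "sudo" ;;
        *"new user"*|*"delete user"*)                    echo "account-change" ;;
        *"session opened"*)                              echo "session-open" ;;
        *"session closed"*)                              echo "session-close" ;;
        *) ;;
    esac
}

# summarise_auth_log < log : print "category count", most frequent first.
summarise_auth_log() {
    while IFS= read -r line; do
        classify_auth_line "$line"
    done | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# failed_logins_by_source < log : print "address count" for failed logins,
# the quickest check for a password-guessing source.
failed_logins_by_source() {
    grep "Failed password" \
        | sed -E 's/.* from ([0-9a-fA-F.:]+) port .*/\1/' \
        | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# Usage:
#   printf '%s\n' "$SAMPLE_AUTH_LOG" | summarise_auth_log
#   printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_source
#   summarise_auth_log < /var/log/auth.log
```

On the sample the summary shows two failed logins, two session opens (one of them from cron, which is why `CRON` lines are worth keeping in the pattern) and one `sudo` use, and the per-source view attributes both failures to the same address. The `case` patterns are plain substring matches, so a new indicator is one more line, and `classify_auth_line` can be reused unchanged over `journalctl -o short` output.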