# Bonus Enum: Webserver Pillaging
- *Check web config files and source code for vulns, hard-coded creds, etc.*
- For Apache (httpd), review the following locations:
```bash
/etc/apache2/apache2.conf #default apache config loc
/etc/apache2/sites-available/ #vhost config files
/etc/apache2/sites-available/000-default.conf
/var/www/html/ #default apache webroot for debian distros
/var/www #base dir for webservers with multiple sites or vhosts
/srv/http #default apache webroot for Arch
/srv/share/httpd #default apache webroot for RHEL
```
- For Nginx, review the following locations:
```bash
/etc/nginx/nginx.conf #default nginx config loc
/etc/nginx/sites-available/ #vhost config files
/etc/nginx/sites-enabled/default
/srv/share/nginx/html/ #default nginx webroot for RHEL
/var/www/html #nginx webroot for some installations
```
- Misc locations:
```bash
/opt/web/
# user-specific webroots
~/www/
~/html/
~/public_html/
```
---
# Default Methodology
### 1. Perform basic manual enum once we have a foothold
- Simple user and network checks
```bash
hostname
id
sudo -l
cat /etc/passwd | grep sh$
ip a
arp -a
ss -tnlp
cat /etc/hosts
cat /etc/resolv.conf
realm list #check if host is domain joined
```
- Review bash history and home dir
```bash
history
cat ~/.bash_history
find / -type f \( -name '*_hist' -o -name '*_history' \) -exec ls -l {} \; 2>/dev/null #quote the globs so the shell doesn't expand them first
cat ~/.bashrc
ls -al ~/.ssh/
```
- Check OS and kernel version
```bash
uname -a
cat /etc/os-release
```
- Check env vars and `$PATH`
```bash
echo $PATH
env
```
- List processes running as root
```bash
ps aux | grep root
```
- Discover other users on host
```bash
who
w
```
- Enumerate groups
```bash
cat /etc/group #show all groups and associated users
getent group sudo #query users for specific group
```
- Check for running cron jobs
```bash
crontab -l #list the current user's crontab (a bare `crontab` reads stdin and overwrites it)
ls -la /etc/cron.daily/
ls -la /etc/cron.d/
pspy
```
- Check for unmounted and additional filesystems
- Also check for weak NFS privs and `no_root_squash`
```bash
df -h
cat /etc/fstab | grep -v "#" | column -t
```
- Find writable files and dirs
```bash
find / -path /proc -prune -o -type d -perm -o+w -print 2>/dev/null #explicit -print keeps the pruned /proc out of the output
find / -path /proc -prune -o -type f -perm -o+w -print 2>/dev/null
```
- Find hidden files and dirs
```bash
find / -type f -name ".*" -exec ls -l {} \; 2>/dev/null
find / -type d -name ".*" -ls 2>/dev/null
```
- Find all config files, scripts, and temp files
```bash
find / -type f \( -name '*.conf' -o -name '*.config' \) -exec ls -l {} \; 2>/dev/null
find / -name '*.sh' 2>/dev/null | xargs cat | grep -i "string" #replace "string" with the term of interest
ls -l /tmp /var/tmp /dev/shm
```
### 2. Run automated enum scripts
- linpeas - https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS
- linenum - https://github.com/rebootuser/LinEnum
- linuxprivchecker - https://github.com/sleventyeleven/linuxprivchecker
### 3. Enumerate SUDO, SUID, SGID, and Capabilities
- Check against GTFObins
- If we have sudo privs over a binary that isn't in GTFObins, try the `LD_PRELOAD` exploit
- See [[5 - CPTS/3 - CPTS Notes/23 - Linux Privesc/20 - Shared Libs|Shared Libs]]
- If a custom binary exists with SUID, try [[5 - CPTS/3 - CPTS Notes/23 - Linux Privesc/21 - SO Hijacking|SO Hijacking]]
```bash
sudo -l
sudo -V
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null #SUID
find / -user root -perm -2000 -exec ls -ldb {} \; 2>/dev/null #SGID (-6000 would only match files with both bits set)
find /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -type f -exec getcap {} \; 2>/dev/null
```
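A defender-side companion to the SUID/SGID listing above, added here and not part of the original notes: record the setuid/setgid files under a tree once from a known-good state, then diff later runs against that record so a newly appeared or changed privileged binary stands out instead of being re-read from the raw `find` output each time. Function names and the baseline path are hypothetical; only POSIX `find`, `sort`, `comm`, `sed` and `mktemp` are used.

```shell
#!/bin/sh
# Added example, not from the original notes: snapshot which files under a
# tree carry the setuid or setgid bit, then diff a later run against it.
# Function names are hypothetical; only POSIX find, sort, comm, sed, mktemp.

# Print setuid or setgid regular files under $1, one per line, sorted
# (comm below requires sorted input).
list_setuid_setgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Compare tree $1 against baseline file $2 (earlier list_setuid_setgid output).
# Prints "+ path" for files that gained setuid/setgid since the baseline and
# "- path" for files that lost it; empty output means no change.
diff_setuid_baseline() {
    tree="$1"; baseline="$2"
    current=$(mktemp)
    list_setuid_setgid "$tree" > "$current"
    comm -13 "$baseline" "$current" | sed 's/^/+ /'   # only in current: new
    comm -23 "$baseline" "$current" | sed 's/^/- /'   # only in baseline: gone
    rm -f "$current"
}

# Typical use on a host (baseline path is a placeholder; keep the baseline
# off-host or read-only, since a local root could edit it):
#   list_setuid_setgid / > /var/lib/suid.baseline
#   diff_setuid_baseline / /var/lib/suid.baseline
```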
### 4. Check for unique files that are owned by current user or group
- Is `/etc/shadow` writeable?
```bash
find / -type f -perm /220 2>/dev/null
```
### 5. Review current user's groups
- Run `id` and look for the below [[5 - CPTS/3 - CPTS Notes/23 - Linux Privesc/10 - Privileged Groups|Privileged Groups]]
- Wheel
- Shadow
- LXD/LXC
- Docker
- Disk
- ADM
### 6. Check for [[5 - CPTS/3 - CPTS Notes/23 - Linux Privesc/5 - PATH Abuse|PATH Abuse]]
```bash
echo $PATH
env
```
### 7. Check for [[5 - CPTS/3 - CPTS Notes/23 - Linux Privesc/6 - Wildcard Abuse|Wildcard Abuse]] wrt cron jobs or scripts
### 8. Check for cron jobs running writeable scripts
- [[5 - CPTS/3 - CPTS Notes/23 - Linux Privesc/13 - Cron Job Abuse|Cron Job Abuse]]
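An added audit helper for this step, not from the original notes: parse files in the system crontab format (`/etc/crontab` and `/etc/cron.d/*`: five time fields, user, command, plus `@daily`-style lines) and report scheduled scripts that group or other can write to. Function names are hypothetical; only POSIX `awk`, `ls` and `cut` are used.

```shell
#!/bin/sh
# Added audit helper, not from the original notes: list cron jobs whose
# script can be modified by someone other than its owner. Handles the system
# crontab format (m h dom mon dow user command) used by /etc/crontab and
# /etc/cron.d/*. Function names are hypothetical; POSIX awk, ls, cut only.

# Print the command path from every job line in cron file $1.
cron_script_paths() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }                # comment or blank line
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*=/ { next }     # VAR=value line
        $1 ~ /^@/ && NF >= 3 { print $3; next }       # @reboot/@daily user cmd
        NF >= 7 { print $7 }                          # 5 time fields, user, cmd
    ' "$1"
}

# Print each absolute script path from cron file $1 that is group- or
# world-writable. Empty output means nothing was flagged. (The directory
# holding the script matters too; that check is left out here for brevity.)
find_writable_cron_scripts() {
    cron_script_paths "$1" | while IFS= read -r cmd; do
        case "$cmd" in /*) ;; *) continue ;; esac   # skip relative paths/builtins
        [ -f "$cmd" ] || continue                   # skip missing targets
        perms=$(ls -ld "$cmd" | cut -c1-10)         # e.g. -rwxrwxrwx
        gw=$(printf '%s' "$perms" | cut -c6)        # group write bit
        ow=$(printf '%s' "$perms" | cut -c9)        # other write bit
        if [ "$gw" = w ] || [ "$ow" = w ]; then
            printf '%s\n' "$cmd"
        fi
    done
}

# Audit the system cron locations the notes list.
audit_system_cron() {
    for f in /etc/crontab /etc/cron.d/*; do
        [ -f "$f" ] && find_writable_cron_scripts "$f"
    done
    return 0
}
```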
### 9. Check for vulnerable apps and services
- Enumerate all services, binaries, and installed packages plus their versions
- Search against `searchsploit` AND Google
```bash
dpkg -l
apt list --installed | tr "/" " " | cut -d" " -f1,3 | sed 's/[0-9]://g' | tee -a installed_pkgs.list
for i in $(curl -s https://gtfobins.github.io/ | html2text | cut -d" " -f1 | sed '/^[[:space:]]*$/d');do if grep -q "$i" installed_pkgs.list;then echo "Check GTFO for: $i";fi;done
ls -l /bin /usr/bin/ /usr/sbin/
```
### 10. Enumerate for hard-coded or cleartext creds
- NOTE: Be on the look-out for unusual services
- [[5 - CPTS/3 - CPTS Notes/23 - Linux Privesc/4 - Cred Hunting|Cred Hunting]]
- Review `/opt`
- Review web config files
### 11. Check python scripts for [[5 - CPTS/3 - CPTS Notes/23 - Linux Privesc/22 - Python Lib Hijacking|Python Lib Hijacking]]
```bash
find / -name '*.py' -perm /222 2>/dev/null #quote the glob so the shell doesn't expand it first
```
### 12. Check to see if host is dual-homed
- Run `ip a`
### 13. Check for services running on internal ports
- Run `ss -lntp`
- Focus on dbs
### 14. Check for misc exploits
- [[5 - CPTS/3 - CPTS Notes/23 - Linux Privesc/17 - Logrotate|Logrotate]]
- [[5 - CPTS/4 - Skills Assessments/Linux Privsec/6 - screen exploit|screen exploit]]
- `tmux` session hijacking
### 15. Check for recent 0-days
- [[5 - CPTS/3 - CPTS Notes/23 - Linux Privesc/23 - sudo (recent 0-day)|sudo (recent 0-day)]]
- [[5 - CPTS/3 - CPTS Notes/23 - Linux Privesc/25 - polkit (recent 0-day)|polkit (recent 0-day)]]
- [[5 - CPTS/3 - CPTS Notes/23 - Linux Privesc/26 - dirty pipe (recent 0-day)|dirty pipe (recent 0-day)]]
- [[5 - CPTS/3 - CPTS Notes/23 - Linux Privesc/27 - netfilter (recent 0-day)|netfilter (recent 0-day)]]
### 16. Check for [[5 - CPTS/3 - CPTS Notes/23 - Linux Privesc/19 - Kernel Exploits|Kernel Exploits]]
- NOTE: Use as a last resort because this can bork the target host
### 17. Assuming target host has `tcpdump`, try to capture cleartext creds in network traffic
### 18. Attempt to brute force root with `sucrack`