# Bonus Enum: Webserver Pillaging

- Check web config files and source code for vulns, hard-coded creds, etc.
- For Apache (httpd), review the following locs:
    - `/var/www/html` - default webroot for most Debian-based distros
    - `/var/www` - base dir for webservers with multiple sites or vhosts
    - `/srv/http` - default webroot for Arch
    - `/usr/share/httpd` - default webroot for RHEL
    - `/etc/apache2/sites-available/000-default.conf` - web config file
- For Nginx, review the following locs:
    - `/usr/share/nginx/html` - default webroot for RHEL
    - `/var/www/html` - common when Nginx is configured like Apache
    - `/etc/nginx/sites-available` and `/etc/nginx/sites-enabled` - web config files
- Misc locs:
    - `/opt/web`
    - `~/www`, `~/html`, or `~/public_html` - user-specific webroots

---

# Default Methodology

1. Perform basic manual enum once we have a foothold
    - Simple user and network checks
    ```bash
    hostname
    id
    sudo -l
    cat /etc/passwd | grep sh$
    ip a
    arp -a
    ss -tnlp
    cat /etc/hosts
    cat /etc/resolv.conf
    ```
    - Review bash history and home dir
    ```bash
    history
    cat ~/.bash_history
    find / -type f \( -name "*_hist" -o -name "*_history" \) -exec ls -l {} \; 2>/dev/null
    cat ~/.bashrc
    ls -al ~/.ssh/
    ```
    - Check OS and kernel version
    ```bash
    uname -a
    cat /etc/os-release
    ```
    - Check env vars and `$PATH`
    ```bash
    echo $PATH
    env
    ```
    - List processes running as root
    ```bash
    ps aux | grep root
    ```
    - Discover other users on host
    ```bash
    who
    w
    ```
    - Enumerate groups
    ```bash
    cat /etc/group        # show all groups and associated users
    getent group sudo     # query users for a specific group
    ```
    - Check for running cron jobs
    ```bash
    crontab -l
    ls -la /etc/cron.daily/
    pspy
    ```
    - Check for unmounted filesystems and additional drives
        - Also check for weak NFS privs and `no_root_squash`
    ```bash
    df -h
    cat /etc/fstab | grep -v "#" | column -t
    ```
    - Find writable files and dirs
    ```bash
    find / -path /proc -prune -o -type d -perm -o+w 2>/dev/null
    find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null
    ```
    - Find hidden files and dirs
    ```bash
    find / -type f -name ".*" -exec ls -l {} \; 2>/dev/null
    find / -type d -name ".*" -ls 2>/dev/null
    ```
    - Find all config files, scripts, and temp files
    ```bash
    find / -type f \( -name "*.conf" -o -name "*.config" \) -exec ls -l {} \; 2>/dev/null
    find / -name "*.sh" 2>/dev/null | xargs cat | grep -i "string"
    ls -l /tmp /var/tmp /dev/shm
    ```
2. Run automated enum scripts
    - linpeas - https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS
    - linenum - https://github.com/rebootuser/LinEnum
    - linuxprivchecker - https://github.com/sleventyeleven/linuxprivchecker
3. Enumerate for hard-coded or cleartext creds
    - NOTE: Be on the look-out for unusual services
    - [[5 - CPTS/3 - CPTS Notes/23 - Linux Privesc/4 - Cred Hunting|Cred Hunting]]
    - Review `/opt`
    - Review web config files
4. Enumerate SUDO, SUID, SGID, and Capabilities
    - Check against GTFObins
    - If we have sudo privs over a binary that isn't in GTFObins, try the `LD_PRELOAD` exploit
        - See [[5 - CPTS/3 - CPTS Notes/23 - Linux Privesc/20 - Shared Libs|Shared Libs]]
    - If a custom binary exists with SUID, try [[5 - CPTS/3 - CPTS Notes/23 - Linux Privesc/21 - SO Hijacking|SO Hijacking]]
    ```bash
    sudo -l
    sudo -V
    find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
    find / -user root -perm -6000 -exec ls -ldb {} \; 2>/dev/null
    find /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -type f -exec getcap {} \;
    ```
5. Check for unique files that are owned by current user or group
    ```bash
    find / -type f -perm /220 2>/dev/null
    ```
6. Review current user's groups
    - Run `id` and look for the below [[5 - CPTS/3 - CPTS Notes/23 - Linux Privesc/10 - Privileged Groups|Privileged Groups]]
        - LXD/LXC
        - Docker
        - Disk
        - ADM
7. Check for [[5 - CPTS/3 - CPTS Notes/23 - Linux Privesc/5 - PATH Abuse|PATH Abuse]]
8. Check for [[5 - CPTS/3 - CPTS Notes/23 - Linux Privesc/6 - Wildcard Abuse|Wildcard Abuse]] wrt cron jobs or scripts
9. Check to see if host is dual-homed
10. Check for services running on internal ports
    - Run `ss -lntp`
    - Focus on dbs
11. Check for cron jobs running writable scripts
    - [[5 - CPTS/3 - CPTS Notes/23 - Linux Privesc/13 - Cron Job Abuse|Cron Job Abuse]]
12. Check python scripts for [[5 - CPTS/3 - CPTS Notes/23 - Linux Privesc/22 - Python Lib Hijacking|Python Lib Hijacking]]
    ```bash
    find / -name "*.py" -perm /222 2>/dev/null
    ```
13. Check for vulnerable apps and services
    - Enumerate all services, binaries, and installed packages plus their versions
    - Search against `searchsploit` AND Google
    ```bash
    dpkg -l
    apt list --installed | tr "/" " " | cut -d" " -f1,3 | sed 's/[0-9]://g' | tee -a installed_pkgs.list
    for i in $(curl -s https://gtfobins.github.io/ | html2text | cut -d" " -f1 | sed '/^[[:space:]]*$/d');do if grep -q "$i" installed_pkgs.list;then echo "Check GTFO for: $i";fi;done
    ls -l /bin /usr/bin/ /usr/sbin/
    ```
14. Check for misc exploits
    - [[5 - CPTS/3 - CPTS Notes/23 - Linux Privesc/17 - Logrotate|Logrotate]]
    - [[5 - CPTS/4 - Skills Assessments/Linux Privsec/6 - screen exploit|screen exploit]]
    - tmux session hijacking
15. Check for recent 0-days
    - [[5 - CPTS/3 - CPTS Notes/23 - Linux Privesc/23 - sudo (recent 0-day)|sudo (recent 0-day)]]
    - [[5 - CPTS/3 - CPTS Notes/23 - Linux Privesc/25 - polkit (recent 0-day)|polkit (recent 0-day)]]
    - [[5 - CPTS/3 - CPTS Notes/23 - Linux Privesc/26 - dirty pipe (recent 0-day)|dirty pipe (recent 0-day)]]
    - [[5 - CPTS/3 - CPTS Notes/23 - Linux Privesc/27 - netfilter (recent 0-day)|netfilter (recent 0-day)]]
16. Check for [[5 - CPTS/3 - CPTS Notes/23 - Linux Privesc/19 - Kernel Exploits|Kernel Exploits]]
    - NOTE: Use as a last resort because this can bork the target host
17. Assuming target host has `tcpdump`, try to capture cleartext creds in network traffic
18. Attempt to brute force root with `sucrack`
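As an added, defender-side example that is not part of these notes, the following POSIX shell script audits a tree for two of the misconfigurations the checklist above hunts for (steps 1 and 11): cron jobs that run scripts writable by others, and NFS exports carrying `no_root_squash`. It builds a constructed sample tree under a temp dir so it runs anywhere; the `audit`, `writable_cron_scripts` and `unsafe_exports` function names are this example's own.

```shell
#!/bin/sh
# Added audit helper (not from the original notes): reports cron-run scripts that
# others can modify and NFS exports that disable root squashing, so they can be fixed.

# Constructed sample tree: one world-writable cron script, one properly protected
# script, and an exports file with one no_root_squash share and one safe share.
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
mkdir -p "$SAMPLE/etc/cron.d" "$SAMPLE/opt/scripts"
printf '#!/bin/sh\necho backup\n' > "$SAMPLE/opt/scripts/backup.sh"
printf '#!/bin/sh\necho rotate\n' > "$SAMPLE/opt/scripts/rotate.sh"
chmod 0777 "$SAMPLE/opt/scripts/backup.sh"   # the misconfiguration
chmod 0755 "$SAMPLE/opt/scripts/rotate.sh"   # correct: root-owned, not o+w
printf '* * * * * root %s/opt/scripts/backup.sh\n* * * * * root %s/opt/scripts/rotate.sh\n' \
    "$SAMPLE" "$SAMPLE" > "$SAMPLE/etc/cron.d/jobs"
printf '/srv/share 10.0.0.0/24(rw,no_root_squash)\n/srv/pub 10.0.0.0/24(ro)\n' \
    > "$SAMPLE/etc/exports"

# Print every absolute path referenced from $1/etc/cron.d that is writable by "others".
# Column 9 of `ls -ld` output is the others-write bit, which keeps this portable across
# GNU and BusyBox userlands.
writable_cron_scripts() {
    grep -rhoE '/[^[:space:]]+' "$1/etc/cron.d" 2>/dev/null | sort -u | while read -r f; do
        if [ -f "$f" ] && [ "$(ls -ld "$f" | cut -c9)" = "w" ]; then
            echo "WRITABLE_CRON_SCRIPT $f"
        fi
    done
}

# Print every export line under $1/etc/exports that disables root squashing.
unsafe_exports() {
    grep -E 'no_root_squash' "$1/etc/exports" 2>/dev/null | sed 's/^/NO_ROOT_SQUASH /'
}

# Run both checks against a root directory ("/" on a real host, $SAMPLE here).
audit() {
    writable_cron_scripts "$1"
    unsafe_exports "$1"
}

audit "$SAMPLE"
```

Only `/etc/cron.d` is scanned and cron entries are assumed to use absolute script paths; extend the `grep` source to `/etc/crontab`, the `cron.*` directories and per-user crontabs when auditing a real host.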