https://old.frang4.tech/tags/privilege-escalation/ Recent content in Privilege Escalation on Hugo en-us Wed, 07 May 2025 03:38:50 -0300 https://old.frang4.tech/posts/cpts/linux-privilege-escalation/ Wed, 07 May 2025 03:38:50 -0300 https://old.frang4.tech/posts/cpts/linux-privilege-escalation/ <p>This post explains the process of enumerating a linux system in order to find paths to escalate privileges.</p> <h2 id="overiview">Overiview</h2> <h3 id="automated-tools">Automated tools</h3> <ul> <li><a href="https://github.com/rebootuser/LinEnum" target="_blank">LinEnum</a></li> <li><a href="https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS" target="_blank">linPEAS</a></li> </ul> <h3 id="manual---general-things">Manual - General things</h3> <p>These are the general things we will be enumerating in the process below</p> <h4 id="os">OS</h4> <ul> <li>OS Version</li> <li>Kernel Version</li> </ul> <h4 id="services">Services</h4> <ul> <li>Running Services: <code>ps aux | grep root</code></li> <li>Installed Packages and Versions</li> </ul> <h4 id="user">User</h4> <ul> <li><code>whoami</code>, <code>id</code>, <code>hostname</code></li> <li>User Home Directories</li> <li>Sudo Privileges: <code>sudo -l</code></li> </ul> <h4 id="files--directories">Files &amp; Directories</h4> <ul> <li>Configuration files: <code>.conf</code> &amp; <code>.config</code></li> <li>Readable Shadow File</li> <li>Password Hashes in <code>/etc/passwd</code> (more common on embedded devices and routers)</li> <li>Writeable Directories</li> <li>Writeable Files</li> <li>SETUID and SETGID Permissions</li> </ul> <h4 id="cron-jobs">Cron Jobs</h4> <ul> <li>Under: <code>/etc/cron*</code></li> </ul> <h4 id="file-systems">File Systems</h4> <ul> <li>Unmounted File System and Aditional Drivers</li> <li>File Systems &amp; Additional Drives</li> </ul> <h2 id="process-of-enumeration">Process of enumeration</h2> <h3 id="1-gaining-situational-awareness">1. Gaining Situational Awareness</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>whoami </span></span><span style="display:flex;"><span>id </span></span><span style="display:flex;"><span>hostname </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>cat /etc/os-release </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>echo $PATH </span></span><span style="display:flex;"><span>env </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>uname -a </span></span><span style="display:flex;"><span>lscpu </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>cat /etc/shells </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>lsblk <span style="color:#75715e"># block devices</span> </span></span><span style="display:flex;"><span>lpstat <span style="color:#75715e"># printers</span> </span></span><span style="display:flex;"><span>cat /etc/fstab </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># network information</span> </span></span><span style="display:flex;"><span>route </span></span><span style="display:flex;"><span>arp -a </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>cat /etc/passwd </span></span><span style="display:flex;"><span>cat /etc/passwd | cut -f1 -d: <span style="color:#75715e"># usernames</span> </span></span><span style="display:flex;"><span>grep <span style="color:#e6db74">&#34;*</span>$<span style="color:#e6db74">&#34;</span> /etc/passwd </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>cat /etc/group </span></span><span style="display:flex;"><span>getent group sudo </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>ls /home </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># file systems</span> </span></span><span style="display:flex;"><span>df -h </span></span><span style="display:flex;"><span><span style="color:#75715e"># unmounted fs</span> </span></span><span style="display:flex;"><span>cat /etc/fstab | grep -v <span style="color:#e6db74">&#34;#&#34;</span> | column -t </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># hidden files for $USER</span> </span></span><span style="display:flex;"><span>find / -type f -name <span style="color:#e6db74">&#34;.*&#34;</span> -exec ls -l <span style="color:#f92672">{}</span> <span style="color:#ae81ff">\;</span> 2&gt;/dev/null | grep $USER </span></span><span style="display:flex;"><span><span style="color:#75715e"># setuid files</span> </span></span><span style="display:flex;"><span>find / -perm -4000 -exec ls -ldb <span style="color:#f92672">{}</span> <span style="color:#ae81ff">\;</span> 2&gt;/dev/null </span></span><span style="display:flex;"><span>find / -perm -4000 -type f -exec ls -l <span style="color:#f92672">{}</span> <span style="color:#ae81ff">\;</span> 2&gt;/dev/null </span></span><span style="display:flex;"><span><span style="color:#75715e"># setgid files</span> </span></span><span style="display:flex;"><span>find / -uid <span style="color:#ae81ff">0</span> -perm -6000 -type f 2&gt;/dev/null </span></span><span style="display:flex;"><span><span style="color:#75715e"># hidden directories</span> </span></span><span style="display:flex;"><span>find / -type d -name <span style="color:#e6db74">&#34;.*&#34;</span> -ls 2&gt;/dev/null </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>ls /var/tmp <span style="color:#75715e"># data retained 30 days</span> </span></span><span style="display:flex;"><span>ls /tmp <span style="color:#75715e"># data retained 10 days or until system reboot</span> </span></span></code></pre></div><h3 id="2-linux-services--internals-enumeration">2. Linux Services &amp; Internals Enumeration</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>ip a </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>cat /etc/hosts </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>lastlog <span style="color:#75715e"># users&#39;s last login command</span> </span></span><span style="display:flex;"><span>who <span style="color:#75715e"># check who&#39;s logged in</span> </span></span><span style="display:flex;"><span>finger </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>history </span></span><span style="display:flex;"><span>find / -type f <span style="color:#ae81ff">\(</span> -name *_hist -o -name *_history <span style="color:#ae81ff">\)</span> -exec ls -l <span style="color:#f92672">{}</span> <span style="color:#ae81ff">\;</span> 2&gt;/dev/null </span></span><span style="display:flex;"><span><span style="color:#75715e"># finding history files</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Cronjobs</span> </span></span><span style="display:flex;"><span>ls -la /etc/cron.*/ </span></span><span style="display:flex;"><span>cat /etc/crontab </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># writeable files (check for cronjob abuse)</span> </span></span><span style="display:flex;"><span>find / -path /proc -prune -o -type f -perm -o+w 2&gt;/dev/null </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># proc filesystem is a virtual fs that contains info about system processes, hw, system info</span> </span></span><span style="display:flex;"><span>find /proc -name cmdline -exec cat <span style="color:#f92672">{}</span> <span style="color:#ae81ff">\;</span> 2&gt;/dev/null | tr <span style="color:#e6db74">&#34; &#34;</span> <span style="color:#e6db74">&#34;\n&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>apt list --installed | tr <span style="color:#e6db74">&#34;/&#34;</span> <span style="color:#e6db74">&#34; &#34;</span> | cut -d<span style="color:#e6db74">&#34; &#34;</span> -f1,3 | sed <span style="color:#e6db74">&#39;s/[0-9]://g&#39;</span> | tee -a installed_pkgs.list <span style="color:#75715e"># list of installed packages</span> </span></span><span style="display:flex;"><span>sudo -V <span style="color:#75715e"># sudo version</span> </span></span><span style="display:flex;"><span>ls -l /bin /usr/bin/ /usr/sbin/ <span style="color:#75715e"># list of binaries</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># compare available binaries against GTFO</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">for</span> i in <span style="color:#66d9ef">$(</span>curl -s https://gtfobins.github.io/ | html2text | cut -d<span style="color:#e6db74">&#34; &#34;</span> -f1 | sed <span style="color:#960050;background-color:#1e0010">&#39;</span>/^<span style="color:#f92672">[[</span>:space:<span style="color:#f92672">]]</span>*$/ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># analyze system calls and signal processing</span> </span></span><span style="display:flex;"><span>strace ping -c1 IP </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>find / -type f <span style="color:#ae81ff">\(</span> -name *.conf -o -name *.config <span style="color:#ae81ff">\)</span> -exec ls -l <span style="color:#f92672">{}</span> <span style="color:#ae81ff">\;</span> 2&gt;/dev/null <span style="color:#75715e"># configuration files</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Scripts</span> </span></span><span style="display:flex;"><span>find / -type f -name <span style="color:#e6db74">&#34;*.sh&#34;</span> 2&gt;/dev/null | grep -v <span style="color:#e6db74">&#34;src\|snap\|share&#34;</span> </span></span><span style="display:flex;"><span>ps aux | grep root </span></span><span style="display:flex;"><span><span style="color:#75715e"># running services by user</span> </span></span></code></pre></div><h3 id="3-credential-hunting">3. Credential Hunting</h3> <p>See <a href="https://old.frang4.tech/posts/cpts/linux-credential-hunting/">Credential Hunting Linux</a></p> https://old.frang4.tech/posts/cpts/linux-credential-hunting/ Tue, 06 May 2025 03:38:50 -0300 https://old.frang4.tech/posts/cpts/linux-credential-hunting/ <h2 id="configuration-files"><strong>Configuration Files</strong></h2> <p>find all possible configuration files on the system</p> <p><code>for l in $(echo &quot;.conf .config .cnf&quot;);do echo -e &quot;\nFile extension: &quot; $l; find / -name &quot;*$l&quot; **2**&gt;/dev/null | grep -v &quot;lib\|fonts\|share\|core&quot; ;done</code></p> <p>run the scan directly for each file found with the specified file extension and output the contents. In this example, we search for three words (user, password, pass) in each file with the file extension .cnf.</p> <p><code>for i in $(find / -name &quot;*.cnf&quot; **2**&gt;/dev/null | grep -v &quot;doc\|lib&quot;);do echo -e &quot;\nFile: &quot; $i; grep &quot;user\|password\|pass&quot; $i **2**&gt;/dev/null | grep -v &quot;\#&quot;;done</code></p>