Enumerating and Escalating in Linux

Ahh priv escalation… The bane of many hackers’ experiences; but it’s a critical thing to start to get a grasp on and it’s something I try to harp on a lot. Now, I’m by no means the end-all-be-all expert here because this is a huge topic that has a lot of nuances. But one thing I constantly tell people that I’m training or just shooting the shit with is to always ask the question of “what’s next?”. What’s next after you gain access? What’s next after you’ve gotten root? How far can you take this thing? In order to keep going down that tree of thought, you’re gonna need to start hitting privilege escalation to find out.

In this game, enumeration is KEY! We want to learn as much as we possibly can about the environment and its workings so that we can start seeing where the holes might be. After we learn what we can, we’ll start processing that data and look to see if we can find (or create) exploit code for anything we find. As always, we’ll have to try a whole bunch of things old and new, some of which will require repeatedly banging your head through the wall. Which is why I always tell folks that this kind of work is a whooooole lot of trial and error; so get ready to do plenty of Google searches and be open to exploring things you’ve never touched before. Nobody is an expert in everything, so the goal here is to understand the process and then learn how to fill in the blanks for what you need.

The overall process can be boiled down to the following:

  • Collect – Enumerate, enumerate, ENUMERATE.
  • Process – Sort through, analyze, and prioritize.
  • Research – Find out more about your High-Pri items, search for exploit code, etc.
    • Be ready to have to alter exploit code on the fly. Not everything works out of the box for everything you might be going after. BE FLEXIBLE!
  • Exploit – Mount your attack. Be ready for plenty of trial and error!

This post by no means covers everything that’s out there. It’s just some quick down and dirty tips to get you going both on the box and mentally thinking about things. Greetz to g0tmi1k for a lot of the content; I just tweaked a few things and took out what I didn’t want.


Enumeration

So first things first, when we get on a box we want to start exploring our environment. Where are we? Who are we? What’s going on around me?

Below is a list of commands that can be used to help enumerate the system and understand the environment.

What distro type and what version?

cat /etc/issue
cat /etc/*-release
cat /etc/lsb-release #Debian based
cat /etc/redhat-release #Redhat based

What’s the kernel version?

cat /proc/version
uname -a
uname -mrs
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz-

*vmlinuz is the name of the Linux kernel executable.

List all environmental variables

printenv

*https://www.cyberciti.biz/faq/linux-list-all-environment-variables-env-command/

What about printers?

lpstat -a

*https://www.lifewire.com/lpstat-linux-command-4094053


Applications and Services

What services are running?

ps aux – “aux” is actually a combo of 3 separate switches. “a” shows all processes for all users, “u” displays the process’s user/owner, and “x” shows processes not attached to a terminal. We can just pass all these together though, as seen in the example.
ps -ef – Similar to “ps aux”, just in standard syntax vs BSD.
top – Shows real-time view of the system.
cat /etc/services – Read more on /etc/services here.

Important note on “ps aux” and “ps -ef”; it’s gonna throw a lot of crap at you. So since we’re looking for things running as Root, we can pipe all that output and grep for “root”, as seen below:
ps aux | grep root
ps -ef | grep root

Check what applications are installed. What version are they?? Are they currently running???

ls -alh /usr/bin/
ls -alh /sbin/
dpkg -l
rpm -qa
ls -alh /var/cache/apt/archives/
ls -alh /var/cache/yum/

Look at the config files for different services. Are there any settings misconfigured?

cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.cnf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ | awk '$1 ~ /^.*r.*/'


Networking

Basic networking info 

ifconfig -a

What NIC(s) does the system have? Do we have access to other networks (pivoting)??
/sbin/ifconfig -a
cat /etc/network/interfaces
cat /etc/sysconfig/network

What’s cached? Any IP or MAC addresses?
arp -e
route
/sbin/route -nee

Can we sniff live traffic?
tcpdump 'tcp and dst host x.x.x.x and dst port xx'
Note: tcpdump 'tcp and dst host [ip] and dst port [port]'

Is tunneling possible?
ssh -D 127.0.0.1:9050 -N [username]@[ip]
proxychains ifconfig


User Info and Confidential Information

Who am I? Who is logged in? Who has been logged in? Who else is there? Who can do what?

id
who
w
last
cat /etc/passwd | cut -d: -f1 # List of users
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' # List of super users
awk -F: '($3 == "0") {print}' /etc/passwd # List of super users
cat /etc/sudoers
sudo -l

Can we access sensitive directories?
cat /etc/passwd
cat /etc/group
cat /etc/shadow
ls -alh /var/mail/

ls the Root and Home directories (if we can) and see if there’s anything interesting.
ls -ahlR /root/
ls -ahlR /home/

*The flags for ls are case sensitive. So make sure you’re using the correct syntax. If you want further information on each one just google it or check the man page. -ahlR however is basically just asking for “all” the info, in human readable and long list format, listing sub directories recursively.*

Are there any user credentials in a script, database, config files, or log files? 
cat /var/apache2/config.inc
cat /var/lib/mysql/mysql/user.MYD
cat /root/anaconda-ks.cfg

*Not limited to these by any means. Just get in the mindset of looking for juicy info inside of things like conf or log files.*

What has the user been doing? Any passwords in plain text? What have they been editing?
cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history

Can we dig up some more user info?
cat ~/.bashrc
cat ~/.profile
cat /var/mail/root
cat /var/spool/mail/root

Can we get a private-key?
cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key

*I can’t tell you how many times I see people put their sensitive PKI files in stupid places with absolutely no thought to protecting them. It’s not unheard of to just see them sitting there on the desktop or in the users home directory. Easy win in a lot of cases if you know to look for it.*
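The same observation from the admin's side, as an added example that is not part of the original post: a small audit that reports private-key files readable by group/other or sitting outside an SSH directory. The function name `audit_private_keys`, the issue labels and the default root of `/home` are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: defender-side audit, not code from the original post.
# Flags private-key files that group/other can access, or that live
# outside a .ssh directory (Desktop, home root, web roots, ...).

audit_private_keys() {
    root="${1:-/home}"          # assumption: user homes live under /home
    # -xdev stays on one filesystem; the size cap skips large binaries.
    find "$root" -xdev -type f -size -64k 2>/dev/null |
    while IFS= read -r f; do
        # Identify keys by their PEM/OpenSSH header, not by file name.
        if ! head -c 64 "$f" 2>/dev/null |
             grep -q -e '-----BEGIN .*PRIVATE KEY-----'; then
            continue
        fi
        issues=""
        # Characters 5-10 of the ls mode string are the group/other bits.
        if [ "$(ls -ld -- "$f" | cut -c5-10)" != "------" ]; then
            issues="loose-mode"
        fi
        case "$f" in
            */.ssh/*|/etc/ssh/*) ;;
            *) issues="${issues:+$issues,}outside-ssh-dir" ;;
        esac
        if [ -n "$issues" ]; then
            printf '%s\t%s\n' "$issues" "$f"
        fi
    done
}

# Usage: audit_private_keys /home
# Each output line is "<issues><TAB><path>"; no output means no findings.
```

A finding is cleared by moving the key into the owner's `~/.ssh` (mode 700) and setting the key itself to mode 600.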


More Logs!

Can we find anything good in /var?
ls -alh /var/log
ls -alh /var/mail
ls -alh /var/spool
ls -alh /var/spool/lpd
ls -alh /var/lib/pgsql
ls -alh /var/lib/mysql
cat /var/lib/dhcp3/dhclient.leases

More log files…
cat /etc/httpd/logs/access_log
cat /etc/httpd/logs/access.log
cat /etc/httpd/logs/error_log
cat /etc/httpd/logs/error.log
cat /var/log/apache2/access_log
cat /var/log/apache2/access.log
cat /var/log/apache2/error_log
cat /var/log/apache2/error.log
cat /var/log/apache/access_log
cat /var/log/apache/access.log
cat /var/log/auth.log
cat /var/log/chttp.log
cat /var/log/cups/error_log
cat /var/log/dpkg.log
cat /var/log/faillog
cat /var/log/httpd/access_log
cat /var/log/httpd/access.log
cat /var/log/httpd/error_log
cat /var/log/httpd/error.log
cat /var/log/lastlog
cat /var/log/lighttpd/access.log
cat /var/log/lighttpd/error.log
cat /var/log/lighttpd/lighttpd.access.log
cat /var/log/lighttpd/lighttpd.error.log
cat /var/log/messages
cat /var/log/secure
cat /var/log/syslog
cat /var/log/wtmp
cat /var/log/xferlog
cat /var/log/yum.log
cat /var/run/utmp
cat /var/webmin/miniserv.log
cat /var/www/logs/access_log
cat /var/www/logs/access.log
ls -alh /var/lib/dhcp3/
ls -alh /var/log/postgresql/
ls -alh /var/log/proftpd/
ls -alh /var/log/samba/


System Interaction

What programming languages are installed or supported?
find / -name 'perl*'
find / -name 'python*'
find / -name 'gcc*'
find / -name cc

How can we upload files?
find / -name wget
find / -name 'nc*'
find / -name 'netcat*'
find / -name 'tftp*'
find / -name ftp


Starting The Exploitation Process

Finding Exploit Code

Get Further Information On An Exploit/CVE

 

*Important!* Do your homework when you start looking at exploits, ESPECIALLY if you’re getting them from a less than reputable source. The last thing you wanna do is either backdoor or brick your own machine because you didn’t bother to check out the source code for whatever it is you’re running. Long story short, don’t be stupid.

All of these are just tools to get you moving in the right direction. If you have the process in your head, then figuring out how to drive that direction is a whole lot easier. Think about your goal and then work backwards on how to get there. Stay frosty!

-DarkHorseSec
