Linux

Enumeration

Tool	Details
LinPEAS	DOWNLOAD. In Metasploit.
LinEnum	./LinEnum.sh -e <OUTPUT_FILE>
Lynis	Security auditing tool for Linux, macOS and UNIX-based systems. Test security defenses. ./lynis audit system

Functionality

GTFOBins shows how to exploit SUID, Capabilities, and SUDO vulnerabilities on known programs.

GTFOBins

SUDO

The sudo utility (Superuser-Do) can be used to run a command with elevated privileges. Must be a member of the sudo group.

sudo -V   # if vulnerable version

sudo -l

See NOPASSWD entries. Also remember abuse of relative paths and Wildcard.

SUID Program

Programs with the SUID flag will run with owner privileges. Analyze these programs.

find / -perm -u=s -type f 2>/dev/null

find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null

SGID Program

Programs with the SGID flag run binaries as if we were part of the group that created them. Analyze these programs.

find / -perm -g=s -type f 2>/dev/null

find / -user root -perm -6000 -exec ls -ldb {} \; 2>/dev/null

Capabilities

Capabilities are additional attributes that can be applied to processes, binaries, and services to assign specific privileges (ex., administrative). Analyze the presence of misconfigurations.

/usr/sbin/getcap -r / 2>/dev/null

find /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -type f -exec getcap {} \;

Groups

If the user is part of some privileged groups then he can perform privileged and particularly harmful actions.

id # see groups

• Docker

• LXD / LXC

• disk

• adm

Programms

See versions of various executable programs to check for Privilege Escalation exploits. See CVE section.

Process

Cron Jobs

Look through the Cron Jobs if they are called editable files to be exploited.

ls -lah /etc/cron* 

crontab -l

Also remember abuse via Wildcard.

pspy

Command-line tool designed to snoop around linux processes without needing root permissions. It allows you to see commands executed by other users, cron jobs, etc. while they are running.

./pspy32  
./pspy32s # short version

./pspy64  
./pspy64s # short version

File

Documents

Search for sensitive information in different files, such as system password files, files in the home profile, text files saved on Desktop/Documents, temporary files, etc.

# See if readable and writable
cat /etc/passwd
cat /etc/shadow
cat /etc/security/opasswd

Note: In /etc/passwd and /etc/shadow you can remove the x or insert instead the output of: openssl passwd <PASS>. Or you can add <USER> ALL=(ALL:ALL) ALL | <USER> ALL=(ALL) NOPASSWD: ALL in /etc/sudoers.

cat ~/.bashrc
cat ~/.bash_profile

ls /tmp
ls /var/tmp
ls /dev/shm

SSH keys

Look for ssh keys which may also be located elsewhere in the file system.

ls ~/.ssh
# check known_hosts to find out key targets

grep -rnw "PRIVATE KEY" /* 2>/dev/null | grep ":1"

grep -rnw "ssh-rsa" /* 2>/dev/null | grep ":1"

Config

Search for sensitive information in configuration files.

for l in $(echo ".conf .config .cnf");do echo -e "\n-->" $l; find / -name *$l 2>/dev/null | grep -v "lib\|fonts\|share\|core" ; done

find / ! -path "*/proc/*" -iname "*config*" -type f 2>/dev/null | grep -v "lib\|fonts\|share\|core

Backup

Check if there are any backup files that may contain sensitive information.

find / -name ‘*.bak’ 2>/dev/null

Script

Also check the bash scripts.

find / -name *.sh 2>/dev/null | grep -v "doc\|lib\|headers\|share\|src\|snap";

Writable Files and Directories

Check if there are any interesting writable files and folders.

find / -path /proc -prune -o -type [f/d] -perm -o+w 2>/dev/null

find / -writable -type [f/d] 2>/dev/null

Hidden Files and Directories

Check if there are any interesting hidden files and folders with sensitive information.

find / -type f -name ".*" -exec ls -l {} \; 2>/dev/null | grep <USER>

find / -type d -name ".*" -ls 2>/dev/null

Password

Tool	Details
LaZagne	It searches for passwords. laZagne.py all
mimipenguin	A tool to download the current Linux user's login password.

Browser

Tool	Details
HackBrowserData	Extract sensitive data, including passwords, from browsers. ./hack-browser-data[.exe] (check the results directory)

Various

History

Search the command history.

cat ~/.*history

history

find / -type f \( -name *_hist -o -name *_history \) -exec ls -l {} \; 2>/dev/null

Variables

Check environment variables for sensitive information such as passwords or misconfiguration.

env

echo $PATH

Library

For ELFs see if you can manipulate the LD_PRELOAD variable or the RUNPATH setting of the binaries. In Python see if you can manipulate the PYTHONPATH variable or if there are writable directories in the module import.

• LD_PRELOAD

• RUNPATH

• PYTHONPATH

Passive Traffic

Tool	Details
PCredz	Capture sensitive information from live network traffic, with tcpdump

Restricted Shells

Certain users may be assigned shells with limited functionality, such as rbash, rksh, rzsh

Check executable commands and look for them in GTFOBins

compgen -c

Also try

• Command injection with `

• Command Chaining with ; & |

• Variable changes (export -p)

• Shell functions

Kernel

Exploit Kernel Level. Depends on Kernel Version and Operating System. Better to compile the exploit on the target if it has gcc. May cause crashes!

Tool	Details
Linux-Exploit-Suggester	It allows you to detect kernel-level security weaknesses.

See Linux-CVE section.