REDTEAM – Linux Enumeration

The goal of post-exploitation enumeration is to gather as much information as possible about the compromised system and its network. That information then lets us move laterally across the network or obtain higher privileges.

Upgrading the shell

TTY shell
python -c "import pty; pty.spawn('/bin/bash')"
python3 -c "import pty; pty.spawn('/bin/bash')"
export TERM=xterm-256color
script /dev/null -c bash      # alternative without python
export TERM=xterm-256color
Full Interactive

Background the process using CTRL + Z, and then type:

stty raw -echo; fg; reset
[hit enter 2 times]
stty columns 200 rows 200
Toolbox
alias l="ls -al"
echo "BASE64" | base64 -d > FILE     # decode a base64 string into FILE

Easy Win

LinPEAS

LinPEAS is a script that searches for paths to escalate privileges on Linux/Unix*/MacOS hosts.

GTFOBins

GTFOBins is a list of Unix binaries that can be used to bypass local security restrictions on misconfigured systems.

Native SUID binaries:

arping
at
chfn
chsh
fusermount
gpasswd
mount
newgrp
newgidmap
newuidmap
ntfs-3g
openssh/ssh-keysign
passwd
ping
ping6
pkexec
pppd
snapd/snap-confine
sudo
su
umount
/dbus-1.0/dbus-daemon-launch-helper
x86_64-linux-gnu/lxc/lxc-user-nic

Privilege escalation

Machine information

cat /etc/os-release; echo "//////"; head -9 /proc/cpuinfo; echo "//////"; df -a

Machine information (advanced)

uname -a; echo "##########"; head -9 /proc/cpuinfo; echo "########## Co. users"; users; w; echo "########## /etc/hosts"; cat /etc/hosts; echo "########## /etc/passwd"; grep sh /etc/passwd; echo "########## Processus"; ps -A

Information about the current user

id                   # UID / GID / groups
whoami               # username
sudo -l              # can the user run commands as root, and which ones
cat /etc/sudoers     # actions allowed as root (needs root)
history              # the user's command history
cat ~/.bash_history  # the user's command history
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
find / -type f -newermt <date-start> ! -newermt <date-end> -ls 2>/dev/null  # files modified between <date-start> and <date-end>
# find ./ -newermt "2016-01-18" ! -newermt '2016-01-19'

Information about users

cat /etc/sudoers      # actions allowed as root (needs root)
cat /etc/passwd       # list of system users
cat /etc/group        # list of system groups
cat /etc/shadow       # user password hashes (needs root)
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'     # accounts with UID 0 (root accounts)

users                 # logged-in users
who -a                # logged-in users
w                     # logged-in users & current tasks
last                  # listing of last logged-on users
lastlog               # when each user last logged in
ls -la /var/mail/; cat /var/mail/*   # once upon a time, people had local mailboxes (cat on the directory itself fails)
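The UID-0 one-liner above and two items of the checklist further down (root accounts, password hashes stored in /etc/passwd) are the checks a defender runs on a regular basis, not just after a compromise. The script below is an added example, not part of the original cheat sheet: it wraps those checks in shell functions over a passwd-format file. The sample entries (toor, legacy, the hash value) are constructed for the demo; the functions default to /etc/passwd when called without an argument.

```shell
#!/bin/sh
# Added audit example (not from the original cheat sheet): reads a passwd-format
# file and reports what the one-liner above and the checklist items look for.
# The sample content below is constructed for the demo; pass /etc/passwd for real use.

SAMPLE_PASSWD="$(mktemp)"
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
toor:x:0:0:maintenance:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
legacy:$6$constructedsalt$notarealhash0123456789:1001:1001::/home/legacy:/bin/sh
EOF

# Strip comment lines first, then select by field (same approach as the page's awk).
passwd_entries() {
  grep -v -E '^#' "${1:-/etc/passwd}"
}

# Every account whose UID is 0, root included.
uid0_accounts() {
  passwd_entries "$1" | awk -F: '$3 == 0 { print $1 }'
}

# Any UID-0 account that is not literally "root" is worth an alert:
# a second root-equivalent login is a classic persistence artefact.
unexpected_uid0() {
  uid0_accounts "$1" | grep -v -x 'root' || true
}

# Field 2 should be a shadow marker (x, *, or a locked "!..." value). Anything
# else means a password hash sits in the world-readable passwd file.
hashes_in_passwd() {
  passwd_entries "$1" | awk -F: '$2 != "" && $2 != "x" && $2 != "*" && $2 !~ /^!/ { print $1 }'
}

# Accounts that can actually log in: what "grep sh /etc/passwd" approximates,
# without matching nologin/false or the letters "sh" in some other field.
interactive_accounts() {
  passwd_entries "$1" | awk -F: '$7 != "" && $7 !~ /\/(nologin|false)$/ { print $1 ":" $7 }'
}

echo "UID-0 accounts:          $(uid0_accounts "$SAMPLE_PASSWD" | tr '\n' ' ')"
echo "Unexpected UID-0:        $(unexpected_uid0 "$SAMPLE_PASSWD")"
echo "Hashes stored in passwd: $(hashes_in_passwd "$SAMPLE_PASSWD")"
echo "Interactive accounts:"
interactive_accounts "$SAMPLE_PASSWD" | sed 's/^/  /'
```

On the constructed sample the script flags toor as an unexpected UID-0 account and legacy as carrying a hash in the passwd file; on a real host, anything printed by unexpected_uid0 or hashes_in_passwd deserves a ticket.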

Environment variables

env                   # show environment variables
set                   # show shell and environment variables
echo $PATH            # PATH information
cat /etc/profile      # default system variables
cat /etc/shells       # available shells

Interesting files

find / -perm -4000 -type f 2>/dev/null 	# find SUID files
find / -uid 0 -perm -4000 -type f 2>/dev/null 	# find SUID files owned by root
find / -perm -2000 -type f 2>/dev/null 	# find SGID files
find / -perm -2 -type f 2>/dev/null 	# find world-writable files
find / ! -path "*/proc/*" -perm -2 -type f -print 2>/dev/null 	# find world-writable files excluding those in /proc
find / -perm -2 -type d 2>/dev/null 	# find world-writable directories
find / -xdev -user <user> -perm -u+w 2>/dev/null  # writable files owned by <user>
/usr/sbin/getcap -r / 2>/dev/null    # find files with capabilities

find / -maxdepth 3 -name "*.txt" 2>/dev/null  # txt files close to the root of the tree (-maxdepth goes before -name, pattern quoted)
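The SUID/SGID finds above tell you what is privileged today; the question a defender cares about is what changed. This added example (not part of the cheat sheet) wraps the same find in a function, records a baseline, and reports setuid/setgid files that appeared afterwards with comm(1). The demo tree and its file names (usr/bin/passwd, tmp/dropped, tmp/shared) are constructed; in real use point list_suid_sgid at / and keep the baseline file somewhere the host cannot rewrite it.

```shell
#!/bin/sh
# Added example (not from the original page): the page's SUID/SGID find, wrapped so
# a listing can be baselined and later diffed. A setuid binary that was not there at
# baseline time is exactly what a defender wants to be told about.

# All setuid or setgid regular files below a root (default /), sorted for comm(1).
list_suid_sgid() {
  find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Paths that are setuid/setgid now ($1 = root to scan) but absent from the baseline file ($2).
new_since_baseline() {
  list_suid_sgid "$1" | comm -13 "$2" -
}

# Constructed demo tree (not a real host): one expected setuid binary at baseline
# time, then two new privileged files that appear afterwards.
DEMO_ROOT="$(mktemp -d)"
trap 'rm -rf "$DEMO_ROOT"' EXIT
mkdir -p "$DEMO_ROOT/usr/bin" "$DEMO_ROOT/tmp"
: > "$DEMO_ROOT/usr/bin/passwd"; chmod 4755 "$DEMO_ROOT/usr/bin/passwd"   # expected, like the native list above
: > "$DEMO_ROOT/usr/bin/ls";     chmod 0755 "$DEMO_ROOT/usr/bin/ls"       # ordinary binary, must not be listed
BASELINE="$DEMO_ROOT/suid.baseline"
list_suid_sgid "$DEMO_ROOT" > "$BASELINE"

: > "$DEMO_ROOT/tmp/dropped"; chmod 4755 "$DEMO_ROOT/tmp/dropped"   # setuid file in tmp, created after the baseline
: > "$DEMO_ROOT/tmp/shared";  chmod 2755 "$DEMO_ROOT/tmp/shared"    # setgid file, also created after the baseline

echo "Baseline:"; sed 's/^/  /' "$BASELINE"
echo "New since baseline:"; new_since_baseline "$DEMO_ROOT" "$BASELINE" | sed 's/^/  /'
```

The baseline holds one path and the diff reports the two files added later. Run the same diff from a cron job or a configuration-management check and the list of native SUID binaries given earlier becomes an allow-list rather than something to rediscover by hand.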

Jobs / Scheduled tasks:

cat /etc/crontab
crontab -l -u $USER        # scheduled jobs for the given user (privileged command)

ls -la /etc/cron*          # scheduled jobs overview (hourly, daily, monthly, etc.)
cat /etc/cron* ; cat /etc/cron*/*

ls -aRl /etc/cron* | awk '$1 ~ /w.$/' 2>/dev/null   # what 'others' can write in /etc/cron* directories
top                        # list of current tasks
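The awk filter above catches world-writable entries inside /etc/cron*, but a job is just as exposed when the script it points to, somewhere else on disk, is writable by everyone. The following added example (not from the original page) parses a system crontab in /etc/crontab format, takes the command path of each job and reports it as WORLD-WRITABLE, MISSING or ok. The crontab, the scripts and the root prefix are constructed for the demo; only the first word of each command is treated as the target path, so jobs that start with a variable assignment are not resolved.

```shell
#!/bin/sh
# Added example (not from the original page): turns the checklist item
# "locate all world-writable cron jobs" into a check over a crontab's command paths.
# A root job whose script anyone can edit is the misconfiguration to report.

# Print "user command" for each job line of a system crontab (/etc/crontab format:
# five time fields, user, command; "@reboot"-style lines have a single time field).
cron_jobs() {
  awk '!/^[[:space:]]*(#|$)/ && $1 !~ /=/ {
         if ($1 ~ /^@/) { print $2, $3 } else { print $6, $7 }
       }' "$1"
}

# For each job, report whether the command's file is WORLD-WRITABLE, MISSING, or ok.
# $2 is an optional root prefix so the check can run against a copied tree.
cron_target_status() {
  cron_jobs "$1" | while read -r user cmd; do
    target="${2:-}$cmd"
    if [ ! -e "$target" ]; then
      status=MISSING
    elif [ -n "$(find "$target" -maxdepth 0 -perm -0002 2>/dev/null)" ]; then
      status=WORLD-WRITABLE
    else
      status=ok
    fi
    printf '%s\t%s\t%s\n' "$status" "$user" "$cmd"
  done
}

# Constructed demo (not a real host): a root job whose script is mode 0777, a sane
# job, and a user job pointing at a script that does not exist.
DEMO="$(mktemp -d)"
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/opt/backup" "$DEMO/usr/local/bin"
printf '#!/bin/sh\n' > "$DEMO/opt/backup/run.sh";    chmod 0777 "$DEMO/opt/backup/run.sh"    # anyone can edit a root job
printf '#!/bin/sh\n' > "$DEMO/usr/local/bin/rotate"; chmod 0755 "$DEMO/usr/local/bin/rotate"
cat > "$DEMO/crontab" <<'EOF'
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# m h dom mon dow user  command
*/5 *  * * *   root   /opt/backup/run.sh --quiet
0   3  * * *   root   /usr/local/bin/rotate
@reboot        alice  /home/alice/start.sh
EOF

cron_target_status "$DEMO/crontab" "$DEMO"
```

A MISSING target is worth a second look too: if the path sits in a directory the job's user does not own, whoever can create that file decides what the job runs.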

Applications:

ps aux                    # process list
ps axjf                   # process tree
pstree                    # process tree
dpkg -l                   # installed packages (Debian-based)
rpm -qa                   # installed packages (RPM-based)

Lateral movement

Network

Look for hosts, services and ports that are available but reachable only from the machine's local network:

cat /etc/hosts
cat /etc/resolv.conf       # DNS servers
netstat -atulpn            # current TCP/UDP connections and listeners
sudo netstat -atulpn       # sudo needed to see every PID
lsof -i                    # list open files (-i: network sockets only)
sudo lsof -i :<port>       # filter on a specific port
iptables -L                # iptables firewall rules (needs root)
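Services bound to 127.0.0.1 never show up in an external scan, which is why they are both the lateral-movement targets this section describes and the services most often missing from a hardening inventory. The added example below (not part of the cheat sheet) parses netstat -atulpn output and splits listeners into loopback-only and network-exposed. The sample output is constructed in netstat's column layout (process names and PIDs are made up), and the parser relies on that layout: UDP lines have no State column, so the PID/Program field shifts by one.

```shell
#!/bin/sh
# Added example (not from the original page): classifies the listeners in
# netstat -atulpn output into loopback-only services (reachable only from the host)
# and services exposed on a network interface.
# The sample output below is constructed in netstat's column layout, not captured from a host.

SAMPLE_NETSTAT="$(mktemp)"
trap 'rm -f "$SAMPLE_NETSTAT"' EXIT
cat > "$SAMPLE_NETSTAT" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1234/mysqld
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      987/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      1500/apache2
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED 2001/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           700/dhclient
udp        0      0 127.0.0.53:53           0.0.0.0:*                           600/systemd-resolve
EOF

# Emit "proto address port program" for every listening socket. UDP lines have no
# State column, so the PID/Program field is $6 for udp and $7 for tcp.
listeners() {
  awk '/^(tcp|udp)/ {
         udp = ($1 ~ /^udp/)
         if (!udp && $6 != "LISTEN") next          # skip established TCP sessions
         prog = udp ? $6 : $7
         addr = $4; port = $4
         sub(/:[0-9]+$/, "", addr)                  # everything before the last colon
         sub(/^.*:/, "", port)                      # digits after the last colon
         print $1, addr, port, prog
       }' "$1"
}

# Bound to 127.0.0.0/8 or ::1: invisible from the network, reachable once on the host.
loopback_listeners() {
  listeners "$1" | awk '$2 ~ /^127\./ || $2 == "::1"'
}

# Everything else (0.0.0.0, ::, or a specific interface address) is network-facing.
exposed_listeners() {
  listeners "$1" | awk '!($2 ~ /^127\./ || $2 == "::1")'
}

echo "Loopback-only services:"; loopback_listeners "$SAMPLE_NETSTAT" | sed 's/^/  /'
echo "Network-exposed services:"; exposed_listeners "$SAMPLE_NETSTAT" | sed 's/^/  /'
```

To run it against a live host, redirect `sudo netstat -atulpn` to a file and pass that file to loopback_listeners; every entry it prints is a service whose only protection is the host boundary, so it belongs in the same authentication and patching review as the exposed ones.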

Checklists

System Information:

  • [ ] Kernel and distribution release details
  • [ ] Hostname
  • [ ] Networking details:
  • [ ] Current IP
  • [ ] Default route details
  • [ ] DNS server information

User Information:

  • [ ] Current user details
  • [ ] Last logged on users
  • [ ] Shows users logged onto the host
  • [ ] List all users including uid/gid information
  • [ ] List root accounts
  • [ ] Extracts password policies and hash storage method information
  • [ ] Checks umask value
  • [ ] Checks if password hashes are stored in /etc/passwd
  • [ ] Extract full details for ‘default’ uid’s such as 0, 1000, 1001 etc
  • [ ] Attempt to read restricted files i.e. /etc/shadow
  • [ ] List current users' history files (i.e. .bash_history, .nano_history, .mysql_history, etc.)
  • [ ] Basic SSH checks

Privileged access:

  • [ ] Which users have recently used sudo
  • [ ] Determine if /etc/sudoers is accessible
  • [ ] Determine if the current user has Sudo access without a password
  • [ ] Are known ‘good’ breakout binaries available via Sudo (i.e. nmap, vim etc.)
  • [ ] Is root’s home directory accessible
  • [ ] List permissions for /home/

Environmental:

  • [ ] Display current $PATH
  • [ ] Displays env information

Jobs/Tasks:

  • [ ] List all cron jobs
  • [ ] Locate all world-writable cron jobs
  • [ ] Locate cron jobs owned by other users of the system
  • [ ] List the active and inactive systemd timers

Services:

  • [ ] List network connections (TCP & UDP)
  • [ ] List running processes
  • [ ] Lookup and list process binaries and associated permissions
  • [ ] List inetd.conf/xinetd.conf contents and associated binary file permissions
  • [ ] List init.d binary permissions

Version Information (of the following):

  • [ ] Sudo
  • [ ] MYSQL
  • [ ] Postgres
  • [ ] Apache
  • [ ] Checks user config
  • [ ] Shows enabled modules
  • [ ] Checks for htpasswd files
  • [ ] View www directories

Default/Weak Credentials:

  • [ ] Checks for default/weak Postgres accounts
  • [ ] Checks for default/weak MYSQL accounts

Searches:

  • [ ] Locate all SUID/GUID files
  • [ ] Locate all world-writable SUID/GUID files
  • [ ] Locate all SUID/GUID files owned by root
  • [ ] Locate ‘interesting’ SUID/GUID files (i.e. nmap, vim etc)
  • [ ] Locate files with POSIX capabilities
  • [ ] List all world-writable files
  • [ ] Find/list all accessible *.plan files and display contents
  • [ ] Find/list all accessible *.rhosts files and display contents
  • [ ] Show NFS server details
  • [ ] Locate *.conf and *.log files containing keyword supplied at script runtime
  • [ ] List all *.conf files located in /etc
  • [ ] Locate mail

Platform/software specific tests:

  • [ ] Checks to determine if we’re in a Docker container
  • [ ] Checks to see if the host has Docker installed
  • [ ] Checks to determine if we’re in an LXC container

Sources