1 Look Around


Last updated 2 years ago

Interesting dirs

/var/backup
/var/www/classes/
/home/bob/
/export
/var/logs
/tmp
/home/bob/.*history
/backups
/var/mail
/var/tmp
/anythingweird
/.ssh
/reports
/private

Searching Linux

--------------------
--------------------
Linux Version
>> lsb_release -a

--------------------
--------------------
Search for File inside Multiple Directories

> find /home -name .bash_history
/home/victim15/.bash_history

--------------------
--------------------
wildcards

find -name '*db*'
find -name '*.GIF'
find -iname '*.gif'
find -iname \*.gif


--------------------
--------------------
Search for a Keyword inside multiple files:

>> find /home -name .bashrc
>> find /home -name .bashrc -exec grep password {} \;
>> find . -name .bashrc -exec grep -H password {} \;   ..show the folder too

Find > cat > grep
>> find . -name .bashrc -exec cat {} \; | grep key
>> find /home/file.txt -exec cat {} \;     ..note the space before \;


--------------------
--------------------
> find . -name .zsh_history
> cat ./victim54/.zsh_history
> find . -name .zsh_history -exec cat {} \; | grep "key"

--------------------
--------------------
Grep a directory for user/pws:

grep -Ri password .
grep -Ri 'mark\|tom\|rastating\|password' * | head
-R: dereference-recursive (recurse, following symlinks)
-i: ignore case
head: display first 10 lines


--------------------
--------------------
Unusual Home Directories
> cat /etc/passwd

--------------------
--------------------
Check every profile for history 'passwd'
> find /home -name .bash_history -exec grep -A 1 '^passwd' {} \;

--------------------
--------------------
Search for Secrets in files

strings * | grep /     ..to find a single /
strings * | grep '\\'  ..to find a single \
strings * -n 8         ..only strings at least 8 chars long
strings * -e b         ..16-bit big-endian (UTF-16BE) strings
strings * -e l         ..16-bit little-endian (UTF-16LE) strings

exiftool * | grep firewall
exiftool * | grep /
exiftool * | grep '\\'


--------------------
--------------------
locate myapp
updatedb  ..if my app wasn't in the index yet
find / -name whoami
find / -name ls    ..very slow
find / -name ls &    ..spawn (jobs bg fg1)
grep root *    ..look for word 'root' in my current directory

---------------------------------------
---------------------------------------
Watch bad login attempts:
sudo tail -f /var/log/auth.log


---------------------------------------
---------------------------------------
Search for a string of 32+ non-space characters (hashes, API keys, tokens)

grep -e '[^\ ]\{32,\}' -rl /tmp/pacman/gitdir3     ..-l lists only the matching files


---------------------------------------
---------------------------------------
cat .hidden
cat 'spaces in filename'
cat data.txt | grep millionth
more myfile
file myfile

find / -user bandit
find / -user bandit 2>&1 | grep -v "Permission denied"
find / -user bandit -type f -name "pass" -print 2>/dev/null
find / -user bandit -type f -group bandit6 -size 33c -exec ls {} \;
find / -user bandit -group bandit6 -size 33c 2>&1 | grep -F -v Permission
find / -user bandit 2>&1 | grep -v "pass" | grep -v "Permission denied"   ..2>&1 goes on find, not grep
find / -user bandit -type f -print 2>/dev/null
find / -user bandit -type f -name "pass" -print 2>/dev/null

sort data.txt
sort data.txt | uniq -c  ..counter
sort data.txt | uniq -u  ..unique only

strings data.txt | sort
strings data.txt | grep "=="
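The find/grep sweeps above (keyword search across dotfiles and backups, plus the 32+ non-space-character token regex) combined into one hygiene audit that an admin can run over home directories. This is an added example, not from the original notes; the sample tree it builds under mktemp is constructed and the file contents are made up.

```shell
#!/bin/sh
# Constructed sample tree (assumption: made-up data, not from any real host)
# so the sweep below runs offline. Mirrors what the notes say to look for:
# shell history, .bashrc exports and a config backup.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/home/bob" "$root/var/backup"
  printf 'ls -la\nmysql -u root -pS3cr3t! shop\nexit\n' > "$root/home/bob/.bash_history"
  printf 'alias ll="ls -l"\nexport API_KEY=0123456789abcdef0123456789abcdef\n' > "$root/home/bob/.bashrc"
  printf '[db]\nuser = app\npassword = hunter2\n' > "$root/var/backup/app.conf.bak"
  printf 'nothing to see\n' > "$root/home/bob/notes.txt"
  echo "$root"
}

# Sweep 1: keyword pass over history files, .bashrc and *.bak (grep -H shows
# the file, -i ignores case). 2>/dev/null hides "Permission denied" noise.
# Sweep 2: the notes' token regex, 32+ non-space characters, with -o so only
# the token itself is printed. Output lines are file:hit.
sweep_secrets() {
  dir=$1
  find "$dir" -type f \( -name '.*history' -o -name '.bashrc' -o -name '*.bak' \) \
    -exec grep -HiE 'password|passwd|api_key|-p[^ ]' {} \; 2>/dev/null
  grep -rHoE '[^ ]{32,}' "$dir" 2>/dev/null
}

# Number of distinct files that produced at least one hit (for a quick report).
count_hit_files() {
  sweep_secrets "$1" | cut -d: -f1 | sort -u | wc -l | tr -d ' '
}
```

Run `sweep_secrets "$(make_sample_tree)"` to see the three files it flags; point it at /home on a real box to audit it.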

Linux Services

find / -name "*httpd*" 2>/dev/null

Example:
/usr/local/sbin/nhttpd
/usr/share/man/man8/nhttpd.8
/var/nostromo/logs/nhttpd.pid
/var/nostromo/logs/.nhttpd.pid.swp
/var/nostromo/conf/nhttpd.conf

json obfuscated

  • On screen data might be obfuscated, but there are other ways to find it!

http://xyz.libcurl.so/users/1
http://xyz.libcurl.so/users/1.js
http://xyz.libcurl.so/users/1.json

The framework will give you the JSON version of the page if you ask for it:
>> curl http://xyz.libcurl.so/users/1 -H 'Accept: application/json'

Linux SUID and Privs

Find all the SUID enabled binaries
What files I have Priv to use:

>> find / -perm -u=s 2>/dev/null
>> find / -perm -4000 2>/dev/null
>> find / -user root -perm -4000 -exec ls -ldb {} \;
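The SUID find above, turned into an inventory that can be diffed against a saved baseline so that a newly set-uid file shows up. Added example, not from the original notes; the demo tree and the fake binaries it creates under mktemp are constructed.

```shell
#!/bin/sh
# Inventory of SUID files under a root, one path per line, sorted so it can be
# compared with comm. 2>/dev/null drops "Permission denied", as in the notes.
suid_inventory() {
  find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Print only SUID files that are NOT in the (sorted) baseline file: candidates
# for a planted or recently changed binary. comm -13 keeps lines unique to
# the second input, which is the fresh inventory on stdin.
suid_new_since_baseline() {
  suid_inventory "$1" | comm -13 "$2" -
}

# Constructed demo (assumption: fake tree, not a real system): one expected
# SUID "binary" recorded in the baseline, one new SUID file hidden in tmp,
# and one normal 0755 file that must not be reported.
demo_suid_check() {
  root=$(mktemp -d)
  mkdir -p "$root/usr/bin" "$root/tmp"
  printf '#!/bin/sh\n' > "$root/usr/bin/passwd"; chmod 4755 "$root/usr/bin/passwd"
  printf '#!/bin/sh\n' > "$root/tmp/.helper";     chmod 4755 "$root/tmp/.helper"
  printf '#!/bin/sh\n' > "$root/usr/bin/ls";      chmod 0755 "$root/usr/bin/ls"
  printf '%s\n' "$root/usr/bin/passwd" > "$root/baseline.txt"
  suid_new_since_baseline "$root" "$root/baseline.txt"
}
```

On a real host save `suid_inventory /` once as the baseline and re-run `suid_new_since_baseline / baseline.txt` periodically; anything printed deserves a look.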

Network Checks

--------------------
--------------------
netstat -nap                ..all sockets with owning PID/program, listening included
netstat -alnp | grep LIST   ..see what is listening
netstat -nr                 ..routing tables
netstat -natu               ..Linux: all TCP and UDP sockets
netstat -na                 ..Windows

lsof -i        ..open network files/sockets
ps -ef         ..sometimes passwords in command lines here too
arp -a
ipconfig /displaydns   ..Windows: cached DNS lookups

sudo lsof -Pni | grep ssh
ssh is listening

--------------------
--------------------
victim monitor (Windows):
netstat -ano 1 | find ":2222" ..1: update every 1 sec

Linux Unzipping

--------------------
--------------------
file backup.tbz.gz   .. to see what 'kind' it is
gunzip backup.tbz.gz
tar -xvjf backup.tbz
cpio -idv --no-absolute-filename < backup     ..copies to/from archives
strings backupxyz | more
cat backupxyz


--------------------
--------------------
tar -zxvf data.zip ... gzip
tar -jxvf data.zip ... bzip2

file data.zip ... ASCII
xxd -r data.zip hexdata .. Convert back to hexdata
gzip -d hexdata.gz .. decompress from gzip

file hexdata .. bzip2 compressed data, block size = 900k
mv hexdata hexdata.bz2 .. rename bz
bzip2 -d hexdata.bz2 .. unzipped

file hexdata .. POSIX tar archive (GNU)
tar -xvf hexdata .. data5.bin

file data8 .. ASCII text
cat data8

--------------------
--------------------
unzip data.zip    ..fails
7z e data.zip     ..7zip works

Admin crons

crontab -l
anacron
cron.daily

> cd /etc/cron.daily
> ls 

Impersonate

su
su victim
Once you find a password for somebody, you can 'su' to their account and impersonate them.

sed tricks

  • Text Cleanup

  • Set every comma as a new line

> sed 's/,/\n/g' notes

REF:

WindowsCmdKungFu
LinuxEnum
WinEnum
OSINT
procmon