id
cat /etc/passwd
hostname
cat /etc/issue
cat /etc/os-release
uname -a
ps aux
ps -A
ps axjf
watch -n 1 "ps -aux | grep pass"
cat /proc/version
ip a
ss -anp
cat /etc/iptables/rules.v4
ls -lah /etc/cron*
crontab -l
sudo crontab -l
dpkg -l
sudo tcpdump -i lo -A | grep "pass"
{% code title="Listing all world writable directories and/or files" %}
find / -writable -type d 2>/dev/null
find / -writable -type f 2>/dev/null
{% endcode %}
{% code title="Listing content of /etc/fstab and all mounted drives" %}
cat /etc/fstab
mount
{% endcode %}
{% code title="Listing all available drives using lsblk" %}
lsblk
{% endcode %}
joe@debian-privesc:~$ lsmod
Module Size Used by
binfmt_misc 20480 1
rfkill 28672 1
sb_edac 24576 0
crct10dif_pclmul 16384 0
crc32_pclmul 16384 0
ghash_clmulni_intel 16384 0
vmw_balloon 20480 0
...
drm 495616 5 vmwgfx,drm_kms_helper,ttm
libata 270336 2 ata_piix,ata_generic
vmw_pvscsi 28672 2
scsi_mod 249856 5 vmw_pvscsi,sd_mod,libata,sg,sr_mod
i2c_piix4 24576 0
button 20480 0
{% code title="Displaying additional information about a module" %}
/sbin/modinfo libata
{% endcode %}
{% code title="Searching for SUID files" %}
find / -perm -u=s -type f 2>/dev/null
{% endcode %}
- env ### show environmental variables
- cat /etc/passwd
- While the output can be long and a bit intimidating, it can easily be cut and converted to a useful list for brute-force attacks.
- Remember that this will return all users, some of which are system or service users that would not be very useful. Another approach could be to grep for “home” as real users will most likely have their folders under the “home” directory.
- cat /etc/fstab
- history
- ifconfig
- ip route
show listening ports
ss -tulpn
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 511 127.0.0.1:8000 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:2222 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 128 [::]:2222 [::]:*
tcp LISTEN 0 511 *:80 *:*
tcp LISTEN 0 511 *:443 *:*
netstat -a
: shows all listening ports and established connections.netstat -at
ornetstat -au
can also be used to list TCP or UDP protocols respectively.netstat -l
: list ports in “listening” mode. These ports are open and ready to accept incoming connections. This can be used with the “t” option to list only ports that are listening using the TCP protocol (below)
netstat -s
: list network usage statistics by protocol (below) This can also be used with the-t
or-u
options to limit the output to a specific protocol.
netstat -tp
: list connections with the service name and PID information.
This can also be used with the -l
option to list listening ports (below)
We can see the “PID/Program name” column is empty as this process is owned by another user.
Below is the same command run with root privileges and reveals this information as 2641/nc (netcat)\
netstat -i
: Shows interface statistics. We see below that “eth0” and “tun0” are more active than “tun1”.
The netstat
usage you will probably see most often in blog posts, write-ups, and courses is netstat -ano
which could be broken down as follows;
-a
: Display all sockets-n
: Do not resolve names-o
: Display timers
- find command
find . -name flag1.txt
: find the file named “flag1.txt” in the current directoryfind /home -name flag1.txt
: find the file names “flag1.txt” in the /home directoryfind / -type d -name config
: find the directory named config under “/”find / -type f -perm 0777
: find files with the 777 permissions (files readable, writable, and executable by all users)find / -perm a=x
: find executable filesfind /home -user frank
: find all files for user “frank” under “/home”find / -mtime 10
: find files that were modified in the last 10 daysfind / -atime 10
: find files that were accessed in the last 10 dayfind / -cmin -60
: find files changed within the last hour (60 minutes)find / -amin -60
: find files accesses within the last hour (60 minutes)find / -size 50M
: find files with a 50 MB size
This command can also be used with (+) and (-) signs to specify a file that is larger or smaller than the given size.
The example above returns files that are larger than 100 MB. It is important to note that the “find” command tends to generate errors which sometimes makes the output hard to read. This is why it would be wise to use the “find” command with “-type f 2>/dev/null” to redirect errors to “/dev/null” and have a cleaner output (below).
\
Folders and files that can be written to or executed from:
find / -writable -type d 2>/dev/null
: Find world-writeable foldersfind / -perm -222 -type d 2>/dev/null
: Find world-writeable foldersfind / -perm -o w -type d 2>/dev/null
: Find world-writeable folders
The reason we see three different “find” commands that could potentially lead to the same result can be seen in the manual document. As you can see below, the perm parameter affects the way “find” works.
\
find / -perm -o x -type d 2>/dev/null
: Find world-executable folders
Find development tools and supported languages:
find / -name perl*
find / -name python*
find / -name gcc*
Find specific file permissions:
Below is a short example used to find files that have the SUID bit set. The SUID bit allows the file to run with the privilege level of the account that owns it, rather than the account which runs it. This allows for an interesting privilege escalation path,we will see in more details on task 6. The example below is given to complete the subject on the “find” command.
find / -perm -u=s -type f 2>/dev/null
: Find files with the SUID bit, which allows us to run the file with a higher privilege level than the current user.
root@DANTE-WEB-NIX01:~# for i in {1..255} ;do (ping -c 1 172.16.1.$i | grep "bytes from"|cut -d ' ' -f4 | tr -d ':' &);done
<rep "bytes from"|cut -d ' ' -f4 | tr -d ':' &);done
172.16.1.5
172.16.1.10
172.16.1.12
172.16.1.13
172.16.1.17
172.16.1.19
172.16.1.20
172.16.1.100
172.16.1.101
172.16.1.102
#!/bin/bash
host=10.5.5.11
for port in {1..65535}; do
timeout .1 bash -c "echo >/dev/tcp/$host/$port" &&
echo "port $port is open"
done
echo "Done"