🍫Information Gathering
Environment Enumeration
Here are some basic commands to get a better understanding of the machine ->
whoami
id
hostname
ifconfig
sudo -l
Here is the command to chech our OS ->
Next step is to check out our current user's PATH, which is where the Linux system looks every time a command is executed for any executables to match the name of what we type
We also need to check out all environment variables that are set for our current user
Next we need to check if we're running a vulnerable Kernel version
What login shells exist on the server
we can take a look at the drives and any shares on the system. If we discover and can mount an additional drive or unmounted file system, we may find sensitive files, passwords, or backups
The command lpstat
can be used to find information about any printers attached to the system.
We can try grepping for common words such as password, username, credential, etc in /etc/fstab
We can Check out the routing table by typing route
or netstat -rn
to get all the users ->
check which users have login shells ->
View mounted file systems ->
view unmounted file systems:
check all hidden files ->
All hidden directories ->
check all tmp files ->
Enumerate the Linux environment and look for interesting files that might contain sensitive data. Submit the flag as the answer.
Linux Services & Internals Enumeration
Here are some questions we can ask ourselves when enumerating:
What services and applications are installed?
What services are running?
What sockets are in use?
What users, admins, and groups exist on the system?
Who is current logged in? What users recently logged in?
What password policies, if any, are enforced on the host?
Is the host joined to an Active Directory domain?
What types of interesting information can we find in history, log, and backup files
Which files have been modified recently and how often? Are there any interesting patterns in file modification that could indicate a cron job in use that we may be able to hijack?
Current IP addressing information
Anything interesting in the
/etc/hosts
file?Are there any interesting network connections to other systems in the internal network or even outside the network?
What tools are installed on the system that we may be able to take advantage of? (Netcat, Perl, Python, Ruby, Nmap, tcpdump, gcc, etc.)
Can we access the
bash_history
file for any users and can we uncover any thing interesting from their recorded command line history such as passwords?Are any Cron jobs running on the system that we may be able to hijack?
Network Interfaces
We can start to look at the network interfaces to see if we're dual homed with the following command ->
Then we can look in the /etc/hosts file ->
Then we can check out each user's last login time to try to see when users typically log in to the system and how frequently.
It is also important to check a user's bash history, as they may be passing passwords as an argument on the command line, working with git repositories, setting up cron jobs, and more.
we can also find special history files created by scripts or programs. This can be found, among others, in scripts that monitor certain activities of users
It's also a good idea to check for any cron jobs on the system. Cron jobs on Linux systems are similar to Windows scheduled tasks.
The proc filesystem (proc
/ procfs
) is a particular filesystem in Linux that contains information about system processes, hardware, and other system information. It is the primary way to access process information and can be used to view and modify kernel settings.
If it is a slightly older Linux system, the likelihood increases that we can find installed packages that may already have at least one vulnerability. to check installed packages ->
always a classic to look at sudo version ->
Occasionally it can also happen that no direct packages are installed on the system but compiled programs in the form of binaries. Then we can hop on GTFObins to see which one we can exploit
We can use the diagnostic tool strace
on Linux-based operating systems to track and analyze system calls and signal processing. It allows us to follow the flow of a program and understand how it accesses system resources, processes signals, and receives and sends data from the operating system
we can try to read almost all configuration files on a Linux operating system if the administrator has kept them the same.
To discover scripts ->
To check if it is a script created by the administrator in his path and whose rights have not been restricted, we can run it without going into the root
directory.
Credential Hunting
When enumerating a system, it is important to note down any credentials. These may be found in configuration files (.conf
, .config
, .xml
, etc.), shell scripts, a user's bash history file, backup (.bak
) files, within database files or even in text files
The /var directory typically contains the web root for whatever web server is running on the host. The web root may contain database credentials or other types of credentials that can be leveraged to further access.
If we take for example a wordpress MYSQL db ->
The spool or mail directories, if accessible, may also contain valuable information or even credentials.
SSH Keys
Whenever finding SSH keys check the known_hosts
file to find targets. This file contains a list of public keys for all the hosts which the user has connected to in the past and may be useful for lateral movement or to find data on a remote host that can be used to perform privilege escalation on our target.
Last updated