Linux Post-Exploitation Techniques
Okay, let’s start getting more granular! In the last two posts, I detailed the following:
If you have not read through those yet, I suggest you do so as we’re going to build from this basic knowledge base.
Today, we’re going to look at the post-exploitation basics on Linux systems. Essentially, I am going to give an overview of what I do when I pop a shell on a Linux system in order to enumerate and check for privilege escalation paths. It should go without saying that if you pop a shell as root, there’s no need for this but the chances of you getting a root shell are shit so, here we go!
[hr]
Pseudo Terminal w/ Auto-Completion:
You’ve got a reverse shell of some sort. Our first job is to make it easier to get around. When you get a reverse shell, it probably doesn’t have a prompt or auto-completion. The first steps are to make the shell more accommodating to you, the attacker. I start by checking if the host has Python installed; if it doesn’t, you’re kind of shit out of luck for this ‘hack’.
[sourcecode language="bash" wraplines="false" collapse="false"]
# Check whether Python is installed (prints its path if it is)
which python
# Gives us a full pseudo-terminal
python -c 'import pty; pty.spawn("/bin/bash");'
[/sourcecode]
We have a pseudo-terminal but no auto-completion. In order to get auto-completion, we need to put in a bit more work. Below is the simple process for getting shell auto-completion.
[sourcecode language="bash" wraplines="false" collapse="false"]
# Background the current shell with Ctrl-Z, then, in your local terminal:
stty raw -echo
# Bring the backgrounded shell back to the foreground
fg
[/sourcecode]
If you are confused by any of the above and learn from seeing/doing, @IppSec uses this method in almost every video of his. Here is a clip of one of those videos detailing the process. If you want to dig more into upgrading your shells, here is a well-written guide on upgrading shells by @ropnop.
[hr]
Check for Low Hanging Fruit:
Enumerate misconfigurations and the ability to read & write to files that should be locked down! Permission enumeration of files and directories that will prove useful to us! These are things we can easily do with simple commands. Anything that gets more labor intensive shall be scripted.
- Check for sudo rights and check what you can run as sudo.
- View the permissions on /etc/passwd and /etc/shadow (Can you read, write, etc).
- See if there are any cron jobs running.
- Verify permissions of the home directories.
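The same four checklist items from the administrator's side, as an added example that is not part of the original post: it audits a system (or a copy of its /etc and /home) for loose file modes and passwordless sudo rules. The function names and the baseline modes (644, 640, 755, 750) are assumptions of this example, and it needs GNU stat.

```shell
#!/bin/sh
# Added example: audit the checklist items above from the administrator's side.
# Needs GNU stat (Linux). Function names and baseline modes are assumptions.

# excess_bits PATH MAX -> octal permission bits PATH grants beyond MAX ("0" if none)
excess_bits() {
    mode=$(stat -c '%a' "$1") || return 2
    printf '%o\n' $(( 0$mode & ~0$2 & 07777 ))
}

# check PATH MAX -> print one FINDING line when PATH is looser than MAX
check() {
    [ -e "$1" ] || return 0    # absent file or unmatched glob: nothing to audit
    extra=$(excess_bits "$1" "$2") || return 0
    if [ "$extra" != 0 ]; then
        echo "FINDING: $1 has mode $(stat -c '%a' "$1"), baseline $2 (extra bits $extra)"
    fi
}

# sudo_nopasswd ROOT -> print active (uncommented) NOPASSWD rules in sudoers files
sudo_nopasswd() {
    for f in "$1/etc/sudoers" "$1"/etc/sudoers.d/*; do
        [ -f "$f" ] || continue
        grep -n 'NOPASSWD' "$f" | grep -v '^[0-9]*:[[:space:]]*#' |
            while IFS= read -r rule; do echo "FINDING: $f:$rule"; done
    done
    return 0
}

# audit_tree ROOT -> run every check under ROOT ("" audits the live system, as root)
audit_tree() {
    check "$1/etc/passwd" 644     # no write access for group or other
    check "$1/etc/shadow" 640     # never readable by "other"
    check "$1/etc/crontab" 644
    for f in "$1"/etc/cron.d/* "$1"/etc/cron.daily/*; do check "$f" 755; done
    for d in "$1"/home/*; do
        if [ -d "$d" ]; then check "$d" 750; fi
    done
    sudo_nopasswd "$1"
}
```

Each `FINDING` line names the path and the permission bits beyond the baseline; the checks look at modes only, so file ownership still needs a separate review.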
[hr]
Downloading Scripts to the Exploited Box:
A common issue for infosec noobs (I’m still a noob, no disrespect!) is how to get all the scripts/programs necessary for enumeration to the exploited machine. There are several ways of doing this, my favorite happens to be a Web Server. I’m going to show you two methods of downloading the scripts/exploits you need to the exploited machine.
- Simple HTTP Server [Python]: This is a really simple way of standing up a web server in any directory you want. This module comes stock when you download and install Python, so there’s no need for any set-up.
[sourcecode language="bash" wraplines="false" collapse="false"]
# Start the Simple HTTP Server (Python 2):
python -m SimpleHTTPServer [port]
# Python 3 equivalent: python3 -m http.server [port]
[/sourcecode]
  - Start the server on your Kali machine.
  - Download LinEnum.sh using wget.
  - We can further validate that LinEnum.sh was downloaded by looking back at the SimpleHTTPServer output.
- Apache2 Server: Apache is pre-installed on your Kali machine; if it is missing, you can easily install it with apt-get install apache2. The big difference here is that you will have to work out of /var/www/html, whereas with the SimpleHTTPServer you can choose wherever you want.
  - Start an Apache2 instance.
  - Download the script.
[hr]
I’ll continue on from here in the second part of Linux Enumeration since this post is getting a bit long. If you have any questions/concerns or want to give some advice, feel free to leave a comment, shoot me an email, or contact me on Twitter @JFaust0. Cheers!