Enumeration

A good enumeration helps in finding the right escalation technique

After gaining access to the system, enumeration is key to know the right exploitation/privilege escalation technique.

Finding host names

Using the hostname command, we can find the host name associated with the target system.

hostname

$ hostname
wade7363

Although this value can easily be changed or have a relatively meaningless string (e.g. Ubuntu-3487340239), in some cases, it can provide information about the target system’s role within the corporate network (e.g. SQL-PROD-01 for a production SQL server).

Kernel details using uname

The uname command will print system information giving us additional detail about the kernel used by the system. This will be useful when searching for any potential kernel vulnerabilities that could lead to privilege escalation.

uname -a

Linux wade7363 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

Information from the proc file system

The proc file system (procfs) provides information about the target system processes.

cat /proc/version

Linux version 3.13.0-24-generic (buildd@panlong) (gcc version 4.8.2 (Ubuntu 4.8.2-19ubuntu1) ) #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014

Finding system information from /etc/issue

Systems can also be identified by looking at the /etc/issue file. This file usually contains some information about the operating system but can easily be customized or changed.

cat /etc/issue

Ubuntu 14.04 LTS \n \l

List of available shells by command-line

The /etc/shells file contains the available shells in the target.

cat /etc/shells

# /etc/shells: valid login shells
/bin/sh
/bin/dash
/bin/bash
/bin/rbash

Using the ps command

The ps command is an effective way to see the running processes on a Linux system.

ps -el       # View all running processes with all identifiers

ps -el
F S   UID   PID  PPID  C PRI  NI ADDR SZ WCHAN  TTY          TIME CMD
4 S     0     1     0  0  80   0 -  8411 poll_s ?        00:00:01 init
1 S     0     2     0  0  80   0 -     0 kthrea ?        00:00:00 kthreadd
1 S     0     3     2  0  80   0 -     0 smpboo ?        00:00:00 ksoftirqd/0
1 S     0     5     2  0  60 -20 -     0 worker ?        00:00:00 kworker/0:0H
1 S     0     6     2  0  80   0 -     0 worker ?        00:00:00 kworker/u30:0
1 S     0     7     2  0  80   0 -     0 rcu_gp ?        00:00:00 rcu_sched

ps -A       # View all running processes

  PID TTY          TIME CMD
    1 ?        00:00:01 init
    2 ?        00:00:00 kthreadd
    3 ?        00:00:00 ksoftirqd/0
    5 ?        00:00:00 kworker/0:0H
    6 ?        00:00:00 kworker/u30:0
    7 ?        00:00:00 rcu_sched

ps axjf    # View process tree

PPID   PID  PGID   SID TTY      TPGID STAT   UID   TIME COMMAND
   1   914   914   914 tty2       914 Ss+      0   0:00 /sbin/getty -8 38400 tty2
    1   915   915   915 tty3       915 Ss+      0   0:00 /sbin/getty -8 38400 tty3
    1   917   917   917 ?           -1 Ssl      0   0:00 /usr/bin/amazon-ssm-agent
  917  1184  1184   917 ?           -1 Sl       0   0:00  \_ /usr/bin/ssm-agent-wrkr
    1   918   918   918 ?           -1 Ssl      0   0:00 NetworkManager
    1   920   920   920 tty6       920 Ss+      0   0:00 /sbin/getty -8 38400 tty6
    1   953   953   953 ?           -1 Ss     106   0:00 /usr/sbin/kerneloops
    1   974   974   974 ?           -1 Ss       0   0:00 /usr/sbin/sshd -D
  974  1540  1540  1540 ?           -1 Ss       0   0:00  \_ sshd: karen [priv]  
 1540  1641  1540  1540 ?           -1 R     1001   0:00      \_ sshd: karen@pts/4

The aux option will show processes for all users (a), display the user that launched the process (u), and show processes that are not attached to a terminal (x).

ps aux

USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.2  33644  2800 ?        Ss   14:31   0:01 /sbin/init
root         2  0.0  0.0      0     0 ?        S    14:31   0:00 [kthreadd]
root         3  0.0  0.0      0     0 ?        S    14:31   0:00 [ksoftirqd/0]
root       918  0.0  0.7 361536  7604 ?        Ssl  14:31   0:00 NetworkManager
kernoops   953  0.0  0.0  37144  1008 ?        Ss   14:31   0:00 /usr/sbin/kerneloops
root       974  0.0  0.2  61364  3028 ?        Ss   14:31   0:00 /usr/sbin/sshd -D
whoopsie  1107  0.0  0.5 371672  5312 ?        Ssl  14:31   0:00 whoopsie

Dumping Environment variables

The env command dumps all the environment variables available in the current shell session.

env

MAIL=/var/mail/karen
USER=karen
SSH_CLIENT=10.17.30.161 38138 22
HOME=/home/karen
SSH_TTY=/dev/pts/4
QT_QPA_PLATFORMTHEME=appmenu-qt5
LOGNAME=karen
TERM=xterm-256color
XDG_SESSION_ID=1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
XDG_RUNTIME_DIR=/run/user/1001
LANG=en_US.UTF-8
SHELL=/bin/sh
PWD=/
SSH_CONNECTION=10.17.30.161 38138 10.10.14.143 22

The PATH variable may have a compiler or a scripting language (e.g. Python) that could be used to run code on the target system or leveraged for privilege escalation.

The sudo -l for Finding commands that the user can run with root privileges

The target system may be configured to allow users to run some (or all) commands with root privileges. The sudo -l command can be used to list all commands your user can run using sudo.

sudo -l

Matching Defaults entries for fvalkyrie on faraday:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User fvalkyrie may run the following commands on faraday:
    (ALL : ALL) ALL

Finding User Id and Group Id

The id command will provide a general overview of the user’s privilege level and group memberships. The id command can also be used to obtain the same information for another user.

id

uid=1001(karen) gid=1001(karen) groups=1001(karen)

id matt

uid=1000(matt) gid=1000(matt) groups=1000(matt),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare)

Infamous /etc/passwd

The /etc/passwd can be use to dump out user information and their access levels.

cat /etc/passwd

speech-dispatcher:x:110:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh
avahi:x:111:117:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
lightdm:x:112:118:Light Display Manager:/var/lib/lightdm:/bin/false
colord:x:113:121:colord colour management daemon,,,:/var/lib/colord:/bin/false
hplip:x:114:7:HPLIP system user,,,:/var/run/hplip:/bin/false
pulse:x:115:122:PulseAudio daemon,,,:/var/run/pulse:/bin/false
matt:x:1000:1000:matt,,,:/home/matt:/bin/bash
karen:x:1001:1001::/home/karen:
sshd:x:116:65534::/var/run/sshd:/usr/sbin/nologin

This can be refined to find just the user names using:

cat /etc/passwd | cut -d ":" -f 1

saned
whoopsie
speech-dispatcher
avahi
lightdm
colord
hplip
pulse
matt
karen
sshd

Another approach is to grep for home in the results.

cat /etc/passwd | grep home

matt:x:1000:1000:matt,,,:/home/matt:/bin/bash
karen:x:1001:1001::/home/karen:

Understanding /etc/passwd format

The /etc/passwd file contains one entry per line for each user (user account) of the system. All fields are separated by a colon : symbol. Total of seven fields as follows. Generally, /etc/passwd file entry looks as follows:

 test:x:0:0:root:/root:/bin/bash

[as divided by colon (:)]

1. Username: It is used when user logs in. It should be between 1 and 32 characters in length.

2. Password: An x character indicates that encrypted password is stored in /etc/shadow file. Please note that you need to use the passwd command to compute the hash of a password typed at the CLI or to store/update the hash of the password in /etc/shadow file, in this case, the password hash is stored as an x.

3. User ID (UID): Each user must be assigned a user ID (UID). UID 0 (zero) is reserved for root and UIDs 1-99 are reserved for other predefined accounts. Further UID 100-999 are reserved by system for administrative and system accounts/groups.

4. Group ID (GID): The primary group ID (stored in /etc/group file)

5. User ID Info: The comment field. It allow you to add extra information about the users such as user’s full name, phone number etc. This field use by finger command.

6. Home directory: The absolute path to the directory the user will be in when they log in. If this directory does not exists then users directory becomes / .

7. Command/shell: The absolute path of a command or shell (/bin/bash). Typically, this is a shell. Please note that it does not have to be a shell.

Find users belonging to root group

cat /etc/passwd | grep ":*:0"

root:x:0:0:root:/root:/bin/bash
user7:x:1006:0:user7,,,:/home/user7:/bin/bash
new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash

Dumping Session history

The history command can be useful for finding secret keys and useful credentials within the shell session.

history

history
    5  sudo apt-get upgrade
    7  $ sudo add-apt-repository ppa:yannubuntu/boot-repair && sudo apt update\n$ sudo apt install -y boot-repair && boot-repair\n$ sudo reboot
    9  lscpu
   10  nvidia-smi

Confirm target as pivoting point and find adjacent machines

The target system may be a pivoting point to another network. The ifconfig command will give us information about the network interfaces of the system.

ifconfig

eth0      Link encap:Ethernet  HWaddr 02:4b:e9:0b:4c:63  
          inet addr:10.10.14.143  Bcast:10.10.255.255  Mask:255.255.0.0
          inet6 addr: fe80::4b:e9ff:fe0b:4c63/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:9001  Metric:1
          RX packets:776 errors:0 dropped:0 overruns:0 frame:0
          TX packets:767 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:66352 (66.3 KB)  TX bytes:153955 (153.9 KB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:133 errors:0 dropped:0 overruns:0 frame:0
          TX packets:133 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:9505 (9.5 KB)  TX bytes:9505 (9.5 KB)

Use the ip route command to see which network routes exist.

ip route

default via 10.10.0.1 dev eth0 
10.10.0.0/16 dev eth0  proto kernel  scope link  src 10.10.14.143 
169.254.0.0/16 dev eth0  scope link  metric 1000 

Looking into existing communications

Using the netstat command we can have information about the existing communications.

netstat -a

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 *:ssh                   *:*                     LISTEN     
tcp        0      0 localhost:ipp           *:*                     LISTEN     
tcp        0      1 ip-10-10-81-154.e:37517 ubuntu-mirror-2.ps:http SYN_SEN

netstat -at     # t is for TCP. Can be used with u to show UDP connections

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 *:ssh                   *:*                     LISTEN     
tcp        0      0 localhost:ipp           *:*                     LISTEN   

To find all the listening ports we can use -l which list ports in “listening” mode. These ports are open and ready to accept incoming connections. This can be used with the t option to list only ports that are listening using the TCP protocol.

netstat -l    # lists all listening processes

netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 *:ssh                   *:*                     LISTEN     
tcp        0      0 localhost:ipp           *:*                     LISTEN     
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN     
tcp6       0      0 ip6-localhost:ipp       [::]:*                  LISTEN
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     10074    /tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     10513    /var/run/cups/cups.sock
unix  2      [ ACC ]     STREAM     LISTENING     10073    @/tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     11311    /run/user/112/puls

To get the network usage statistics we can use the -s flag with -t or -u

netstat -st

Tcp:
    97 active connections openings
    3 passive connection openings
    52 failed connection attempts
    0 connection resets received
    1 connections established
    538 segments received
    469 segments send out
    70 segments retransmited
    0 bad segments received.
    52 resets sent
UdpLite:
TcpExt:
    2 TCP sockets finished time wait in fast timer
    5 delayed acks sent
    Quick ack mode was activated 1 times
    17 packet headers predicted
    82 acknowledgments not containing data payload received
    142 predicted acknowledgments
    13 other TCP timeouts
    1 DSACKs sent for old packets
    TCPRcvCoalesce: 3

To know about the interface statistics, like eth0 or tun0, we can use the -i flag.

netstat -i

Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       9001 0       683      0      0 0           699      0      0      0 BMRU
lo        65536 0       125      0      0 0           125      0      0      0 LRU

The super command used by most is -ano which means -a Display all sockets -n Do not resolve names -o Display timers and -p to show the PID.

netstat -anop

Using the Find command

The find command can be used to find some fascinating files.

Find development tools or languages of help

find / -name perl*
find / -name python*
find / -name gcc*

Find a simple file in current directory

find . -name flag*.txt 2>/dev/null

Search the entire target for a file

find / -name flag*.txt 2>/dev/null

Find a directory in the target

find / -type d -name config 2>/dev/null

Find files that are readable, writable, and executable by all users

find / -type f -perm 0777 2>/dev/null

Find executables

find / -perm a=x 2>/dev/null

Find all files under /home directory for a particular user

find /home -user frank 2>/dev/null

Find files modified by time index and size

find / -mtime 10             # find files that were modified in the last 10 days
find / -atime 10             # find files that were accessed in the last 10 day
find / -cmin -60             # find files changed within the last hour (60 minutes)
find / -amin -60             # find files accesses within the last hour (60 minutes)
find / -size 50M             # find files with a 50 MB size

Find world-writable folders

find / -writable -type d 2>/dev/null
find / -perm -222 -type d 2>/dev/null
find / -perm -o w -type d 2>/dev/null

Find world executable folders

find / -perm -o x -type d 2>/dev/null

Find Files with SUID set

find / -perm -u=s -type f 2>/dev/null

Find all scheduled scripts using crontab

Cron jobs are typically located in the spool directories. They are stored in tables called crontabs. The cron jobs or schedules scripts can be viewed by using the crontab command.

crontab -l

But sometimes the above command may be disabled for a user.

In such situations, we can find them in /var/spool/cron/crontabs. The tables contain the cron jobs for all users, except the root user.

cat /var/spool/cron/crontabs

We can dump the contents of the /etc/crontab file which stores the root user cron job details (also known as system-wide crontabs).

cat /etc/crontab

# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
*/5  *    * * * root    /home/user4/Desktop/autoscript.sh
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#

Check if you are in a container environment

1. Check for the /proc/1/cgroup file:

   • Run the following command:

     cat /proc/1/cgroup

   • If you see output that contains /docker/, /lxc/, or /kubepods/, it's likely that you are in a container. The exact string may vary depending on the container runtime being used (e.g., Docker, LXC, or Kubernetes).

2. Inspect the hostname:

   • Run the hostname command to check the hostname of the system.

   • Container hostnames often have a random or autogenerated name, which may indicate that you are in a container.

3. Examine the process tree:

   • Run the pstree -a command to view the process tree.

   • If the process tree looks isolated with only a few processes and lacks the typical system services, it might be a sign that you are in a container.

4. Check for container-specific environment variables:

   • Run env to list environment variables.

   • Some containers set specific environment variables (e.g., DOCKER_CONTAINER, KUBERNETES_POD_NAME, KUBERNETES_SERVICE_HOST, etc.) that can indicate containerization.

5. Look for container runtime commands:

   • Check if Docker, Podman, or another container runtime is installed and running on the system:

     docker --version
     podman --version

6. Inspect the filesystem:

   • Check the file system structure for signs of a container runtime's file layout. For example, Docker containers may have files in /var/lib/docker.

7. Examine network configuration:

   • Check the network configuration using commands like ifconfig, ip a, or docker network ls. Containers often have isolated network namespaces.

8. Check for limited access to system resources:

   • Containers are typically isolated and have limited access to system resources. You can check resource limitations using tools like ulimit or cat /proc/<PID>/cgroup.

Automatic Enumeration Scripts

• LinPEAS

LinPEAS is a part of the PEASS project (https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS)

chmod +x linpeas.sh       #The /tmp directory is the best choice as it doesn't restrict execution
./linpeas.sh 

• LinEnum

• LinuxExploitSuggestor2

• enum4linux

enum4linux -A <IP_ADDR>