Enumeration

OS Version

  • Knowing the distribution will give an idea of the types of tools that may be available
  • Identify the OS version, for which there may be public exploits available

Kernel Version

  • There may be public exploits that target a vulnerability in a specific kernel version

Running Services

  • A misconfigured or vulnerable service running as root can be an easy win for privilege escalation
  • Flaws have been discovered in many common services such as Nagios, Exim, Samba, ProFTPd, etc.

List current processes

neutron@kali[/kali]$ ps aux | grep root

root         1  1.3  0.1  37656  5664 ?        Ss   23:26   0:01 /sbin/init
root         2  0.0  0.0      0     0 ?        S    23:26   0:00 [kthreadd]
root         3  0.0  0.0      0     0 ?        S    23:26   0:00 [ksoftirqd/0]
<SNIP>

Installed Packages and Versions

  • Important to check for any out-of-date or vulnerable packages that may be easily leveraged for privilege escalation

Logged in Users

  • Knowing which other users are logged into the system and what they are doing can give greater insight into possible local lateral movement and privilege escalation paths

List current processes

neutron@kali[/kali]$ ps au

USER            PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root            1256  0.0  0.1  65832  3364 tty1     Ss   23:26   0:00 /bin/login --
cliff.moore     1322  0.0  0.1  22600  5160 tty1     S    23:26   0:00 -bash
shared          1367  0.0  0.1  22568  5116 pts/0    Ss   23:27   0:00 -bash
root            1384  0.0  0.1  52700  3812 tty1     S    23:29   0:00 sudo su
root            1385  0.0  0.1  52284  3448 tty1     S    23:29   0:00 su
root            1386  0.0  0.1  21224  3764 tty1     S+   23:29   0:00 bash
shared          1397  0.0  0.1  37364  3428 pts/0    R+   23:30   0:00 ps au

User Home Directories

  • Are other users' home directories accessible?
  • User home folders may also contain SSH keys that can be used to access other systems or scripts and configuration files containing credentials.
  • Not uncommon to find files containing credentials that can be leveraged to access other systems or even gain entry into the Active Directory environment.

Bash History

neutron@kali[/kali]$ history

    1  id
    2  cd /home/cliff.moore
    3  exit
    4  touch backup.sh
    5  tail /var/log/apache2/error.log
    6  ssh [email protected]
    7  history

Sudo Privileges

  • Can the user run any commands either as another user or as root?
  • Often sudoer entries include NOPASSWD, meaning that the user can run the specified command without being prompted for a password
  • Not uncommon to gain access as a user with full sudo privileges
  • sudo su will immediately give a root session

Sudo - List User's Privileges

neutron@kali[/kali]$ sudo -l

Matching Defaults entries for sysadm on NIX02:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User sysadm may run the following commands on NIX02:
    (root) NOPASSWD: /usr/sbin/tcpdump
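Added example, not part of the original notes: a small parser that turns the text output of sudo -l (read from stdin) into one line per entry, tagged NOPASSWD or PASSWD, so that password-less entries can be reviewed or fed into an inventory. The sample input is the sudo -l output shown above plus one constructed password-protected entry to exercise the other branch; the hostname, user and systemctl commands in it are illustrative only.

```shell
#!/bin/sh
# Added example, not part of the original notes: structure `sudo -l` output.
# Each command entry becomes "TAG|RUNAS|COMMAND", where TAG is NOPASSWD when
# the entry carries that tag and PASSWD otherwise.

parse_sudo_l() {
    awk '
        /^[[:space:]]*\(/ {
            line = $0
            sub(/^[[:space:]]*\(/, "", line)        # drop the leading "("
            runas = line
            sub(/\).*/, "", runas)                  # text inside the parentheses
            sub(/^[^)]*\)[[:space:]]*/, "", line)   # everything after ")"
            tag = "PASSWD"
            if (line ~ /NOPASSWD:/) {
                tag = "NOPASSWD"
                sub(/.*NOPASSWD:[[:space:]]*/, "", line)
            }
            n = split(line, cmds, /,[[:space:]]*/)  # entries may list several commands
            for (i = 1; i <= n; i++) print tag "|" runas "|" cmds[i]
        }
    '
}

# Keep only the entries that run without a password prompt.
nopasswd_entries() {
    parse_sudo_l | grep '^NOPASSWD|'
}

# Constructed sample: the sudo -l output from the notes above, plus one
# password-protected entry (illustrative commands) to show the PASSWD tag.
SAMPLE_SUDO_L='Matching Defaults entries for sysadm on NIX02:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User sysadm may run the following commands on NIX02:
    (root) NOPASSWD: /usr/sbin/tcpdump
    (root) /usr/bin/systemctl restart apache2, /usr/bin/systemctl status apache2'

printf '%s\n' "$SAMPLE_SUDO_L" | parse_sudo_l
```

Entries of the form (ALL : ALL) ALL are handled the same way, with the whole parenthesised text kept as the RUNAS field. On a live system the functions are fed with sudo -l | parse_sudo_l.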

Configuration Files

  • Can hold a wealth of information
  • Search for .conf and .config, for usernames, passwords, and other secrets

Readable Shadow File

  • If the shadow file is readable, you will be able to gather password hashes for all users who have a password set
  • These hashes can be subjected to an offline brute-force attack

Password Hashes in /etc/passwd

  • Occasionally, password hashes are stored directly in the /etc/passwd file
  • Can be subjected to an offline password cracking attack
  • Can sometimes be seen on embedded devices and routers
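Added example, not part of the original notes: audit helpers for the two findings above (a readable shadow file and hashes or empty password fields kept directly in passwd). The functions take file paths, so they can be pointed at a copy of the real files or at the constructed sample created below; the user names and the hash value in the sample are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit password stores.

# Print users whose password field holds a hash instead of one of the markers
# "x" (hash lives in /etc/shadow), "*" or "!" (locked, no password usable).
passwd_hashes_in_file() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "!" && $2 != "" { print $1 }' "$1"
}

# Print users whose password field is empty (no password required at all).
empty_password_users() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Return 0 if the path is readable by "other" according to its mode bits.
# ls -l is used instead of stat so the check does not depend on GNU options.
world_readable() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ???????r??) return 0 ;;
        *)          return 1 ;;
    esac
}

# Report all three conditions for a passwd file ($1) and a shadow file ($2).
# Prints one FINDING line per problem; returns 1 if anything was found.
audit_password_stores() {
    rc=0
    for user in $(passwd_hashes_in_file "$1"); do
        echo "FINDING: hash stored directly in $1 for user $user"
        rc=1
    done
    for user in $(empty_password_users "$1"); do
        echo "FINDING: empty password field in $1 for user $user"
        rc=1
    done
    if world_readable "$2"; then
        echo "FINDING: $2 is world-readable"
        rc=1
    fi
    return $rc
}

# Constructed sample files (the hash value is a placeholder, not a real hash).
make_sample_files() {
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
legacy:$6$PLACEHOLDER$NOTAREALHASH:1001:1001::/home/legacy:/bin/sh
guest::1003:1003::/home/guest:/bin/sh
cliff.moore:x:1002:1002::/home/cliff.moore:/bin/bash
EOF
    printf 'root:!:19000:0:99999:7:::\n' > "$d/shadow"
    chmod 644 "$d/shadow"          # deliberately too permissive for the demo
    echo "$d"
}

sample=$(make_sample_files)
audit_password_stores "$sample/passwd" "$sample/shadow" || echo "review needed"
rm -rf "$sample"
```

On a real host the expected state is /etc/shadow with mode 640 (or 600) owned by root, and every passwd entry carrying x in the second field; anything else the script prints is worth a ticket.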

Cron Jobs

  • Similar to Windows scheduled tasks
  • Often set up to perform maintenance and backup tasks
  • With other misconfigurations such as relative paths or weak permissions, they can be leveraged to escalate privileges when the scheduled cron job runs

neutron@kali[/kali]$ ls -la /etc/cron.daily/

total 60
drwxr-xr-x  2 root root 4096 Aug 30 23:49 .
drwxr-xr-x 93 root root 4096 Aug 30 23:47 ..
-rwxr-xr-x  1 root root  376 Mar 31  2016 apport
-rwxr-xr-x  1 root root 1474 Sep 26  2017 apt-compat
-rwx--x--x  1 root root  379 Aug 30 23:49 backup
-rwxr-xr-x  1 root root  355 May 22  2012 bsdmainutils
-rwxr-xr-x  1 root root 1597 Nov 27  2015 dpkg
-rwxr-xr-x  1 root root  372 May  6  2015 logrotate
-rwxr-xr-x  1 root root 1293 Nov  6  2015 man-db
-rwxr-xr-x  1 root root  539 Jul 16  2014 mdadm
-rwxr-xr-x  1 root root  435 Nov 18  2014 mlocate
-rwxr-xr-x  1 root root  249 Nov 12  2015 passwd
-rw-r--r--  1 root root  102 Apr  5  2016 .placeholder
-rwxr-xr-x  1 root root 3449 Feb 26  2016 popularity-contest
-rwxr-xr-x  1 root root  214 May 24  2016 update-notifier-common
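Added example, not part of the original notes: an audit of the scripts in a cron directory for the two weaknesses named above, write access for group or other, and commands invoked by bare name (which resolve through whatever PATH cron supplies instead of a fixed location). It runs against a constructed directory with one careless and one careful script; the script names, paths and commands in the sample are illustrative only.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit cron scripts.

# Return 0 if the path is writable by group or other (mode bits read from
# ls -l, so no GNU stat is needed).
writable_by_others() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ?????w????|????????w?) return 0 ;;
        *)                     return 1 ;;
    esac
}

# Return 0 if the script assigns PATH itself (with or without export).
sets_path() {
    grep -Eq '^[[:space:]]*(export[[:space:]]+)?PATH=' "$1"
}

# Print commands the script invokes by bare name: skips comments, blank
# lines, variable assignments and a short list of keywords and builtins.
relative_commands() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 ~ /^[A-Za-z_][A-Za-z0-9_]*=/ { next }
        $1 ~ /^(if|then|else|elif|fi|for|do|done|while|cd|exit|echo|set|export|umask)$/ { next }
        index($1, "/") == 0 { print $1 }
    ' "$1"
}

# Audit every regular file in a cron directory. One finding per line:
#   WRITABLE <file>        group- or world-writable
#   NOPATH <file>          script relies on the inherited PATH
#   RELATIVE <file> <cmd>  command looked up through PATH
# Returns 1 if any finding was printed.
audit_cron_dir() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if writable_by_others "$f"; then echo "WRITABLE $f"; rc=1; fi
        if ! sets_path "$f"; then echo "NOPATH $f"; rc=1; fi
        for cmd in $(relative_commands "$f"); do echo "RELATIVE $f $cmd"; rc=1; done
    done
    return $rc
}

# Constructed sample cron directory: one careless script, one careful one.
make_cron_sample() {
    d=$(mktemp -d)
    cat > "$d/backup" <<'EOF'
#!/bin/sh
# constructed sample: no PATH, bare command names, too permissive
cd /dmz-backups
tar czf backup.tgz /var/www
chown backupsvc backup.tgz
EOF
    chmod 777 "$d/backup"
    cat > "$d/logrotate" <<'EOF'
#!/bin/sh
export PATH=/usr/sbin:/usr/bin:/sbin:/bin
/usr/sbin/logrotate /etc/logrotate.conf
EOF
    chmod 755 "$d/logrotate"
    echo "$d"
}

dir=$(make_cron_sample)
audit_cron_dir "$dir" || echo "cron scripts need attention"
rm -rf "$dir"
```

The keyword list in relative_commands is deliberately short; the point of the check is to surface scripts that depend on the environment cron happens to run them in, which is exactly the property a hardened cron script should not have. On a real host the directories to pass are /etc/cron.daily, /etc/cron.hourly and friends, and the same checks apply to anything referenced from /etc/crontab.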

Unmounted File Systems and Additional Drives

  • May find sensitive files, passwords, or backups that can be leveraged to escalate privileges

neutron@kali[/kali]$ lsblk

NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda      8:0    0   30G  0 disk 
├─sda1   8:1    0   29G  0 part /
├─sda2   8:2    0    1K  0 part 
└─sda5   8:5    0  975M  0 part [SWAP]
sr0     11:0    1  848M  0 rom  

SETUID and SETGID Permissions

  • Binaries are set with these permissions to allow a user to run a command as root, without having to grant root-level access to the user
  • Many binaries contain functionality that can be exploited to get a root shell
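Added example, not part of the original notes: list the files under a directory tree that carry the SUID or SGID bit and compare them with a baseline recorded on a known-good system, so that a binary nobody approved stands out. It runs against a constructed tree created in a temporary directory; the file names in the sample are illustrative only.

```shell
#!/bin/sh
# Added example, not part of the original notes: SUID/SGID baseline check.

# Regular files under $1 with the SUID (4000) or SGID (2000) bit set.
list_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Print setid files under $1 that are absent from the baseline file $2 (one
# absolute path per line). Returns 1 if anything unexpected was printed.
unexpected_setid_files() {
    rc=0
    for f in $(list_setid_files "$1"); do
        if ! grep -Fqx "$f" "$2"; then
            echo "$f"
            rc=1
        fi
    done
    return $rc
}

# Record the current state as the baseline (run once on a known-good system
# and keep the file somewhere the audited tree cannot modify).
write_setid_baseline() {
    list_setid_files "$1" > "$2"
}

# Constructed sample tree: one approved SUID file, one unexpected SUID file,
# and one ordinary executable.
make_setid_sample() {
    d=$(mktemp -d)
    mkdir "$d/tree"
    for name in approved surprise plain; do
        printf '#!/bin/sh\necho ok\n' > "$d/tree/$name"
    done
    chmod 4755 "$d/tree/approved"
    chmod 4755 "$d/tree/surprise"
    chmod 0755 "$d/tree/plain"
    printf '%s\n' "$d/tree/approved" > "$d/baseline"
    echo "$d"
}

sample=$(make_setid_sample)
unexpected_setid_files "$sample/tree" "$sample/baseline" || echo "unexpected setid file(s) listed above"
rm -rf "$sample"
```

Running this periodically against / (excluding /proc as the find commands elsewhere in these notes do) catches both a newly installed package that brings its own setid helper and a bit that was set by hand.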

Writeable Directories

  • Important to discover which directories are writeable if you need to download tools to the system
  • May discover a writeable directory where a cron job places files, which provides an idea of how often the cron job runs and could be used to elevate privileges if the script that the cron job runs is also writeable

Find writeable directories

neutron@kali[/kali]$ find / -path /proc -prune -o -type d -perm -o+w 2>/dev/null

/dmz-backups
/tmp
/tmp/VMwareDnD
/tmp/.XIM-unix
/tmp/.Test-unix
/tmp/.X11-unix
/tmp/systemd-private-8a2c51fcbad240d09578916b47b0bb17-systemd-timesyncd.service-TIecv0/tmp
/tmp/.font-unix
/tmp/.ICE-unix
/proc
/dev/mqueue
/dev/shm
/var/tmp
/var/tmp/systemd-private-8a2c51fcbad240d09578916b47b0bb17-systemd-timesyncd.service-hm6Qdl/tmp
/var/crash
/run/lock

Writeable Files

  • Are any scripts or configuration files world-writable?
  • While altering configuration files can be extremely destructive, there may be instances where a minor modification can open up further access
  • Any scripts that are run as root using cron jobs can be modified slightly to append a command

Find Writable Files

neutron@kali[/kali]$ find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null

/etc/cron.daily/backup
/dmz-backups/backup.sh
/proc
/sys/fs/cgroup/memory/init.scope/cgroup.event_control

<SNIP>

/home/backupsvc/backup.sh

<SNIP>