How to recon Linux for potential privesc

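# Distribution and kernel version (compare against the vendor's current patch level)
cat /etc/issue
cat /etc/*-release
cat /proc/version
uname -a
uname -mrs
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz-
# Shell start-up files and environment: system-wide first, then the current user's
cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
env
set
# Printers, running processes and known service ports; the grep variants show what runs as root
lpstat -a
ps aux
ps -ef
top
cat /etc/services
ps aux | grep root
ps -ef | grep root
# Installed binaries and packages (dpkg = Debian family, rpm = Red Hat family)
ls -alh /usr/bin/
ls -alh /sbin/
ls -alh /opt/
dpkg -l
rpm -qa
ls -alh /var/cache/apt/archives/
ls -alh /var/cache/yum/
# Mounted filesystems and their mount options
mount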

Check for configs and vulnerable plugins:
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.conf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ | awk '$1 ~ /^.r./'
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root

Any plain-text credentials:
grep -ri user /
grep -ri pass /
grep -C 5 "password" [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n 'var $password'   # Joomla

Writable files:
ls -aRl /etc/ | awk '$1 ~ /^.w./' 2>/dev/null      # Anyone
ls -aRl /etc/ | awk '$1 ~ /^..w/' 2>/dev/null      # Owner
ls -aRl /etc/ | awk '$1 ~ /^.....w/' 2>/dev/null   # Group
ls -aRl /etc/ | awk '$1 ~ /w.$/' 2>/dev/null       # Other

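find /etc/ -readable -type f 2>/dev/null               # Anyone
find /etc/ -maxdepth 1 -readable -type f 2>/dev/null   # Anyone, top level only (-maxdepth must precede the tests)
find / -perm -1000 -type d 2>/dev/null   # Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here.
find / -perm -g=s -type f 2>/dev/null    # SGID (chmod 2000) - run as the group, not the user who started it.
find / -perm -u=s -type f 2>/dev/null    # SUID (chmod 4000) - run as the owner, not the user who started it.
find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null    # SGID or SUID; parentheses make -type f apply to both sides
# SUID/SGID files under every directory whose path ends in "bin" (locate's database may be stale)
while IFS= read -r bindir; do
  find "$bindir" \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null
done < <(locate -r 'bin$')
# SGID or SUID, shallow, with full ls details; without the parentheses -exec applied only to the SUID side
find / -maxdepth 3 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null
find / -writable -type d 2>/dev/null      # folders writable by the current user (not necessarily world-writable)
find / -perm -222 -type d 2>/dev/null     # world-writeable folders
find / -perm -o=w -type d 2>/dev/null     # world-writeable folders
find / -perm -o=x -type d 2>/dev/null     # world-executable folders
find / -perm -o=wx -type d 2>/dev/null    # world-writeable & executable folders
find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null   # world-writeable folders without the sticky bit; -xdev stays on this filesystem
find /dir -xdev \( -nouser -o -nogroup \) -print 2>/dev/null   # files with no matching owner or group; replace /dir with the tree to check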
  • Check log files for interesting stuff
  • Check your sudo rights with sudo -l and look into "escaping sudo"
  • Find writable libraries called by setuid binaries

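# Shared libraries loaded by SUID/SGID binaries that are group- or world-writable:
# list the binaries, resolve their libraries with ldd, then check the mode column of ls -l
find / -type f -perm /6000 -exec ls -1 {} \; 2>/dev/null \
  | xargs -I {} ldd {} \
  | grep -oE '/[^ ]+' \
  | sort -u \
  | xargs ls -Ll \
  | grep -iE '....w....|.......w.'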

  • Find an existing vulnerability in running services
  • Fuzz root custom code
  • Get custom root code off the system and do static analysis to find flaws

References:

http://pentestmonkey.net/tools/unix-privesc-check/
http://labs.portcullis.co.uk/application/enum4linux/
http://bastille-linux.sourceforge.net
http://www.0daysecurity.com/penetration-testing/enumeration.html

Tags: PrivEsc