# Environment Enum ## Basic commands * `whoami` - what user are we running as * `id` - what groups does our user belong to? * `hostname` - what is the server named. can we gather anything from the naming convention? * `ifconfig` or `ip -a` - what subnet did we land in, does the host have additional NICs in other subnets? * `sudo -l` - can our user run anything with sudo (as another user as root) without needing a password? This can sometimes be the easiest win and we can do something like `sudo su` and drop right into a root shell. ## Tools {% content-ref url="/pages/QFBTeCKy8hd2INFyN6nZ" %} [Tools](/0xss0rz/pentest/privilege-escalation/linux/tools.md) {% endcontent-ref %} ## Operating System and Version ```shell-session cat /etc/os-release NAME="Ubuntu" VERSION="20.04.4 LTS (Focal Fossa)" ID=ubuntu ID_LIKE=debian PRETTY_NAME="Ubuntu 20.04.4 LTS" VERSION_ID="20.04" HOME_URL="https://www.ubuntu.com/" SUPPORT_URL="https://help.ubuntu.com/" BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/" PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy" VERSION_CODENAME=focal UBUNTU_CODENAME=focal ``` ## Current user's PATH ```shell-session echo $PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin ``` {% content-ref url="/pages/zmoRzFkmYBFpWKfkS1ZC" %} [Path Abuse](/0xss0rz/pentest/privilege-escalation/linux/path-abuse.md) {% endcontent-ref %} ## Environment variables {% hint style="info" %} Look for password {% endhint %} ```shell-session env SHELL=/bin/bash PWD=/home/htb-student LOGNAME=htb-student XDG_SESSION_TYPE=tty MOTD_SHOWN=pam HOME=/home/htb-student LANG=en_US.UTF-8 ``` ## Kernel version ``` cat /proc/version ``` ```shell-session uname -a Linux nixlpe02 5.4.0-122-generic #138-Ubuntu SMP Wed Jun 22 15:00:31 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux ``` {% content-ref url="/pages/O6u15xQXe7Ux6UK4Rkrh" %} [Kernel Exploits](/0xss0rz/pentest/privilege-escalation/linux/kernel-exploits.md) {% endcontent-ref %} ## CPU type/version ```shell-session lscpu Architecture: x86_64 CPU op-mode(s): 32-bit, 64-bit Byte Order: Little Endian Address sizes: 43 bits physical, 48 bits virtual CPU(s): 2 On-line CPU(s) list: 0,1 Thread(s) per core: 1 Core(s) per socket: 2 Socket(s): 1 NUMA node(s): 1 Vendor ID: AuthenticAMD CPU family: 23 Model: 49 Model name: AMD EPYC 7302P 16-Core Processor Stepping: 0 CPU MHz: 2994.375 BogoMIPS: 5988.75 Hypervisor vendor: VMware ``` ## Shell availables ```shell-session cat /etc/shells # /etc/shells: valid login shells /bin/sh /bin/bash /usr/bin/bash /bin/rbash /usr/bin/rbash /bin/dash /usr/bin/dash /usr/bin/tmux /usr/bin/screen ``` ## Defense in place Some things to look for include: * [Exec Shield](https://en.wikipedia.org/wiki/Exec_Shield) * [iptables](https://linux.die.net/man/8/iptables) * [AppArmor](https://apparmor.net/) * [SELinux](https://www.redhat.com/en/topics/linux/what-is-selinux) * [Fail2ban](https://github.com/fail2ban/fail2ban) * [Snort](https://www.snort.org/faq/what-is-snort) * [Uncomplicated Firewall (ufw)](https://wiki.ubuntu.com/UncomplicatedFirewall) ## Drives and shares ```shell-session lsblk NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT loop0 7:0 0 55M 1 loop /snap/core18/1705 loop1 7:1 0 69M 1 loop /snap/lxd/14804 loop2 7:2 0 47M 1 loop /snap/snapd/16292 loop3 7:3 0 103M 1 loop /snap/lxd/23339 loop4 7:4 0 62M 1 loop /snap/core20/1587 loop5 7:5 0 55.6M 1 loop /snap/core18/2538 sda 8:0 0 20G 0 disk ├─sda1 8:1 0 1M 0 part ├─sda2 8:2 0 1G 0 part /boot └─sda3 8:3 0 19G 0 part └─ubuntu--vg-ubuntu--lv 253:0 0 18G 0 lvm / sr0 11:0 1 908M 0 rom ``` ### Printers attached ``` lpstat ``` ### Mounted drives ```shell-session cat /etc/fstab # /etc/fstab: static file system information. # # Use 'blkid' to print the universally unique identifier for a # device; this may be used with UUID= as a more robust way to name devices # that works even if disks are added and removed. See fstab(5). # # # / was on /dev/ubuntu-vg/ubuntu-lv during curtin installation /dev/disk/by-id/dm-uuid-LVM-BdLsBLE4CvzJUgtkugkof4S0dZG7gWR8HCNOlRdLWoXVOba2tYUMzHfFQAP9ajul / ext4 defaults 0 0 # /boot was on /dev/sda2 during curtin installation /dev/disk/by-uuid/20b1770d-a233-4780-900e-7c99bc974346 /boot ext4 defaults 0 0 ``` ## Routing tables `route` or `netstat -rn` ```shell-session route Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface default _gateway 0.0.0.0 UG 0 0 0 ens192 10.129.0.0 0.0.0.0 255.255.0.0 U 0 0 0 ens192 ``` ## Internal DNS `/etc/resolv.conf` ## ARP Table ```shell-session arp -a _gateway (10.129.0.1) at 00:50:56:b9:b9:fc [ether] on ens192 ``` ## **Existing Users** ``` cat /etc/passwd ``` {% hint style="info" %} Occasionally, we will see password hashes directly in the `/etc/passwd` file. {% endhint %} {% content-ref url="/pages/5HMI5x51XIr5GBqw1pWM" %} [Hashes](/0xss0rz/pentest/cracking/hashes.md) {% endcontent-ref %} {% content-ref url="/pages/MSoJcmvI1VqZPjZ57oEy" %} [/etc/passwd & /etc/shadow](/0xss0rz/pentest/privilege-escalation/linux/etc-passwd-and-etc-shadow.md) {% endcontent-ref %} {% hint style="info" %} Outdated versions, such as Bash version 4.1, are vulnerable to a `shellshock` exploit. {% endhint %} ```shell-session grep "*sh$" /etc/passwd root:x:0:0:root:/root:/bin/bash mrb3n:x:1000:1000:mrb3n:/home/mrb3n:/bin/bash bjones:x:1001:1001::/home/bjones:/bin/sh administrator.ilfreight:x:1002:1002::/home/administrator.ilfreight:/bin/sh backupsvc:x:1003:1003::/home/backupsvc:/bin/sh cliff.moore:x:1004:1004::/home/cliff.moore:/bin/bash logger:x:1005:1005::/home/logger:/bin/sh shared:x:1006:1006::/home/shared:/bin/sh stacey.jenkins:x:1007:1007::/home/stacey.jenkins:/bin/bash htb-student:x:1008:1008::/home/htb-student:/bin/bash ``` ## **Existing Groups** ```shell-session cat /etc/group root:x:0: daemon:x:1: bin:x:2: sys:x:3: adm:x:4:syslog,htb-student tty:x:5:syslog disk:x:6: lp:x:7: mail:x:8: news:x:9: uucp:x:10: man:x:12: proxy:x:13: kmem:x:15: dialout:x:20: fax:x:21: voice:x:22: cdrom:x:24:htb-student floppy:x:25: tape:x:26: sudo:x:27:mrb3n,htb-student audio:x:29:pulse dip:x:30:htb-student www-data:x:33: ...SNIP... ``` ### Members of interesting group ```shell-session getent group sudo sudo:x:27:mrb3n ``` ## Home ```shell-session ls /home ``` Look for .bash\_history, ssk keys, config files, etc. {% content-ref url="/pages/M8xfb0EXOCusqyJ270XP" %} [Credentials Hunting](/0xss0rz/pentest/privilege-escalation/linux/credentials-hunting.md) {% endcontent-ref %} ## **Mounted File Systems** ```shell-session df -h Filesystem Size Used Avail Use% Mounted on udev 1,9G 0 1,9G 0% /dev tmpfs 389M 1,8M 388M 1% /run /dev/sda5 20G 7,9G 11G 44% / tmpfs 1,9G 0 1,9G 0% /dev/shm tmpfs 5,0M 4,0K 5,0M 1% /run/lock tmpfs 1,9G 0 1,9G 0% /sys/fs/cgroup /dev/loop0 128K 128K 0 100% /snap/bare/5 /dev/loop1 62M 62M 0 100% /snap/core20/1611 /dev/loop2 92M 92M 0 100% /snap/gtk-common-themes/1535 /dev/loop4 55M 55M 0 100% /snap/snap-store/558 /dev/loop3 347M 347M 0 100% /snap/gnome-3-38-2004/115 /dev/loop5 47M 47M 0 100% /snap/snapd/16292 /dev/sda1 511M 4,0K 511M 1% /boot/efi tmpfs 389M 24K 389M 1% /run/user/1000 /dev/sr0 3,6G 3,6G 0 100% /media/htb-student/Ubuntu 20.04.5 LTS amd64 /dev/loop6 50M 50M 0 100% /snap/snapd/17576 /dev/loop7 64M 64M 0 100% /snap/core20/1695 /dev/loop8 46M 46M 0 100% /snap/snap-store/599 /dev/loop9 347M 347M 0 100% /snap/gnome-3-38-2004/119 ``` ## **Unmounted File Systems** ```shell-session cat /etc/fstab | grep -v "#" | column -t UUID=5bf16727-fcdf-4205-906c-0620aa4a058f / ext4 errors=remount-ro 0 1 UUID=BE56-AAE0 /boot/efi vfat umask=0077 0 1 /swapfile none swap sw 0 0 ``` ## **All Hidden Files** ```shell-session find / -type f -name ".*" -exec ls -l {} \; 2>/dev/null | grep htb-student -rw-r--r-- 1 htb-student htb-student 3771 Nov 27 11:16 /home/htb-student/.bashrc -rw-rw-r-- 1 htb-student htb-student 180 Nov 27 11:36 /home/htb-student/.wget-hsts -rw------- 1 htb-student htb-student 387 Nov 27 14:02 /home/htb-student/.bash_history -rw-r--r-- 1 htb-student htb-student 807 Nov 27 11:16 /home/htb-student/.profile -rw-r--r-- 1 htb-student htb-student 0 Nov 27 11:31 /home/htb-student/.sudo_as_admin_successful -rw-r--r-- 1 htb-student htb-student 220 Nov 27 11:16 /home/htb-student/.bash_logout -rw-rw-r-- 1 htb-student htb-student 162 Nov 28 13:26 /home/htb-student/.notes ``` ## **All Hidden Directories** ```shell-session find / -type d -name ".*" -ls 2>/dev/null 684822 4 drwx------ 3 htb-student htb-student 4096 Nov 28 12:32 /home/htb-student/.gnupg 790793 4 drwx------ 2 htb-student htb-student 4096 Okt 27 11:31 /home/htb-student/.ssh 684804 4 drwx------ 10 htb-student htb-student 4096 Okt 27 11:30 /home/htb-student/.cache 790827 4 drwxrwxr-x 8 htb-student htb-student 4096 Okt 27 11:32 /home/htb-student/CVE-2021-3156/.git 684796 4 drwx------ 10 htb-student htb-student 4096 Okt 27 11:30 /home/htb-student/.config 655426 4 drwxr-xr-x 3 htb-student htb-student 4096 Okt 27 11:19 /home/htb-student/.local 524808 4 drwxr-xr-x 7 gdm gdm 4096 Okt 27 11:19 /var/lib/gdm3/.cache 544027 4 drwxr-xr-x 7 gdm gdm 4096 Okt 27 11:19 /var/lib/gdm3/.config 544028 4 drwxr-xr-x 3 gdm gdm 4096 Aug 31 08:54 /var/lib/gdm3/.local 524938 4 drwx------ 2 colord colord 4096 Okt 27 11:19 /var/lib/colord/.cache 1408 2 dr-xr-xr-x 1 htb-student htb-student 2048 Aug 31 09:17 /media/htb-student/Ubuntu\ 20.04.5\ LTS\ amd64/.disk 280101 4 drwxrwxrwt 2 root root 4096 Nov 28 12:31 /tmp/.font-unix 262364 4 drwxrwxrwt 2 root root 4096 Nov 28 12:32 /tmp/.ICE-unix 262362 4 drwxrwxrwt 2 root root 4096 Nov 28 12:32 /tmp/.X11-unix 280103 4 drwxrwxrwt 2 root root 4096 Nov 28 12:31 /tmp/.Test-unix 262830 4 drwxrwxrwt 2 root root 4096 Nov 28 12:31 /tmp/.XIM-unix 661820 4 drwxr-xr-x 5 root root 4096 Aug 31 08:55 /usr/lib/modules/5.15.0-46-generic/vdso/.build-id 666709 4 drwxr-xr-x 5 root root 4096 Okt 27 11:18 /usr/lib/modules/5.15.0-52-generic/vdso/.build-id 657527 4 drwxr-xr-x 170 root root 4096 Aug 31 08:55 /usr/lib/debug/.build-id ``` ## **Temporary Files** ```shell-session ls -l /tmp /var/tmp /dev/shm ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://0xss0rz.gitbook.io/0xss0rz/pentest/privilege-escalation/linux/environment-enum.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.