We covered Linux enumeration to identify possible weaknesses vulnerabilities in order to achieve privilege escalation. This was part of TryHackMe Linux: Local Enumeration.

Get OSCP Notes

Execute uname -a to print out all information about the system.
This simple box enumeration allows you to get initial information about the box, such as distro type and version. From this point you can easily look for known exploits and vulnerabilities.
> Next in our list are auto-generated bash files.
Bash keeps tracks of our actions by putting plaintext used commands into a history file. (~/.bash_history)
If you happen to have a reading permission on this file, you can easily enumerate system user’s action and retrieve some sensitive infrmation. One of those would be plaintext passwords or privilege escalation methods.
.bash_profile and .bashrc are files containing shell commands that are run when Bash is invoked. These files can contain some interesting start up setting that can potentially reveal us some infromation. For example a bash alias can be pointed towards an important file or process.
> Next thing that you want to check is the sudo version.
Sudo command is one of the most common targets in the privilage escalation. Its version can help you identify known exploits and vulnerabilities. Execute sudo -V to retrieve the version.
For example, sudo versions < 1.8.28 are vulnerable to CVE-2019-14287, which is a vulnerability that allows to gain root access with 1 simple command.
> Last part of basic enumeration comes down to using our sudo rights.
Users can be assigned to use sudo via /etc/sudoers file. It’s a fully customazible file that can either limit or open access to a wider range of permissions. Run sudo -l to check if a user on the box is allowed to use sudo with any command on the system.
> /etc/passwd
This file stores the most essential information, required during the user login process. (It stores user account information). It’s a plain-text file that contains a list of the system’s accounts, giving for each account some useful information like user ID, group ID, home directory, shell, and more.

Set User ID (SUID) is a type of permission that allows users to execute a file with the permissions of another user.
Those files which have SUID permissions run with higher privileges.  Assume we are accessing the target system as a non-root user and we found SUID bit enabled binaries, then those file/program/command can be run with root privileges.

SUID abuse is a common privilege escalation technique that allows us to gain root access by executing a root-owned binary with SUID enabled.

You can find all SUID file by executing this simple find command:

find / -perm -u=s -type f 2>/dev/null

-u=s searches files that are owned by the root user.
-type f search for files, not directories

After displaying all SUID files, compare them to a list on GTFObins to see if there’s a way to abuse them to get root access.

According to Wikipedia, “Port forwarding is an application of network address translation (NAT) that redirects a communication request from one address and port number combination to another while the packets are traversing a network gateway, such as a router or firewall”.

Port forwarding not only allows you to bypass firewalls but also gives you an opportunity to enumerate some local services and processes running on the box.

The Linux netstat command gives you a bunch of information about your network connections, the ports that are in use, and the processes using them. In order to see all TCP connections, execute netstat -at | less. This will give you a list of running processes that use TCP. From this point, you can easily enumerate running processes and gain some valuable information.

netstat -tulpn will provide you a much nicer output with the most interesting data.

Read more about port forwarding here: fumenoid.github.io/posts/port-forwarding

Room Answers

How would you execute /bin/bash with perl?

Where can you usually find the id_rsa file? (User = user)

Is there an id_rsa file on the box? (yay/nay)

How would you print machine hardware name only?

Where can you find bash history?

What’s the flag?

Can you read /etc/passwd on the box? (yay/nay)
What’s the password you found?

Did you find a flag?

Which SUID binary has a way to escalate your privileges on the box?

What’s the payload you can use to read /etc/shadow with this SUID?

Video Walkthrough

About the Author

Cybersecurity Trainer MS in Cybersecurity Expertise in Healthcare and Finance Industries Penetration tester and compliance auditor

View Articles