We covered Linux enumeration to identify possible weaknesses vulnerabilities in order to achieve privilege escalation. This was part of TryHackMe Linux: Local Enumeration.
uname -a to print out all information about the system.
sudo -V to retrieve the version.
sudo -l to check if a user on the box is allowed to use sudo with any command on the system.
Set User ID (SUID) is a type of permission that allows users to execute a file with the permissions of another user.
Those files which have SUID permissions run with higher privileges. Assume we are accessing the target system as a non-root user and we found SUID bit enabled binaries, then those file/program/command can be run with root privileges.
SUID abuse is a common privilege escalation technique that allows us to gain root access by executing a root-owned binary with SUID enabled.
You can find all SUID file by executing this simple find command:
find / -perm -u=s -type f 2>/dev/null
-u=s searches files that are owned by the root user.
-type f search for files, not directories
After displaying all SUID files, compare them to a list on GTFObins to see if there’s a way to abuse them to get root access.
According to Wikipedia, “Port forwarding is an application of network address translation (NAT) that redirects a communication request from one address and port number combination to another while the packets are traversing a network gateway, such as a router or firewall”.
Port forwarding not only allows you to bypass firewalls but also gives you an opportunity to enumerate some local services and processes running on the box.
The Linux netstat command gives you a bunch of information about your network connections, the ports that are in use, and the processes using them. In order to see all TCP connections, execute
netstat -at | less. This will give you a list of running processes that use TCP. From this point, you can easily enumerate running processes and gain some valuable information.
netstat -tulpn will provide you a much nicer output with the most interesting data.
Read more about port forwarding here: fumenoid.github.io/posts/port-forwarding
Where can you usually find the id_rsa file? (User = user)
Is there an id_rsa file on the box? (yay/nay)
Where can you find bash history?
What’s the flag?
Did you find a flag?
What’s the payload you can use to read /etc/shadow with this SUID?