Linux: Local Enumeration

Learn to efficiently enumerate a Linux machine and identify possible weaknesses

This room from TryHackMe describes techniques for enumerating a Linux machine and escalating privileges after getting a shell on it.

The target website shows how to connect and get a reverse shell:

Unit 1: tty

Reverse shell -

  • A plain netcat shell breaks easily

  • A stable shell is needed

  • Some commands, such as su and ssh, need a proper terminal to run

  • Python one-liner for a stable shell: python3 -c 'import pty; pty.spawn("/bin/bash")'

  • Upgrading a shell to a fully interactive one: blog post

  • Curated list of privesc commands: GTFOBins

The command from GTFOBins gives us a shell, but as we want to execute bash, we need to modify it: perl -e 'exec "/bin/sh";'

Unit 1: ssh

SSH -

  • SSH can give us a stable reverse connection

  • Keys are usually located in the .ssh directory

  • If I get the private key, id_rsa:

    • Download it to my own machine

    • Set the permissions: chmod 600 id_rsa

    • Connect over ssh: ssh -i id_rsa [user]@[IP]

  • If the private key isn't there or is inaccessible:

    • Generate my own ssh key pair on the attacker machine: ssh-keygen

    • Copy id_rsa.pub into the target machine's authorized_keys file, which lives inside the .ssh directory

    • Connect over ssh from the attacker machine using the matching id_rsa file
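The authorized_keys step above is exactly what a defender should watch: an extra public key in that file is a common way persistence gets planted. The script below is an added example (not part of the TryHackMe room) that parses an authorized_keys file in the format sshd expects ([options] key-type base64-key [comment]) and reports each key's type, whether any options restrict it, and its comment; the sample file it writes is constructed and contains no real key material.

```shell
#!/bin/sh
# Added example (not from the TryHackMe room): audit an authorized_keys file.
# Every non-comment line has the form:  [options] key-type base64-key [comment]
# The audit reports, per key, its type, whether any options restrict it
# (for example from= or command=) and its comment, so that unexpected
# entries stand out during a review.

audit_authorized_keys() {
    # $1: path to an authorized_keys file
    awk '
        /^[[:space:]]*$/ || /^[[:space:]]*#/ { next }   # skip blank and comment lines
        {
            # locate the key-type token; anything before it is the options field
            type_idx = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp[0-9]+|sk-)/) { type_idx = i; break }
            }
            if (type_idx == 0) { printf "line %d: UNPARSED\n", NR; next }
            restricted = (type_idx > 1) ? "restricted" : "unrestricted"
            comment = ""
            for (i = type_idx + 2; i <= NF; i++) comment = comment (comment == "" ? "" : " ") $i
            if (comment == "") comment = "-"
            printf "line %d: %s %s %s\n", NR, $type_idx, restricted, comment
        }
    ' "$1"
}

count_unrestricted_keys() {
    # $1: path to an authorized_keys file; prints how many keys carry no options
    audit_authorized_keys "$1" | awk '/ unrestricted / { n++ } END { print n + 0 }'
}

write_sample_authorized_keys() {
    # $1: output path. Constructed sample data; the key material is not real.
    cat > "$1" <<'EOF'
# constructed sample authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialOnly user@laptop
from="10.0.0.0/8",command="/usr/bin/backup" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABExampleKeyMaterialOnly backup@host

ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYExampleKeyMaterialOnly
EOF
}

# Stand-alone demo on the constructed sample
sample=$(mktemp)
write_sample_authorized_keys "$sample"
audit_authorized_keys "$sample"
echo "unrestricted keys: $(count_unrestricted_keys "$sample")"
rm -f "$sample"
```

Run it against ~/.ssh/authorized_keys of each account on a host and compare the output with the last known-good list; keys marked unrestricted grant a full login and deserve the closest look. The parser scans for the key-type token rather than assuming it is the first field, so quoted spaces inside the options field do not confuse it.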

Unit 2: Basic enumeration

Quick methodology -

  • Get system info: uname -a

  • The user's command history may be in .bash_history

  • These two files contain shell commands that run when bash starts: .bash_profile and .bashrc

  • Check the sudo version: sudo -V (capital V; lowercase -v only refreshes the cached credentials)

  • List what the current user may run with sudo: sudo -l

Unit 3: /etc

/etc/passwd file -

  • This file contains essential account information

  • Format of the /etc/passwd file -

/etc/shadow file -

  • This file contains the hashed passwords

/etc/hosts file -

  • This file maps hostnames to IP addresses
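To make the /etc/passwd format concrete, here is an added example (not part of the TryHackMe room) that splits a passwd-format file into its seven colon-separated fields and flags the things a reviewer checks first: a second UID 0 account, an empty password field, a hash stored in passwd instead of /etc/shadow, and human accounts that have a login shell. The sample file is constructed; the UID 1000 cut-off for "human" accounts and the hash value are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the TryHackMe room): parse /etc/passwd and flag
# suspicious accounts. Each line has seven colon-separated fields:
#   name : password : UID : GID : GECOS (comment) : home : shell
# "x" in the password field means the hash lives in /etc/shadow.

passwd_table() {
    # $1: a passwd-format file; prints the fields a reviewer cares about
    awk -F: 'NF == 7 { printf "%-8s uid=%-6s gid=%-6s home=%-16s shell=%s\n", $1, $3, $4, $6, $7 }' "$1"
}

passwd_audit() {
    # $1: a passwd-format file; prints one "finding:account" line per issue
    awk -F: '
        NF != 7                 { print "malformed-line:" NR; next }
        $3 == 0 && $1 != "root" { print "extra-uid0:" $1 }        # another UID 0 account
        $2 == ""                { print "empty-password:" $1 }    # no password required
        $2 != "" && $2 != "x" && $2 != "*" && $2 !~ /^!/ { print "hash-in-passwd:" $1 }  # hash not in shadow
        $3 >= 1000 && $7 !~ /(nologin|false)$/ { print "interactive:" $1 }  # human account with a login shell (UID >= 1000 assumed)
    ' "$1"
}

write_sample_passwd() {
    # $1: output path. Constructed sample; the hash value is a placeholder.
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
toor:x:0:0::/root:/bin/sh
svc:$6$placeholder$notarealhash:1001:1001::/opt/svc:/bin/false
guest::1002:1002::/home/guest:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF
}

# Stand-alone demo on the constructed sample
sample=$(mktemp)
write_sample_passwd "$sample"
passwd_table "$sample"
echo "--- findings ---"
passwd_audit "$sample"
rm -f "$sample"
```

On the constructed sample the audit reports five findings (alice and guest are interactive, toor is a second UID 0 account, svc keeps its hash in passwd, guest has an empty password field). Point the functions at /etc/passwd on a real host to run the same checks.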

Unit 4: Find command

Find command -

  • Most important switches: -type and -name

  • Look for interesting log (.log) and configuration (.conf) files. There may be backup (.bak) files too

Task -

  • Found a password in a backup file: find -type f -name "*.bak" 2>/dev/null

  • Found a flag in a .conf file: find -type f -name "*.conf" 2>/dev/null

Unit 4: SUID

SUID bit -

  • If this bit is set, anyone who runs the file does so with the owner's privileges

  • Find command: find / -type f -perm -u=s 2>/dev/null

  • GTFOBins shows good payload for grep
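The find switches from the two units above (-type, -perm and the 2>/dev/null that hides permission errors) are also what a defender uses to keep an eye on SUID files. The script below is an added example, not from the TryHackMe room: it lists SUID files under a directory and diffs them against a baseline of expected SUID binaries, so a newly set or planted SUID file shows up immediately. The directory tree it builds is constructed inside a temporary directory; the baseline file format (one path per line) is this example's own convention.

```shell
#!/bin/sh
# Added example (not from the TryHackMe room): enumerate SUID files under a
# directory with the room's find switches (-type, -perm, 2>/dev/null) and diff
# the result against a baseline of expected SUID binaries.

list_suid() {
    # $1: directory to scan. -perm -4000 is the numeric form of the room's -perm -u=s
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

unexpected_suid() {
    # $1: directory to scan, $2: baseline file with one expected path per line
    # Prints every SUID file that is not in the baseline (plain awk, no process substitution)
    list_suid "$1" | awk -v base="$2" '
        BEGIN { while ((getline line < base) > 0) expected[line] = 1; close(base) }
        !($0 in expected)
    '
}

make_sample_tree() {
    # $1: empty directory. Constructed sample: three SUID files, two of them baselined.
    mkdir -p "$1/bin" "$1/opt"
    for f in bin/ping bin/sudo bin/ls opt/helper; do : > "$1/$f"; done
    chmod u+s "$1/bin/ping" "$1/bin/sudo" "$1/opt/helper"   # setting the bit on your own file needs no root
    printf '%s\n' "$1/bin/ping" "$1/bin/sudo" > "$1/baseline.txt"
}

# Stand-alone demo on the constructed tree
root=$(mktemp -d)
make_sample_tree "$root"
echo "SUID files under $root:"
list_suid "$root"
echo "not in baseline:"
unexpected_suid "$root" "$root/baseline.txt"      # prints $root/opt/helper
rm -rf "$root"
```

In practice the baseline is generated once from a freshly installed, known-good system with list_suid / and stored off-host; re-running unexpected_suid / baseline.txt on a schedule turns the room's one-off find command into a detection.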

Unit 5: SSH tunnelling

SSH tunnelling -

  • Three types of ssh tunnel (with examples):

    • Forward tunnel: connects from the office to home through an ssh tunnel

    • Reverse tunnel: connects from home to the office

    • Dynamic tunnel: uses a SOCKS proxy and diverts all traffic through the specified address

  • Explained in a video: YouTube

SSH tunnelling commands -

  • Forward tunnel: map a port on the remote machine/network to the local machine

    ssh -L $LOCAL_PORT:$REMOTE_IP:$REMOTE_PORT $USER@$SERVER

  • Reverse tunnel: make a local port accessible to the remote machine

    ssh -R $REMOTE_PORT:$LOCAL_IP:$LOCAL_PORT $USER@$SERVER
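Whether the -L and -R tunnels above work at all is decided by the server's sshd_config. The script below is an added example (not part of the TryHackMe room) that reads the tunnelling-related keywords the way sshd does: the first value found wins, and anything after a Match line applies only conditionally and is therefore ignored for the global answer. The defaults it assumes come from the sshd_config manual (AllowTcpForwarding yes, GatewayPorts no, PermitTunnel no); the config fragment it writes is constructed.

```shell
#!/bin/sh
# Added example (not from the TryHackMe room): read the sshd settings that
# decide whether -L/-R tunnels are allowed on a server. sshd uses the first
# value it finds for a keyword, and lines after a Match block apply only
# conditionally, so the lookup mirrors that. Defaults assumed from the
# sshd_config man page: AllowTcpForwarding yes, GatewayPorts no, PermitTunnel no.

sshd_effective() {
    # $1: sshd_config path, $2: keyword (case-insensitive); prints the global
    # value, or DEFAULT when the keyword is not set outside a Match block
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match"               { in_match = 1 }
        in_match                             { next }
        tolower($1) == key                   { print $2; found = 1; exit }
        END { if (!found) print "DEFAULT" }
    ' "$1"
}

tunnel_posture() {
    # $1: sshd_config path; one line per tunnelling-related keyword
    for key in AllowTcpForwarding GatewayPorts PermitTunnel; do
        printf '%s=%s\n' "$key" "$(sshd_effective "$1" "$key")"
    done
}

write_sample_sshd_config() {
    # $1: output path. Constructed fragment: forwarding is off globally but
    # re-enabled for one user in a Match block, which the global lookup ignores.
    cat > "$1" <<'EOF'
# constructed sshd_config fragment
Port 22
#AllowTcpForwarding yes
PermitRootLogin no
AllowTcpForwarding no
GatewayPorts no
Match User backup
    AllowTcpForwarding yes
EOF
}

# Stand-alone demo on the constructed fragment
cfg=$(mktemp)
write_sample_sshd_config "$cfg"
tunnel_posture "$cfg"
rm -f "$cfg"
```

On the constructed fragment this prints AllowTcpForwarding=no, GatewayPorts=no and PermitTunnel=DEFAULT (i.e. no). For the authoritative answer on a live host, including Match blocks, use sshd -T, which prints the fully resolved configuration.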
