📕
writeups
  • Introduction
  • Try Hack Me
    • Walkthroughs
      • Core Windows Processes
      • Linux: Local Enumeration
      • Network services
      • Network services 2
      • What the Shell?
      • Common Linux Privesc
      • Hashing - Crypto 101
    • Challanges (CTF)
      • Basic pentesting
      • tomghost
      • VulnNet
  • hack the box
    • Easy machines
    • Medium machines
Powered by GitBook
On this page
  • Unit 1: tty
  • Unit 1: ssh
  • Unit 2: Basic enumeration
  • Unit 3: /etc
  • Unit 4: Find command
  • Unit 4: SUID
  • Unit 5:

Was this helpful?

  1. Try Hack Me
  2. Walkthroughs

Linux: Local Enumeration

Learn to efficiently enumerate a Linux machine and identify possible weaknesses

PreviousCore Windows ProcessesNextNetwork services

Last updated 3 years ago

Was this helpful?

This room from describes some technique to enumerate and escalate privilege after getting a shell in a Linux machine.

Target website shows the way to connect and get a reverse shell:

Unit 1: tty

Reverse shell -

  • netcat shell can be broken often

  • stable shell is needed

  • Some commands like su and ssh needs proper terminal to run

  • Python one liner for a stable shell: python3 -c 'import pty; pty.spawn("/bin/bash")'

The command from GTFOBins gives us shell but as we want to execute bash, we need to modify it: perl -e 'exec "/bin/sh";'

Unit 1: ssh

SSH -

  • SSH can give us stable reverse connection

  • Usually located in .ssh file

  • If I get the private key, id_rsa :

    • Download it to my own machine

    • Give permission: chmod 600

    • Connect ssh: ssh -i id_rsa [user]@[IP]

  • If private key isn't there or inaccessible:

    • Generate own ssh key in attacker machine: ssh-keygen

    • Copy the id_rsa.pub to the target machine's authorized_keys file. This file will be inside the .ssh file

    • Connect ssh from attacker machine using own id_rsa file

Unit 2: Basic enumeration

Quick methodology -

  • get system info: uname -a

  • User command history can be here: .bash_history

  • These two file contains shell command that run when bash executed: .bash_profile and .bashrc

  • Check sudo version: sudo -v

  • User list with sudo access: sudo -l

Unit 3: /etc

/etc/passwd file -

  • This file contains essential information

  • Format of /passwd file -

/etc/shadow file -

  • This file contains hashed password

/etc/hosts file -

  • This file assigns hostname to IP address

Unit 4: Find command

Find command -

  • Most important switch : -type and -name

  • Look for interesting log (.log) and configuration (.conf) file. There can be a backup (.bak) file too

Task -

  • Found password in backup file: find -type f -name "*.bak" 2>/dev/null

  • Found flag in a .conf file: find -type f -name "*.conf" 2>/dev/null

Unit 4: SUID

SUID bit -

  • If this bit is set, anyone can run the file with the owner level access

  • Find command: find / -type f -perm -u=s 2>/dev/null

  • GTFOBins shows good payload for grep

Unit 5:

SSH tunnelling -

  • Three types of ssh tunnel (with example):

    • Forward tunnel: this will connect from office to home using a ssh tunnel

    • Reverse tunnel: this tunnel will connect from home to office

    • Dynamic tunnel: this will use sock proxy and divert all traffic to specified address

SSH tunnelling command -

  • Forward tunnel : map port from remote machine/network to local machine

ssh -L $LOCAL_PORT:$REMOTE_IP:$REMOTE_PORT $USER@$SERVER

  • Reverse tunnel : make local port accessible to remote machine

ssh -R $REMOTE_PORT:$LOCAL_IP:$LOCAL_PORT $USER@$SERVER

Upgrading shell to interactive shell:

Curated list of privesc command:

Explained video:

blog post
GTFOBins
YouTube
tryHackMe