This post explains the process of enumerating a Linux system in order to find paths to escalate privileges.

Overview

Automated tools

Manual - General things

These are the general things we will enumerate in the process below.

OS

  • OS Version
  • Kernel Version

Services

  • Running processes and the services behind them: ps aux | grep root
  • Installed Packages and Versions

User

  • whoami, id, hostname
  • User Home Directories
  • Sudo Privileges: sudo -l

Files & Directories

  • Configuration files: .conf & .config
  • Readable Shadow File
  • Password Hashes in /etc/passwd (more common on embedded devices and routers)
  • Writeable Directories
  • Writeable Files
  • SETUID and SETGID Permissions

Cron Jobs

  • Under: /etc/cron*

File Systems

  • Mounted and unmounted file systems
  • Additional drives

Process of enumeration

1. Gaining Situational Awareness

whoami
id
hostname

cat /etc/os-release

echo $PATH
env

uname -a
lscpu

cat /etc/shells

lsblk    # block devices
lpstat   # printers
cat /etc/fstab

# network information
route
arp -a

cat /etc/passwd
cut -d: -f1 /etc/passwd          # usernames
grep 'sh$' /etc/passwd           # users with a login shell

cat /etc/group
getent group sudo

ls /home

# file systems
df -h
# file systems defined in fstab (compare with df -h to spot the ones not mounted)
grep -v "#" /etc/fstab | column -t

# hidden files owned by $USER
find / -type f -name ".*" -exec ls -l {} \; 2>/dev/null | grep "$USER"
# setuid files (-perm -4000: the setuid bit is set)
find / -type f -perm -4000 -exec ls -l {} \; 2>/dev/null
# setgid files (-perm -2000: the setgid bit is set)
find / -type f -perm -2000 -exec ls -l {} \; 2>/dev/null
# root-owned files with BOTH bits set (-perm -6000 requires setuid and setgid together)
find / -uid 0 -perm -6000 -type f 2>/dev/null
# hidden directories
find / -type d -name ".*" -ls 2>/dev/null

ls /var/tmp   # cleaned after 30 days (systemd-tmpfiles default, distro-dependent)
ls /tmp       # cleaned after 10 days or on reboot (same caveat)
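Two of the checks above are the ones people most often get wrong: reading /etc/passwd for more than usernames, and telling the find -perm variants apart. The following is an added example, not code from the original post: passwd_triage() flags password hashes stored in the file, empty password fields, extra UID-0 accounts and login shells, and setid_scan() prints each set-id file with the bits it actually has, showing that -perm -6000 requires both bits rather than matching setgid. make_samples() writes a constructed passwd file and a few set-id files into a temporary directory so the script runs offline; on a real host use /etc/passwd and / instead.

```shell
#!/bin/sh
# Added example, not part of the original post. Sample data is constructed
# by make_samples(); nothing here comes from a real system.

# passwd_triage FILE
#   HASH  <user>       password hash stored in field 2 (crackable offline)
#   EMPTY <user>       empty password field: login without a password
#   UID0  <user>       account other than root with UID 0
#   SHELL <user> <sh>  account with an interactive login shell
passwd_triage() {
    awk -F: '
        $2 == ""                       { print "EMPTY " $1 }
        $2 != "x" && $2 !~ /^[!*]*$/   { print "HASH  " $1 }
        $3 == 0 && $1 != "root"        { print "UID0  " $1 }
        $7 ~ /sh$/                     { print "SHELL " $1 " " $7 }
    ' "$1"
}

# setid_scan DIR
# -perm -4000 requires the setuid bit, -perm -2000 the setgid bit, and
# -perm -6000 requires BOTH, so it is not a setgid search. Each file is
# printed once with the bits it really carries.
setid_scan() {
    {
        find "$1" -type f -perm -6000 -printf 'SUID+SGID %p\n'
        find "$1" -type f -perm -4000 ! -perm -2000 -printf 'SUID %p\n'
        find "$1" -type f -perm -2000 ! -perm -4000 -printf 'SGID %p\n'
    } 2>/dev/null | sort
}

# make_samples DIR: constructed passwd file and set-id files for the demo
make_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:$6$saltsalt$examplehashvalue:0:0:Admin:/root:/bin/sh
guest::1001:1001:Guest:/home/guest:/bin/sh
dev:x:1000:1000:Dev User:/home/dev:/bin/zsh
EOF
    mkdir -p "$1/bin"
    for f in su wall both plain; do : > "$1/bin/$f"; done
    chmod 4755 "$1/bin/su"      # setuid only
    chmod 2755 "$1/bin/wall"    # setgid only
    chmod 6755 "$1/bin/both"    # setuid and setgid
    chmod 0755 "$1/bin/plain"   # neither
}

demo() {
    d=$(mktemp -d)
    make_samples "$d"
    echo "== passwd triage"; passwd_triage "$d/passwd"
    echo "== set-id files";  setid_scan "$d/bin"
    rm -rf "$d"
}
demo
```

On the sample, admin is reported twice (a hash in the file and a second UID 0), guest has no password at all, and only su, wall and both appear in the set-id listing, each with a different tag.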

2. Linux Services & Internals Enumeration

ip a

cat /etc/hosts

lastlog # last login of every user
who     # who is logged in right now
finger  # user details (if installed)

# shell history of the current session, then history files on disk (e.g. ~/.bash_history)
history
find / -type f \( -name "*_hist" -o -name "*_history" \) -exec ls -l {} \; 2>/dev/null

# Cronjobs
ls -la /etc/cron.*/
cat /etc/crontab

# world-writeable files (check for cronjob abuse); -print keeps the pruned /proc out of the output
find / -path /proc -prune -o -type f -perm -o+w -print 2>/dev/null
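Listing world-writable files is a start, but the question that matters for cron abuse is whether a job's target is writable by you specifically. The following added example (not from the original post) parses a system crontab, resolves the first word of each command and reports jobs whose target file is writable, or sits in a directory you can write to and therefore replace. make_cron_samples() writes a constructed crontab and scripts into a temporary directory; the names backup.sh, cleanup.sh and missing.sh are made up. On a real host run it against /etc/crontab and each file in /etc/cron.d as the low-privilege user: root can write everything, so -w tells you nothing there.

```shell
#!/bin/sh
# Added example, not part of the original post. The crontab and scripts are
# constructed by make_cron_samples(); nothing here comes from a real system.

# cron_writable_targets CRONTAB
# Prints "TAG user command" for each job whose command's first word is an
# existing file that is writable (FILE-WRITABLE) or lives in a writable
# directory (DIR-WRITABLE). Comments, blank lines and NAME=value lines are
# skipped; both "m h dom mon dow user cmd" and "@reboot user cmd" forms parse.
cron_writable_targets() {
    [ -r "$1" ] || return 1
    (
        set -f                               # no globbing while splitting fields
        while read -r first rest; do
            case $first in ''|'#'*|*=*) continue ;; esac
            set -- $rest
            case $first in
                @*) [ $# -ge 2 ] || continue; user=$1; shift 1 ;;   # @reboot user cmd
                *)  [ $# -ge 6 ] || continue; user=$5; shift 5 ;;   # h dom mon dow user cmd
            esac
            cmd=$*
            target=${cmd%% *}                # first word of the command
            [ -f "$target" ] || continue     # builtins such as "cd" and PATH lookups are not resolved
            if   [ -w "$target" ];              then tag=FILE-WRITABLE
            elif [ -w "$(dirname "$target")" ]; then tag=DIR-WRITABLE
            else continue
            fi
            printf '%s %s %s\n' "$tag" "$user" "$cmd"
        done < "$1"
    )
    return 0
}

# make_cron_samples DIR: constructed crontab and target scripts for the demo
make_cron_samples() {
    printf '#!/bin/sh\necho backup\n' > "$1/backup.sh";  chmod 777 "$1/backup.sh"
    printf '#!/bin/sh\necho clean\n'  > "$1/cleanup.sh"; chmod 555 "$1/cleanup.sh"
    cat > "$1/crontab" <<EOF
# constructed /etc/crontab sample
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

*/5 * * * * root $1/backup.sh --full
17 *    * * * root cd / && run-parts --report /etc/cron.hourly
@reboot root $1/cleanup.sh
0 3 * * * root /nonexistent/missing.sh --quiet
EOF
}

demo() {
    d=$(mktemp -d)
    make_cron_samples "$d"
    cron_writable_targets "$d/crontab"
    rm -rf "$d"
}
demo
```

backup.sh is reported as FILE-WRITABLE. cleanup.sh is mode 555 but its directory is yours, so an unprivileged user sees DIR-WRITABLE (root sees FILE-WRITABLE, since root ignores mode bits). The run-parts job is skipped because its first word is the cd builtin, and missing.sh is skipped because it does not exist.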

# proc filesystem is a virtual fs that contains info about system processes, hw, system info
find /proc -name cmdline -exec cat {} \; 2>/dev/null | tr " " "\n"

apt list --installed | tr "/" " " | cut -d" " -f1,3 | sed 's/[0-9]://g' | tee -a installed_pkgs.list # installed packages (Debian-based; use rpm -qa on RPM-based systems)
sudo -V  # sudo version
ls -l /bin /usr/bin/ /usr/sbin/ # list of binaries
# compare binaries available in PATH against the GTFOBins list (needs html2text and outbound HTTP)
for i in $(curl -s https://gtfobins.github.io/ | html2text | cut -d" " -f1 | sed '/^[[:space:]]*$/d'); do command -v "$i" >/dev/null 2>&1 && echo "Check GTFOBins for: $i"; done

# trace the system calls and signals of a binary (here ping; IP is a placeholder)
strace ping -c1 IP

find / -type f \( -name "*.conf" -o -name "*.config" \) -exec ls -l {} \; 2>/dev/null # configuration files

# Scripts
find / -type f -name "*.sh" 2>/dev/null | grep -v "src\|snap\|share"
# processes running as root
ps aux | grep root

3. Credential Hunting

See Credential Hunting Linux

Configuration Files

Find all configuration files on the system by extension:

for l in .conf .config .cnf; do echo -e "\nFile extension: $l"; find / -name "*$l" 2>/dev/null | grep -v "lib\|fonts\|share\|core"; done

Then grep each file found with a given extension for likely credential keywords and print the hits. In this example we search for three words (user, password, pass) in every .cnf file, dropping comment lines:

for i in $(find / -name "*.cnf" 2>/dev/null | grep -v "doc\|lib"); do echo -e "\nFile: $i"; grep -i "user\|password\|pass" "$i" 2>/dev/null | grep -v "^[[:space:]]*#"; done
