Linux 提权信息收集

 

User related

User’s Group

group

Check if user is in the admin group: `grep -E "^(adm|admin|root|sudo|wheel)" /etc/group | grep -E "(:|,)$user"` (`$user` is the user name).

(base) ┌──(kali㉿kali)-[~/code/java]
└─$ grep $lse_grep_opts -E "^(adm|admin|root|sudo|wheel)" /etc/group | grep $lse_grep_opts -E "(:|,)kali"     
sudo:x:27:kali

Other users with a Shell

grep -E ":/[a-z/]+sh\$" /etc/passwd

(base) ┌──(kali㉿kali)-[~/code/java]
└─$ grep $lse_grep_opts -E ":/[a-z/]+sh\$" /etc/passwd      
root:x:0:0:root:/root:/usr/bin/zsh
postgres:x:119:124:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
kali:x:1000:1000:Kali,,,:/home/kali:/usr/bin/zsh

Check Environment Variables

env

Check user’s group

cat /etc/group

Check user

cat /etc/passwd

Check PATH

for p in `grep -ERh "^ *PATH=.*" /etc/ 2> /dev/null | tr -d "'"'"' | cut -d= -f2 | tr ":" "\n" | sort -u`; do [ -d "$p" ] && echo "$p";done

(base) ┌──(kali㉿kali)-[~/code/java]
└─$ for p in `grep -ERh "^ *PATH=.*" /etc/ 2> /dev/null | tr -d "'"'"' | cut -d= -f2 | tr ":" "\n" | sort -u`; do [ -d "$p" ] && echo "$p";done
/bin
/sbin
/usr/bin
/usr/games
/usr/lib/sysstat
/usr/local/bin
/usr/local/games
/usr/local/go/bin
/usr/local/sbin
/usr/sbin

echo $PATH

Check if “.” is added to PATH

for ep in $lse_exec_paths; do [ "$ep" = "." ] && grep -ER "^ *PATH=.*" /etc/ 2> /dev/null | tr -d "'"'"' | grep -E "[=:]\.([:[:space:]]|\$)";done

Sudo Related

Check if current user can execute “sudo” without Password

echo "" | sudo -nS id

(base) ┌──(kali㉿kali)-[~/code/java]
└─$ echo "" | sudo -nS id                  
uid=0(root) gid=0(root) groups=0(root),20(dialout),120(wireshark),142(kaboxer)

Check if current user can list sudo commands

echo "" | sudo -nS -l

└─$ echo "" | sudo -nS -l 
Matching Defaults entries for kali on kali:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User kali may run the following commands on kali:
    (ALL : ALL) ALL

Check if current user can execute sudo with a password

echo "xxxx" | sudo -S id （xxxx 为当前用户密码；该命令会被写入 shell 历史文件）

(base) ┌──(kali㉿kali)-[~]
└─$ echo "kali" | sudo -S id
uid=0(root) gid=0(root) groups=0(root),20(dialout),120(wireshark),142(kaboxer)

Check if current user can list sudo commands with a password

echo "xxxx" | sudo -S -l

(base) ┌──(kali㉿kali)-[~]
└─$ echo "kali" | sudo -S -l
Matching Defaults entries for kali on kali:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User kali may run the following commands on kali:
    (ALL : ALL) ALL

Check if current user can read sudoer file

grep -R "" /etc/sudoers*

(base) ┌──(kali㉿kali)-[~]
└─$ grep -R "" /etc/sudoers*
grep: /etc/sudoers: Permission denied
grep: /etc/sudoers.d/README: Permission denied
grep: /etc/sudoers.d/kali-grant-root: Permission denied

Check for Users who Successfully Used sudo

for uh in $(cut -d: -f1,6 /etc/passwd); do [ -f "${uh##*:}/.sudo_as_admin_successful" ] && echo "${uh%%:*}"; done

(base) ┌──(kali㉿kali)-[~]
└─$ for uh in $(cut -d: -f1,6 /etc/passwd); do [ -f "${uh##*:}/.sudo_as_admin_successful" ] && echo "${uh%%:*}"; done
kali

File System Related

Find Writable Files Outside the User’s Home Directory

find / -path "/home/kali" -prune -o -path /proc -prune -o -path /sys -prune -o -path /dev -prune -o -type l -user kali -print 2>/dev/null 注意修改用户名以及用户 home 目录 (as written, `-type l -user kali` only lists symlinks owned by the user; to list files the user can actually write, use find's `-writable` test in place of those two conditions)

└─$ find  / -path "/home/kali" -prune -o  -path /proc -prune -o -path /sys -prune -o -path /dev -prune -o -type l -user kali -print 2>/dev/null
/pentest/AntSword/antSword-master/antData/plugins/as_jwtdebugger-master/node_modules/.bin/semver
...

Find SUID Files

find / -path /proc -prune -o -path /sys -prune -o -path /dev -prune -o -perm -4000 -type f -print 2>/dev/null

(base) ┌──(kali㉿kali)-[~/code/java]
└─$ find / -path /proc -prune -o -path /sys -prune -o -path /dev -prune -o -perm -4000 -type f -print  2>/dev/null                         
/opt/google/chrome/chrome-sandbox
/usr/libexec/polkit-agent-helper-1
/usr/lib/xorg/Xorg.wrap
/usr/lib/telnetlogin
/usr/lib/dbus-1.0/dbus-daemon-

Find Uncommon SUID Files

Check if the Current User has Write Permissions on SUID Files

lse_setuid_binaries="`find / -path /proc -prune -o -path /sys -prune -o -path /dev -prune -o -perm -4000 -type f -print 2>/dev/null`";for b in $lse_setuid_binaries; do [ -x "$b" ] && [ -w "$b" ] && echo "$b" ;done

(base) ┌──(kali㉿kali)-[~/code/java]
└─$ lse_setuid_binaries="`find / -path /proc -prune -o -path /sys -prune -o -path /dev -prune -o -perm -4000 -type f -print  2>/dev/null`";for b in $lse_setuid_binaries; do [ -x "$b" ] && [ -w "$b" ] && echo "$b" ;done

Find GUID Files

find / -path /proc -prune -o -path /sys -prune -o -path /dev -prune -o -perm -2000 -type f -print 2>/dev/null

(base) ┌──(kali㉿kali)-[~/code/java]
└─$ find / -path /proc -prune -o -path /sys -prune -o -path /dev -prune -o -perm -2000 -type f -print 2>/dev/null                          130 ⨯
/usr/lib/xorg/Xorg.wrap
/usr/lib/x86_64-linux-gnu/utempter/utempter
/usr/bin/write
/usr/bin/plocate
/usr/bin/expiry
/usr/bin/ssh-agent
/usr/bin/chage
/usr/bin/wall
/usr/bin/dotlockfile
/usr/bin/crontab

Find Uncommon GUID Files

lse_setgid_binaries="`find / -path /proc -prune -o -path /sys -prune -o -path /dev -prune -o -perm -2000 -type f -print 2>/dev/null`";printf "$lse_setgid_binaries\n" | grep -Ev "^/(bin|sbin|usr/bin|usr/lib|usr/sbin)"

Check if the Current User has Write Permissions on GUID Files

lse_setgid_binaries="`find / -path /proc -prune -o -path /sys -prune -o -path /dev -prune -o -perm -2000 -type f -print 2>/dev/null`";for b in $lse_setgid_binaries; do [ -x "$b" ] && [ -w "$b" ] && echo "$b" ;done

Check if the Current User can Read /root

ls -ahl /root/

(base) ┌──(kali㉿kali)-[~/code/java]
└─$ ls -ahl /root/                                                                      
ls: cannot open directory '/root/': Permission denied

Check if the Current User can Read other Users’ Home Directories

for h in /home/*; do [ -d "$h" ] && [ "$h" != "/home/kali" ] && ls -la "$h/"; done 注意修改当前用户 home 路径

(base) ┌──(kali㉿kali)-[/home/ftp-users/dr34d/aaa]
└─$ for h in /home/*; do [ -d "$h" ] && [ "$h" != "/home/kali" ] && ls -la "$h/"; done
total 12
drwxr-xr-x 3 root root 4096 Sep 12  2021 .
drwxr-xr-x 4 root root 4096 Sep 12  2021 ..
drwxr-xr-x 3 root root 4096 Sep 12  2021 dr34d
                                                

for h in $(cut -d: -f6 /etc/passwd | sort -u | grep -Ev "^(/|/dev|/bin|/proc|/run/.*|/var/run/.*)$"); do find "$h" \( -name "*id_dsa*" -o -name "*id_rsa*" -o -name "*id_ecdsa*" -o -name "*id_ed25519*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" \) -exec ls -la {} \; ; done 2>/dev/null

(base) ┌──(kali㉿kali)-[/home/ftp-users/dr34d/aaa]
└─$ for h in $(cut -d: -f6 /etc/passwd | sort -u | grep -Ev "^(/|/dev|/bin|/proc|/run/.*|/var/run/.*)$"); do find "$h" \( -name "*id_dsa*" -o -name "*id_rsa*" -o -name "*id_ecdsa*" -o -name "*id_ed25519*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" \) -exec ls -la {} \; ; done 2>/dev/null
-rw-r--r-- 1 kali kali 442 Aug  9 11:40 /home/kali/work/vulhub/base/git/2.12.2/with-openssh/authorized_keys
-rw-r--r-- 1 kali kali 393 Aug  9 11:40 /home/kali/work/vulhub/git/CVE-2017-8386/id_rsa.pub
-rw-r--r-- 1 kali kali 1675 Aug  9 11:40 /home/kali/work/vulhub/git/CVE-2017-8386/id_rsa
-rw-r--r-- 1 kali kali 563 Sep  3 20:35 /home/kali/.ssh/id_rsa.pub
-rw-r--r-- 1 kali kali 575 Aug 17  2021 /home/kali/.ssh/authorized_keys
-rw------- 1 kali kali 2590 Sep  3 20:35 /home/kali/.ssh/id_rsa
-rw------- 1 kali kali 364 Sep  3 20:33 /home/kali/.ssh/known_hosts
-rw-r--r-- 1 kali kali 1430 Sep  4  2021 /home/kali/.vscode-server/extensions/liximomo.sftp-1.12.9/node_modules/ssh2/test/fixtures/id_rsa.ppk
-rw-r--r-- 1 kali kali 1766 Sep  4  2021 /home/kali/.vscode-server/extensions/liximomo.sftp-1.12.9/node_modules/ssh2/test/fixtures/id_rsa_enc
-rw-r--r-- 1 kali kali 887 Sep  4  2021 /home/kali/.vscode-server/extensions/liximomo.sftp-1.12.9/node_modules/ssh2/test/fixtures/id_rsa
-rw-r--r-- 1 kali kali 668 Sep  4  2021 /home/kali/.vscode-server/extensions/liximomo.sftp-1.12.9/node_modules/ssh2/test/fixtures/id_dsa
-rw-r--r-- 1 kali kali 227 Sep  4  2021 /home/kali/.vscode-server/extensions/liximomo.sftp-1.12.9/node_modules/ssh2/test/fixtures/id_ecdsa
   

find / -path /proc -prune -o -path /sys -prune -o -path /dev -prune -o \( -name "*id_dsa*" -o -name "*id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" \) -exec ls -la {} \; 2>/dev/null

(base) ┌──(kali㉿kali)-[~]
└─$ find / -path /proc -prune -o -path /sys -prune -o -path /dev -prune -o \( -name "*id_dsa*" -o -name "*id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" \) -exec ls -la {} \; 2>/dev/null
-rw-r--r-- 1 kali kali 442 Aug  9 11:40 /home/kali/work/vulhub/base/git/2.12.2/with-openssh/authorized_keys
-rw-r--r-- 1 kali kali 393 Aug  9 11:40 /home/kali/work/vulhub/git/CVE-2017-8386/id_rsa.pub
-rw-r--r-- 1 kali kali 1675 Aug  9 11:40 /home/kali/work/vulhub/git/CVE-2017-8386/id_rsa
-rw-r--r-- 1 kali kali 563 Sep  3 20:35 /home/kali/.ssh/id_rsa.pub

Find Useful Binaries (e.g. curl, nc)

which curl; which dig; which gcc; which nc.openbsd; which nc; which netcat; which nmap; which socat; which wget

(base) ┌──(kali㉿kali)-[/home/ftp-users/dr34d/aaa]
└─$ which curl; which dig; which gcc; which nc.openbsd; which nc; which netcat; which nmap; which socat; which wget
/usr/bin/curl
/usr/bin/dig
/usr/bin/gcc
nc.openbsd not found
/usr/bin/nc
/usr/bin/netcat
/usr/bin/nmap
/usr/bin/socat
/usr/bin/wget

Find Interesting Files in the Current User’s Directory

for h in $(cut -d: -f6 /etc/passwd); do find "$h" \( -name "*.rhosts" -o -name ".git-credentials" -o -name ".*history" \) -maxdepth 1 -exec ls -la {} \;;done 2>/dev/null

(base) ┌──(kali㉿kali)-[/home/ftp-users/dr34d/aaa]
└─$ for h in $(cut -d: -f6 /etc/passwd); do find "$h" \( -name "*.rhosts" -o -name ".git-credentials" -o -name ".*history" \) -maxdepth 1 -exec ls -la {} \;;done 2>/dev/null

-rw------- 1 kali kali 748 Aug 27 13:53 /home/kali/.python_history
-rw------- 1 kali kali 2600 Jul 25 10:20 /home/kali/.mysql_history
-rw------- 1 kali kali 11 Jul 30 23:36 /home/kali/.bash_history
-rw------- 1 kali kali 52518 Sep  5 17:44 /home/kali/.zsh_history

Look for Credentials in /etc/fstab /etc/mtab

grep -Ei "(user|username|login|pass|password|pw|credentials)[=:]" /etc/fstab /etc/mtab 2>/dev/null （`-path … -prune -o` 是 find 的选项而不是 grep 的；带上它们 grep 会报错退出而不输出任何内容，下面的记录即是如此）

(base) ┌──(kali㉿kali)-[/home/ftp-users/dr34d/aaa]
└─$ grep -path /proc -prune -o -path /sys -prune -o -path /dev -prune -o -Ei "(user|username|login|pass|password|pw|credentials)[=:]" /etc/fstab /etc/mtab 2>/dev/null

Check if a User has Mail

ls -l "/var/mail/kali"

(base) ┌──(kali㉿kali)-[/home/ftp-users/dr34d/aaa]
└─$ ls -l "/var/mail/kali"                                                                                                                 130 ⨯
ls: cannot access '/var/mail/kali': No such file or directory

Check if the Current User can Read other Users’ Mail

for f in /var/mail/*; do [ "$f" != "/var/mail/kali" ] && [ -r "$f" ] && echo "$f"; done

(base) ┌──(kali㉿kali)-[/home/ftp-users/dr34d/aaa]
└─$ for f in /var/mail/*; do [ "$f" != "/var/mail/kali" ] && [ -r "$f" ] && echo "$f"; done 

Look for Code Repositories

find / -path /proc -prune -o -path /sys -prune -o -path /dev -prune -o \( -name ".git" -o -name ".svn" \) -print 2>/dev/null

(base) ┌──(kali㉿kali)-[/home/ftp-users/dr34d/aaa]
└─$ find / -path /proc -prune -o -path /sys -prune -o -path /dev -prune -o \( -name ".git" -o -name ".svn" \) -print 2>/dev/null             
/pentest/tunnel/reGeorg/.git
/pentest/tunnel/Neo-reGeorg/.git
/pentest/CORScanner/.git
/pentest/commix/.git
/pentest/subfinder/.git
/pentest/JSFinder/.git
/pentest/tplmap/.git
/pentest/dic/PayloadsAllTheThings/.git

Find Writable Sensitive Files

建立于“查找用户 home 目录外其他可写文件”的结果之上,内置字典去完成筛选工作。实际渗透中可获取到目标可写文件后在本地比对。

lse_critical_writable="
/etc/apache2/apache2.conf
/etc/apache2/httpd.conf
/etc/bash.bashrc
/etc/bash_completion
/etc/bash_completion.d/*
/etc/environment
/etc/environment.d/*
/etc/hosts.allow
/etc/hosts.deny
/etc/httpd/conf/httpd.conf
/etc/httpd/httpd.conf
/etc/incron.conf
/etc/incron.d/*
/etc/logrotate.d/*
/etc/modprobe.d/*
/etc/pam.d/*
/etc/passwd
/etc/php*/fpm/pool.d/*
/etc/php/*/fpm/pool.d/*
/etc/profile
/etc/profile.d/*
/etc/rc*.d/*
/etc/rsyslog.d/*
/etc/shadow
/etc/skel/*
/etc/sudoers
/etc/sudoers.d/*
/etc/supervisor/conf.d/*
/etc/supervisor/supervisord.conf
/etc/sysctl.conf
/etc/sysctl.d/*
/etc/uwsgi/apps-enabled/*
/root/.ssh/authorized_keys
"
lse_user_writable="`find  / -path "/home/kali" -prune -o  -path /proc -prune -o -path /sys -prune -o -path /dev -prune -o -type l -user kali -print 2>/dev/null`";
for uw in $lse_user_writable; do [ -f "$uw" ] && IFS="
"; for cw in ${lse_critical_writable}; do [ "$cw" = "$uw" ] && [ -w "$cw" ] && ls -l $cw; done ; done

Find Writable Sensitive Directories

建立于“查找用户 home 目录外其他可写文件”的结果之上,内置字典去完成筛选工作。实际渗透中可获取到目标可写文件后在本地比对。

lse_critical_writable_dirs="
/etc/bash_completion.d
/etc/cron.d
/etc/cron.daily
/etc/cron.hourly
/etc/cron.weekly
/etc/environment.d
/etc/logrotate.d
/etc/modprobe.d
/etc/pam.d
/etc/profile.d
/etc/rsyslog.d/
/etc/sudoers.d/
/etc/sysctl.d
/root
"
lse_user_writable="`find  / -path "/home/kali" -prune -o  -path /proc -prune -o -path /sys -prune -o -path /dev -prune -o -type l -user kali -print 2>/dev/null`";
for uw in $lse_user_writable; do [ -d "$uw" ] && IFS="
"; for cw in ${lse_critical_writable_dirs}; do [ "$cw" = "$uw" ] && [ -w "$cw" ] && ls -ld $cw; done ; done

Check if PATH is Writable

lse_exec_paths="$(for p in $(grep -ERh "^ *PATH=.*" /etc/ 2> /dev/null | tr -d "'"'"' | cut -d= -f2 | tr ":" "\n" | sort -u); do [ -d "$p" ] && echo "$p"; done)";for ep in $lse_exec_paths; do [ -d "$ep" ] && [ -w "$ep" ] && ls -ld "$ep"; done

Find Readable Backup Files

find / -path /proc -prune -o -path /sys -prune -o -path /dev -prune -o -path /usr/lib -prune -o -path /usr/share -prune -o -regextype egrep -iregex ".*(backup|dump|cop(y|ies)|bak|bkp)[^/]*\.(sql|tgz|tar|zip)?\.?(gz|xz|bzip2|bz2|lz|7z)?" -readable -type f -exec ls -al {} \; 2>/dev/null

(base) ┌──(kali㉿kali)-[/home/ftp-users/dr34d/aaa]
└─$ find / -path /proc -prune -o -path /sys -prune -o -path /dev -prune -o -path /usr/lib -prune -o -path /usr/share -prune -o -regextype egrep -iregex ".*(backup|dump|cop(y|ies)|bak|bkp)[^/]*\.(sql|tgz|tar|zip)?\.?(gz|xz|bzip2|bz2|lz|7z)?" -readable -type f -exec ls -al {} \; 2>/dev/null
-rw-r--r-- 1 kali kali 13889 Sep  2  2021 /pentest/AntSword/antSword-master/antData/.temp/CopyShell.zip
-rw-r--r-- 1 kali kali 1202 Sep  2  2021 /pentest/AntSword/antSword-master/antData/.temp/as_copyurl.zip

Extract Possible Credentials from the History File

for h in .bash_history .history .histfile .zhistory; do [ -f "/home/kali/$h" ] && grep $lse_grep_opts -Ei "(user|username|login|pass|password|pw|credentials)[=: ][a-z0-9]+" "/home/kali/$h" | grep -v "systemctl"; done

Find NFS Exported Files (with no_root_squash option)

grep "no_root_squash" /etc/exports 2>/dev/null

Find NFS Exported Files (with no_all_squash option)

grep "no_all_squash" /etc/exports 2>/dev/null

Find Files Owned by the User (Note: may have large data volume)

find / -path /proc -prune -o -path /sys -prune -o -path /dev -prune -o -user kali -type f -exec ls -al {} \;

Find hosts.equiv Files and Get Their Contents

find /etc -iname hosts.equiv -exec ls -la {} 2>/dev/null \; -exec cat {} \;

Enumerate NFS Shares

ls -la /etc/exports 2>/dev/null && cat /etc/exports

View fstab File

cat /etc/fstab

System-related

View Current Login Sessions

w

(base) ┌──(kali㉿kali)-[~]
└─$ w     
 21:42:52 up 9 days,  9:58,  4 users,  load average: 5.87, 6.23, 6.66
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
kali     tty7     :0               27Aug22  9days 23:52   2.74s xfce4-session
kali     pts/0    192.168.137.206  Sat20    2days  0.15s  0.08s -zsh
kali     pts/1    192.168.137.206  Sat20    2days  0.11s  0.08s -zsh
kali     pts/3    192.168.137.206  Sat20    2days  0.12s  0.08s -zsh

View Recent Logins

last

(base) ┌──(kali㉿kali)-[~]
└─$ last
kali     pts/3        192.168.137.206  Sat Sep  3 20:55   still logged in
kali     pts/1        192.168.137.206  Sat Sep  3 20:54   still logged in
kali     pts/1        localhost        Sat Sep  3 20:54 - 20:54  (00:00)
kali     pts/0        192.168.137.206  Sat Sep  3 20:53   still logged in
kali     pts/14       192.168.137.91   Wed Aug 31 20:27 - 20:27  (00:00)
kali     pts/14       192.168.137.93   Wed Aug 31 19:58 - 19:59  (00:00)
kali     tty7         :0               Sat Aug 27 11:44   still logged in
reboot   system boot  5.16.0-kali7-amd Sat Aug 27 11:44   still running
kali     tty7         :0               Tue Aug 23 17:50 - crash (3+17:54)
reboot   system boot  5.16.0-kali7-amd Tue Aug 23 17:50   still running
reboot   system boot  5.16.0-kali7-amd Mon Aug 22 15:11   still running
kali     pts/19       192.168.137.206  Mon Aug  8 15:27 - 15:43  (00:16)

Check if hash is in /etc/passwd (Old Systems)

grep -v "^[^:]*:[x]" /etc/passwd

Check if hash is in /etc/group (Old System)

grep -v "^[^:]*:[x]" /etc/group

Check if shadow Files are Readable

for sf in "shadow" "shadow-" "shadow~" "gshadow" "gshadow-" "master.passwd"; do [ -r "/etc/$sf" ] && printf "%s\n---\n" "/etc/$sf" && cat "/etc/$sf" && printf "\n\n";done

Find other Superusers

for u in $(cut -d: -f1 /etc/passwd); do [ $(id -u $u) = 0 ] && echo $u; done | grep -v root

Check if Root Login is Allowed via SSH

grep -E "^[[:space:]]*PermitRootLogin " /etc/ssh/sshd_config | grep -E "(yes|without-password|prohibit-password)" 可能遇到无法读取 /etc/ssh/sshd_config 的问题。

View Available Shells

cat /etc/shells

View File Mode Mask

grep "^UMASK" /etc/login.defs

View System Password Policy

grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs

(base) ┌──(kali㉿kali)-[~]
└─$ grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
ENCRYPT_METHOD SHA512

Security-related

Check SELinux Status

sestatus

Enumerate Capabilities Files

getcap -r / 2>/dev/null

Check if Writable Capabilities Files Exist

lse_cap_bin="`getcap -r / 2>/dev/null`";for b in $(printf "$lse_cap_bin\n" | cut -d" " -f1); do [ -w "$b" ] && echo "$b"; done

Check if Full Permissions are Given to Capabilities Files

lse_cap_bin="`getcap -r / 2>/dev/null`";printf "$lse_cap_bin\n" | grep -v "cap_"

Search User Permission Assignments in /etc/security/capability.conf

grep -v "^#\|none\|^$" /etc/security/capability.conf

View a User’s Permissions in /etc/security/capability.conf

lse_user_caps="`grep -v "^#\|none\|^$" /etc/security/capability.conf`";printf "$lse_user_caps\n" | grep "kali"

Check if a User can View auditd Logs

al=/var/log/audit/audit.log; test -r "$al" && echo "tail $al:" && echo && tail "$al"

Process-related

View User’s Cron Jobs

crontab -l | grep -Ev "^#"

Check if Cron Jobs are Writable

find -L /etc/cron* /etc/anacron /var/spool/cron -writable 2>/dev/null

View All Cron Jobs

grep -ERv "^(#|$)" /etc/crontab /etc/cron.d/ /etc/anacrontab

Check if User can View Other User’s Cron Jobs

ls -la /var/spool/cron/crontabs/*

Batch Retrieve Other User’s Cron Jobs (requires permissions)

for u in $(cut -d: -f 1 /etc/passwd); do [ "$u" != "$lse_user" ] && crontab -l -u "$u"; done

Check if Corresponding Files and Paths of Cron Jobs are Writable

for p in `grep --color=never -hERoi "/[a-z0-9_/.-]+" /etc/cron* | grep -Ev "/dev/(null|zero|random|urandom)" | sort -u`; do [ -w "$p" ] && echo "$p"; done

Check if Path of Cron Jobs is Writable (incorrect)

for uwcp in $lse_user_writable_cron_paths; do [ -w "$uwcp" ] && [ -x "$uwcp" ] && grep $lse_grep_opts -R "$uwcp" /etc/crontab /etc/cron.d/ /etc/anacrontab ; done

View All Cron Job Files

ls -la /etc/cron*

Get Systemd Timers System Time

systemctl list-timers --all; systemctl --user list-timers --all | grep -iq "\.timer" && systemctl --user list-timers --all

Check if Systemd Timers are Writable

printf "$lse_user_writable\n" | grep -E "\.timer$"

Network-related

View Services Listening Only on localhost

(ss -tunlp || netstat -tunlp)2>/dev/null | grep "127.0.0.1:"

Check if tcpdump is Usable

(tcpdump -i lo -n 2>&1 & pid=$!;sleep 0.2;kill $pid)2>/dev/null | grep -i "listening on lo"

Routing Information

route -n || ip r

ARP Table

arp -an || ip n

DNS Domain Servers

grep "nameserver" /etc/resolv.conf

System Domain Servers

systemd-resolve --status || systemd-resolve --user --status

Listening TCP

netstat -tnlp || ss -tnlp

Listening UDP

netstat -unlp || ss -unlp

Service-related

Check if init.d/*, inetd.conf, xinetd.conf are Writable

lse_user_writable="`find / -path "/root" -prune -o -path /proc -prune -o -path /sys -prune -o -path /dev -prune -o -type l -user root -print 2>/dev/null`";printf "$lse_user_writable\n" | grep -E "^/etc/(init/|init\.d/|rc\.d/|rc[0-9S]\.d/|rc\.local|inetd\.conf|xinetd\.conf|xinetd\.d/)"

Check if Certain Service Programs are Writable (missing semicolon in original repo)

for b in $(grep -ERvh "^#" /etc/inetd.conf /etc/xinetd.conf /etc/xinetd.d/ /etc/init.d/ /etc/rc* 2>/dev/null | tr -s "[[:space:]]" "\n" | grep -E "^/" | grep -Ev "^/(dev|run|sys|proc|tmp)/" | sort -u); do [ -x "$b" ] && [ -w "$b" ] && echo "$b" ;done

Files in init.d that Don’t Belong to root

find /etc/init.d/ \! -uid 0 -type f | xargs -r ls -la

Files in rc.d/init.d that Don’t Belong to root

find /etc/rc.d/init.d \! -uid 0 -type f | xargs -r ls -la

Files in Autostart Folder that Don’t Belong to root

find /etc/init \! -uid 0 -type f | xargs -r ls -la

Files in /usr/local/etc/rc.d that Don’t Belong to root

find /usr/local/etc/rc.d \! -uid 0 -type f | xargs -r ls -la

View /etc/inetd.conf File Contents

cat /etc/inetd.conf

Check Telnet Service and Permissions

grep "/etc/xinetd.d" /etc/xinetd.conf ; ls -la /etc/xinetd.d

Enumerate /etc/rc.d/init.d and Permissions

ls -la /etc/rc.d/init.d

Enumerate /usr/local/etc/rc.d and Permissions

ls -la /usr/local/etc/rc.d

Enumerate /etc/init/ and Permissions

ls -la /etc/init/

Check if systemd service Files are Writable

lse_user_writable="`find / -path "/root" -prune -o -path /proc -prune -o -path /sys -prune -o -path /dev -prune -o -type l -user root -print 2>/dev/null`";printf "$lse_user_writable\n" | grep -E "^/(etc/systemd/|lib/systemd/).+\.service$"

Check if Binary Files Involved in systemd service Files are Writable

for b in $(grep -ERh "^Exec" /etc/systemd/ /lib/systemd/ 2>/dev/null | tr "=" "\n" | tr -s "[[:space:]]" "\n" | grep -E "^/" | grep -Ev "^/(dev|run|sys|proc|tmp)/" | sort -u); do [ -x "$b" ] && [ -w "$b" ] && echo "$b";done

systemd Files that Don’t Belong to root

find /lib/systemd/ /etc/systemd \! -uid 0 -type f | xargs -r ls -la

Enumerate All systemd Files and Permissions (large content)

ls -lthR /lib/systemd/ /etc/systemd/

Software-related

Check mysql root/root Login Credentials

mysqladmin -uroot -proot version

Check if mysql root User has an Empty Password

mysqladmin -uroot version

Check if Credentials Exist in mysql_history

grep -Ei "(pass|identified by|md5\()" "/root/.mysql_history" 注意更换 home 目录

Check if Postgresql template0 Allows Null Password Connections

psql -U postgres template0 -c "select version()" | grep version
template1 同理：psql -U postgres template1 -c "select version()" | grep version
或者用户名为 pgsql：psql -U pgsql template0 -c "select version()" | grep version
template1 同理：psql -U pgsql template1 -c "select version()" | grep version

View Installed Apache Modules

apache2ctl -M; httpd -M

Search for .htpasswd Files

find / -path /proc -prune -o -path /sys -prune -o -path /dev -prune -o -name "*.htpasswd" -print -exec cat {} \; 2>/dev/null

Check if ssh Private Key is Included in ssh-agent Identity

ssh-add -l | grep -iv "agent has no identities"

Check if pgp key is Included in pgp-agent Identity

gpg-connect-agent "keyinfo --list" /bye | grep "D - - 1"

Check if Writable ssh-agent Socket Exists

lse_user_writable="`find / -path "/home/kali" -prune -o -path /proc -prune -o -path /sys -prune -o -path /dev -prune -o -type l -user kali -print 2>/dev/null`";for f in $lse_user_writable; do test -S "$f" && printf "$f" | grep -Ea "ssh-[A-Za-z0-9]+/agent\.[0-9]+"; done 注意更改用户名及目录

Check if Writable pgp-agent Exists

lse_user_writable="`find / -path "/home/kali" -prune -o -path /proc -prune -o -path /sys -prune -o -path /dev -prune -o -type l -user kali -print 2>/dev/null`";for f in $lse_user_writable; do test -S "$f" && printf "$f" | grep -a "gpg-agent"; done 注意更改用户名及目录

Find keepass Database Files

find / -path /proc -prune -o -path /sys -prune -o -path /dev -prune -o -regextype egrep -iregex ".*\.kdbx?" -readable -type f -print

Find passwd-store Files

find / -path /proc -prune -o -path /sys -prune -o -path /dev -prune -o -name ".password-store" -readable -type d -print

Check for Active tmux Sessions

tmux list-sessions

Check for Other Users’ tmux Sessions

find /tmp -type d -regex "/tmp/tmux-[0-9]+" ! -user kali 注意更改用户

Check if tmux Session Files are Writable

find /tmp -writable -type s -regex "/tmp/tmux-[0-9]+/.+" ! -user kali -exec ls -l {} + 注意更改用户

Check for Active Screen Sessions

screen -ls >/dev/null && screen -ls

Check for Other Users’ screen Sessions

find /run/screen -type d -regex "/run/screen/S-.+" ! -user kali 注意更改用户

Check if screen Session Sockets are Writable

find /run/screen -type s -writable -regex "/run/screen/S-.+/.+" ! -user kali -exec ls -l {} + 注意更改用户

Check for MongoDB Connections

echo "show dbs" | mongo --quiet | grep -E "(admin|config|local)"

Check sudo Version

sudo -V | grep "Sudo version"

Check mysql Version

mysql --version

Check postgresql Version

psql -V

Check apache Version

apache2 -v; httpd -v 2>/dev/null

Check tmux Version

tmux -V

Check screen Version

screen -V

Docker Related

Check if Current Shell is in Docker

grep -i docker /proc/self/cgroup; find / -path /proc -prune -o -path /sys -prune -o -path /dev -prune -o -name "*dockerenv*" -exec ls -la {} \;

root@663ddde9a19c:/code# grep -i docker /proc/self/cgroup; find / -path /proc -prune -o -path /sys -prune -o -path /dev -prune -o -name "*dockerenv*" -exec ls -la {} \;
11:blkio:/docker/663ddde9a19cb34e7d5ff5c1669e6ae90799a427fce2558bd0bd4c957ad61c8e
10:net_prio,net_cls:/docker/663ddde9a19cb34e7d5ff5c1669e6ae90799a427fce2558bd0bd4c957ad61c8e
9:devices:/docker/663ddde9a19cb34e7d5ff5c1669e6ae90799a427fce2558bd0bd4c957ad61c8e
8:cpuacct,cpu:/docker/663ddde9a19cb34e7d5ff5c1669e6ae90799a427fce2558bd0bd4c957ad61c8e
7:pids:/docker/663ddde9a19cb34e7d5ff5c1669e6ae90799a427fce2558bd0bd4c957ad61c8e
6:perf_event:/docker/663ddde9a19cb34e7d5ff5c1669e6ae90799a427fce2558bd0bd4c957ad61c8e
5:memory:/docker/663ddde9a19cb34e7d5ff5c1669e6ae90799a427fce2558bd0bd4c957ad61c8e
4:cpuset:/docker/663ddde9a19cb34e7d5ff5c1669e6ae90799a427fce2558bd0bd4c957ad61c8e
3:hugetlb:/docker/663ddde9a19cb34e7d5ff5c1669e6ae90799a427fce2558bd0bd4c957ad61c8e
2:freezer:/docker/663ddde9a19cb34e7d5ff5c1669e6ae90799a427fce2558bd0bd4c957ad61c8e
1:name=systemd:/docker/663ddde9a19cb34e7d5ff5c1669e6ae90799a427fce2558bd0bd4c957ad61c8e
-rwxr-xr-x. 1 root root 0 Sep  1 08:15 /.dockerenv

Check if Docker Service is Running on the Host

docker --version; docker ps -a; docker images

Check if Current User Belongs to the Docker Group

groups | grep -o docker

Check if Current Environment is in an LXC Container

grep -a container=lxc /proc/1/environ | tr -d "\0"

Check if Current User Belongs to lxd/lxc Group

groups | grep $lse_grep_opts "lxc\|lxd"

Process-related

Wait for Process Monitor to Gather Information

lse_procmon_data=`mktemp`;while [ ! -s "$lse_procmon_data" ]; do sleep 1; done; cat "$lse_procmon_data" （该循环等待 lse 自身的后台进程监视器向这个临时文件写入数据；单独执行时没有写入者，循环不会结束）

Other Tricks

(grep -E "^$USER:" /etc/passwd | cut -d: -f6) 2>/dev/null  获取某个用户的 home 目录
uname -m  系统架构 x86_64 还是 x86
uname -r  内核版本
hostname  主机名
(. /etc/os-release && echo "$PRETTY_NAME")  linux 发行版
-path "/usr/sam/dir1" -prune -o  find 排除某个目录