Test Details
| Legend | Description |
|---|---|
| * | Confirmed |
| + | No Issue |
| ! | Warning |
| ? | To Check |
- Project:
- Dates:
Target List:
Accounts:
Guides & Tools
AllTheThings PrivEsc - https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#systemd-timers
Linux Hardening Checklist - https://github.com/trimstray/linux-hardening-checklist
HackTricks Checklist - https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist
Scanning
- nmap: TCP and UDP
- Nessus: select 'sudo'
- Lynis: lynis audit system
LinPEAS:
# Download the latest release (-L follows the GitHub redirect, -o names the local file)
curl -L -o linpeas.sh https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh
# Or git clone and build it
git clone https://github.com/peass-ng/PEASS-ng.git /opt/PEASS-ng
cd /opt/PEASS-ng/linPEAS
python3 -m builder.linpeas_builder --all-no-fat --output /opt/linpeas.sh
# Use it (run with sh if the file is not executable)
sh linpeas.sh > linpeas.txt
# View contents properly (-r keeps the colour escape sequences readable)
less -r linpeas.txt
# Or open linpeas.txt in Sublime Text with the ANSIescape package
Manual Configuration Review
System configuration
# OS / kernel info
uname -a
hostnamectl
uptime
# Is logging configured/enabled?
ps -edf | grep syslog
less /etc/rsyslog.conf
# Mounted partitions
cat /etc/fstab
# Interesting PATH entries?
echo $PATH
# Interesting ENV variables?
(env || set) 2>/dev/null
# no_root_squash?
cat /etc/exports
# Startup jobs
crontab -u [user] -l
# SSH settings ("PermitRootLogin no" important)
cat /etc/ssh/sshd_config
Software & Services
# Package versions
[software] --version
# Debian/Ubuntu
dpkg -s [package]
dpkg -l | grep [package]
dpkg-query -W [package]
apt show [package]
# RedHat/CentOS/Fedora
rpm -q [package]
yum info [package]
yumdb info [package]
dnf info [package]
repoquery --list [package]
# Services Running - anything root (like a DB) that shouldn't be?
netstat -ant
ps -edf
# Interesting installs?
ls /opt/
ls /tmp/
# Shared libraries, missing dependencies?
ldd /opt/[binary]
Networking
# Local
ifconfig
route
netstat -rn
cat /etc/resolv.conf
cat /etc/hosts
iptables -L -v
# Remote
showmount -e [IP]
Privilege issues
# Find sudoers
getent group sudo | cut -d: -f4
grep -Ev '^#|^$' /etc/sudoers
# Any sudo permissions?
sudo -l
# Find SUID binaries
find / -perm -4000 -type f -exec ls -la {} \; 2>/dev/null
find / -uid 0 -perm -4000 -type f 2>/dev/null
# Any risky world readable/writable files?
find / -type f -perm -006 2>/dev/null
find / -writable ! -user `whoami` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null
find / -perm -2 -type f 2>/dev/null
find / ! -path "*/proc/*" -perm -2 -type f -print 2>/dev/null
Sensitive Files https://github.com/InfoSecWarrior/Offensive-Payloads/blob/main/Linux-Sensitive-Files.txt
# Default hashing algorithm (no '$' prefix = DES and '$1$' = MD5 are weak; expect $5$, $6$ or $y$)
cat /etc/pam.d/common-password
# Review & attempt to crack hashed passwords
cat /etc/shadow > shadow.txt
cat /etc/security/opasswd > opasswd.txt
# Find more passwords
grep -rnwi "PASSWORD" / 2>/dev/null > potential_passwords.txt
find . -type f -exec grep -i -I "PASSWORD" {} /dev/null \; | less
# Ensure no secrets in startup scripts
cat /etc/sysconfig/network-scripts/*
# Ensure other config/log files are not world-readable, for example:
/etc/aliases
/etc/mysql/my.cnf
/etc/apache2/httpd.conf
/etc/httpd/httpd.conf
/var/log/httpd/access_log
/var/log/postgresql/postgresql.log
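An added example, not part of the original notes: a small POSIX sh checker for three of the items above (sshd PermitRootLogin, no_root_squash exports, and the shadow hash algorithm), printing findings with the legend markers from the top of the page. The function names and the sample files are hypothetical; on a real host, point the functions at /etc/ssh/sshd_config, /etc/exports and /etc/shadow instead.

```shell
#!/bin/sh
# Added example (not from the original notes); helper names and samples are hypothetical.

# sshd_config: the last PermitRootLogin directive wins; commented lines are ignored
sshd_root_login() {
  val=$(grep -i '^[[:space:]]*PermitRootLogin[[:space:]]' "$1" | tail -n 1 | awk '{print tolower($2)}')
  case "$val" in
    no) echo "+ PermitRootLogin no" ;;
    "") echo "? PermitRootLogin not set (default depends on OpenSSH version)" ;;
    *)  echo "! PermitRootLogin $val" ;;
  esac
}

# /etc/exports: no_root_squash means a remote root keeps uid 0 on the export
nfs_root_squash() {
  hits=$(grep -v '^[[:space:]]*#' "$1" | grep -c 'no_root_squash' || true)
  [ "$hits" -gt 0 ] && echo "! $hits export(s) with no_root_squash" || echo "+ no no_root_squash exports"
}

# /etc/shadow: classify each active account's hash by prefix (no '$' = DES, $1$ = MD5: weak)
shadow_hash_algs() {
  awk -F: '$2 != "" && $2 !~ /^[!*]/ {
    if ($2 !~ /^\$/)        tag = "! DES";
    else if ($2 ~ /^\$1\$/) tag = "! MD5";
    else if ($2 ~ /^\$5\$/) tag = "+ SHA-256";
    else if ($2 ~ /^\$6\$/) tag = "+ SHA-512";
    else if ($2 ~ /^\$y\$/) tag = "+ yescrypt";
    else                    tag = "? " substr($2, 1, 3);
    print tag, $1 }' "$1"
}

# Constructed sample files so the checks run offline (made-up values, not real hashes)
make_samples() {
  printf '# PermitRootLogin no\nPermitRootLogin yes\n' > "$1/sshd_config"
  printf '# exports\n/srv/share *(rw,no_root_squash)\n/home 10.0.0.0/24(ro)\n' > "$1/exports"
  printf 'root:$6$salt$fakehash:19000:0:99999:7:::\nlegacy:$1$ab$fakehash:19000:0:99999:7:::\n' > "$1/shadow"
  printf 'old:fakeDEShash13:19000:0:99999:7:::\nsvc:!:19000:0:99999:7:::\n' >> "$1/shadow"
}

dir=$(mktemp -d)
make_samples "$dir"
sshd_root_login "$dir/sshd_config"   # ! PermitRootLogin yes
nfs_root_squash "$dir/exports"       # ! 1 export(s) with no_root_squash
shadow_hash_algs "$dir/shadow"       # + SHA-512 root / ! MD5 legacy / ! DES old (svc is locked, skipped)
rm -rf "$dir"
```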
MySQL
https://pentesterlab.com/exercises/linux_host_review/course
TODO