Aquí vamos a identificar y comprobar permisos, configuraciones, procesos corriendo... Cualquier cosa que pueda darnos una vía para posteriormente escalar privilegios, ya sea accediendo como root, ejecutando comandos con los permisos de éste, elevando los permisos de nuestro usuario, etc...
Listar servicios corriendo como root
Listar servicios corriendo como root , permiso, y exports NFS
Copy echo 'services running as root'; ps aux | grep root; echo 'permissions'; ps aux | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++'; echo 'nfs info'; ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null Listar conexiones en la máquina y servicios a la escucha asignados a puertos
Configuración de red
Copy /sbin/ifconfig -a; cat /etc/network/interfaces; cat /etc/sysconfig/network; cat /etc/resolv.conf; cat /etc/sysconfig/network; cat /etc/networks; iptables -L; hostname; dnsdomainname
Listar programas con el SUID activado (que se ejecuten con permisos de root)
Copy find / - user root - perm - 4000 - print 2 >/ dev / null
find / - perm - u = s -type f 2>/dev/null
find / -perm -g = s - o - perm - 4000 ! - type l - maxdepth 6 - exec ls - ld {} \\; 2 >/ dev / null
find / - perm - 1000 -type d 2>/dev/null
find / -perm -g = s - type f 2 >/ dev / null
Listar tareas programados
Copy crontab - l
ls - alh /var /spool/cron
ls - al / etc / | grep cron
ls - al / etc / cron *
cat / etc / cron *
cat / etc / at .allow
cat / etc / at .deny
cat / etc / cron .allow
cat / etc / cron .deny
cat / etc / crontab
cat / etc / anacrontab
cat /var /spool/cron/crontabs/root
crontab -l; ls -alh /var/spool/cron; ls -al /etc/ | grep cron; ls -al /etc/cron*; cat /etc/cron*; cat /etc/at.allow; cat /etc/at.deny; cat /etc/cron.allow; cat /etc/cron.deny
Listar variables de entorno
Copy env
export
cat /etc/profile; cat /etc/bashrc; cat ~/.bash_profile; cat ~/.bashrc; cat ~/.bash_logout; env; set
Listar impresoras
Listar aplicaciones instaladas
ls -alh /usr/bin/; ls -alh /sbin/; dpkg -l; rpm -qa; ls -alh /var/cache/apt/archivesO; ls -alh /var/cache/yum/*;
Listar archivos de configuración con permisos de escritura (directorio /etc/)
Copy /find /etc/ -writable -type f 2>/dev/null
Listar servicios mal configurados
Copy cat /etc/syslog.conf; cat /etc/chttp.conf; cat /etc/lighttpd.conf; cat /etc/cups/cupsd.conf; cat /etc/inetd.conf; cat /etc/apache2/apache2.conf; cat /etc/my.conf; cat /etc/httpd/conf/httpd.conf; cat /opt/lampp/etc/httpd.conf; ls -aRl /etc/ | awk '$1 ~ /^.r./'
Buscar contraseñas/usuarios hardcodeados• grep -i user [filename]
Copy grep -i pass [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password"
grep -C 5 "password" [filename]
Buscar otros usuarios
Copy id; who; w; last; cat /etc/passwd | cut -d: -f1; echo 'sudoers:'; cat /etc/sudoers; sudo -l
Listar superusuarios
Copy grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'
awk -F: '($3 == "0") {print}' /etc/passwd
Listar directorios /home/ de otros usuarios
Copy ls -ahlR /root/; ls -ahlR /home/
Contenido del histórico del usuario
Copy cat ~ /.bash_history; cat ~/ .nano_history; cat ~ /.atftp_history; cat ~/ .mysql_history; cat ~/ .php_history Contenido de mails de usuarios
Copy cat ~ /.bashrc; cat ~/ .profile; cat /var /mail/root; cat /var /spool/mail/root Búsqueda de aplicaciones de interés (para futuras operaciones) (WGET, NC/NetCat, FTP)
Copy find / - name wget; find / - name nc * ; find / - name netcat * ; find / - name tftp * ; find / - name ftp Listar unidades de disco / sistemas de archivo montados en la máquina
Copy mount; df - h; cat / etc / fstab Listar carpetas con permisos de lectura, escritura y ejecución globales
Copy echo "world-writeable folders"; find / -writable -type d 2>/dev/null; echo "world-writeable folders"; find / -perm -222 -type d 2>/dev/null; echo "world-writeable folders"; find / -perm -o w -type d 2>/dev/null; echo "world-executable folders"; find / -perm -o x -type d 2>/dev/null; echo "world-writeable & executable folders"; find / \\( -perm -o w -perm -o x \\) -type d 2>/dev/null; Ficheros donde buscar claves privadas de SSH
Copy ~/.ssh/authorized_keys
~/.ssh/identity.pub
~/.ssh/identity
~/.ssh/id_rsa.pub
~/.ssh/id_rsa
~/.ssh/id_dsa.pub
~/.ssh/id_dsa
/etc/ssh/ssh_config
/etc/ssh/sshd_config
/etc/ssh/ssh_host_dsa_key.pub
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_rsa_key.pub
/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_key.pub
/etc/ssh/ssh_host_key Búsqueda de información en logs de interés
Copy ~/.ssh/authorized_keys
/etc/httpd/logs/access.log/
etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/log/apache2/access_log
/var/log/apache2/access.log
/var/log/apache2/error_log
/var/log/apache2/error.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/auth.log
/var/log/chttp.log
/var/log/cups/error_log
/var/log/dpkg.log
/var/log/faillog
/var/log/httpd/access_log
/var/log/httpd/access.log
/var/log/httpd/error_log
/var/log/httpd/error.log
/var/log/lastlog
/var/log/lighttpd/access.log
/var/log/lighttpd/error.log
/var/log/lighttpd/lighttpd.access.log
/var/log/lighttpd/lighttpd.error.log
/var/log/messages
/var/log/secure
/var/log/syslog
/var/log/wtmp
/var/log/xferlog
/var/log/yum.log
/var/run/utmp
/var/webmin/miniserv.log
/var/www/logs/access_log
/var/www/logs/access.log
/var/lib/dhcp3/
/var/log/postgresql/
/var/log/proftpd/
/var/log/samba/
Last updated 2 months ago