mirror of
https://github.com/carlospolop/hacktricks.git
synced 2023-12-14 19:12:55 +01:00
GitBook: [master] one page modified
This commit is contained in:
parent
ac38cb05fe
commit
23e574f503
1 changed files with 97 additions and 1 deletions
@ -4,7 +4,34 @@ Do you want to **know** about my **latest modifications**/**additions or you hav
If you want to **share some tricks with the community** you can also submit **pull requests** to ****[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) ****that will be reflected in this book.
If you want to **share some tricks with the community** you can also submit **pull requests** to ****[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) ****that will be reflected in this book.
Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
## Kernel exploits
## System Information
### OS info
Let's starting gaining some knowledge of the OS running
```bash
(cat /proc/version || uname -a ) 2>/dev/null
lsb_release -a 2>/dev/null
```
### Path
If you **have write permissions on any folder inside the `PATH`** variable you may be able to hijacking some libraries or binaries:
```bash
echo $PATH
```
### Env info
Interesting information, passwords or API keys in the environment variables?
```bash
(env || set) 2>/dev/null
```
### Kernel exploits
Check the kernel version and if there is some exploit that can be used to escalate privileges
Check the kernel version and if there is some exploit that can be used to escalate privileges
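Review bot: the new `### Path` block's prose says the interesting case is a writable directory inside `PATH`, but the snippet only runs `echo $PATH` and leaves the actual writability check to the reader; consider adding a loop such as `for d in ${PATH//:/ }; do [ -w "$d" ] && echo "writable: $d"; done` so the block tests what the sentence above it describes. Two wording fixes in the same hunk: `Let's starting gaining some knowledge` should read `Let's start gaining some knowledge`, and `you may be able to hijacking` should be `you may be able to hijack`. Also, `lsb_release -a` is absent on many minimal installs, so `cat /etc/os-release 2>/dev/null` would be a more portable fallback next to it.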
@ -57,6 +84,75 @@ You can check if the sudo version is vulnerable using this grep.
sudo -V | grep "Sudo ver" | grep "1\.[01234567]\.[0-9]\+\|1\.8\.1[0-9]\*\|1\.8\.2[01234567]"
sudo -V | grep "Sudo ver" | grep "1\.[01234567]\.[0-9]\+\|1\.8\.1[0-9]\*\|1\.8\.2[01234567]"
```
```
### Date, system stats and CPU info
```bash
date 2>/dev/null #Date
(df -h || lsblk) #System stats
lscpu #CPU info
```
### Dmesg signature verification failed
Check **smasher2 box of HTB** for an **example** of how this vuln could be exploited
```bash
dmesg 2>/dev/null | grep "signature"
```
### Printers
```bash
lpstat -a 2>/dev/null
```
### Enumerate possible defenses
#### AppArmor
```bash
if [ `which aa-status 2>/dev/null` ]; then
aa-status
elif [ `which apparmor_status 2>/dev/null` ]; then
apparmor_status
elif [ `ls -d /etc/apparmor* 2>/dev/null` ]; then
ls -d /etc/apparmor*
else
echo "Not found AppArmor"
fi
```
#### Grsecurity
```bash
((uname -r | grep "\-grsec" >/dev/null 2>&1 || grep "grsecurity" /etc/sysctl.conf >/dev/null 2>&1) && echo "Yes" || echo "Not found grsecurity")
```
#### PaX
```bash
(which paxctl-ng paxctl >/dev/null 2>&1 && echo "Yes" || echo "Not found PaX")
```
#### Execshield
```bash
(grep "exec-shield" /etc/sysctl.conf || echo "Not found Execshield")
```
#### SElinux
```bash
(sestatus 2>/dev/null || echo "Not found sestatus")
```
#### ASLR
```bash
cat /proc/sys/kernel/randomize_va_space 2>/dev/null
#If 0,not enabled
```
## Software exploits
## Software exploits
Check for the **version of the installed packages and services**. Maybe there is some old Nagios version \(for example\) that could be exploited for gaining privileges…
Check for the **version of the installed packages and services**. Maybe there is some old Nagios version \(for example\) that could be exploited for gaining privileges…
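Review bot: in the `#### AppArmor` block, `if [ \`which aa-status 2>/dev/null\` ]; then` relies on an unquoted command substitution inside `[ ]`, which only works because `which` prints nothing on failure, and `[ \`ls -d /etc/apparmor*\` ]` breaks with a syntax error as soon as the glob expands to more than one entry; the idiomatic form is `if command -v aa-status >/dev/null 2>&1; then` and `elif ls -d /etc/apparmor* >/dev/null 2>&1; then`. Related logic point in `#### PaX`: on Debian-derived systems `which paxctl-ng paxctl` exits non-zero if any one of the names is missing, so the block prints `Not found PaX` when only one of the two tools is installed; test them separately (`command -v paxctl-ng || command -v paxctl`). Smaller points in the same hunk: `(df -h || lsblk) #System stats` is disk and block-device information, not system stats, and it and `lscpu` lack the `2>/dev/null` the neighbouring commands use; the Execshield check reads only `/etc/sysctl.conf`, while the live value is `/proc/sys/kernel/exec-shield` on kernels that carry that patch; and the ASLR comment `#If 0,not enabled` would be more useful as `0 = disabled, 1 = stack/mmap/vdso randomized, 2 = also brk randomized (default)`.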