• Is there a walkthrough for what you’re trying to do? If so, follow it: google and try to understand what you’re dealing with
  • ALWAYS upgrade your shell
  • LinPEAS
    • check whether any services listen only locally (e.g. an HTTP service bound to 127.0.0.1)
    • check the hosts file (/etc/hosts)
    • check /var/www: directories you can’t reach from the outside may be reachable from the inside (only accessible locally)
  • Google the version numbers of EVERYTHING
  • search the home directory for interesting files, including hidden ones and ones that look ‘boring’; use find and grep for this, but be careful: a file that contains a password doesn’t necessarily contain a string you can ‘grep’ for
    • try grabbing SSH keys from .ssh in the home folder
    • especially the home folder and the web root under /var, because those can hold clear-text credentials
      • .php files (config files in particular) and .htpasswd files are worth looking into
  • check the folder permissions the user and the user’s groups have
    • maybe there is a PATH hijacking opportunity?
    • maybe a script inside the folder executes a command by bare name (not by absolute path) that you can hijack via PATH?
    • you can’t edit files that are currently opened by other users, but you can APPEND stuff to them, like shells
  • check the groups of the exploited user and check the custom binaries that user/group owns. DON’T FORGET THE GROUPS
  • check the privileges those binaries have (maybe SUID?)
    • run a simple sudo -l to see what you can do
    • to find such files/binaries use find / -perm -4000 -type f 2>/dev/null (the leading octal digit: 4 is the SUID bit, 2 is the SGID bit, 1 is the sticky bit)
    • https://gtfobins.github.io/gtfobins
    • run strings on said binaries
    • check whether you can create your own ‘fake’ binary for a command that is called by bare name rather than by absolute path
    • how to preserve SUID privileges in a spawned shell: 1) the exploit should call setreuid(0,0) to keep privs; 2) you can call setuid(0) and seteuid(0) in the binary to make sure the user keeps privs afterwards; 3) alternatively, make sure the hidden function calls /bin/sh -p, which keeps privs
  • if you find strings/documents, check for base64 and try CyberChef’s Magic recipe
  • check running processes with ps/top
  • https://www.revshells.com
    • don’t use the default Kali shell, use /bin/bash
    • for a full/better shell: python3 -c 'import pty;pty.spawn("/bin/bash")'
    • or, if that doesn’t work: script /dev/null -c bash
    • stty raw -echo; fg; then export TERM=xterm for autocomplete
    • if you keep getting kicked out of shells (as in sqlmap), spawn a ‘shell in a shell’
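The SUID and PATH items above describe conditions an administrator should find first. The following audit helper is an added example, not part of the original notes; it assumes GNU find and reports set-id files under a root and PATH entries the current user can write to.

```shell
#!/bin/sh
# Added audit helper, not part of the original notes. It reports two of the
# conditions the checklist looks for, so a defender can find and fix them
# first: set-id files under a root, and PATH entries the current user can
# write to (the precondition for the PATH hijacking described above).

# list_setid ROOT: regular files under ROOT with the SUID (4) or SGID (2)
# bit set. -perm /6000 matches either bit; -perm -4000 would match SUID only.
list_setid() {
    find "$1" -xdev -type f -perm /6000 2>/dev/null | sort
}

# count_setid ROOT: number of set-id files, for comparing against a baseline
# recorded right after installation (any new entry deserves a look).
count_setid() {
    list_setid "$1" | wc -l | tr -d ' '
}

# writable_path_dirs PATHSTRING: classify each entry of a colon-separated PATH.
#   RELATIVE  empty or non-absolute entry (resolves to the current directory)
#   WRITABLE  directory this user can modify, so a fake binary could be planted
#   MISSING   directory that does not exist (yet)
# Runs in a subshell so changing IFS and disabling globbing stay local.
writable_path_dirs() (
    set -f
    IFS=:
    for d in $1; do
        case $d in
            "" | [!/]*) printf 'RELATIVE %s\n' "${d:-<empty>}" ;;
            *) if [ -w "$d" ]; then printf 'WRITABLE %s\n' "$d"
               elif [ ! -d "$d" ]; then printf 'MISSING %s\n' "$d"; fi ;;
        esac
    done
)

# Check the PATH of the current session; a full set-id sweep would be
# list_setid / (commented out here because it walks the whole filesystem).
writable_path_dirs "$PATH"
```

Run the set-id sweep on a freshly installed system, save the list, and diff later sweeps against it; a new SUID file or a writable PATH directory is a finding to remediate, not just to note.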