Checklist

Escape from limited shell and/or obtain full functionality
Verify if the current shell is from a docker instance
Get user information
- Can use sudo
  - sudo su or sudo - su
  - Sudo without password
    Sudo rules with wildcards
    Allowed commands can spawn elevated shells
    Sudo version exploits
    LD_PRELOAD exploit
- Readable home folders
  - hidden files
  - bash history
  - .gnupg folder
  - .ssh folder
  - sudo_command_successful
- Docker/lxd groups exploit
- Can switch to another user without password or using other known credentials
- Exploitable service accounts (i.e. apache, cron, ftp...) may allow to gain different/better privileges
- Readable or Writable sensitive files
  - Editable sudoers file
  - Editable passwd file
  - Editable .service files
  - Credentials or config files
    PHP config files (i.e. wp-config.php)
    DB config files (i.e. my.cnf)
- Check environment variables
Enumerate OS version for common vulnerabilities
Test for Shellshock exploit
Enumerate sensitive files and folders
- Globally readable/writable files
- Binaries with SUID bit set
Enumerate tasks and processes
- Running processes
- Ask the package manager (apt, dnf, yum, pacman...) for a list of installed software
- Check installed software for vulnerabilities
  - Known CVEs
  - Arbitrary file read/write capabilities
  - Capability to spawn an elevated shell (i.e. SUID + command execution)
  - Application can create sockets
- Check running services
- Check crontab files for scheduled scripts
  - Edit scheduled scripts to execute arbitrary code
  - Check for relative paths in commands
- Expose processes listening on localhost by rerouting traffic through a SSH Reverse Proxy
Enumerate and mount other drives or partitions
Enumerate custom executables/scripts
- Missing library hijack exploit
- Relative path hijack exploit

Previous6667 - IRC NextEnumeration

Last updated 1 year ago

Checklist

Escape from limited shell and/or obtain full functionality
Verify if the current shell is from a docker instance
Get user information
- Can use sudo
  - sudo su or sudo - su
  - Sudo without password
    Sudo rules with wildcards
    Allowed commands can spawn elevated shells
    Sudo version exploits
    LD_PRELOAD exploit
- Readable home folders
  - hidden files
  - bash history
  - .gnupg folder
  - .ssh folder
  - sudo_command_successful
- Docker/lxd groups exploit
- Can switch to another user without password or using other known credentials
- Exploitable service accounts (i.e. apache, cron, ftp...) may allow to gain different/better privileges
- Readable or Writable sensitive files
  - Editable sudoers file
  - Editable passwd file
  - Editable .service files
  - Credentials or config files
    PHP config files (i.e. wp-config.php)
    DB config files (i.e. my.cnf)
- Check environment variables
Enumerate OS version for common vulnerabilities
Test for Shellshock exploit
Enumerate sensitive files and folders
- Globally readable/writable files
- Binaries with SUID bit set
Enumerate tasks and processes
- Running processes
- Ask the package manager (apt, dnf, yum, pacman...) for a list of installed software
- Check installed software for vulnerabilities
  - Known CVEs
  - Arbitrary file read/write capabilities
  - Capability to spawn an elevated shell (i.e. SUID + command execution)
  - Application can create sockets
- Check running services
- Check crontab files for scheduled scripts
  - Edit scheduled scripts to execute arbitrary code
  - Check for relative paths in commands
- Expose processes listening on localhost by rerouting traffic through a SSH Reverse Proxy
Enumerate and mount other drives or partitions
Enumerate custom executables/scripts
- Missing library hijack exploit
- Relative path hijack exploit

Previous6667 - IRC NextEnumeration

Last updated 1 year ago