For Privilege Access (Linux)

Recursively find a string:

# Find ETSCTF on every file under the current directory
find . -type f -exec grep -H 'ETSCTF' {} \; 2>/dev/null
# Identify any file (not directory) modified in the last day
find / -mtime -1 -type f -uid +0 -exec ls -al {} \; 2>/dev/null
# Binaries with user SUID
find / -perm -u=s -type f 2>/dev/null

Capabilities

getcap -r / 2>/dev/null

Searching writable directories

find / -writable -type d 2>/dev/null

SETUID

find / -perm -4000 2>/dev/null
find / -perm -4000 -type f 2>/dev/null   # regular files only
find / -perm -u=s -type f 2>/dev/null

Examples: Epsilon
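
A defensive counterpart to the SUID searches above, as an added example that is not part of the original page: it compares the SUID/SGID files currently on disk with a reviewed baseline list and prints anything new. The function names and the baseline file are assumptions.

```shell
#!/bin/sh
# Added example: report SUID/SGID files that are not in a reviewed baseline.
# Function names and the baseline file format are assumptions of this example.

# list_setid ROOT
# Print every regular file under ROOT that has the setuid or setgid bit set,
# one path per line, sorted bytewise. -xdev keeps find on one filesystem.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
        LC_ALL=C sort
}

# unexpected_setid ROOT BASELINE
# BASELINE is a text file of approved paths, one per line, sorted with
# LC_ALL=C sort (for example a saved list_setid run that has been reviewed).
# Prints the paths found now that are missing from BASELINE.
unexpected_setid() {
    scan=$(mktemp) || return 1
    list_setid "$1" > "$scan"
    # comm -23 keeps lines that appear only in the first file (current scan).
    LC_ALL=C comm -23 "$scan" "$2"
    rm -f "$scan"
}

# Run directly as: script.sh ROOT BASELINE
if [ "$#" -eq 2 ]; then
    unexpected_setid "$1" "$2"
fi
```

Paths containing newlines are not handled, since both lists are line-based.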

Sudoers

cat /etc/sudoers

Find world-writeable directories

find / -perm -0002 -type d 2>/dev/null

Check current user's sudo access

sudo -l

Check permissions of files in the /root directory

ls -als /root/*

Check permissions of dot files/directories

ls -als /root/.*

Check for access to users’ .ssh directories

ls -als /home/*/.ssh

Check readability of apache/nginx access log

cat /var/log/apache/access.log
cat /var/log/apache2/access.log
cat /var/log/nginx/access.log

Search for “user” and “pass” strings in the Apache access log

grep -E "user|pass" /var/log/apache/access.log

Dump Wireless Pre-Shared Keys

cat /etc/NetworkManager/system-connections/* | grep -E "^id|^psk"

Search for “password” string in conf files

grep "password" /etc/*.conf 2> /dev/null

PGP Keys

cat /home/*/.gnupg/secring.gpg

SSH Keys

cat /home/*/.ssh/id*

Show any LDAP, Local or NIS Accounts

getent passwd

Dump Samba user Database Information

pdbedit -L -w
pdbedit -L -v

Kerberos Tickets

cat /tmp/krb*

Search for files of .txt extension with name “password”

find / -name 'password*.txt' 2> /dev/null