Linux Local Recon

Bash History

Check the current user's bash history
Check every user's bash history after escalating to the root

SSH Key

id_rsa

Could be in other name such as bob.key

/home/bob/.ssh/id_rsa could be Alice's private key

known_host (Which you can access)

Servers that the current user's private key can access. Could be hashed

authorized_key

Clients have been connected to this server as the current user

Credential in config/text files

Config file of web app
Credential reuse

Database

Stored Credentials in table
Credential reuse

sudo -l

GTFOBins

suid

GTFOBins

SSH control master

A ->B: A has a session on B, piggybacking A's access to B

~/.ssh/config or /etc/ssh/ssh_config

Any socket file like kevin@web03:22 in /home/kevin/.ssh/controlmaster

ssh kevin@web03

If logged in as root

ssh -S /home/alice/.ssh/controlmaster\@alice@web03\:22 alice@web03

SSH Agent Forwarding

A -> B -> C: A has a session on B, and A's private key can access to both B and C

On B to access C

Normal user

ssh alice@web03

Privileged User

SSH_AUTH_SOCK=/tmp/ssh-xxx ssh-add -l

SSH_AUTH_SOCK=/tmp/ssh-xxx ssh alice@web03

ccache file

Contain request Kerberos tickets

/tmp/krb5cc_jack

Convert ccache to kirbi file

export KRB5CCNAME=/tmp/krb5cc_george

/etc/krb5.keytab

It can be used for Kerberos authentication

keytab file

Contain Kerberos principle name and encrypted keys

/tmp/alice.keytab

/etc/crontab

kinit [email protected] -k -t /tmp/alice.keytab

pspy

Hidden cronjobs (Could contain credentials)

/opt/pbis

Enumerate domain on Linux
Make use of keytab and ccache file

PreviousApplication Whitelisting and Credentials NextFile Transfer & Execution

Last updated 1 year ago

hashtagBash History

hashtagSSH Key

hashtagDatabase

hashtagsudo -l

hashtagSSH control master

hashtagccache file

hashtag/etc/krb5.keytab

hashtagkeytab file

hashtagpspy

hashtag/opt/pbis