Linux Local Recon

Bash History

  • Check the current user's bash history

  • Check every user's bash history after escalating to root

SSH Key

  • id_rsa

A private key may be stored under another name, such as bob.key, so check file contents rather than file names

/home/bob/.ssh/id_rsa is not necessarily Bob's key; it could be Alice's private key

  • known_hosts (where readable)

Servers the current user has connected to, and which the user's private key may therefore access. Entries may be hashed (HashKnownHosts)

  • authorized_keys

Public keys of the clients allowed to connect to this server as the current user

Credentials in config/text files

  • Config files of web apps

  • Credential reuse

Database

  • Credentials stored in tables

  • Credential reuse

sudo -l

  • GTFOBins (look up each binary the user may run with sudo)

SUID binaries

  • GTFOBins (look up each SUID binary)

SSH ControlMaster

A -> B: A has a multiplexed ControlMaster session open to B, so whoever controls the socket on A piggybacks on A's access to B

ControlMaster/ControlPath settings live in ~/.ssh/config or /etc/ssh/ssh_config

Look for socket files such as kevin@web03:22 under /home/kevin/.ssh/controlmaster

As kevin, the existing socket is reused automatically:

ssh kevin@web03

If logged in as root, pass another user's socket to ssh explicitly with -S:

ssh -S /home/alice/.ssh/controlmaster\@alice@web03\:22 alice@web03

SSH Agent Forwarding

A -> B -> C: A has a session on B with agent forwarding enabled, and A's private key can access both B and C

On B, to access C:

Normal user (the forwarded agent socket is already in SSH_AUTH_SOCK)

ssh alice@web03

Privileged user (locate the forwarded agent socket under /tmp and point SSH_AUTH_SOCK at it; ssh-add -l lists the keys the agent holds)

SSH_AUTH_SOCK=/tmp/ssh-xxx ssh-add -l

SSH_AUTH_SOCK=/tmp/ssh-xxx ssh alice@web03
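The ControlMaster and agent-forwarding sections above describe conditions an auditor can check for on a host. The following POSIX shell helper is an added example, not code from these notes: it takes the path of one user's ~/.ssh directory (assumed to be supplied by the caller) and reports private keys stored under any name, keys readable by other local users, live ControlMaster sockets, config directives that enable ControlMaster or agent forwarding, and hashed known_hosts. The finding labels (PRIVKEY, LOOSE-PERMS, and so on) are my own naming.

```shell
#!/bin/sh
# Added audit helper (not part of the original notes): walks one user's
# ~/.ssh directory and reports the artifacts discussed in the SSH sections.
# Assumptions: POSIX sh plus find/grep/stat; the directory path is passed in.

# Detect private keys by content, not by filename, because a key may be
# stored under any name (bob.key, backup.txt, ...).
is_private_key() {
    # $1 = path; returns 0 when the first line is a PEM/OpenSSH key header
    head -n 1 "$1" 2>/dev/null | grep -q -- '-----BEGIN .*PRIVATE KEY-----'
}

# Octal permission bits, portable across GNU stat and BSD stat.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Report findings for one directory; prints one line per finding:
#   PRIVKEY <path> <mode>          a private key (any filename)
#   LOOSE-PERMS <path> <mode>      private key with group/other bits set
#   CONTROL-SOCKET <path>          a live ControlMaster socket
#   FORWARD-AGENT <config>         config enables agent forwarding
#   CONTROL-MASTER <config>        config enables ControlMaster
#   HASHED-KNOWN-HOSTS <path>      known_hosts entries are hashed
audit_ssh_dir() {
    dir=$1
    [ -d "$dir" ] || return 0

    # 1. Private keys under any name, plus their permission bits.
    find "$dir" -type f 2>/dev/null | while read -r f; do
        if is_private_key "$f"; then
            mode=$(file_mode "$f")
            echo "PRIVKEY $f $mode"
            # Any group/other bit means another local account can read the key.
            case "$mode" in
                *00) ;;
                *)   echo "LOOSE-PERMS $f $mode" ;;
            esac
        fi
    done

    # 2. ControlMaster sockets: a socket under ~/.ssh is a live multiplexed
    #    session that anyone able to open the socket can reuse.
    find "$dir" -type s 2>/dev/null | while read -r s; do
        echo "CONTROL-SOCKET $s"
    done

    # 3. Client config directives that create the conditions above.
    cfg="$dir/config"
    if [ -f "$cfg" ]; then
        grep -Eiq '^[[:space:]]*ForwardAgent[[:space:]]+yes' "$cfg" \
            && echo "FORWARD-AGENT $cfg"
        grep -Eiq '^[[:space:]]*ControlMaster[[:space:]]+(yes|auto|autoask|ask)' "$cfg" \
            && echo "CONTROL-MASTER $cfg"
    fi

    # 4. known_hosts written with HashKnownHosts: entries start with "|1|".
    kh="$dir/known_hosts"
    if [ -f "$kh" ] && grep -q '^|1|' "$kh"; then
        echo "HASHED-KNOWN-HOSTS $kh"
    fi
    return 0
}

# Usage: audit_ssh_dir /home/alice/.ssh
```

Run it as root across every home directory to see which users have left reusable sessions or loosely protected keys behind; the remediation is chmod 600 on keys, ControlMaster no / ForwardAgent no in the client config, and closing idle master sessions.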

ccache file

  • Contains the Kerberos tickets the user has requested, e.g. /tmp/krb5cc_jack

  • Convert ccache to kirbi file

Use a ccache by pointing KRB5CCNAME at it:

export KRB5CCNAME=/tmp/krb5cc_george

/etc/krb5.keytab

  • The host's keytab; it can be used for Kerberos authentication

keytab file

  • Contains Kerberos principal names and their encrypted keys, e.g. /tmp/alice.keytab

Authenticate with a keytab:

kinit alice@red.com -k -t /tmp/alice.keytab

/etc/crontab

  • System cron jobs

pspy

  • Hidden cronjobs (could contain credentials)

/opt/pbis

  • Enumerate the domain on Linux

  • Make use of keytab and ccache files
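The ccache and keytab entries above are only as safe as their file permissions, and both can sit under any name. As an added example (not from these notes), the following POSIX shell helper identifies ccache and keytab files by their two-byte version header instead of relying on names like krb5cc_* or *.keytab, and flags any that other local users can read. Directory paths are supplied by the caller and the output labels are my own. One caveat is built in: the 0x0502 tag belongs to keytab v2 and also to the long-obsolete ccache v2, so it is labelled keytab, while modern caches carry 0x0504 (0x0503 on some older clients).

```shell
#!/bin/sh
# Added audit helper (not part of the original notes): locates Kerberos
# credential caches and keytabs by their file header rather than by name,
# and reports any that group or other users can read.
# Assumptions: POSIX sh plus od/find/stat; directories to scan are passed in.
# Only FILE-type caches are covered (KEYRING/DIR caches are not files).

# Kerberos file formats begin with a 2-byte version tag:
#   05 04  credential cache (ccache) version 4, the current default
#   05 03  credential cache version 3, seen on older clients
#   05 02  keytab version 2 (also the obsolete ccache v2; treated as keytab)
krb_file_type() {
    # $1 = path; prints ccache, keytab or unknown
    hdr=$(od -An -N2 -tx1 "$1" 2>/dev/null | tr -d ' \n')
    case "$hdr" in
        0504|0503) echo ccache ;;
        0502)      echo keytab ;;
        *)         echo unknown ;;
    esac
}

# Octal permission bits, portable across GNU stat and BSD stat.
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"; }

# Scan the top level of each directory; prints one line per Kerberos file:
#   <type> <path> <mode> <ok|LOOSE-PERMS>
# LOOSE-PERMS means any group/other bit is set, so another local account
# could copy the ticket or key material.
audit_krb_files() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -maxdepth 1 -type f 2>/dev/null | while read -r f; do
            t=$(krb_file_type "$f")
            if [ "$t" = unknown ]; then
                continue
            fi
            mode=$(file_mode "$f")
            case "$mode" in
                *00) flag=ok ;;
                *)   flag=LOOSE-PERMS ;;
            esac
            echo "$t $f $mode $flag"
        done
    done
    return 0
}

# Usage: audit_krb_files /tmp /etc /home/alice
```

Anything reported as LOOSE-PERMS should be tightened to mode 600 and owned by the principal's user (or root for /etc/krb5.keytab); a keytab found in /tmp is worth asking why it exists at all.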

Last updated 1 year ago