issue155:c_c


Since Lucas absconded, we cannot fill his slot with more Lucas-stuff, so we went with something I think will be fun and interactive. (Also as I know nothing about rust or go). This may also help some of you who happen to be studying towards OSCP – but I am not saying it will. See: https://forum.hackthebox.eu/discussion/1730/a-script-kiddie-s-guide-to-passing-oscp-on-your-first-attempt/p1

Since Lucas has slipped away, we can no longer fill this column with Lucas material; so we switched to something that I find fun and interactive. (That is also because I know nothing about rust and go). It may also help some of you who are studying towards the OSCP (Offensive Security Certified Professional) - but I am not saying it will. See: https://forum.hackthebox.eu/discussion/1730/a-script-kiddie-s-guide-to-passing-oscp-on-your-first-attempt/p1

Last issue, we did a quick overview of permissions on a Linux system. This issue, we will quickly discuss tools. We need to lay some groundwork first, before getting practical. Tools are handy if you do not want to do every last thing by hand. That said, you still need to know your command-line tools (commands). We already looked at ‘id’ and ‘whoami’. You also need to know ‘ifconfig’ and ‘ip’, to see what network interfaces are up, and ‘netstat’, ‘arp’ and ‘route’ (maybe ‘dig’ too) to see what is going on over those interfaces. Netcat (nc) and ‘iptables’ at least. You also need to know where Linux keeps its configuration files and what applications are installed. You need to know which processes are running (ps). There is no shame in keeping a pocket book or .txt-file on a USB thumb drive for reference!

In the last issue, we quickly reviewed permissions on a Linux system. Today, we will quickly present the tools. We need to lay the groundwork first, before moving on to practice. Tools are handy if you do not want to do every last thing by hand. That said, you still need to know the command-line tools (the commands). We will also look at "id" and "whoami". You also need to know "ifconfig" and "ip", to see which network interfaces are up. "Netstat", "arp" and "route" (to dig into?) on those interfaces. Netcat (nc) and "iptables" at least. You will also need to know where Linux keeps its configuration files and which applications are installed. You will need to know the processes that are running (ps). There is no shame in using a notebook, a .txt file or a USB key as a reference!

CTF, or capture the flag, is an outgrowth of offsec. It creates a safe haven and an outlet for what you have learned (idle hands and all that jazz…). There are distributions brimming with tools, like Kali or BlackArch, but I do not want to tie you to a distribution, or make you a skiddie. There are many blogs around the interwebs that you can follow, when it comes to offsec. Here is one: https://offsec.vchur.dk/ They mention an interesting tool, Linux enumeration, that is available on github, for your perusal: https://offsec.vchur.dk/2019/02/26/linux-enum/ Don’t stop there; look at all the tools in that list. LinEnum is also particularly useful. Do yourself a favour and copy all those tools to a USB thumb drive. They are tiny, so that old 256MB thumb drive you have no use for, just became useful again!

CTF, or capture the flag, is an outgrowth of security work. It creates a safe harbour and an outlet for what you have learned (idleness and all that jazz…). There are distributions that are brimming with tools, such as Kali or BlackArch, but I do not want to tie you to a distribution, or make you an apprentice hacker. There are many blogs around the Web that you can follow, where they talk about security. Here is one: https://offsec.vchur.dk/

An interesting tool is mentioned there, Linux enumeration, which is available on github for your perusal: https://offsec.vchur.dk/2019/02/26/linux-enum/

Don't stop there; look at all the tools in the list. LinEnum is particularly useful. Do yourself a favour and copy all those tools to a USB key. They are not big; your old 256 MB USB key that you have no use for is going to become useful again!

If you look at this enumeration shell script, you will see it is in bash, unlike most other tools, which are written in Python. This has the benefit of working on a system that does not have python installed. (They say a bad workman blames his tools, so be sure to read through the script! I did!). This is about a thousand lines of if-statements. As this is a shell script, a thousand lines can run in a second. I am all for learning the command-line, but I am also lazy. Instead of typing the same stuff over and over, script it. This script is also quite recent and being actively developed. With CTF, you are usually given a low-level user/password and have to work your way up. With pen testing, you usually gain the shell by some exploit. The difference here is knowing the password of the account you occupy…

The other part of the equation is the machine to be exploited. You can find one at: https://www.vulnhub.com/ - there are other websites where you can find more of these too. I suggest getting a vulnerable Ubuntu or Debian machine, as this is what you know, being a FCM reader. This will boost your confidence and make it easy to start. Like the Hitchhiker’s Guide says: Don’t panic! I also have to address the elephant in the room. Please use a vulnerable VM and don’t try hacking your local .gov website. We are NOT trying to get you into trouble, but knowledge is power. This goes double for those who pester me on Telegram about this.

So what is Linux privilege escalation all about? First, it’s collecting (enumeration), then processing (analysis), then search & refine, then goto 10. Yes, that is the recipe. However, you need to avoid going down a black hole that sucks up all your time and effort. Plan! It may sound convoluted, but have a plan – before you start. Become Santa. Make a list and check it twice.

Where would you start? Good question! The ‘find’ or ‘which’ command can be your friend. You need to know what you are working with. For example: ‘find / -name "python*"’ or ‘which python’ (quote the pattern, or the shell will expand it before find sees it). So we need to look for cc, gcc, python, perl, at least. Maybe put that at the top of your list and work down. There is no surefire way, so trial and error is perfectly acceptable. See if you can access or read some of the common locations. Always read the user’s history file (history). Look for mounted file systems or unusual ones (df). Etcetera, etcetera. Mundane things, like ‘cron’, can be a goldmine! Make a list as you go along and refine that list. Check for things like ‘curl’ and ‘wget’ and ‘nc’ that allow you to transfer files, if you do not have what you need (like the bash script above). Your toolbox is the shell itself. SSH is as valid to your PC as it is to that PC. It is advisable to create an archive of your enumeration and send it to an offline PC where you can work on your ‘intel’ at your own pace. There may be commands you have never used (mknod), that you need to brush up on. As they say, all is fair in love and war. Practice makes perfect?
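As an added example (my own, not the column's code and not LinEnum), here is a small POSIX shell script that scripts the first items on the list above: it checks for the compilers, interpreters and transfer tools named in this section, records identity, mounts and cron, and archives the lot for an offline machine. It assumes only a POSIX sh, coreutils and tar; the tool names and the report layout are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the column or from LinEnum: a tiny "make a list
# and check it twice" helper. It records which compilers/interpreters and
# file-transfer tools exist, plus identity, mounts and cron, and packs the lot
# into a .tar you can carry to an offline machine to work on at your own pace.
# The tool names and the report layout are this example's own choices.

BUILD_TOOLS="cc gcc python python3 perl"   # what the column says to look for first
XFER_TOOLS="curl wget nc ncat socat"       # ways to move files if something is missing

# One line per tool: "<name> present <path>" or "<name> missing".
check_tools() {
    for t in "$@"; do
        if p=$(command -v "$t" 2>/dev/null); then
            printf '%s present %s\n' "$t" "$p"
        else
            printf '%s missing\n' "$t"
        fi
    done
}

# How many of the given tools are present (0 is a valid answer, so grep's
# exit status must not abort a script running under set -e).
count_present() {
    check_tools "$@" | grep -c ' present ' || true
}

# Write one file per topic into directory $1, then archive it as "$1.tar"
# and print the archive path. Commands that may fail on a minimal box are
# allowed to, so the report is still produced.
collect_report() {
    out=$1
    mkdir -p "$out"
    check_tools $BUILD_TOOLS $XFER_TOOLS > "$out/tools.txt"
    { id; uname -a; } > "$out/identity.txt" 2>&1 || true
    df -h > "$out/mounts.txt" 2>&1 || true
    { ls -la /etc/cron*; cat /etc/crontab; } > "$out/cron.txt" 2>&1 || true
    tar -cf "$out.tar" -C "$(dirname "$out")" "$(basename "$out")"
    printf '%s.tar\n' "$out"
}

# Usage: sh enum.sh [report-dir]  (only runs when the file is saved as enum.sh)
case "${0##*/}" in enum.sh) collect_report "${1:-./enum-report}" ;; esac
```

Copy the resulting .tar off the box and read tools.txt first: it tells you which of the "cc, gcc, python, perl" list you can actually lean on.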

Now for some online reading:
https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_-_linux.html
https://payatu.com/guide-linux-privilege-escalation
https://www.sans.org/reading-room/whitepapers/linux/paper/37562

Yes, you have to read those; they will give you ideas and get you in the right mindset. I am not linking the gotmilk (g0tmi1k) website as it is linked in one of those pages, but go there. Pay attention to the commands being used; you need to know those in your sleep. Notice that advice on (Linux) privilege escalation is not structured. There seems to be no pattern. However, you need to make a recipe that works for you. Next issue we will look at some practical work! I will give you a lot more links then. Complaints or comments? Yes, I am a scatterbrain. E-mail us: misc@fullcirclemagazine.org

issue155/c_c.1585551209.txt.gz · Last modified: 2020/03/30 08:53 by d52fr