
Enumeration

Process Enumeration

c
$ ps aux | grep root
<SNIP>
c
$ ps au

Home Directory Contents

c
$ ls /home
c
$ ls -la /home/stacey.jenkins/

SSH Directory Contents

c
$ ls -l ~/.ssh

Bash History

c
$ history

Sudo - List User's Privileges

c
$ sudo -l

Passwd File

c
$ cat /etc/passwd

Cron Jobs

c
$ ls -la /etc/cron.daily/

File Systems & Additional Drives

c
$ lsblk

Find Writable Directories

c
$ find / -path /proc -prune -o -type d -perm -o+w 2>/dev/null

Find Writable Files

c
$ find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null

Environment Enumeration

c
$ cat /etc/os-release
c
$ echo $PATH

/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
c
$ env

SHELL=/bin/bash
PWD=/home/htb-student
LOGNAME=htb-student
XDG_SESSION_TYPE=tty
MOTD_SHOWN=pam
HOME=/home/htb-student
LANG=en_US.UTF-8

<SNIP>
c
$ uname -a

Linux nixlpe02 5.4.0-122-generic #138-Ubuntu SMP Wed Jun 22 15:00:31 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
c
$ lscpu 

Architecture:                    x86_64
CPU op-mode(s):                  32-bit, 64-bit
Byte Order:                      Little Endian
Address sizes:                   43 bits physical, 48 bits virtual
CPU(s):                          2
On-line CPU(s) list:             0,1
Thread(s) per core:              1
Core(s) per socket:              2
Socket(s):                       1
NUMA node(s):                    1
Vendor ID:                       AuthenticAMD
CPU family:                      23
Model:                           49
Model name:                      AMD EPYC 7302P 16-Core Processor
Stepping:                        0
CPU MHz:                         2994.375
BogoMIPS:                        5988.75
Hypervisor vendor:               VMware

<SNIP>
c
$ cat /etc/shells

# /etc/shells: valid login shells
/bin/sh
/bin/bash
/usr/bin/bash
/bin/rbash
/usr/bin/rbash
/bin/dash
/usr/bin/dash
/usr/bin/tmux
/usr/bin/screen
c
$ lsblk

NAME                      MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
loop0                       7:0    0   55M  1 loop /snap/core18/1705
loop1                       7:1    0   69M  1 loop /snap/lxd/14804
loop2                       7:2    0   47M  1 loop /snap/snapd/16292
loop3                       7:3    0  103M  1 loop /snap/lxd/23339
loop4                       7:4    0   62M  1 loop /snap/core20/1587
loop5                       7:5    0 55.6M  1 loop /snap/core18/2538
sda                         8:0    0   20G  0 disk 
├─sda1                      8:1    0    1M  0 part 
├─sda2                      8:2    0    1G  0 part /boot
└─sda3                      8:3    0   19G  0 part 
  └─ubuntu--vg-ubuntu--lv 253:0    0   18G  0 lvm  /
sr0                        11:0    1  908M  0 rom
c
$ cat /etc/fstab

# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
# / was on /dev/ubuntu-vg/ubuntu-lv during curtin installation
/dev/disk/by-id/dm-uuid-LVM-BdLsBLE4CvzJUgtkugkof4S0dZG7gWR8HCNOlRdLWoXVOba2tYUMzHfFQAP9ajul / ext4 defaults 0 0
# /boot was on /dev/sda2 during curtin installation
/dev/disk/by-uuid/20b1770d-a233-4780-900e-7c99bc974346 /boot ext4 defaults 0 0
c
$ route

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    0      0        0 ens192
10.129.0.0      0.0.0.0         255.255.0.0     U     0      0        0 ens192
c
$ arp -a

_gateway (10.129.0.1) at 00:50:56:b9:b9:fc [ether] on ens192

Existing Users

c
$ cat /etc/passwd
c
$ cat /etc/passwd | cut -f1 -d:

...SNIP...
c
$ grep "*sh$" /etc/passwd

Existing Groups

c
$ cat /etc/group

root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
c
$ getent group sudo
c
$ ls /home

Mounted File Systems

c
$ df -h

Unmounted File Systems

c
$ cat /etc/fstab | grep -v "#" | column -t

All Hidden Files

c
$ find / -type f -name ".*" -exec ls -l {} \; 2>/dev/null | grep user

All Hidden Directories

c
$ find / -type d -name ".*" -ls 2>/dev/null

Temporary Files

c
$ ls -l /tmp /var/tmp /dev/shm

Linux Services & Internals Enumeration

Internals

Network Interfaces

c
$ ip a

Hosts

c
$ cat /etc/hosts

Users' Last Logins

c
$ lastlog

Logged In Users

c
$ w

Command History

c
$ history

Finding History Files

c
$ find / -type f \( -name *_hist -o -name *_history \) -exec ls -l {} \; 2>/dev/null

Cron

c
$ ls -la /etc/cron.daily/

Proc

c
$ find /proc -name cmdline -exec cat {} \; 2>/dev/null | tr " " "\n"

Services

Installed Packages

c
$ apt list --installed | tr "/" " " | cut -d" " -f1,3 | sed 's/[0-9]://g' | tee -a installed_pkgs.list

Sudo Version

c
$ sudo -V

Binaries

c
$ ls -l /bin /usr/bin/ /usr/sbin/

GTFOBins

c
$ for i in $(curl -s https://gtfobins.github.io/ | html2text | cut -d" " -f1 | sed '/^[[:space:]]*$/d');do if grep -q "$i" installed_pkgs.list;then echo "Check GTFO for: $i";fi;done

Trace System Calls

c
$ strace ping -c1 10.129.112.20

Configuration Files

c
$ find / -type f \( -name *.conf -o -name *.config \) -exec ls -l {} \; 2>/dev/null

Scripts

c
$ find / -type f -name "*.sh" 2>/dev/null | grep -v "src\|snap\|share"

Running Services by User

c
$ ps aux | grep root

Credential Hunting

c
$ cat wp-config.php | grep 'DB_USER\|DB_PASSWORD'
c
$  find / ! -path "*/proc/*" -iname "*config*" -type f 2>/dev/null

SSH Keys

shell-session
$  ls ~/.ssh