Manual Privilege ESC Enumeration

The_leman_provider
7 min read · Aug 24, 2023


Always look on both the sides blue/red

Introduction

This post walks through an effective, manual way of enumerating a machine after you have obtained a shell, whether a dumb (non-interactive) one or a stable one. It also covers enough about how Linux presents files and their permissions to let you take advantage of what you find on the machine in front of you.

It can be called post-shell enumeration: it is done with the intention of moving to a better-privileged position, and this write-up is meant to serve as a cheat sheet for that purpose.

Execution Requirements / Environment of Choice

So why go with the manual approach? There are plenty of automated scripts online that do the job efficiently, and they are great for Capture the Flag and similar challenges. In real environments with actual security monitoring (EDR agents, auditd rules, a SIEM watching process and file activity) those scripts are noisy: they stat thousands of files and spawn hundreds of processes within seconds and are easily flagged. That is the reason to learn the manual approach, where you run one targeted command at a time and know what each one touches.

Yes, a shell on the target is required, since it is our minimal way of interacting with the machine. You can run these commands on your own machine as well, just to walk through your environment and get some practical experience.

What does the Linux response to the command “ls” or “ls -la” actually mean?

So let us get started with how Linux presents a file and its permissions to us.

When executing the well-known and most used command “ls”, or better “ls -la”, we get a listing of the directory (the post's screenshot of that output is not reproduced here). Understanding this representation is essential, because it tells us exactly how a given file can be used to get a foothold before we actually escalate privileges.

“ls”

The ls command returns the list of files and directories in the current location, which is fair and easy to understand. Executed as

“ls -la”

it digs out much more: hidden (dot) files as well, and for every entry the permission string, link count, owner, group, size and modification time. The permission string at the start of each line is the part that matters from our perspective. The same letters seem to appear more than once; that is exactly what we will break down, taking a single entry from the listing as our example.

Take a line such as “-rw-r--r-- 1 root root 220 Aug 24 10:00 example.txt” (an illustrative entry, not the post's screenshot). After the leading type character, the nine permission characters come in three groups of three, each group read as read, write, execute:

The first group, “rw-”, applies to the file's owner (the third column, here root): the owner can read and write the file but not execute it.

The second group, “r--”, applies to the file's group (the fourth column, here also root): members of that group can only read the file.

The third group, “r--”, applies to everyone else on the system: every other user can only read it.

A “-” in any position means that permission is absent; otherwise the position holds “r”, “w” or “x”. Two special cases show up in the execute positions. An “s” in the owner's or the group's execute slot means the setuid or setgid bit is set (the program runs with the owner's or the group's identity, which is exactly what we hunt for later), and a “t” in the others' execute slot means the sticky bit is set (on a directory such as /tmp only a file's owner may delete it). An uppercase “S” or “T” means the bit is set but the underlying execute permission is not.

The leftmost character is different: it gives the file type rather than a permission. “-” is a regular file, “d” a directory, “l” a symbolic link, “c” or “b” a character or block device, “p” a named pipe and “s” a socket (not to be confused with the setuid “s” inside the permission groups).

With this breakdown we understand enough of the file system environment to read file permissions correctly before using them in our favour.
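The breakdown above, written as a small shell function so that each field of the mode string is read in the right order. This is an added example and not code from the original post; the mode strings passed to it are constructed, not taken from any real host.

```shell
#!/bin/sh
# Added example: decode the 10-character mode field that `ls -la` prints
# (e.g. "-rwsr-xr-x") into type, owner/group/other permissions and the
# special bits. The sample mode strings at the bottom are constructed.

decode_mode() {
  m="$1"
  case "$m" in
    ??????????) ;;                       # must be exactly 10 characters
    *) echo "decode_mode: bad mode string '$m'" >&2; return 1 ;;
  esac

  # Leftmost character is the file type, not a permission.
  case "$(printf '%s' "$m" | cut -c1)" in
    -) type=file ;;    d) type=dir ;;      l) type=symlink ;;
    c) type=chardev ;; b) type=blockdev ;; p) type=fifo ;; s) type=socket ;;
    *) type=unknown ;;
  esac

  # Then three rwx groups: owner, group, others (in that order).
  owner=$(printf '%s' "$m" | cut -c2-4)
  group=$(printf '%s' "$m" | cut -c5-7)
  other=$(printf '%s' "$m" | cut -c8-10)

  # Special bits live in the execute slots: s/S in the owner slot = setuid,
  # s/S in the group slot = setgid, t/T in the others slot = sticky.
  # Uppercase means the bit is set but the execute permission itself is not.
  setuid=no; setgid=no; sticky=no; world_writable=no
  case "$owner" in ??s|??S) setuid=yes ;; esac
  case "$group" in ??s|??S) setgid=yes ;; esac
  case "$other" in ??t|??T) sticky=yes ;; esac
  case "$other" in ?w?)     world_writable=yes ;; esac

  printf 'type=%s owner=%s group=%s other=%s setuid=%s setgid=%s sticky=%s world_writable=%s\n' \
    "$type" "$owner" "$group" "$other" "$setuid" "$setgid" "$sticky" "$world_writable"
}

# Entries worth a second look during enumeration: setuid/setgid files and
# anything world-writable. Returns 0 (true) if the mode string qualifies.
is_interesting() {
  case "$(decode_mode "$1")" in
    *setuid=yes*|*setgid=yes*|*world_writable=yes*) return 0 ;;
    *) return 1 ;;
  esac
}

decode_mode '-rwsr-xr-x'   # shape of a setuid root binary such as passwd
decode_mode 'drwxrwxrwt'   # shape of a sticky, world-writable directory such as /tmp
```

Feed it the first column of a real listing with something like `ls -la /usr/bin | awk '{print $1}' | while read -r m; do is_interesting "$m" && echo "$m"; done` (constructed usage, GNU or BSD ls both work).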

Beginning of enumeration.

So in this section we will discuss two different purposes of enumerating a machine:

1: Enumerating for privilege escalation

2: Enumerating the network for pivoting to a better placed or more internal section of it.

To escalate privileges: 🔝🔒

# sudo -l:-

⚫ This command tells you, for the user you are running as at the moment, which commands that user may run through sudo, as which target user, and whether a password is required: entries tagged NOPASSWD need none. If you do not know the user's password, run sudo -n -l so it fails immediately instead of prompting.

⚫ So what help is a list of such commands? Often this sudo access is granted for a limited task and is supposed to be removed afterwards, but many times it is simply left in place. That leftover entry lets a threat actor run the command in their favour and escalate either horizontally (to another user) or vertically (to root).

⚫ For example, an employee may have been allowed to run nmap with sudo for a one-off task that was meant to be revoked once the purpose was served, but never was. We take this as an opportunity: if the permitted binary can spawn a shell, read or write arbitrary files, or execute scripts (older nmap builds had an interactive mode that could run shell commands, and many editors, pagers and interpreters can do the same), the sudo entry turns into a root shell. Check each permitted binary against a catalogue such as GTFOBins before hunting for an exploit or one-liner.

# id:-

⚫ The id command prints the invoking user's uid (user ID), gid (primary group ID) and the IDs and names of all groups the user belongs to. On most distributions accounts with UIDs of 1000 and above are regular users added to the system; lower UIDs belong to system or service accounts. UID 0 is reserved for root, and any account with uid 0 is root no matter what it is called. sudo does not change a user's uid; it runs individual commands as root (or another user) on behalf of an account that is otherwise unprivileged.

⚫ Now how is this helpful to us? Many times you will identify a group that is out of the ordinary. Membership of groups such as sudo or wheel, docker, lxd, disk, shadow or adm grants access that can be turned into root, or into reading password hashes or logs, with nothing more than the shell access you already have, so note every unusual group.
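The two checks above (id and sudo -l) as a pair of shell functions that pull out only what matters for escalation. This is an added example, not code from the original post. Both inputs are constructed: user frank, host web01, the group IDs and the sudoers entries are made up; on a real host replace them with `$(id)` and `$(sudo -n -l 2>/dev/null)`.

```shell
#!/bin/sh
# Added example: parse `id` and `sudo -l` output for the parts that matter
# during post-shell enumeration. SAMPLE_ID and SAMPLE_SUDO_L are constructed.

SAMPLE_ID='uid=1001(frank) gid=1001(frank) groups=1001(frank),27(sudo),999(docker)'

SAMPLE_SUDO_L='Matching Defaults entries for frank on web01:
    env_reset, mail_badpass, secure_path=/usr/sbin:/usr/bin:/sbin:/bin

User frank may run the following commands on web01:
    (root) NOPASSWD: /usr/bin/nmap
    (ALL : ALL) /usr/bin/vim
    (root) /usr/bin/systemctl restart nginx, (www-data) NOPASSWD: /usr/bin/php'

# Groups whose membership is commonly enough to reach root or sensitive
# data (docker/lxd: container breakout, disk: raw block devices,
# shadow: password hashes, adm: logs).
PRIV_GROUPS='root sudo wheel adm docker lxd disk shadow'

# Print the groups from `id` output that appear in PRIV_GROUPS, in the
# order `id` lists them.
interesting_groups() {
  printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n' \
    | sed 's/^[0-9]*(//; s/)$//' \
    | awk -v want="$PRIV_GROUPS" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) keep[w[i]] = 1 }
        ($0 in keep) { print }'
}

# One line per sudoers entry: "runas | NOPASSWD-or-PASSWD | command".
# Entries start with "(runas)"; a line may carry several separated by
# commas, later ones inheriting the runas of the earlier one. Other tags
# (SETENV:, NOEXEC:, ...) are left attached to the command text.
sudo_entries() {
  printf '%s\n' "$1" | awk '
    /^[ \t]*\(/ {
      n = split($0, parts, /,[ \t]*/)
      for (i = 1; i <= n; i++) {
        e = parts[i]
        sub(/^[ \t]+/, "", e)
        if (e ~ /^\(/) {
          p = index(e, ")")
          runas = substr(e, 2, p - 2)
          e = substr(e, p + 1)
          sub(/^[ \t]+/, "", e)
        }
        tag = "PASSWD"
        if (e ~ /^NOPASSWD:/) { tag = "NOPASSWD"; sub(/^NOPASSWD:[ \t]*/, "", e) }
        print runas " | " tag " | " e
      }
    }'
}

# Just the commands that run without a password: the first things to
# check against a catalogue of shell-spawning binaries.
nopasswd_commands() {
  sudo_entries "$1" | awk -F ' [|] ' '$2 == "NOPASSWD" { print $3 }'
}

interesting_groups "$SAMPLE_ID"
sudo_entries "$SAMPLE_SUDO_L"
nopasswd_commands "$SAMPLE_SUDO_L"
```

The parser only understands the runas and NOPASSWD/PASSWD parts of an entry; anything else sudo prints stays attached to the command so nothing is silently dropped.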

# find command:-

⚫ The find command is often compared to grep, but where grep searches inside file contents, find walks the file system and returns the files matching a name, owner, permission, size or timestamp. It is a really handy command that saves you the headache of moving into each directory to look for a particular file.

Some useful examples are:-

1: command to find all files owned by a particular user (here frank) under the home directory.

find /home -user frank

2: command to find regular files whose mode is exactly 0777, i.e. readable, writable and executable by every user on the system. Note that -perm 0777 means an exact match; a file with mode 0666 or 1777 is still world-writable but will not be listed.

find / -type f -perm 0777

3: command to find all executable files on the machine. (The original used -perm a=x, which only matches files whose mode is exactly 0111; -perm /111 matches any file with at least one execute bit set.)

find / -type f -perm /111

4: command to find recently modified or accessed files.

find / -mtime -10  # the m means modified; -10 means "less than 10 days ago"
find / -atime -10  # the a means accessed

# Without the minus sign, -mtime 10 matches only files modified exactly 10 days ago, which is rarely what you want.

5: command to find SUID files owned by root (the setuid bit is 4000; /4000 means "this bit is set", whatever the rest of the mode is).

find / -type f -user root -perm /4000

6: command to find a specific file by its name (use -type d instead of -type f to look for a directory).

find / -type f -name filename

7: command to find files of a specific size (-size +50M lists files larger than 50 MB, -size -50M smaller).

find / -size 50M  # files of exactly 50 MB

#NOTE:- You can append the following to the end of every command above to keep only the successful matches and drop the permission-denied errors, which is what stderr is redirected away for.

                           2>/dev/null

for example:-

find / -size 50M  2>/dev/null
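To make the find predicates above verifiable rather than just memorised, here is an added example (not from the original post) that builds a small throwaway directory tree with known permissions and timestamps and runs the same searches against it, so the expected results are known before the commands run. File names and modes are constructed; it needs GNU find for the -perm /mode syntax.

```shell
#!/bin/sh
# Added example: exercise the find(1) predicates from this section on a
# constructed tree under mktemp so each result can be predicted.
# Requires GNU find (for "-perm /mode"); all names and modes are made up.

make_lab() {
  lab=$(mktemp -d)
  mkdir -p "$lab/bin" "$lab/home/frank" "$lab/tmp"
  printf '#!/bin/sh\n' > "$lab/bin/suid_tool";  chmod 4755 "$lab/bin/suid_tool"   # setuid
  printf '#!/bin/sh\n' > "$lab/bin/sgid_tool";  chmod 2755 "$lab/bin/sgid_tool"   # setgid only
  printf '#!/bin/sh\n' > "$lab/bin/plain_tool"; chmod 0755 "$lab/bin/plain_tool"  # ordinary executable
  printf 'x\n' > "$lab/tmp/open.txt";           chmod 0666 "$lab/tmp/open.txt"    # world-writable, not 0777
  printf 'x\n' > "$lab/home/frank/notes.txt";   chmod 0644 "$lab/home/frank/notes.txt"
  touch -t 202001010000 "$lab/home/frank/notes.txt"   # mtime far in the past
  printf '%s\n' "$lab"
}

# Strip the lab prefix and sort so results are stable.
_rel() { sed "s#^$1/##" | sort; }

# Files with the setuid bit, whatever the rest of the mode (-perm /4000).
find_suid() { find "$1" -type f -perm /4000 2>/dev/null | _rel "$1"; }

# Files writable by "others": -perm -o=w means "at least this bit",
# unlike -perm 0777 which demands the exact mode and would miss 0666.
find_world_writable() { find "$1" -type f -perm -o=w 2>/dev/null | _rel "$1"; }

# Files with any execute bit set (-perm /111); -perm a=x would only match mode 0111.
find_executables() { find "$1" -type f -perm /111 2>/dev/null | _rel "$1"; }

# Modified within the last N days: -mtime -N. A bare -mtime N means exactly N days ago.
find_modified_within() { find "$1" -type f -mtime "-$2" 2>/dev/null | _rel "$1"; }

lab=$(make_lab)
echo "setuid:";          find_suid "$lab"
echo "world-writable:";  find_world_writable "$lab"
echo "executables:";     find_executables "$lab"
echo "modified <10d:";   find_modified_within "$lab" 10
rm -rf "$lab"
```

Point the same functions at / on a real host (with 2>/dev/null already in place the permission-denied noise is gone) and diff the SUID list against a clean install of the same distribution: the entries that are not in the baseline are the ones to look at first.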

That is it for the manual stuff, though not everything is covered; I will post one more blog or cheat sheet on related topics such as capabilities, environment variables, PATH, SUID and more.

2: Enumerate the network 🌐 for pivoting

Pivoting means using the machine we control to reach an internal section of the network, i.e. another subnet connected to the current machine through a router or a second interface. To do that we need to know which networks the compromised host can reach and which services sit on them, so those are the things we will look for here.

# Knowing which networks are connected. 🔌💻📶:-

⚫ A well-known command is enough to check which network interfaces are present on the system.

ifconfig

Now that you have at least partial access to the machine you can run this command, and it shows every interface configured on the system (the post's screenshot of the output is not reproduced here). On newer distributions ifconfig may not be installed at all; ip addr shows the same information.

Suppose it shows three interfaces. We still have no idea which subnets are reachable through which interface, or which one leads back toward us. To check that we use the following command.

ip route 

# I would suggest using the 🕵️‍♂️ netstat tool on Linux to gather additional information.

I will list the most informative and commonly used netstat commands here; feel free to copy them according to your need. Note that netstat belongs to the deprecated net-tools package and is missing on many recent systems; ss (from iproute2) is its replacement and accepts the same -t, -u, -l, -p and -n switches (for example ss -tulpn), while per-interface counters come from ip -s link instead of netstat -i.

1: To check which of the interfaces found with ifconfig is actually in use, look at the RX/TX packet counters per interface:

netstat -i

output:-

In the post's sample output (not reproduced here) the counters showed eth0 as the interface carrying most of the traffic.

2: To check for all the listening sockets we can use the following command

netstat -l

3: To list all the TCP and UDP ports we use this command

netstat -at #for tcp 

netstat -au #for udp

4: To list the TCP sockets together with the PID and name of the process using each one, use this command (add -n to skip the slow reverse DNS lookups, which also generate traffic of their own; you only see other users' processes when running as root)

netstat -tp
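The two questions this section asks of ip route and netstat (which subnets are attached, and which services are only listening on loopback and therefore need a port forward through this host) can be answered with a couple of awk one-liners. This is an added example, not code from the original post; the route table and socket listing are constructed samples with made-up addresses, PIDs and program names. On a real host replace them with `$(ip route)` and `$(netstat -tlnp)` (ss -tlnp prints the state in the first column rather than the sixth, so adjust the field numbers if you use it).

```shell
#!/bin/sh
# Added example: pick pivot targets out of `ip route` and `netstat -tlnp`
# output. Both samples below are constructed.

SAMPLE_ROUTES='default via 10.10.14.1 dev eth0 proto dhcp metric 100
10.10.14.0/24 dev eth0 proto kernel scope link src 10.10.14.7
172.16.5.0/24 dev eth1 proto kernel scope link src 172.16.5.10'

SAMPLE_LISTENERS='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1204/mysqld
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      1377/python3
tcp6       0      0 :::80                   :::*                    LISTEN      950/nginx'

# Directly attached subnets and the interface that reaches them. The
# default route is skipped: it only says where the gateway is, and the
# gateway's own subnet already appears as a "dev" line.
connected_subnets() {
  printf '%s\n' "$1" | awk '$1 != "default" && $2 == "dev" { print $1, $3 }'
}

# Listening TCP sockets bound only to loopback (IPv4 127.x or IPv6 ::1).
# These are unreachable from the outside, so they are candidates for
# forwarding through the foothold; prints "address:port pid/program".
loopback_only_listeners() {
  printf '%s\n' "$1" | awk '$1 ~ /^tcp/ && $6 == "LISTEN" && $4 ~ /^(127\.|::1:)/ { print $4, $7 }'
}

echo "attached subnets:"; connected_subnets "$SAMPLE_ROUTES"
echo "loopback-only services:"; loopback_only_listeners "$SAMPLE_LISTENERS"
```

The interface names in the first list are what you feed into a ping sweep or a port scan of the neighbouring subnet; the second list is what you tunnel back to yourself (with SSH -L or a SOCKS proxy) before touching it.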

So far so good: we can conclude that these commands extract enough information to escalate our privileges to the level we want, or to pick the next hop into the network.

Make sure you use these practices only for learning purposes and do not apply them in a way that harms anyone.

That’s it from my side, pals. If I get to learn more about such content I will make sure to put it here in short LEMAN language.

Arigato for going through my write-up; make sure to update me if I went wrong somewhere.

Bye, mata ne
