During a penetration test there are many questions you need to ask yourself. Too often, the blogs I read list the commands we need to run to collect information from our target but don't go far enough to explain the questions we should be asking as we collect that data or run our scripts. I want to take this opportunity to discuss why we look for certain information and the kinds of questions we should be asking ourselves along the way.
The data we’re collecting here is from a combination of the following sources:
- Basic Linux Privilege Escalation by g0tm1lk
- LinEnum from RebootUser
## Operating System

### Distribution / Version

When we use commands such as

```
cat /etc/issue
cat /etc/*-release
```

we get information such as:
```
d3c3pt10n@ub16:~# cat /etc/issue
Ubuntu 16.04.3 LTS \n \l
d3c3pt10n@ub16:~# cat /etc/*-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.3 LTS"
NAME="Ubuntu"
VERSION="16.04.3 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.3 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial
```
So with this information, what questions should we be asking ourselves? What should we be searching for?

- Are there any well-known vulnerabilities for this operating system version?
- What is the codename? Do any exploits refer to the release by that name rather than by the version number?
- What format are package names in on this operating system? For example, if we need the version of the libssl development libraries, should we be searching for libssl-dev (Debian style), openssl-devel (RHEL style) or something else?
- If we are on a new OS, where can we read about newly reported bugs (e.g. Ubuntu's Launchpad bug tracker)?
## Kernel Information

Because of the importance of the kernel to our system, we need to know as much as we can about it. g0tm1lk suggests:

```
cat /proc/version
uname -a
uname -mrs
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz-
```
With this, we can get information such as:

```
d3c3pt10n@ub16:~# cat /proc/version
Linux version 4.4.0-101-generic (buildd@lcy01-amd64-006) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.5) ) #124-Ubuntu SMP Fri Nov 10 18:29:59 UTC 2017
d3c3pt10n@ub16:~# uname -a
Linux ub16 4.4.0-101-generic #124-Ubuntu SMP Fri Nov 10 18:29:59 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
d3c3pt10n@ub16:~# ls /boot | grep vmlinuz-
vmlinuz-4.4.0-101-generic
vmlinuz-4.4.0-98-generic
```
From this output there are a few very important things to take note of:

- What architecture is the kernel? Is it i386 (32-bit) or x86_64 (64-bit)?
- What version is the kernel? Are there any exploits that target this version and architecture?
- Does our initial foothold use the same architecture as the target? If not, can we acquire a new shell using the correct architecture?
- What versions of vmlinuz exist? As vmlinuz is the actual kernel file, can we potentially leverage an older one that is still on the system?
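As an added example (not from the original post, nor from the g0tm1lk or LinEnum scripts), here is a small Python script that turns the output above into the answers the two checklists ask for: it parses the os-release fields, maps ID/ID_LIKE to the deb or rpm package naming convention, pulls the kernel release and architecture out of `uname -a`, and lists kernels in /boot that are older than the running one. The sample strings are the output shown above, embedded so the script runs offline; the rpm-family keywords and the field positions taken from `uname -a` are my assumptions.

```python
import re
# Constructed samples: the os-release, `uname -a` and /boot listing shown above.
OS_RELEASE = """DISTRIB_ID=Ubuntu
ID=ubuntu
ID_LIKE=debian
VERSION_ID="16.04"
"""
UNAME_A = ("Linux ub16 4.4.0-101-generic #124-Ubuntu SMP "
           "Fri Nov 10 18:29:59 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux")
BOOT_LISTING = ["vmlinuz-4.4.0-101-generic", "vmlinuz-4.4.0-98-generic"]

def parse_os_release(text: str) -> dict:
    """Turn KEY=VALUE lines into a dict, dropping the optional quotes around values."""
    fields = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip().strip('"')
    return fields

def package_style(fields: dict) -> str:
    """Map ID/ID_LIKE to a package naming family (libssl-dev vs openssl-devel)."""
    family = (fields.get("ID", "") + " " + fields.get("ID_LIKE", "")).lower()
    if "debian" in family or "ubuntu" in family:
        return "deb"
    if any(name in family for name in ("rhel", "fedora", "centos")):  # assumed keywords
        return "rpm"
    return "unknown"

def parse_uname(line: str) -> dict:
    """Field 3 of `uname -a` is the kernel release; on Linux the machine type is 4th from the end."""
    parts = line.split()
    return {"release": parts[2], "arch": parts[-4]}

def kernel_key(name: str) -> tuple:
    """Sort key for '4.4.0-101-generic' style names: (4, 4, 0, 101)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)-(\d+)", name)
    return tuple(int(x) for x in m.groups()) if m else (0, 0, 0, 0)

def stale_kernels(boot_listing: list, running: str) -> list:
    """vmlinuz files older than the running kernel: still selectable at boot, so still patch-relevant."""
    return sorted(f for f in boot_listing if kernel_key(f) < kernel_key(running))

def inventory() -> dict:
    """Collect the answers the checklists above ask for, from the constructed samples."""
    os_fields, kernel = parse_os_release(OS_RELEASE), parse_uname(UNAME_A)
    return {"distro": os_fields["ID"] + " " + os_fields["VERSION_ID"],
            "packages": package_style(os_fields), "kernel": kernel["release"],
            "arch": kernel["arch"], "stale_kernels": stale_kernels(BOOT_LISTING, kernel["release"])}
```

Replacing the constructed strings with `open("/etc/os-release").read()`, `os.uname()` and `os.listdir("/boot")` turns this into a quick host-inventory check that flags leftover kernels the patch process forgot to remove.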