Local Reconnaissance Linux

Bash History
  Check the current user's bash history
  Check every user's bash history after escalating to root

SSH Key
  id_rsa
    Could be under another name such as bob.key
    /home/bob/.ssh/id_rsa could be Alice's private key
  known_hosts (which you can access)
    Servers that the current user's private key can access. Entries may be hashed
  authorized_keys
    Clients that have connected to this server as the current user

Credentials in config/text files
  Config file of web app
  Credential reuse

Database
  Stored credentials in tables
  Credential reuse

sudo -l
  GTFOBins

suid
  GTFOBins

SSH ControlMaster
  A -> B: A has a session on B; piggyback A's access to B
  ~/.ssh/config or /etc/ssh/ssh_config
  Any socket file like kevin@web03:22 in /home/kevin/.ssh/controlmaster
    ssh kevin@web03
  If logged in as root
    ssh -S /home/alice/.ssh/controlmaster\@alice@web03\:22 alice@web03

SSH Agent Forwarding
  A -> B -> C: A has a session on B, and A's private key can access both B and C
  On B to access C
    Normal user
      ssh alice@web03
    Privileged user
      SSH_AUTH_SOCK=/tmp/ssh-xxx ssh-add -l
      SSH_AUTH_SOCK=/tmp/ssh-xxx ssh alice@web03

ccache file
  Contains requested Kerberos tickets
  /tmp/krb5cc_jack
    Convert ccache to kirbi file
    export KRB5CCNAME=/tmp/krb5cc_george
  /etc/krb5.keytab
    Can be used for Kerberos authentication

keytab file
  Contains Kerberos principal name and encrypted keys
  /tmp/alice.keytab
    /etc/crontab
    kinit alice@red.com -k -t /tmp/alice.keytab

pspy
  Hidden cronjobs (could contain credentials)

/opt/pbis
  Enumerate domain on Linux
  Make use of keytab and ccache files
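A host-side audit of the artifacts listed above, added here as an example and not part of the original notes: it walks a directory tree and flags SSH private keys, Kerberos ccache and keytab files, and shell histories that are readable beyond their owner, plus live ControlMaster and forwarded-agent sockets. The filename patterns and finding messages are my own assumptions, not taken from any tool on this page.

```python
import os
import re
import stat
from typing import List, Optional, Tuple

# Filename patterns for the artifacts named in the notes (assumed, not exhaustive).
PRIVATE_KEY_RE = re.compile(r"^id_(rsa|dsa|ecdsa|ed25519)$|\.(key|pem)$")
GROUP_OTHER = 0o077  # any group/other permission bit


def classify_entry(path: str, mode: int) -> Optional[str]:
    """Return a finding for one path given its lstat st_mode, or None if fine."""
    name = os.path.basename(path)
    in_ssh_dir = "/.ssh/" in path
    if stat.S_ISSOCK(mode):
        if in_ssh_dir:
            return "live ControlMaster socket: established session reusable by root"
        if name.startswith("agent.") and "/ssh-" in path:
            return "forwarded ssh-agent socket: keys usable by root while session lives"
        return None
    if not stat.S_ISREG(mode):
        return None
    loose = bool(mode & GROUP_OTHER)
    if in_ssh_dir and PRIVATE_KEY_RE.search(name):
        return "SSH private key readable by group/others" if loose else None
    if name.startswith("krb5cc_"):
        return "Kerberos ccache readable by group/others" if loose else None
    if name.endswith(".keytab"):
        return "keytab readable by group/others" if loose else None
    if name == ".bash_history" and mode & 0o044:
        return "shell history readable by group/others"
    return None


def audit(root: str) -> List[Tuple[str, str]]:
    """Walk root (e.g. /home, /tmp, /etc) and collect (path, finding) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:  # os.walk lists sockets under files as well
            p = os.path.join(dirpath, f)
            try:
                mode = os.lstat(p).st_mode
            except OSError:
                continue  # unreadable or vanished entry; skip it
            finding = classify_entry(p, mode)
            if finding:
                findings.append((p, finding))
    return findings


if __name__ == "__main__":
    for p, why in audit("/home") + audit("/tmp") + audit("/etc"):
        print(f"{p}: {why}")
```

Run it as root for full coverage of other users' home directories; the permission checks only reflect mode bits, so ACLs and directory permissions still need a separate look.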