Local Reconnaissance Linux

Bash History

  • Check the current user's bash history

  • Check every user's bash history after escalating to root

SSH Key

  • id_rsa

Could be under another name, such as bob.key

/home/bob/.ssh/id_rsa could be Alice's private key

  • known_hosts (hosts this user has connected to)

Servers that the current user's private key can access. Entries may be hashed

  • authorized_keys

Clients that have connected to this server as the current user
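A defender-side check for the three items above, added here as an example and not part of the original notes: it walks one user's .ssh directory, identifies private keys by their PEM header rather than their file name (so a key saved as bob.key is still found), flags keys whose mode is wider than 0600, counts known_hosts entries that are not hashed, and counts authorized_keys entries. The `make_sample_sshdir` helper builds a constructed directory of dummy files so the check runs offline; nothing in it is real key material. It assumes Linux with GNU coreutils (`stat -c`).

```shell
#!/bin/sh
# Added example (not from the original notes): audit one user's ~/.ssh for
# the exposures listed above. Assumes GNU coreutils (stat -c) on Linux.

audit_ssh_dir() {
    dir="$1"
    [ -d "$dir" ] || { echo "no such directory: $dir"; return 1; }

    # 1. Private keys, found by the PEM header rather than by file name.
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f" 2>/dev/null; then
            mode=$(stat -c %a "$f")
            case "$mode" in
                600|400) echo "PRIVKEY ok    $f mode=$mode" ;;
                *)       echo "PRIVKEY LOOSE $f mode=$mode" ;;
            esac
        fi
    done

    # 2. known_hosts: hashed entries start with "|1|"; anything else names a
    #    host the key holder can reach, in clear text.
    if [ -f "$dir/known_hosts" ]; then
        plain=$(grep -v '^|1|' "$dir/known_hosts" | grep -c '[^[:space:]]' || true)
        echo "KNOWN_HOSTS plaintext_entries=$plain"
    fi

    # 3. authorized_keys: every entry is a client allowed to log in as this user.
    if [ -f "$dir/authorized_keys" ]; then
        n=$(grep -cE '^(ssh|ecdsa|sk)-' "$dir/authorized_keys" || true)
        echo "AUTHORIZED_KEYS entries=$n"
    fi
}

# Constructed sample directory (dummy content, not real keys), so the
# check can be exercised offline.
make_sample_sshdir() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructed-dummy' \
        '-----END OPENSSH PRIVATE KEY-----' > "$d/id_rsa"
    chmod 600 "$d/id_rsa"
    # A key under a non-standard name, left world-readable
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'constructed-dummy' \
        '-----END RSA PRIVATE KEY-----' > "$d/bob.key"
    chmod 644 "$d/bob.key"
    # One hashed and one plaintext known_hosts entry
    printf '%s\n' '|1|c29tZXNhbHQ=|c29tZWhhc2g= ssh-ed25519 AAAAdummy' \
        'web03,10.0.0.3 ssh-ed25519 AAAAdummy' > "$d/known_hosts"
    printf '%s\n' 'ssh-ed25519 AAAAdummy alice@laptop' \
        'ssh-rsa AAAAdummy ci@runner' > "$d/authorized_keys"
    echo "$d"
}

# Usage on a real host: audit_ssh_dir /home/alice/.ssh
audit_ssh_dir "$(make_sample_sshdir)"
```

On the sample the report shows id_rsa as ok, bob.key as LOOSE (mode 644), one plaintext known_hosts entry and two authorized keys; on a real host, run it per home directory and treat LOOSE keys and plaintext known_hosts as findings to fix (chmod 600, `HashKnownHosts yes`).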

Credential in config/text files

  • Config file of web app

  • Credential reuse

Database

  • Credentials stored in tables

  • Credential reuse
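The bash history, config file and database items above all come down to credentials left in plain text. As an added example (not from the original notes), the following scanner reports such lines so they can be rotated, redacting the secret itself in the report. It looks for assignment-style secrets (`password=`, `db_pass:` and similar) and for passwords passed on the command line to mysql or sshpass; the patterns are a starting point, not an exhaustive list. The `make_sample_history` helper writes a constructed history file and a constructed config file for an offline run. It assumes GNU grep and sed (the `I` flag on `s///`).

```shell
#!/bin/sh
# Added example (not from the original notes): find credential-looking lines
# in shell history and config files and report them with the value redacted.
# Assumes GNU grep/sed.

scan_for_secrets() {
    # keyword followed by = or : and a non-blank value
    kw='(pass(w(or)?d)?|secret|api[_-]?key|token)'
    pat="${kw}[[:space:]]*[=:][[:space:]]*[^[:space:]]+"
    # password given inline to a database or ssh helper, e.g. "mysql -u root -pXXX"
    cli='(mysql|mysqldump|sshpass)[^|;]* -p[[:space:]]?[^[:space:]]+'
    for f in "$@"; do
        [ -r "$f" ] || continue
        grep -nEi "${pat}|${cli}" "$f" 2>/dev/null \
          | sed -E "s/(${kw}[[:space:]]*[=:][[:space:]]*)[^[:space:]]+/\\1<redacted>/Ig; s/(${cli%%\[^\[:space:\]\]+})[^[:space:]]+/\\1<redacted>/g" \
          | while IFS= read -r line; do printf '%s:%s\n' "$f" "$line"; done
    done
}

# Constructed sample files; the "secrets" in them are invented.
make_sample_history() {
    d=$(mktemp -d)
    printf '%s\n' 'ls -la' 'mysql -u root -pS3cretPw mydb' \
        'export DB_PASSWORD=hunter2' 'cd /var/www' > "$d/.bash_history"
    printf '%s\n' '# constructed app config' 'db_password = "Wint3r2024"' \
        'db_host = localhost' > "$d/config.ini"
    echo "$d"
}

# Usage on a real host: scan_for_secrets /home/*/.bash_history /var/www/*/config.*
d=$(make_sample_history)
scan_for_secrets "$d/.bash_history" "$d/config.ini"
```

The second sed rule reuses the `cli` pattern with its trailing value part stripped, so the replacement keeps everything up to `-p` and redacts only the value. Each reported line is file:line:content, which is enough to locate the credential, rotate it and remove the line, without the report itself becoming a second copy of the secret.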

sudo -l

  • GTFOBins

suid

  • GTFOBins
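Both sudo rules and set-uid binaries are only a problem when an unexpected one appears, which is why GTFOBins is useful to an attacker. As an added example (not from the original notes), the following check lists set-uid executables under a filesystem root and compares them with an allowlist, so anything outside the expected set (a custom helper in /opt, a copied shell) stands out for review. The `make_sample_root` helper builds a constructed directory tree with a few dummy set-uid files and an allowlist so the check runs offline; paths and names in it are invented. It assumes GNU find and coreutils.

```shell
#!/bin/sh
# Added example (not from the original notes): report set-uid executables
# that are not on an allowlist. Assumes GNU find and stat.

audit_suid() {
    root="$1"      # filesystem root to scan, e.g. /
    allow="$2"     # file with one allowed absolute path per line
    find "$root" -xdev -type f -perm -4000 2>/dev/null | sort \
      | while IFS= read -r f; do
            # path relative to the scanned root, with a leading slash
            rel="/${f#"${root%/}/"}"
            if grep -qxF "$rel" "$allow"; then
                echo "EXPECTED   $rel"
            else
                echo "UNEXPECTED $rel owner=$(stat -c %U "$f")"
            fi
        done
}

# Constructed sample tree: three dummy set-uid files, one of them not on the list.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/opt/app"
    for f in usr/bin/passwd usr/bin/sudo opt/app/helper; do
        printf '#!/bin/sh\n' > "$d/$f"
        chmod 4755 "$d/$f"
    done
    printf '#!/bin/sh\n' > "$d/usr/bin/ls"
    chmod 755 "$d/usr/bin/ls"          # not set-uid, must not be reported
    printf '%s\n' /usr/bin/passwd /usr/bin/sudo > "$d/allowlist.txt"
    echo "$d"
}

# Usage on a real host: audit_suid / /etc/suid-allowlist.txt
d=$(make_sample_root)
audit_suid "$d" "$d/allowlist.txt"
```

On a real system, generate the allowlist from a freshly installed host of the same build and keep it under change control; the diff this check prints is then the set of binaries someone should explain, and it is the same list `sudo -l`-style review should be paired with.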

SSH control master

A -> B: A has a session on B; piggyback on A's access to B

~/.ssh/config or /etc/ssh/ssh_config

Any socket file, such as kevin@web03:22, in /home/kevin/.ssh/controlmaster

ssh kevin@web03

If logged in as root

ssh -S /home/alice/.ssh/controlmaster\@alice@web03\:22 alice@web03

SSH Agent Forwarding

A -> B -> C: A has a session on B, and A's private key grants access to both B and C

On B, to access C

As a normal user

ssh alice@web03

As a privileged user

SSH_AUTH_SOCK=/tmp/ssh-xxx ssh-add -l

SSH_AUTH_SOCK=/tmp/ssh-xxx ssh alice@web03
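Both of the two sections above rely on client-side ssh settings: ControlMaster/ControlPath/ControlPersist keep a multiplexed session alive as a socket file, and ForwardAgent hands the agent socket to the remote host. As an added example (not from the original notes), the following pair of functions reports those directives per Host block of a client config and lists what sits in a ControlPath directory, distinguishing real sockets from leftover entries. The `make_sample_ssh_config` helper writes a constructed config and a constructed ControlPath directory for an offline run; host names and paths in it are invented. It assumes GNU coreutils (`stat -c`).

```shell
#!/bin/sh
# Added example (not from the original notes): audit ssh client config for
# connection multiplexing and agent forwarding, and list ControlPath entries.
# Assumes GNU stat.

audit_ssh_forwarding() {
    cfg="$1"                       # ~/.ssh/config or /etc/ssh/ssh_config
    [ -f "$cfg" ] || { echo "no config: $cfg"; return 1; }
    host='(global)'
    # read splits each line into the keyword and the rest; "Host *" stays
    # literal because $val is never expanded unquoted.
    while read -r key val || [ -n "$key" ]; do
        case "$key" in ''|'#'*) continue ;; esac
        key=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
        case "$key" in
            host|match)     host="$val" ;;
            controlmaster)  if [ "$val" != no ]; then echo "CONTROLMASTER host=$host value=$val"; fi ;;
            controlpath)    echo "CONTROLPATH host=$host path=$val" ;;
            controlpersist) if [ "$val" != no ]; then echo "CONTROLPERSIST host=$host value=$val"; fi ;;
            forwardagent)   if [ "$val" != no ]; then echo "FORWARDAGENT host=$host value=$val"; fi ;;
        esac
    done < "$cfg"
}

list_control_sockets() {
    dir="$1"                       # directory named by ControlPath
    [ -d "$dir" ] || { echo "no ControlPath directory: $dir"; return 0; }
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        if [ -S "$f" ]; then
            echo "SOCKET    $f owner=$(stat -c %U "$f") mode=$(stat -c %a "$f")"
        else
            echo "NONSOCKET $f"    # leftover file, not a live master connection
        fi
    done
}

# Constructed sample: a config that multiplexes everywhere and forwards the
# agent to one host, plus a ControlPath directory holding a stale entry.
make_sample_ssh_config() {
    d=$(mktemp -d)
    printf '%s\n' \
        '# constructed sample, not a real config' \
        'Host *' \
        '    ControlMaster auto' \
        '    ControlPath ~/.ssh/controlmaster/%r@%h:%p' \
        '    ControlPersist 10m' \
        'Host bastion' \
        '    ForwardAgent yes' > "$d/config"
    mkdir "$d/controlmaster"
    : > "$d/controlmaster/kevin@web03:22"
    echo "$d"
}

# Usage on a real host: audit_ssh_forwarding ~/.ssh/config; list_control_sockets ~/.ssh/controlmaster
d=$(make_sample_ssh_config)
audit_ssh_forwarding "$d/config"
list_control_sockets "$d/controlmaster"
```

A `ControlPersist` value other than `no` is what keeps the socket usable after the interactive session ends, and a `ForwardAgent yes` under `Host *` extends the agent to every host the user touches; both are the settings a review should scope down to the hosts that need them.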

ccache file

  • Contains requested Kerberos tickets

/tmp/krb5cc_jack

  • Convert ccache to kirbi file

export KRB5CCNAME=/tmp/krb5cc_george

/etc/krb5.keytab

  • It can be used for Kerberos authentication

keytab file

  • Contains the Kerberos principal name and encrypted keys

/tmp/alice.keytab

kinit alice@red.com -k -t /tmp/alice.keytab

/etc/crontab

pspy

  • Hidden cron jobs (could contain credentials)

/opt/pbis

  • Enumerate the domain from Linux

  • Make use of keytab and ccache files
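The ccache and keytab sections above, and the last bullet here, all hinge on where those files sit and who can read them. As an added example (not from the original notes), the following check finds them by content rather than by name: a FILE-format ccache starts with the bytes 05 04 (or 05 03 for the older version), a version 2 keytab with 05 02. It then reports owner, mode and whether group or others can read the file, which is the exposure that lets another local user reuse the ticket or key. The `make_sample_krb_dir` helper writes constructed files carrying only those magic bytes, not real Kerberos data. It assumes GNU coreutils (`od`, `stat -c`); ccaches held in the kernel keyring or KCM have no file and are not seen by this check.

```shell
#!/bin/sh
# Added example (not from the original notes): locate Kerberos credential
# caches and keytabs by their magic bytes and report who can read them.
# Assumes GNU od and stat.

audit_krb_files() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/* "$dir"/.[!.]*; do
            [ -f "$f" ] || continue
            # first two bytes as hex, e.g. "0504"
            magic=$(od -An -tx1 -N2 "$f" 2>/dev/null | tr -d ' \n')
            case "$magic" in
                0504|0503) kind=CCACHE ;;
                0502)      kind=KEYTAB ;;
                *)         continue ;;
            esac
            # symbolic mode, e.g. -rw-r--r--: index 4 is group read, 7 is other read
            perm=$(stat -c %A "$f")
            case "$perm" in
                ????r*|???????r*) exposed=yes ;;
                *)                exposed=no ;;
            esac
            echo "$kind $f owner=$(stat -c %U "$f") mode=$(stat -c %a "$f") readable_by_others=$exposed"
        done
    done
}

# Constructed sample: one private ccache, one world-readable keytab, one plain
# text file that must be ignored. Only the magic bytes are meaningful.
make_sample_krb_dir() {
    d=$(mktemp -d)
    printf '\005\004constructed-ccache' > "$d/krb5cc_jack"
    chmod 600 "$d/krb5cc_jack"
    printf '\005\002constructed-keytab' > "$d/alice.keytab"
    chmod 644 "$d/alice.keytab"
    printf 'just text\n' > "$d/notes.txt"
    echo "$d"
}

# Usage on a real host: audit_krb_files /tmp /etc /home/* /var/tmp
audit_krb_files "$(make_sample_krb_dir)"
```

The default locations the notes list (/tmp/krb5cc_<user>, /etc/krb5.keytab) are covered by passing /tmp and /etc, but a keytab copied to /tmp/alice.keytab or a ccache with an unusual name is only caught because the check reads the header. A keytab with `readable_by_others=yes` is equivalent to a shared password for that principal and should be re-keyed, not just chmod'ed.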
