Hello there, I am studying IT security at university, and among my classmates hackthebox has become quite trendy. For the first time, I managed to get past recon and got a shell. As I am collecting a record of good practices and commands to run while pentesting, my question is:
What do you look for, what steps do you plan, and what commands do you always run (or try to run) once you have a shell but no passwords?
This is a list of what I currently have:
kernel version (uname -a)
env
whoami
history
who
w
last
sudo -l (sudo less -> !/bin/bash) (sudo find /var/log -exec /bin/bash -i \;)
ifconfig -a
netstat -antup
lsof -i
find / -perm -u=s -type f 2>/dev/null
dmesg
journalctl
As you might have already figured out, I got some info by running those commands, but nothing that led me to the path to the user's password.
For a better picture, Google and run these tools for general enumeration and for finding misconfigurations or exploits:
LinEnum, linux-smart-enumeration, linuxprivchecker.py
You can enumerate cron jobs using the tool pspy.
Check the kernel version and Google for exploits; check the web server's configuration files for creds or SSH keys, the bash_history files for leftover data, and in general anything that looks out of place or interesting!
sudo -l
Then I run the scripts mentioned by dachef.
Pay attention to SUID files.
Check the weird ones on GTFOBins.
Run pspy to see what crons run and get a general idea of whether there is a way to root from there.
Generally, from what I have seen so far, the easy and medium Linux machines are a mix of service misconfigurations, loose perms on executables, config files and folders, left-over keys or plain-text creds in normal and backup files, as well as sudo permissions on various executables.
The hard Linux machines (at least the 3 of them that I have done so far) are of the same mindset but require way more enumeration and 'back and forth' to gather more information. Also, their exploitation techniques are usually a bit more advanced.
Thank you for the answers. I've spent some time testing out your resources/advice and made some progress. It could feel overwhelming to dig through docs, but thank you again for helping me move forward.