Protocol/Service | Ports | Purpose
---|---|---
Apache Web Server | TCP ports 80/443 | Free and open source cross-platform web server released under the Apache License 2.0. Apache accounts for over 80% of web servers globally.
SSH (Secure Shell) | TCP port 22 | SSH is a cryptographic remote access protocol used to remotely access and control systems over an unsecured network. SSH was developed as a secure successor to telnet.
FTP (File Transfer Protocol) | TCP port 21 | FTP is a protocol that uses TCP port 21 to facilitate file transfer between a server and one or more clients, in either direction.
SAMBA | TCP port 445 | Samba is the Linux implementation of SMB, and allows Windows systems to access Linux shares and devices.
Shellshock (CVE-2014-6271) is the name given to a family of vulnerabilities in the Bash shell (since v1.3) that allow an attacker to execute arbitrary commands remotely via Bash, consequently allowing the attacker to obtain remote access to the target system via a reverse shell. The vulnerable pattern is a function definition in an environment variable followed by trailing commands:
() { :; }; <arbitrary command>
In order to exploit this vulnerability, you will need to locate an input vector or script that allows you to pass input to Bash. In the context of an Apache web server, any legitimate CGI script accessible on the web server can serve this purpose.
Use the Metasploit module exploit/multi/http/apache_mod_cgi_bash_env_exec to exploit the Shellshock vulnerability.
SAMBA utilizes username and password authentication in order to grant access to the server or a network share.
Tools: smbclient, smbmap, enum4linux
smbmap -H host -u username -p password
smbclient //IP/share -U username
Use get inside the smbclient session to download a file.
A kernel is a computer program that is the core of an operating system and has complete control over every resource and hardware component on a system. It acts as a translation layer between hardware and software and facilitates the communication between these two layers.
Privilege escalation
Use the post/multi/recon/local_exploit_suggester Metasploit module.
Linux Exploit Suggester (GitHub): https://github.com/mzet-/linux-exploit-suggester
All of the information for all accounts on Linux is stored in the passwd file, located at /etc/passwd.
The password hashes for the users are stored in the shadow file, which can be found at /etc/shadow.
Value | Hashing Algorithm
---|---
$1 | MD5
$2 | Blowfish
$5 | SHA-256
$6 | SHA-512
Use the post/linux/gather/hashdump Metasploit module (hashdump) to dump the hashes.
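Added example (not part of the original notes): a small POSIX shell audit that parses shadow-format lines, classifies each account by the $id$ prefix from the table above, and flags accounts still using legacy MD5 hashes or an empty password field. The input is a constructed shadow excerpt, not real credentials; the $y$ (yescrypt) prefix is included because modern distributions default to it, though it is not in the table.

```shell
#!/bin/sh
# Constructed sample shadow entries (not real credentials). Fields are
# user:password:lastchange:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW='root:$6$saltsalt$hashhashhash:19000:0:99999:7:::
legacy:$1$abcd1234$oldmd5hashvalue:19000:0:99999:7:::
svc:*:19000:0:99999:7:::
nopass::19000:0:99999:7:::
dev:$5$zzzz$sha256hash:19000:0:99999:7:::'

# hash_algo <password-field>: print the algorithm implied by the $id$ prefix
hash_algo() {
  case "$1" in
    '')        echo "EMPTY" ;;              # no password at all
    '*'|'!'*)  echo "LOCKED" ;;             # account cannot log in with a password
    '$1$'*)    echo "MD5" ;;
    '$2'*)     echo "Blowfish" ;;           # $2a$/$2b$/$2y$ bcrypt variants
    '$5$'*)    echo "SHA-256" ;;
    '$6$'*)    echo "SHA-512" ;;
    '$y$'*)    echo "yescrypt" ;;           # not in the table above; modern default
    *)         echo "UNKNOWN" ;;
  esac
}

# audit_shadow <shadow-text>: one "user algorithm" line per account
audit_shadow() {
  printf '%s\n' "$1" | while IFS=: read -r user pass _rest; do
    printf '%s %s\n' "$user" "$(hash_algo "$pass")"
  done
}

# weak_accounts <shadow-text>: users whose hash is MD5 or whose field is empty
weak_accounts() {
  audit_shadow "$1" | awk '$2 == "MD5" || $2 == "EMPTY" { print $1 }'
}

audit_shadow "$SAMPLE_SHADOW"
echo "Weak accounts: $(weak_accounts "$SAMPLE_SHADOW" | tr '\n' ' ')"
```

On a real system, replace the sample with `sudo cat /etc/shadow` output; the same prefixes appear in hashdump results.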
Linux implements task scheduling through a utility called cron.
To list cron jobs: crontab -l
Find a way to modify a cron job to gain access.
In addition to the three main file access permissions (read, write and execute), Linux also provides users with specialized permissions that can be utilized in specific situations. One of these access permissions is the SUID (Set Owner User ID) permission. This permission provides users with the ability to execute a script or binary with the permissions of the file owner as opposed to the user that is running the script or binary. SUID permissions are typically used to provide unprivileged users with the ability to run specific scripts or binaries with “root” permissions.
find / -type f -perm -04000 -ls 2>/dev/null