A list of Linux vulnerability categories
This is an evolving list of Linux vulnerability types I've encountered in various hacking exercises and my reading.
Creds or keys lying around
- anonymous ftp
- anonymous samba
- text files with a person's notes
- config files for apps that need creds
- backup files (sometimes getting at the backups is tricky)
- git repositories (or mercurial, CVS, subversion, ...)
Password hashes lying around
- bad permissions on /etc/shadow
- zip files with passphrases
- password manager vaults with passphrases
- git repo, old commits
Password spraying
- any kind of login interface
- helps to know a username, but kali has `/usr/share/seclists/Usernames/*`, etc.
- `hydra` is a popular and flexible spraying tool
- watch out for lockouts due to too many failed attempts
Un-authenticated users with too much power
- anonymous ftp, samba, etc.
- guest logins (web, ssh, etc.)
Web
- directory traversal (no "include-and-execute"; just read the files)
- local and remote file inclusion (include-and-execute, as in PHP's `include($_GET['file'])`)
- executable file upload
- command injection
- SQL injection
  - read contents of database
  - write to file with...
  - read from file with...
  - execute shell command with...
  - SQL errors visible or not
  - timing attacks
  - ...
- Unintentionally exposed files
  - .git folder
  - findable with `gobuster` or other fuzzing tools (remember `gobuster`'s flag `-x php,txt,pdf,ini,swp,...`)
- Wordpress
  - password spray admin login
  - upload malicious plugin
- template injection
- cookies easily editable
Users with sudo permissions on specific commands
- if `sudo -l` mentions a command, ...
- ... check out gtfobins for a way to get shell from that command
Users with permission to run setuid commands
- `find / -perm -u=s -type f 2>/dev/null` to find all setuid commands
- `grep username /etc/group` to discover which groups a user is in
- `find / -group groupname 2>/dev/null` to find files with a given group
- sometimes gtfobins helps; sometimes you have to explore
Abusing cron jobs
- see `/etc/cron.d`, `/etc/cron.daily`, etc.
- which user does each cron job run as?
- do you have read or write permissions on the command being run?
- want to see the actual commands being run? try `pspy64`