A list of Linux vulnerability categories

This is an evolving list of Linux vulnerability types I've encountered in various hacking exercises and my reading.

Creds or keys lying around

  • anonymous ftp
  • anonymous samba
  • text files with a person's notes
  • config files for apps that need creds
  • backup files (sometimes getting at the backups is tricky)
  • git repositories (or mercurial, CVS, subversion, ...)

Password hashes lying around

  • bad permissions on /etc/shadow
  • zip files with passphrases
  • password manager vaults with passphrases
  • git repo, old commits

Password spraying

  • any kind of login interface
  • helps to know a username, but Kali has /usr/share/seclists/Usernames/*, etc.
  • hydra is a popular and flexible spraying tool
  • watch out for lockouts due to too many failed attempts
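Spraying has a distinctive shape in auth logs (one source, many different usernames, few failures per account), which per-account lockout counters miss. The following is an added example, not part of the original notes, that flags that shape in sshd "Failed password" lines; the log lines, hostnames and addresses are constructed for the example, and the thresholds are assumptions.

```python
"""Flag password-spraying patterns in sshd auth log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the syslog format sshd writes; hosts, names
# and addresses are made up for this example.
SAMPLE_LOG = """\
Mar  3 10:00:01 web1 sshd[2101]: Failed password for invalid user alice from 203.0.113.9 port 50122 ssh2
Mar  3 10:00:02 web1 sshd[2102]: Failed password for invalid user bob from 203.0.113.9 port 50123 ssh2
Mar  3 10:00:03 web1 sshd[2103]: Failed password for carol from 203.0.113.9 port 50124 ssh2
Mar  3 10:00:04 web1 sshd[2104]: Failed password for invalid user dave from 203.0.113.9 port 50125 ssh2
Mar  3 10:00:05 web1 sshd[2105]: Failed password for invalid user erin from 203.0.113.9 port 50126 ssh2
Mar  3 10:00:06 web1 sshd[2106]: Failed password for admin from 203.0.113.9 port 50127 ssh2
Mar  3 10:01:10 web1 sshd[2110]: Failed password for carol from 198.51.100.7 port 40001 ssh2
Mar  3 10:01:12 web1 sshd[2111]: Failed password for carol from 198.51.100.7 port 40002 ssh2
Mar  3 10:01:15 web1 sshd[2112]: Accepted password for carol from 198.51.100.7 port 40003 ssh2
Mar  3 10:02:00 web1 sshd[2120]: Failed password for root from 192.0.2.44 port 33001 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_failures(text):
    """Yield (timestamp, user, source_ip) for each failed-password line."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            # syslog stamps carry no year; strptime defaults it, which is
            # fine for the differences computed below
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("user"), m.group("ip")


def find_sprayers(text, min_users=5, window_seconds=300):
    """Return {ip: sorted usernames} for sources that failed against at least
    `min_users` distinct accounts inside any `window_seconds` window.
    Brute force against one account (198.51.100.7 above) is not flagged;
    the sliding window is what separates the two."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(text):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if len({u for _, u in events[start:end + 1]}) >= min_users:
                flagged[ip] = sorted({u for _, u in events})
                break
    return flagged


if __name__ == "__main__":
    for ip, users in find_sprayers(SAMPLE_LOG).items():
        print(f"possible spray from {ip}: {', '.join(users)}")
```

Run against a real auth.log the thresholds need tuning per environment; a jump host legitimately sees many distinct users from one bastion address, so pair the rule with an allowlist of known sources.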

Un-authenticated users with too much power

  • anonymous ftp, samba, etc.
  • guest logins (web, ssh, etc.)

Web

  • directory traversal (no "include-and-execute"; just read the files)
  • local and remote file inclusion (include-and-execute, as in PHP's include($_GET['file']))
  • executable file upload
  • command injection
  • SQL injection
    • read contents of database
    • write to file with...
    • read from file with...
    • execute shell command with...
    • SQL errors visible or not
    • timing attacks
    • ...
  • Unintentionally exposed files
    • .git folder
    • findable with gobuster or other fuzzing tools (remember gobuster's flag -x php,txt,pdf,ini,swp,...)
  • WordPress
    • password spray admin login
    • upload malicious plugin
  • template injection
  • cookies easily editable

Users with sudo permissions on specific commands

  • if sudo -l mentions a command, check GTFOBins for a way to get a shell from that command

Users with permission to run setuid commands

  • find / -perm -u=s -type f 2>/dev/null to find all setuid commands
  • grep username /etc/group to discover which groups a user is in
  • find / -group groupname 2>/dev/null to find files with a given group
  • sometimes GTFOBins helps; sometimes you have to explore

Abusing cron jobs

  • see /etc/cron.d, /etc/cron.daily, etc.
  • which user does each cron job run as?
  • do you have read or write permissions on the command being run?
  • want to see the actual commands being run? try pspy64
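The setuid, cron and /etc/shadow checklists above are the same three questions an auditor asks of a host: which files carry the setuid bit, which cron commands can be modified by a non-root user, and whether the shadow file is readable by "other". The following is an added example, not part of the original notes, that answers them in Python (a portable stand-in for the find and stat invocations listed above); it builds its own constructed directory tree under a temporary path so it runs offline, and the file names in that tree are made up for the example.

```python
"""Audit a tree for setuid files, writable cron commands and loose shadow
permissions (added example)."""
import os
import stat
import tempfile


def writable_by_non_owner(path):
    """True if group or other has write permission on the file itself."""
    return bool(os.lstat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def find_setuid(root):
    """Equivalent of `find ROOT -perm -u=s -type f`, returned as a sorted list."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def parse_cron_d_line(line):
    """Parse one /etc/cron.d entry (five time fields, user, command).
    Returns (user, command) or None for blanks, comments and VAR=value lines."""
    line = line.strip()
    if not line or line.startswith("#") or "=" in line.split()[0]:
        return None
    fields = line.split(None, 6)
    return (fields[5], fields[6]) if len(fields) == 7 else None


def audit_cron_d(cron_dir):
    """List (file, user, command) for jobs whose command is writable by
    group/other: a root job run from such a file is the exposure the
    cron checklist asks about."""
    findings = []
    for name in sorted(os.listdir(cron_dir)):
        path = os.path.join(cron_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path) as fh:
            for line in fh:
                parsed = parse_cron_d_line(line)
                if not parsed:
                    continue
                user, command = parsed
                target = command.split()[0]
                if os.path.isabs(target) and os.path.isfile(target) and writable_by_non_owner(target):
                    findings.append((name, user, target))
    return findings


def shadow_permissions_ok(path="/etc/shadow"):
    """/etc/shadow must not be readable by 'other'."""
    return not (os.lstat(path).st_mode & stat.S_IROTH)


def build_demo_tree():
    """Constructed fixture: a fake root with one setuid file, a root cron job
    whose script is world-writable, and a shadow file that is world-readable."""
    root = tempfile.mkdtemp(prefix="audit-demo-")
    for sub in ("usr/bin", "etc/cron.d", "opt/backup"):
        os.makedirs(os.path.join(root, sub))
    suid = os.path.join(root, "usr/bin/passwd")
    open(suid, "w").close()
    os.chmod(suid, 0o4755)                      # setuid bit set
    script = os.path.join(root, "opt/backup/run.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\necho backup\n")
    os.chmod(script, 0o777)                     # world-writable: the exposure
    with open(os.path.join(root, "etc/cron.d/backup"), "w") as fh:
        fh.write("# constructed sample\nSHELL=/bin/sh\n0 2 * * * root %s --full\n" % script)
    shadow = os.path.join(root, "etc/shadow")
    open(shadow, "w").close()
    os.chmod(shadow, 0o644)                     # readable by other: wrong
    return root


def run_demo():
    """Run all three checks on the constructed tree; paths are made relative."""
    root = build_demo_tree()
    rel = lambda p: os.path.relpath(p, root)
    return {
        "setuid": [rel(p) for p in find_setuid(root)],
        "cron": [(n, u, rel(t)) for n, u, t in audit_cron_d(os.path.join(root, "etc/cron.d"))],
        "shadow_ok": shadow_permissions_ok(os.path.join(root, "etc/shadow")),
    }


if __name__ == "__main__":
    print(run_demo())
```

On a live host point find_setuid at "/" and audit_cron_d at "/etc/cron.d" (and the cron.daily-style directories, whose entries are scripts rather than crontab lines); a finding is worth a look whenever the job's user outranks whoever can write the command, which is exactly what pspy64 would show being executed.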