Welcome back to the blog series about how to hack a box! In the past few blogs we’ve gone through a few steps which gives you an idea of how you can hack a box. We went from the Introduction, to Exploration, to Gaining Access. In this blog, we’ll cover the basics of Enumeration.

DISCLAIMER: Never attempt to execute one of these steps on a machine where you don’t have explicit permission for from the owner. This is illegal and will get you in trouble.

Enumeration

Enumeration is very similar to the exploration step: you’re gathering information about the system. Although this is a definition I use myself and is probably not an industry standard, the key difference between exploration and enumeration is you explore externally and enumerate internally.

Since we already have gained access to the target machine, our angle of attack is different when comparing to exploration. There’s still a lot of ground to cover though. We’ll focus on the basics for now, as advanced enumeration is a blog worth of its own. The goal here is gathering enough information to be able to Escalate our Privileges[1] on the Blocky box.

How to

There are a lot of things you want to check. A basic (not exhaustive) list which we’ll go through today:

  • Visible files to the current user

  • File permissions

  • Background jobs

  • Running processes and their owner

  • Open ports

  • OS and kernel versions

  • Access rights for the current user

For each item listed above, check if it’s a common item for the Operating System (OS). You need to ask yourself if the item is (mis)usable. For example you could think about a cron job running a Bash script as root every minute, while the Bash script is writeable by you. Or a script which is executed by root and uses a wildcard as a parameter[2].

Enumeration is only about gathering information, not altering the state of the machine by changing Bash scripts or running kernel exploits.

You can use scripts to automate the process of enumeration a bit, but you still need to know what you are looking for and how you can do so. For me, this is still something I struggle with myself as I’m still learning to get the feeling.

Let’s check the list above on our Blocky machine. Do note this is a Linux machine. While the thought process is the same for all OS’s, the things you need to look for and the tools you can use vary.

Enumerating files

I always start with looking around on the filesystem. Places I commonly look for on *nix are:

  • /home

  • /opt

  • /tmp

  • /

When we look at Blocky, only /home seems to contain interesting files. /opt is empty, and both /tmp and / don’t contain any files of interest.

notch@Blocky:~$ ls -alh /home/notch
total 48K
drwxr-xr-x 5 notch notch 4.0K Jul  2  2017 .
drwxr-xr-x 3 root  root  4.0K Jul  2  2017 ..
-rw------- 1 notch notch    1 Dec 24  2017 .bash_history
-rw-r--r-- 1 notch notch  220 Jul  2  2017 .bash_logout
-rw-r--r-- 1 notch notch 3.7K Jul  2  2017 .bashrc
drwx------ 2 notch notch 4.0K Jul  2  2017 .cache
drwxrwxr-x 7 notch notch 4.0K Jul  2  2017 minecraft
-rw------- 1 root  root   369 Jul  2  2017 .mysql_history
drwxrwxr-x 2 notch notch 4.0K Jul  2  2017 .nano
-rw-r--r-- 1 notch notch  655 Jul  2  2017 .profile
-rw-rw-r-- 1 notch notch   66 Jul  2  2017 .selected_editor
-rw-r--r-- 1 notch notch    0 Jul  2  2017 .sudo_as_admin_successful
-r-------- 1 notch notch   32 Jul  2  2017 user.txt

Normally the .bash_history file is of interest, because it contains all the commands that a user executed. In this case however, it’s empty. Another interesting folder is minecraft. After going through it, it seems to be a Minecraft server without anything interesting to see.

One more thing you can see is the .sudo_as_admin_successful file. This means that the notch user has successfully used sudo, which is used to execute commands as another user, like root. Let’s write this one down. Looking at the file permissions, we see a file .mysql_history which is owned by root. This might indicate that notch used sudo to open a MySQL CLI as root.

We can also for example look for files that we own, outside of the /home directory.

notch@Blocky:~$ find / -user notch -type f ! -path "/proc/*" ! -path "/sys/*" ! -path "/home/notch/*" 2> /dev/null
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1000.slice/user@1000.service/tasks
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1000.slice/user@1000.service/cgroup.procs
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1000.slice/user@1000.service/init.scope/tasks
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1000.slice/user@1000.service/init.scope/cgroup.procs
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1000.slice/user@1000.service/init.scope/cgroup.clone_children
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1000.slice/user@1000.service/init.scope/notify_on_release
/tmp/libnetty-transport-native-epoll6671581788031531016.so
/tmp/hsperfdata_notch/1193

This results in nothing much of interest for this box.

Last but not least, in *nix there is a SUID (Set UID) and SGID (Set GID) flag for file permissions. This allows a user to execute a file with the permissions of the owning user or group. If a file is owned by root, and has the SUID/SGID flag set, you can execute that file with root permissions. By default, there are some files which have this flag set but are well protected against malicious usage.

To search for files with the SUID flag, you can execute the following command:

notch@Blocky:~$ find / -perm -4000 -type f 2>/dev/null
/bin/su
/bin/fusermount
/bin/mount
/bin/ping
/bin/umount
/bin/ping6
/bin/ntfs-3g
/usr/bin/chfn
/usr/bin/pkexec
/usr/bin/newuidmap
/usr/bin/sudo
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/at
/usr/bin/newgidmap
/usr/bin/chsh
/usr/bin/newgrp
/usr/lib/openssh/ssh-keysign
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device

To search for files with the SGID flag, you can execute the following command:

notch@Blocky:~$ find / -perm -2000 -type f 2>/dev/null
/sbin/unix_chkpwd
/sbin/pam_extrausers_chkpwd
/usr/bin/screen
/usr/bin/ssh-agent
/usr/bin/at
/usr/bin/crontab
/usr/bin/bsd-write
/usr/bin/wall
/usr/bin/mlocate
/usr/bin/chage
/usr/bin/expiry
/usr/lib/x86_64-linux-gnu/utempter/utempter

Finally, to search for files that have both the SUID and SGID flags set:

notch@Blocky:~$ find / -perm -6000 -type f 2>/dev/null
/usr/bin/at

The results that you see above are fairly standard, so nothing of interest here.

Let’s check the background jobs.

Enumerating background jobs

On *nix, crontab is the default tool for running background jobs. To show all cron jobs (background job in crontab) for the current user, run the following command:

notch@Blocky:~$ crontab -l
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information see the manual pages of crontab(5) and cron(8)
#
# m h  dom mon dow   command

@reboot cd /home/notch/minecraft && ./start.sh

When checking the content of the file /home/notch/minecraft/start.sh, we see the following:

if ! screen -list | grep blockycraft > /dev/null
then
        screen -dmS blockycraft java -Xms500M -Xmx500M -jar ./sponge.jar nogui
fi

Here we can see that the Minecraft server is started automatically on every reboot in a detached screen session. This could be useful, so let’s write this down.

We’re not only interested in the cron jobs of the current user, but we want to enumerate jobs of other users as well. This can partly be done with the following command:

notch@Blocky:~$ ls -alh /etc/cron.*
/etc/cron.d:
total 24K
drwxr-xr-x   2 root root 4.0K Jul  2  2017 .
drwxr-xr-x 101 root root 4.0K Jul 16  2017 ..
-rw-r--r--   1 root root  589 Jul 16  2014 mdadm
-rw-r--r--   1 root root  670 Mar  1  2016 php
-rw-r--r--   1 root root  102 Apr  5  2016 .placeholder
-rw-r--r--   1 root root  190 Jul  2  2017 popularity-contest

/etc/cron.daily:
total 60K
drwxr-xr-x   2 root root 4.0K Jul  2  2017 .
drwxr-xr-x 101 root root 4.0K Jul 16  2017 ..
-rwxr-xr-x   1 root root  539 Apr  5  2016 apache2
-rwxr-xr-x   1 root root  376 Mar 31  2016 apport
-rwxr-xr-x   1 root root 1.5K Jan 17  2017 apt-compat
-rwxr-xr-x   1 root root  355 May 22  2012 bsdmainutils
-rwxr-xr-x   1 root root 1.6K Nov 26  2015 dpkg
-rwxr-xr-x   1 root root  372 May  5  2015 logrotate
-rwxr-xr-x   1 root root 1.3K Nov  6  2015 man-db
-rwxr-xr-x   1 root root  539 Jul 16  2014 mdadm
-rwxr-xr-x   1 root root  435 Nov 18  2014 mlocate
-rwxr-xr-x   1 root root  249 Nov 12  2015 passwd
-rw-r--r--   1 root root  102 Apr  5  2016 .placeholder
-rwxr-xr-x   1 root root 3.4K Feb 26  2016 popularity-contest
-rwxr-xr-x   1 root root  214 May 24  2016 update-notifier-common

/etc/cron.hourly:
total 12K
drwxr-xr-x   2 root root 4.0K Jul  2  2017 .
drwxr-xr-x 101 root root 4.0K Jul 16  2017 ..
-rw-r--r--   1 root root  102 Apr  5  2016 .placeholder

/etc/cron.monthly:
total 12K
drwxr-xr-x   2 root root 4.0K Jul  2  2017 .
drwxr-xr-x 101 root root 4.0K Jul 16  2017 ..
-rw-r--r--   1 root root  102 Apr  5  2016 .placeholder

/etc/cron.weekly:
total 24K
drwxr-xr-x   2 root root 4.0K Jul  2  2017 .
drwxr-xr-x 101 root root 4.0K Jul 16  2017 ..
-rwxr-xr-x   1 root root   86 Apr 13  2016 fstrim
-rwxr-xr-x   1 root root  771 Nov  6  2015 man-db
-rw-r--r--   1 root root  102 Apr  5  2016 .placeholder
-rwxr-xr-x   1 root root  211 May 24  2016 update-notifier-common

Do note this doesn’t show all cron jobs scheduled by root, because they’re stored in the home directory /root. You can see a lot of stuff in the output above. It simply takes experience in the OS to be able to see what’s default and what is not. A good place to start is simply Google the elements and try to understand what they do.

Next, we can check the running processes and their owner.

Enumerating running processes

To enumerate all running processes, execute the following command:

notch@Blocky:~$ ps -aux
USER        PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root          1  0.3  0.2  37828  5920 ?        Ss   11:58   0:04 /sbin/init
root          2  0.0  0.0      0     0 ?        S    11:58   0:00 [kthreadd]
root          3  0.0  0.0      0     0 ?        S    11:58   0:00 [ksoftirqd/0]
root          5  0.0  0.0      0     0 ?        S<   11:58   0:00 [kworker/0:0H]
root          7  0.0  0.0      0     0 ?        S    11:58   0:00 [rcu_sched]
root          8  0.0  0.0      0     0 ?        S    11:58   0:00 [rcu_bh]
root          9  0.0  0.0      0     0 ?        S    11:58   0:00 [migration/0]
root         10  0.0  0.0      0     0 ?        S    11:58   0:00 [watchdog/0]
root         11  0.0  0.0      0     0 ?        S    11:58   0:00 [kdevtmpfs]
root         12  0.0  0.0      0     0 ?        S<   11:58   0:00 [netns]
root         13  0.0  0.0      0     0 ?        S<   11:58   0:00 [perf]
root         14  0.0  0.0      0     0 ?        S    11:58   0:00 [khungtaskd]
root         15  0.0  0.0      0     0 ?        S<   11:58   0:00 [writeback]
root         16  0.0  0.0      0     0 ?        SN   11:58   0:00 [ksmd]
root         17  0.0  0.0      0     0 ?        SN   11:58   0:00 [khugepaged]
root         18  0.0  0.0      0     0 ?        S<   11:58   0:00 [crypto]
root         19  0.0  0.0      0     0 ?        S<   11:58   0:00 [kintegrityd]
root         20  0.0  0.0      0     0 ?        S<   11:58   0:00 [bioset]
root         21  0.0  0.0      0     0 ?        S<   11:58   0:00 [kblockd]
root         22  0.0  0.0      0     0 ?        S<   11:58   0:00 [ata_sff]
root         23  0.0  0.0      0     0 ?        S<   11:58   0:00 [md]
root         24  0.0  0.0      0     0 ?        S<   11:58   0:00 [devfreq_wq]
root         28  0.0  0.0      0     0 ?        S    11:58   0:00 [kswapd0]
root         29  0.0  0.0      0     0 ?        S<   11:58   0:00 [vmstat]
root         30  0.0  0.0      0     0 ?        S    11:58   0:00 [fsnotify_mark]
root         31  0.0  0.0      0     0 ?        S    11:58   0:00 [ecryptfs-kthrea]
root         47  0.0  0.0      0     0 ?        S<   11:58   0:00 [kthrotld]
root         48  0.0  0.0      0     0 ?        S<   11:58   0:00 [acpi_thermal_pm]
root         49  0.0  0.0      0     0 ?        S<   11:58   0:00 [bioset]
root         50  0.0  0.0      0     0 ?        S<   11:58   0:00 [bioset]
root         51  0.0  0.0      0     0 ?        S<   11:58   0:00 [bioset]
root         52  0.0  0.0      0     0 ?        S<   11:58   0:00 [bioset]
root         53  0.0  0.0      0     0 ?        S<   11:58   0:00 [bioset]
root         54  0.0  0.0      0     0 ?        S<   11:58   0:00 [bioset]
root         55  0.0  0.0      0     0 ?        S<   11:58   0:00 [bioset]
root         56  0.0  0.0      0     0 ?        S<   11:58   0:00 [bioset]
root         57  0.0  0.0      0     0 ?        S<   11:58   0:00 [bioset]
root         58  0.0  0.0      0     0 ?        S<   11:58   0:00 [bioset]
root         59  0.0  0.0      0     0 ?        S<   11:58   0:00 [bioset]
root         60  0.0  0.0      0     0 ?        S<   11:58   0:00 [bioset]
root         61  0.0  0.0      0     0 ?        S<   11:58   0:00 [bioset]
root         62  0.0  0.0      0     0 ?        S<   11:58   0:00 [bioset]
root         63  0.0  0.0      0     0 ?        S<   11:58   0:00 [bioset]
root         64  0.0  0.0      0     0 ?        S<   11:58   0:00 [bioset]
root         65  0.0  0.0      0     0 ?        S<   11:58   0:00 [bioset]
root         66  0.0  0.0      0     0 ?        S<   11:58   0:00 [bioset]
root         67  0.0  0.0      0     0 ?        S<   11:58   0:00 [bioset]
root         68  0.0  0.0      0     0 ?        S<   11:58   0:00 [bioset]
root         69  0.0  0.0      0     0 ?        S<   11:58   0:00 [bioset]
root         70  0.0  0.0      0     0 ?        S<   11:58   0:00 [bioset]
root         71  0.0  0.0      0     0 ?        S<   11:58   0:00 [bioset]
root         72  0.0  0.0      0     0 ?        S<   11:58   0:00 [bioset]
root         73  0.0  0.0      0     0 ?        S    11:58   0:00 [scsi_eh_0]
root         74  0.0  0.0      0     0 ?        S<   11:58   0:00 [scsi_tmf_0]
root         75  0.0  0.0      0     0 ?        S    11:58   0:00 [scsi_eh_1]
root         76  0.0  0.0      0     0 ?        S<   11:58   0:00 [scsi_tmf_1]
root         82  0.0  0.0      0     0 ?        S<   11:58   0:00 [ipv6_addrconf]
root         95  0.0  0.0      0     0 ?        S<   11:58   0:00 [deferwq]
root         96  0.0  0.0      0     0 ?        S<   11:58   0:00 [charger_manager]
root        142  0.0  0.0      0     0 ?        S    11:58   0:00 [kworker/0:2]
root        145  0.0  0.0      0     0 ?        S    11:58   0:00 [scsi_eh_2]
root        146  0.0  0.0      0     0 ?        S<   11:58   0:00 [scsi_tmf_2]
root        147  0.0  0.0      0     0 ?        S    11:58   0:00 [scsi_eh_3]
root        148  0.0  0.0      0     0 ?        S<   11:58   0:00 [scsi_tmf_3]
root        149  0.0  0.0      0     0 ?        S    11:58   0:00 [scsi_eh_4]
root        150  0.0  0.0      0     0 ?        S<   11:58   0:00 [scsi_tmf_4]
root        151  0.0  0.0      0     0 ?        S    11:58   0:00 [scsi_eh_5]
root        152  0.0  0.0      0     0 ?        S<   11:58   0:00 [scsi_tmf_5]
root        153  0.0  0.0      0     0 ?        S<   11:58   0:00 [kpsmoused]
root        154  0.0  0.0      0     0 ?        S    11:58   0:00 [scsi_eh_6]
root        155  0.0  0.0      0     0 ?        S<   11:58   0:00 [scsi_tmf_6]
root        156  0.0  0.0      0     0 ?        S    11:58   0:00 [scsi_eh_7]
root        157  0.0  0.0      0     0 ?        S<   11:58   0:00 [scsi_tmf_7]
root        158  0.0  0.0      0     0 ?        S    11:58   0:00 [scsi_eh_8]
root        159  0.0  0.0      0     0 ?        S<   11:58   0:00 [ttm_swap]
root        160  0.0  0.0      0     0 ?        S<   11:58   0:00 [scsi_tmf_8]
root        161  0.0  0.0      0     0 ?        S    11:58   0:00 [scsi_eh_9]
root        162  0.0  0.0      0     0 ?        S<   11:58   0:00 [scsi_tmf_9]
root        163  0.0  0.0      0     0 ?        S    11:58   0:00 [scsi_eh_10]
root        164  0.0  0.0      0     0 ?        S<   11:58   0:00 [scsi_tmf_10]
root        165  0.0  0.0      0     0 ?        S    11:58   0:00 [scsi_eh_11]
root        166  0.0  0.0      0     0 ?        S<   11:58   0:00 [scsi_tmf_11]
root        168  0.0  0.0      0     0 ?        S    11:58   0:00 [scsi_eh_12]
root        172  0.0  0.0      0     0 ?        S<   11:58   0:00 [scsi_tmf_12]
root        174  0.0  0.0      0     0 ?        S    11:58   0:00 [scsi_eh_13]
root        176  0.0  0.0      0     0 ?        S<   11:58   0:00 [scsi_tmf_13]
root        181  0.0  0.0      0     0 ?        S    11:58   0:00 [scsi_eh_14]
root        183  0.0  0.0      0     0 ?        S<   11:58   0:00 [scsi_tmf_14]
root        185  0.0  0.0      0     0 ?        S    11:58   0:00 [scsi_eh_15]
root        192  0.0  0.0      0     0 ?        S<   11:58   0:00 [scsi_tmf_15]
root        193  0.0  0.0      0     0 ?        S    11:58   0:00 [scsi_eh_16]
root        196  0.0  0.0      0     0 ?        S<   11:58   0:00 [scsi_tmf_16]
root        201  0.0  0.0      0     0 ?        S    11:58   0:00 [scsi_eh_17]
root        204  0.0  0.0      0     0 ?        S<   11:58   0:00 [scsi_tmf_17]
root        207  0.0  0.0      0     0 ?        S    11:58   0:00 [scsi_eh_18]
root        212  0.0  0.0      0     0 ?        S<   11:58   0:00 [scsi_tmf_18]
root        215  0.0  0.0      0     0 ?        S    11:58   0:00 [scsi_eh_19]
root        218  0.0  0.0      0     0 ?        S<   11:58   0:00 [scsi_tmf_19]
root        219  0.0  0.0      0     0 ?        S    11:58   0:00 [scsi_eh_20]
root        224  0.0  0.0      0     0 ?        S<   11:58   0:00 [scsi_tmf_20]
root        226  0.0  0.0      0     0 ?        S    11:58   0:00 [scsi_eh_21]
root        227  0.0  0.0      0     0 ?        S<   11:58   0:00 [scsi_tmf_21]
root        229  0.0  0.0      0     0 ?        S    11:58   0:00 [scsi_eh_22]
root        231  0.0  0.0      0     0 ?        S<   11:58   0:00 [scsi_tmf_22]
root        232  0.0  0.0      0     0 ?        S    11:58   0:00 [scsi_eh_23]
root        234  0.0  0.0      0     0 ?        S<   11:58   0:00 [scsi_tmf_23]
root        235  0.0  0.0      0     0 ?        S    11:58   0:00 [scsi_eh_24]
root        236  0.0  0.0      0     0 ?        S<   11:58   0:00 [scsi_tmf_24]
root        237  0.0  0.0      0     0 ?        S    11:58   0:00 [scsi_eh_25]
root        238  0.0  0.0      0     0 ?        S<   11:58   0:00 [scsi_tmf_25]
root        239  0.0  0.0      0     0 ?        S    11:58   0:00 [scsi_eh_26]
root        240  0.0  0.0      0     0 ?        S<   11:58   0:00 [scsi_tmf_26]
root        241  0.0  0.0      0     0 ?        S    11:58   0:00 [scsi_eh_27]
root        242  0.0  0.0      0     0 ?        S<   11:58   0:00 [scsi_tmf_27]
root        243  0.0  0.0      0     0 ?        S    11:58   0:00 [scsi_eh_28]
root        244  0.0  0.0      0     0 ?        S<   11:58   0:00 [scsi_tmf_28]
root        245  0.0  0.0      0     0 ?        S    11:58   0:00 [scsi_eh_29]
root        246  0.0  0.0      0     0 ?        S<   11:58   0:00 [scsi_tmf_29]
root        247  0.0  0.0      0     0 ?        S    11:58   0:00 [scsi_eh_30]
root        248  0.0  0.0      0     0 ?        S<   11:58   0:00 [scsi_tmf_30]
root        249  0.0  0.0      0     0 ?        S    11:58   0:00 [scsi_eh_31]
root        250  0.0  0.0      0     0 ?        S<   11:58   0:00 [scsi_tmf_31]
root        275  0.0  0.0      0     0 ?        S    11:58   0:00 [kworker/u256:28]
root        279  0.0  0.0      0     0 ?        S<   11:58   0:00 [bioset]
root        281  0.0  0.0      0     0 ?        S<   11:58   0:00 [bioset]
root        282  0.0  0.0      0     0 ?        S<   11:58   0:00 [bioset]
root        289  0.0  0.0      0     0 ?        S<   11:58   0:00 [kworker/0:1H]
root        357  0.0  0.0      0     0 ?        S<   11:58   0:00 [raid5wq]
root        382  0.0  0.0      0     0 ?        S<   11:58   0:00 [kdmflush]
root        383  0.0  0.0      0     0 ?        S<   11:58   0:00 [bioset]
root        393  0.0  0.0      0     0 ?        S<   11:58   0:00 [kdmflush]
root        394  0.0  0.0      0     0 ?        S<   11:58   0:00 [bioset]
root        410  0.0  0.0      0     0 ?        S<   11:58   0:00 [bioset]
root        438  0.0  0.0      0     0 ?        S    11:58   0:00 [jbd2/dm-0-8]
root        439  0.0  0.0      0     0 ?        S<   11:58   0:00 [ext4-rsv-conver]
root        508  0.0  0.1  29728  3132 ?        Ss   11:58   0:00 /lib/systemd/systemd-journald
root        518  0.0  0.0      0     0 ?        S    11:58   0:00 [kauditd]
root        520  0.0  0.0 102972  1620 ?        Ss   11:58   0:00 /sbin/lvmetad -f
root        540  0.0  0.2  44776  4252 ?        Ss   11:58   0:00 /lib/systemd/systemd-udevd
root        651  0.0  0.0      0     0 ?        S<   11:58   0:00 [iscsi_eh]
root        653  0.0  0.0      0     0 ?        S<   11:58   0:00 [ib_addr]
root        658  0.0  0.0      0     0 ?        S<   11:58   0:00 [ib_mcast]
root        660  0.0  0.0      0     0 ?        S<   11:58   0:00 [ib_nl_sa_wq]
root        663  0.0  0.0      0     0 ?        S<   11:58   0:00 [ib_cm]
root        664  0.0  0.0      0     0 ?        S<   11:58   0:00 [iw_cm_wq]
root        675  0.0  0.0      0     0 ?        S<   11:58   0:00 [rdma_cm]
root        832  0.0  0.0      0     0 ?        S<   11:58   0:00 [ext4-rsv-conver]
systemd+    865  0.0  0.1 100328  2528 ?        Ssl  11:58   0:00 /lib/systemd/systemd-timesyncd
root       1094  0.0  0.1  29012  2960 ?        Ss   11:58   0:00 /usr/sbin/cron -f
root       1097  0.0  0.0   4404  1320 ?        Ss   11:58   0:00 /usr/sbin/acpid
root       1100  0.0  0.4 185616  9764 ?        Ssl  11:58   0:01 /usr/bin/vmtoolsd
root       1106  0.0  1.0 201616 20936 ?        Ssl  11:58   0:00 /usr/lib/snapd/snapd
root       1107  0.0  0.1  28552  3132 ?        Ss   11:58   0:00 /lib/systemd/systemd-logind
root       1114  0.0  0.4 275876  8328 ?        Ssl  11:58   0:00 /usr/lib/accountsservice/accounts-daemon
syslog     1119  0.0  0.1 256400  3292 ?        Ssl  11:58   0:00 /usr/sbin/rsyslogd -n
root       1126  0.1  0.2 613468  5840 ?        Ssl  11:58   0:02 /usr/bin/lxcfs /var/lib/lxcfs/
message+   1127  0.0  0.1  42904  3724 ?        Ss   11:58   0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
daemon     1152  0.0  0.1  26048  2176 ?        Ss   11:58   0:00 /usr/sbin/atd -f
notch      1165  0.0  0.1  27192  2748 ?        Ss   11:58   0:00 screen -dmS blockycraft java -Xms500M -Xmx500M -jar ./sponge.jar nogui
root       1175  0.0  0.3 277184  6140 ?        Ssl  11:58   0:00 /usr/lib/policykit-1/polkitd --no-debug
notch      1193  8.8 29.1 2495664 591744 pts/0  Ssl+ 11:58   1:54 java -Xms500M -Xmx500M -jar ./sponge.jar nogui
root       1194  0.0  0.0  13380   168 ?        Ss   11:58   0:00 /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog
root       1312  0.0  0.2  65524  5256 ?        Ss   11:58   0:00 /usr/sbin/sshd -D
root       1341  0.0  1.4 286020 28700 ?        Ss   11:58   0:00 php-fpm: master process (/etc/php/7.0/fpm/php-fpm.conf)
root       1363  0.0  0.0   5228   160 ?        Ss   11:58   0:00 /sbin/iscsid
root       1364  0.0  0.1   5728  3524 ?        S<Ls 11:58   0:00 /sbin/iscsid
mysql      1401  0.0  7.7 1116064 157948 ?      Ssl  11:58   0:00 /usr/sbin/mysqld
root       1431  0.0  0.0  15944  1860 tty1     Ss+  11:58   0:00 /sbin/agetty --noclear tty1 linux
www-data   1464  0.0  0.3 286020  7272 ?        S    11:58   0:00 php-fpm: pool www
www-data   1465  0.0  0.3 286020  7272 ?        S    11:58   0:00 php-fpm: pool www
proftpd    1466  0.0  0.1 119644  3560 ?        Ss   11:58   0:00 proftpd: (accepting connections)
root       1520  0.0  1.4 325600 28896 ?        Ss   11:58   0:00 /usr/sbin/apache2 -k start
www-data   1523  0.0  0.4 325624  8736 ?        S    11:58   0:00 /usr/sbin/apache2 -k start
www-data   1524  0.0  0.4 325624  8736 ?        S    11:58   0:00 /usr/sbin/apache2 -k start
www-data   1525  0.0  0.4 325624  8736 ?        S    11:58   0:00 /usr/sbin/apache2 -k start
www-data   1526  0.0  0.4 325624  8736 ?        S    11:58   0:00 /usr/sbin/apache2 -k start
www-data   1527  0.0  0.4 325624  8736 ?        S    11:58   0:00 /usr/sbin/apache2 -k start
root       1595  0.0  0.3  95408  6992 ?        Ss   11:59   0:00 sshd: notch [priv]
notch      1597  0.0  0.2  45368  4540 ?        Ss   11:59   0:00 /lib/systemd/systemd --user
notch      1599  0.0  0.0  61280  2008 ?        S    11:59   0:00 (sd-pam)
notch      1674  0.0  0.2  95608  4268 ?        S    11:59   0:00 sshd: notch@pts/1
notch      1675  0.0  0.2  22584  5340 pts/1    Ss   11:59   0:00 -bash
root       1784  0.0  0.0      0     0 ?        S    12:09   0:00 [kworker/0:0]
root       1786  0.0  0.0      0     0 ?        S    12:09   0:00 [kworker/u256:0]
notch      1816  0.0  0.1  37368  3340 pts/1    R+   12:20   0:00 ps -aux

Here we can see a few interesting things:

  1. notch 1165 0.0 0.1 27192 2748 ? Ss 11:58 0:00 screen -dmS blockycraft java -Xms500M -Xmx500M -jar ./sponge.jar nogui

  2. notch 1193 8.8 29.1 2495664 591744 pts/0 Ssl+ 11:58 1:54 java -Xms500M -Xmx500M -jar ./sponge.jar nogui

  3. proftpd 1466 0.0 0.1 119644 3560 ? Ss 11:58 0:00 proftpd: (accepting connections)

  4. www-data 1523 0.0 0.4 325624 8736 ? S 11:58 0:00 /usr/sbin/apache2 -k start

  5. mysql 1401 0.0 7.7 1116064 157948 ? Ssl 11:58 0:00 /usr/sbin/mysqld

The first two processes are the result of the cron job we found for Notch. We already saw ProFTPD was listening on port 21 in our Exploration step. Here we can see the running process which is owned by user proftpd. It is best practice to run network processes as a dedicated user to decrease the attack surface[3], so this is configured correctly. Same with the Apache and MySQL processes.

Now we’ve identified the running processes, let’s see if there are interesting open ports that we haven’t seen yet.

Enumerating open ports

To check for open ports, you can run the following command:

notch@Blocky:~/minecraft$ netstat -antup
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0    604 10.10.10.37:22          10.10.14.7:49472        ESTABLISHED -
tcp        0      0 10.10.10.37:22          10.10.14.7:54162        ESTABLISHED -
tcp6       0      0 :::80                   :::*                    LISTEN      -
tcp6       0      0 :::21                   :::*                    LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -

We can see that there’s a running MySQL instance listening on localhost on port 3306, which isn’t accessible remotely. Also, we can see there are active SSH sessions from my machine. Nothing interesting though.

Next up, let’s check our OS and kernel versions.

Enumerating OS and kernel versions

To check the OS version:

notch@Blocky:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.2 LTS
Release:        16.04
Codename:       xenial

To check the kernel version:

notch@Blocky:~$ uname -a
Linux Blocky 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Now the question is: what can we do with this information? Like we did with the network services; checking for known vulnerabilities. Interesting categories are for example Remote Code Execution and of course Privilege Escalation.

Known vulnerabilities for Linux kernel 4.4.0[4]:

CVE Details
Figure 1. Vulnerabilities for Linux kernel 4.4.0

If we broaden the scope even more by searching for Ubuntu 16.04.2, we see even more vulnerabilities. The page lists a total of 1132(!) vulnerabilities, although most of these vulnerabilities will probably be solved in one of the patch releases since we’re on 16.04.2 (and the page lists 16.04).

Last, but not least, let’s check our privileges.

Enumerating privileges

With *nix, one of the things you always need to check are the sudo rights. You can do so with the following command:

notch@Blocky:~/minecraft$ sudo -l
[sudo] password for notch:
Matching Defaults entries for notch on Blocky:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User notch may run the following commands on Blocky:
    (ALL : ALL) ALL

If a hacker sees the output above, he/she would be very happy. This means we can use sudo to run any command as root.

Looking back at our results when enumerating the files, we already saw two hints towards the sudo usage. We saw the file .sudo_as_admin_successful, and the root file .mysql_history. This is the first thing I would try in our next step: Privilege Escalation.

Summarizing

We’ve gone through just the basics of enumeration, but even now we’ve seen a lot of information already. This is the reason why it’s so important to write everything down in a structured way and to store the results of all your commands. If you write everything down, it’s a lot easier to search across your results. When you forget the password for user X for example, you can simply search in your notes instead of exploiting the same vulnerability again. An even bigger advantage is you’re building a manual for yourself on how to go through certain services to find the needle in the haystack. This has helped me a lot when going through the boxes in Hack The Box.

Now, let’s summarize what we’ve seen thus far which might be interesting for our next step:

  • A Minecraft server is started on every reboot in a screen session under user notch, which is a Java application

  • User Notch has used sudo before, and might’ve started a MySQL CLI session as root with it

  • A MySQL server is listening on port 3306 on localhost, which is running as user mysql

  • There might be some vulnerabilities in the OS or kernel that we can use

  • We can execute any command as any user with sudo

What’s next

This was the step on Enumeration. The next step is Privilege Escalation, in which we use the information gathered from all previous steps to try to gain root access. This however is good for another blog post!

See you next time?


1. Privilege Escalation is gaining access to a higher privileged user. In our case this is root for *nix, and Administrator for Windows.
2. For more information about wildcard injection, read this article
3. A term for the sum of the different points (attack vectors) where an unauthorized user (attacker) can try to enter data to or extract data from an environment. Source: https://en.wikipedia.org/wiki/Attack_surface
4. According to cvedetails.com
shadow-left