first whack at nav reorg

This commit is contained in:
Rob Fuller
2013-12-26 13:08:13 -05:00
parent 68644fefb7
commit be072ead31
45 changed files with 110 additions and 148 deletions

29
presence/linux/blind.md Normal file

@@ -0,0 +1,29 @@
# Linux Blind Files
In some cases during exploitation you as an attacker gain the ability to read arbitrary files. As an attacker you need go-to files that cover as many different OS versions as possible in order to either confirm exploitation or gather intelligence on the exploited system. For this we use a "blind file".
The files below are things to pull when all you can do is to blindly read. Examples of vulnerabilities or situations where this would be helpful might be: local file includes (LFI), directory traversals or remote file share instances like SMB, FTP, NFS or otherwise.
| File | Description / Importance |
| -------- | ------------------------ |
| `/etc/issue` | A message or system identification to be printed before the login prompt. |
| `/etc/motd` | Message of the day banner content. Can contain information about the system owners or use of the system. |
| `/etc/passwd` | List of account names, groups, home directory, and shell (should be globally readable). May also contain password hashes. |
| `/etc/group` | User groups. |
| `/etc/resolv.conf` | Contains the current name servers (DNS) for the system. This is a globally readable file that is less likely to trigger IDS alerts than `/etc/passwd`. |
| `/etc/shadow` | List of all shadowed user's password hashes (usually requires root privileges). |
| `/home/[USERNAME]/.bash_history`<br>`~/.bash_history`<br>`$USER/.bash_history`<br>`/root/.bash_history` | Shell (bash) history for [USERNAME], the current user or root respectively. This file can contain passwords and other sensitive commands and content. It's worth trying .profile instead of .bash_history in case the user doesn't use bash |
# Information discovery through blind files
When using blind files, it is often possible to mine known files for other paths or configuration. This can disclose what services are running, how they are configured and more. The following is some files that are worth looking at.
| File | Description / Importance |
| -------- | ------------------------ |
| `/etc/mtab` | Reveals mount points. |
| `/etc/inetd.conf` | Configuration file for inetd based services, mostly deprecated these days. |
| ... | ... |
# More files
It is worth automating the extraction of files, either using a dictionary attack or even bruteforce to discover unknown files.
A list of file paths to try can be found [here](pillage.lst).
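
Review bot: In the `.bash_history` row of the first table, `$USER/.bash_history` is not a usable path, because `$USER` expands to the account name rather than the home directory; `$HOME/.bash_history` is presumably what was meant, and that duplicates `~/.bash_history` already on the same row, so the entry can be dropped. The same hunk also leaves a `| ... | ... |` placeholder row in the second table, uses three top-level `#` headings in one file where the later two read as subsections, and starts each table directly under a paragraph with no blank line, which some Markdown renderers will not parse as a table.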


@@ -0,0 +1,116 @@
<!-- Code for collapse and expand -->
<script type="text/javascript">
$(document).ready(function() {
$('div.view').hide();
$('div.slide').click(function() {
$(this).next('div.view').slideToggle('fast');
return false;
});
});
</script>
# Linux finding files commands
Commands that finds files on the file system are usually executed from within a shell (sh/bash) or through a forking function such as system() or exec().
## ls
### Attributes showing
* **Command with arguments**: `ls -l [directory or filename]`
* **Description**: Displays attributes of files and directories in the specified location
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Ubuntu:** Show/Hide</div><div class="view"><code>root@localhost:~/ ls -l /
total 429820
drwxr-xr-x 2 root root 4096 2013-08-23 02:49 bin
drwxr-xr-x 3 root root 4096 2013-08-23 03:18 boot
drwxr-xr-x 2 root root 4096 2011-03-05 11:41 cdrom
drwxr-xr-x 15 root root 4600 2013-11-25 15:43 dev
drwxr-xr-x 158 root root 12288 2013-12-04 15:54 etc
drwxr-xr-x 4 root root 4096 2013-05-02 07:19 home
lrwxrwxrwx 1 root root 21 2012-03-01 08:11 initrd.img -> boot/initrd.img-3.2.6
drwxr-xr-x 25 root root 16384 2013-08-23 02:50 lib
drwx------ 2 root root 16384 2011-03-05 11:40 lost+found
drwxr-xr-x 4 root root 4096 2013-08-04 22:31 media
drwxr-xr-x 3 root root 4096 2012-03-04 19:14 mnt
-rw-r--r-- 1 root root 1045 2012-08-13 23:52 nis
drwxr-xr-x 12 root root 4096 2013-08-23 03:02 opt
drwxr-xr-x 25 root root 4096 2013-08-23 02:54 pentest
dr-xr-xr-x 148 root root 0 2013-11-25 15:36 proc
drwx------ 77 root root 4096 2013-12-04 15:58 root
-rw-r--r-- 1 root root 440006761 2012-10-01 00:09 root.tgz
drwxr-xr-x 2 root root 12288 2013-08-23 02:51 sbin
drwxr-xr-x 2 root root 4096 2009-12-05 16:55 selinux
drwxr-xr-x 4 root root 4096 2011-05-10 03:42 share
drwxr-xr-x 4 root root 4096 2013-04-17 21:25 srv
drwxr-xr-x 12 root root 0 2013-11-25 15:36 sys
drwxrwxrwt 12 root root 4096 2013-12-04 01:00 tmp
drwxr-xr-x 13 root root 4096 2013-08-23 02:52 usr
drwxr-xr-x 16 root root 4096 2011-06-08 09:16 var
lrwxrwxrwx 1 root root 18 2012-03-01 08:11 vmlinuz -> boot/vmlinuz-3.2.6
</code></div>
----
## find
### Search by name
* **Command with arguments**: `find /etc -name "issue*"`
* **Description**: Locates files matching the name (wildcards supported)
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Ubuntu:** Show/Hide</div><div class="view"><code>root@localhost:~/ find /etc -name "issue*"
/etc/issue.net
/etc/issue
/etc/issue.dpkg-dist
</code></div>
### Search by permissions
* **Command with arguments**: `find / -perm 777`
* **Description**: Locates files matching the permissions
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Ubuntu:** Show/Hide</div><div class="view"><code>root@localhost:~/ find / -perm 777
/initrd.img
/pentest/exploits/isr-evilgrade/include/sunjava/JavaPayload/FunnyClass2.jar
/pentest/exploits/isr-evilgrade/agent/java/javaws.exe
/pentest/exploits/isr-evilgrade/trash
/pentest/passwords/hashcat-gui/hashcat
/pentest/passwords/hashcat-gui/oclHashcat-plus
/pentest/passwords/hashcat-gui/oclHashcat-lite
/pentest/passwords/john/undrop
--snip--
</code></div>
### Search by username
* **Command with arguments**: `find / -user root`
* **Description**: Locates files owned by the user "root"
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Ubuntu:** Show/Hide</div><div class="view"><code>root@localhost:~/ find / -user root
/
/initrd.img
/pentest
/pentest/sniffers
/pentest/sniffers/dnschef
/pentest/sniffers/dnschef/dnschef.exe
/pentest/sniffers/dnschef/dnschef.ini
/pentest/sniffers/dnschef/dnslib
/pentest/sniffers/dnschef/dnslib/dns.py
/pentest/sniffers/dnschef/dnslib/__init__.py
--snip--
</code></div>
----
## locate
* **Command with arguments**: `locate ifconfig`
* **Description**: Look files up in the location database
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Ubuntu:** Show/Hide</div><div class="view"><code>root@localhost:~/ locate ifconfig
/pentest/forensics/volatility/volatility/plugins/linux/ifconfig.py
/pentest/forensics/volatility/volatility/plugins/linux/ifconfig.pyc
/sbin/ifconfig
/usr/share/man/de/man8/ifconfig.8.gz
/usr/share/man/fr/man8/ifconfig.8.gz
/usr/share/man/man8/ifconfig.8.gz
/usr/share/man/pt_BR/man8/ifconfig.8.gz
</code></div>
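
Review bot: The collapse/expand `<script>` at the top of this file calls `$(document).ready(...)`, but nothing in the hunk loads jQuery, so the page only works if the site layout already provides it; document that dependency or move the script into the shared layout instead of pasting it into a content page. The sample outputs are wrapped in `<code>` inside a `<div>`, which collapses the newlines and column alignment of the `ls -l` listing; `<pre><code>` would preserve them. Under "Search by permissions", the description should say that `-perm 777` matches that exact mode only, which is why the symlink `/initrd.img` appears in the sample output.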

0
presence/linux/index.md Normal file

191
presence/linux/pillage.lst Normal file

@@ -0,0 +1,191 @@
/apache/logs/access.log
/apache/logs/error.log
/bin/php.ini
/etc/alias
/etc/apache2/apache.conf
/etc/apache2/conf/httpd.conf
/etc/apache2/httpd.conf
/etc/apache/conf/httpd.conf
/etc/bash.bashrc
/etc/chttp.conf
/etc/crontab
/etc/crypttab
/etc/debian_version
/etc/exports
/etc/fedora-release
/etc/fstab
/etc/ftphosts
/etc/ftpusers
/etc/group
/etc/group-
/etc/hosts
/etc/http/conf/httpd.conf
/etc/httpd.conf
/etc/httpd/conf/httpd.conf
/etc/httpd/httpd.conf
/etc/httpd/logs/acces_log
/etc/httpd/logs/acces.log
/etc/httpd/logs/access_log
/etc/httpd/logs/access.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/etc/httpd/php.ini
/etc/http/httpd.conf
/etc/inetd.conf
/etc/inittab
/etc/issue
/etc/issue.net
/etc/lighttpd.conf
/etc/login.defs
/etc/mandrake-release
/etc/motd
/etc/mtab
/etc/my.cnf
/etc/mysql/my.cnf
/etc/openldap/ldap.conf
/etc/os-release
/etc/pam.conf
/etc/passwd
/etc/passwd-
/etc/password.master
/etc/php4.4/fcgi/php.ini
/etc/php4/apache2/php.ini
/etc/php4/apache/php.ini
/etc/php4/cgi/php.ini
/etc/php5/apache2/php.ini
/etc/php5/apache/php.ini
/etc/php5/cgi/php.ini
/etc/php/apache2/php.ini
/etc/php/apache/php.ini
/etc/php/cgi/php.ini
/etc/php.ini
/etc/php/php4/php.ini
/etc/php/php.ini
/etc/profile
/etc/proftp.conf
/etc/proftpd/modules.conf
/etc/protpd/proftpd.conf
/etc/pure-ftpd.conf
/etc/pureftpd.passwd
/etc/pureftpd.pdb
/etc/pure-ftpd/pure-ftpd.conf
/etc/pure-ftpd/pure-ftpd.pdb
/etc/pure-ftpd/pureftpd.pdb
/etc/redhat-release
/etc/resolv.conf
/etc/samba/smb.conf
/etc/security/environ
/etc/security/group
/etc/security/limits
/etc/security/passwd
/etc/security/user
/etc/shadow
/etc/shadow-
/etc/slackware-release
/etc/sudoers
/etc/SUSE-release
/etc/sysctl.conf
/etc/vhcs2/proftpd/proftpd.conf
/etc/vsftpd.conf
/etc/vsftpd/vsftpd.conf
/etc/wu-ftpd/ftpaccess
/etc/wu-ftpd/ftphosts
/etc/wu-ftpd/ftpusers
/logs/access.log
/logs/error.log
/opt/apache2/conf/httpd.conf
/opt/apache/conf/httpd.conf
/opt/xampp/etc/php.ini
/php4\php.ini
/php5\php.ini
/php\php.ini
/PHP\php.ini
/private/etc/httpd/httpd.conf
/private/etc/httpd/httpd.conf.default
/root/.bash_history
/root/.ssh/id_rsa
/root/.ssh/id_rsa.pub
/root/.ssh/known_hosts
/tmp/access.log
/usr/apache2/conf/httpd.conf
/usr/apache/conf/httpd.conf
/usr/etc/pure-ftpd.conf
/usr/lib/php.ini
/usr/lib/php/php.ini
/usr/lib/security/mkuser.default
/usr/local/apache2/conf/httpd.conf
/usr/local/apache2/httpd.conf
/usr/local/apache2/logs/access_log
/usr/local/apache2/logs/access.log
/usr/local/apache2/logs/error_log
/usr/local/apache2/logs/error.log
/usr/local/apache/conf/httpd.conf
/usr/local/apache/conf/php.ini
/usr/local/apache/httpd.conf
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/usr/local/apache/logs/error. og
/usr/local/apps/apache2/conf/httpd.conf
/usr/local/apps/apache/conf/httpd.conf
/usr/local/etc/apache2/conf/httpd.conf
/usr/local/etc/apache/conf/httpd.conf
/usr/local/etc/apache/vhosts.conf
/usr/local/etc/httpd/conf/httpd.conf
/usr/local/etc/php.ini
/usr/local/etc/pure-ftpd.conf
/usr/local/etc/pureftpd.pdb
/usr/local/httpd/conf/httpd.conf
/usr/local/lib/php.ini
/usr/local/php4/httpd.conf
/usr/local/php4/httpd.conf.php
/usr/local/php4/lib/php.ini
/usr/local/php5/httpd.conf
/usr/local/php5/httpd.conf.php
/usr/local/php5/lib/php.ini
/usr/local/php/httpd.conf
/usr/local/php/httpd.conf.php
/usr/local/php/lib/php.ini
/usr/local/pureftpd/etc/pure-ftpd.conf
/usr/local/pureftpd/etc/pureftpd.pdb
/usr/local/pureftpd/sbin/pure-config.pl
/usr/local/Zend/etc/php.ini
/usr/pkgsrc/net/pureftpd/
/usr/ports/contrib/pure-ftpd/
/usr/ports/ftp/pure-ftpd/
/usr/ports/net/pure-ftpd/
/usr/sbin/pure-config.pl
/var/cpanel/cpanel.config
/var/lib/mysql/my.cnf
/var/local/www/conf/php.ini
/var/log/access_log
/var/log/access.log
/var/log/apache2/access_log
/var/log/apache2/access.log
/var/log/apache2/error_log
/var/log/apache2/error.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/error_log
/var/log/error.log
/var/log/httpd/access_log
/var/log/httpd/access.log
/var/log/httpd/error_log
/var/log/httpd/error.log
/var/log/messages
/var/log/messages.1
/var/log/user.log
/var/log/user.log.1
/var/www/conf/httpd.conf
/var/www/html/index.html
/var/www/logs/access_log
/var/www/logs/access.log
/var/www/logs/error_log
/var/www/logs/error.log
/Volumes/webBackup/opt/apache2/conf/httpd.conf
/Volumes/webBackup/private/etc/httpd/httpd.conf
/Volumes/webBackup/private/etc/httpd/httpd.conf.default
/web/conf/php.ini
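
Review bot: `/usr/local/apache/logs/error. og` contains a space and looks like a damaged copy of the `/usr/local/apache/logs/error.log` entry directly above it; drop it or correct it. The four entries written with a backslash (`/php4\php.ini`, `/php5\php.ini`, `/php\php.ini`, `/PHP\php.ini`) and the `/private/etc/...` and `/Volumes/webBackup/...` entries are not Linux paths, so they either belong in another platform's list or need a note in `blind.md` explaining why they sit under `presence/linux/`. The list also mixes file entries with directory entries that end in a slash (for example `/usr/ports/ftp/pure-ftpd/`); state in `blind.md` whether both are intended.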