9 Linux or UNIX post-exploitation

This chapter covers

  • Harvesting credentials from .dot files
  • Tunneling through SSH connections
  • Automating SSH pubkey authentication with bash
  • Scheduling a reverse callback using cron
  • Escalating privileges with SUID binaries

In the last chapter, we discussed the three main components of Windows post-exploitation, which you will recall are the following:

  • Maintaining reliable re-entry
  • Harvesting credentials
  • Moving laterally

These are the same for Linux- or UNIX-based systems; the only difference is the techniques used to do them. A strong pentester is OS-agnostic. It doesn’t matter if you’re on a Windows machine, FreeBSD UNIX, CentOS Linux, or macOS. You should know enough about where to find credentials, how to establish reliable re-entry, and how to move laterally to succeed during any engagement. In this chapter, you will learn several post-exploitation techniques for penetrating further into Linux or UNIX environments. Let’s begin by quickly reviewing the three primary components (figure 9.1) of post-exploitation and privilege escalation.

Figure 9.1 Post-exploitation goals and objectives

9.1 Maintaining reliable re-entry with cron jobs

9.1.1 Creating an SSH key pair

9.1.2 Enabling pubkey authentication

9.1.3 Tunneling through SSH

9.1.4 Automating an SSH tunnel with cron

9.2 Harvesting credentials

9.2.1 Harvesting credentials from bash history

9.2.2 Harvesting password hashes

9.3 Escalating privileges with SUID binaries

9.3.1 Locating SUID binaries with the find command