On Server Reconnaissance.
Last week we looked at Privilege Escalation, and introduced some of the more common ways of gaining higher privileges on a Linux system.
This week we are going back to reconnaissance, and looking at how we can identify potential routes for priv-esc.
We will look at enumerating the programs on a system, and identifying potential issues. We will also look at some scripts that can be useful for the privesc process.
Note
We did something different this time around, and came up with a strategy together during the Lab Session.
Here are some overview notes.
Videos of Lab Sessions.
Overview of the Process
Unfortunately, this process is pretty difficult to teach (and even harder to write about without it becoming a list of commands). It's also really hard to cover comprehensively, as things keep changing. So I will cover the basics and let you play with it in the labs. Treat the materials as a starting point, and keep adding to them in your notes / QRC / cheat sheet.
However, regardless of the system, we can apply a reasonably simple process.
- Identify where we currently are:
  - What is our current user?
  - What can we run?
- Identify where we want to be.
- Out of the commands we have available, is there anything that will help us move towards our goal?
  - This may not be a direct jump to root; we may have to go through an intermediate user (or users).
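As an added example (not part of the original notes), here is that process as a small POSIX sh script: it answers "who are we, what can we run" with `id` and `sudo -n -l`, collects SUID/SGID binaries and capability-bearing files, then filters them against a shortlist of binaries that can spawn a shell or read/write arbitrary files when run with elevated rights. The shortlist is my own pick and is deliberately short; the sample SUID list is constructed so the filter can be tried without a target. Run it with no arguments to see the filter on the sample data, or with `run` on a target to collect live output.

```shell
#!/bin/sh
# Added example, not code from the original notes. A first "where am I" pass
# for Linux priv-esc recon in POSIX sh. Run with no arguments to see the filter
# on constructed sample data; run as `sh recon.sh run` on a target to collect
# live output (needs find, id, sudo; getcap is optional).

# Editor's own shortlist of binaries worth a second look when they carry
# SUID/SGID bits or are runnable through sudo, because they can spawn a shell
# or read/write arbitrary files. Fuller lists live in HackTricks-style references.
INTERESTING='bash sh dash zsh find vim vi nano less more awk perl python python3 env cp mv tee tar nmap'

# Constructed sample: what list_suid might return on a small box.
SAMPLE_SUID='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/find
/usr/local/bin/backup
/usr/bin/python3'

# Step 1: who are we, and what can we run?
where_am_i() {
    printf 'user:  %s\n' "$(id)"
    printf 'shell: %s\n' "${SHELL:-unknown}"
    printf 'sudo rights:\n'
    # -n never prompts, so this cannot hang an unattended session.
    sudo -n -l 2>/dev/null || echo '  (sudo -l needs a password, or sudo is absent)'
}

# Step 2: candidate routes. SUID/SGID files on the live system, one path per line.
list_suid() {
    find / -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Files carrying Linux capabilities (getcap comes with libcap; absent on some hosts).
list_caps() {
    getcap -r / 2>/dev/null
}

# Step 3: filter. Reads paths on stdin, prints those whose basename is in
# INTERESTING. Works the same on live find output or on a saved list.
flag_interesting() {
    while IFS= read -r path; do
        base=${path##*/}
        for name in $INTERESTING; do
            if [ "$base" = "$name" ]; then
                printf '%s\n' "$path"
                break
            fi
        done
    done
}

if [ "${1:-}" = "run" ]; then
    where_am_i
    echo 'SUID/SGID binaries worth a second look:'
    list_suid | flag_interesting
    echo 'Files with capabilities:'
    list_caps
else
    echo 'Sample SUID list, filtered:'
    printf '%s\n' "$SAMPLE_SUID" | flag_interesting
fi
```

A hit from `flag_interesting` is a lead, not a result: the next step is still to work out what the binary actually lets you do as the elevated user, and whether that moves you towards the goal (which may be an intermediate user rather than root).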
Server Enumeration
Once we have our initial access to a remote system, we need to start the recon process again.
This time we gather more information on the system itself, the programs installed on it, and any interesting permission settings that might give us scope for exploitation. As with our initial reconnaissance, this can be a time-consuming (and somewhat boring) process, but the information we gather here is vital to understanding the security flaws an attacker might use.
Server Recon in a CTF
The approach in a CTF differs slightly from that during a pentest.
In a CTF we know that a weakness exists, and our aim is to find the easiest path to exploitation. While this can mean we thrutch around looking for some obscure issue to work with, once we find the vulnerability our work is done.
During a pentest we would be more thorough, as our job is usually to help secure the server against any issues that might be present. This means we need to complete the recon to identify all possible vulns, not just the first one.
HackTricks and other resources
Like the OWASP testing guide[1] for web applications, HackTricks can help as a cheat sheet for server-side exploitation.
Unfortunately, the Uni content filter blocks it[2]. But you can view the Markdown sources using its GitHub repository.
The Recon Process
Broadly speaking, the server recon process covers three stages:
- The OS Itself: Looking for known issues in the OS itself, and the core services it runs.
- Software Installed: Identifying, and auditing, software that has been installed.
- Configuration Issues: Security misconfigurations in the software that is installed.
At each stage we can then take the versions and settings we have identified and cross-reference them against databases of known issues.
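As an added example (not from the original notes), here is a POSIX sh script that walks the three stages and produces output in a form that is easy to cross-reference: the OS id and version from `/etc/os-release`, a `name version` inventory of installed packages from `dpkg -l`, and a list of sensitive paths the current user can write to. It assumes a Debian-family host for the package stage (rpm-based systems would use `rpm -qa` instead); the `/etc/os-release` and `dpkg -l` samples are constructed so the parsers can be tried without a target. Run with no arguments for the sample data, or with `run` on a target.

```shell
#!/bin/sh
# Added example, not code from the original notes. Walks the three recon
# stages (OS, installed software, configuration) and produces output that is
# easy to cross-reference against vulnerability databases. Assumes a
# Debian-family host for the package stage (rpm-based systems use rpm -qa).
# Run with no arguments to see the parsers on constructed sample data, or
# `sh inventory.sh run` on a target to collect live data.

# Constructed sample of /etc/os-release (values are illustrative).
SAMPLE_OSR='NAME="Ubuntu"
ID=ubuntu
ID_LIKE=debian
VERSION_ID="22.04"'

# Constructed sample of dpkg -l output, with its header and a removed package.
SAMPLE_DPKG='Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
||/ Name           Version         Architecture Description
+++-==============-===============-============-=========================
ii  sudo           1.9.9-1ubuntu2  amd64        Provide limited super user privileges
ii  openssh-server 1:8.9p1-3       amd64        secure shell (SSH) server
rc  old-pkg        1.0-1           amd64        removed, config files remain'

# Stage 1: the OS itself. Reads os-release text on stdin, prints "id version".
os_fingerprint() {
    os_id=''; os_ver=''
    while IFS= read -r line; do
        case $line in
            ID=*)         os_id=${line#ID=} ;;
            VERSION_ID=*) os_ver=${line#VERSION_ID=} ;;
        esac
    done
    # os-release values may be double-quoted; strip the quotes.
    os_id=${os_id#\"};   os_id=${os_id%\"}
    os_ver=${os_ver#\"}; os_ver=${os_ver%\"}
    printf '%s %s\n' "$os_id" "$os_ver"
}

# Stage 2: installed software. Reads dpkg -l on stdin and prints
# "name version" for packages in state ii (installed); header lines and
# removed/not-installed packages are dropped.
dpkg_inventory() {
    awk '$1 == "ii" { print $2, $3 }'
}

# Stage 3: configuration. Reads paths on stdin and prints those the current
# user can write to. A writable passwd, sudoers or cron file is a classic route.
writable_check() {
    while IFS= read -r path; do
        if [ -e "$path" ] && [ -w "$path" ]; then
            printf '%s\n' "$path"
        fi
    done
}

# Paths worth checking on a live host (editor's own shortlist).
SENSITIVE='/etc/passwd /etc/shadow /etc/sudoers /etc/crontab /etc/cron.d /etc/cron.daily'

if [ "${1:-}" = "run" ]; then
    printf 'kernel: %s\n' "$(uname -r)"
    printf 'os: %s\n' "$(os_fingerprint 2>/dev/null < /etc/os-release)"
    echo 'installed packages (name version):'
    dpkg -l 2>/dev/null | dpkg_inventory
    echo 'writable sensitive paths:'
    for p in $SENSITIVE; do printf '%s\n' "$p"; done | writable_check
else
    printf 'os: %s\n' "$(printf '%s\n' "$SAMPLE_OSR" | os_fingerprint)"
    echo 'installed packages (name version):'
    printf '%s\n' "$SAMPLE_DPKG" | dpkg_inventory
fi
```

The `name version` lines from stage 2 are what you feed to a known-issue lookup (with the distribution and kernel version from stage 1 alongside, since distro packages carry backported fixes that the upstream version number alone does not show). Stage 3 is the misconfiguration check and needs no database at all: a writable entry in that list is a finding in its own right.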
- [1] The OWASP testing guide is an excellent checklist of things to look for, and also gives specifics on common applications and misconfigurations.
- [2] I am working on that...