2. Misconfigurations

Password Reuse

$ su root
Password : *********

SUDO

$ sudo -l 

User [Username] may run the following commands on [Machine Name]:
    (root) NOPASSWD: /home/user/personal/stuff/AnyScript.sh

# How to read this:
# the current user `Username` can run the command `/home/user/personal/stuff/AnyScript.sh` as `root` without a password

$ sudo -u root /home/user/personal/stuff/AnyScript.sh


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


User [Username] may run the following commands on [Machine Name]:
    (Username2) NOPASSWD: /home/Username2/luvit
    
# the current user `Username` can run the command `/home/Username2/luvit` as `Username2` without a password


$ sudo -u Username2 /home/Username2/luvit privesc.lua    # sometimes the command needs arguments to work


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


User [Username] may run the following commands on [Machine Name]:
    (Username2 : Username2) NOPASSWD: ALL

# the current user `Username` can run `ANY` command as the user `Username2` or as its group, without a password


$ sudo -u Username2 /bin/bash
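
When reviewing a host, the reading of `sudo -l` listings shown above can be automated. The following is an added example, not part of the original notes: it parses the listing into run-as user, group, tags and command, and flags the patterns from the three listings. The function names, the sample text and the one-rule-per-line layout are assumptions.

```python
import os
import re

# Constructed sample: the three `sudo -l` listings from these notes as one output.
SAMPLE = """\
User Username may run the following commands on Machine:
    (root) NOPASSWD: /home/user/personal/stuff/AnyScript.sh
    (Username2) NOPASSWD: /home/Username2/luvit
    (Username2 : Username2) NOPASSWD: ALL
"""

# Assumed layout, one rule per line: "    (user[ : group]) [TAG: ...]command"
RULE = re.compile(r"^[ \t]+\(([^)]*)\)[ \t]*((?:[A-Z_]+:[ \t]*)*)(.+)$", re.M)

def parse_sudo_l(text):
    """Return one dict per rule line: run-as user and group, tags, command."""
    rules = []
    for m in RULE.finditer(text):  # header and Defaults lines do not match
        runas, tagstr, command = m.groups()
        user, _, group = (p.strip() for p in runas.partition(":"))
        rules.append({"user": user, "group": group, "command": command.strip(),
                      "tags": re.findall(r"[A-Z_]+", tagstr)})
    return rules

def non_root_can_modify(path, stat_fn=os.stat):
    """True if the file or a parent dir is not root-owned or is group/world-writable."""
    while True:
        try:
            st = stat_fn(path)  # os.stat follows symlinks
            if st.st_uid != 0 or st.st_mode & 0o022:
                return True
        except OSError:
            pass  # missing component: keep walking up to an existing parent
        if path == os.path.dirname(path):
            return False  # reached "/" (or ran out of components)
        path = os.path.dirname(path)

def audit(text, stat_fn=os.stat):
    """Return (rule, findings) pairs for every rule in a `sudo -l` listing."""
    report = []
    for rule in parse_sudo_l(text):
        found = ["no password required"] if "NOPASSWD" in rule["tags"] else []
        if rule["command"] == "ALL":
            found.append("any command allowed")
        elif non_root_can_modify(rule["command"].split()[0], stat_fn):
            found.append("command path modifiable by a non-root user")
        report.append((rule, found))
    return report
```

On a real host, pass the captured text of `sudo -l` to `audit()`; with the default `os.stat` the path check reflects the local filesystem.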

SUID and SGID

Password Cracking / Mining

Note

Logs / Memory / History / Configuration files !!

EX : search deeper inside /var/www

Note

If there are multiple folders inside it, this could indicate that the server is running multiple web apps.

# cd /var 
$ grep -roP 'passw.{0,30}' 2>/dev/null

$ grep -rP 'passw.{0,10}' -B5 -A5 --exclude '*.min.js' 2>/dev/null
$ grep -rP 'passw.{0,10}' -B5 -A5 --exclude '*.js' 2>/dev/null

# TRY : 
$ grep -rP 'Web.{0,10}' -B5 -A5 2>/dev/null | awk 'length >= 1 && length <= 2000' | grep --color -P "Web|"

Note

grep -r searches the files in each folder recursively and does not follow symbolic links to folders.

EX : Use LinEnum.sh

$ ./LinEnum.sh -t -k password