Notes

BASICS

Users

Check users

cat /etc/passwd
  • Any suspicious usernames? Any account other than root with UID 0 (third field)?
  • Shells (last field)? Service accounts should have /usr/sbin/nologin or /bin/false, not /bin/bash
  • Groups? /etc/passwd only carries the primary GID (fourth field); supplementary groups are in /etc/group

Delete user

deluser <username>
  • Debian/Ubuntu command; userdel <username> is the generic equivalent
  • Deleting the line from /etc/passwd also works, but the home directory and the user's files stay behind (deluser --remove-home cleans them up)
  • Kill the user's running processes first, otherwise they keep running under the now-orphaned UID

Check sudoers

cat /etc/sudoers
  • Also check the drop-in directory /etc/sudoers.d/: it is included from sudoers and is where backdoor rules usually get added
  • Least privilege: only the accounts that need sudo should have it; NOPASSWD and ALL=(ALL) ALL entries for unexpected users are red flags
  • Edit with visudo, not a plain editor: a syntax error locks everyone out of sudo

Check sudo group membership

getent group sudo
cat /etc/group
  • sudo membership is a supplementary group, so it does not appear in /etc/passwd (which only lists the primary GID); it lives in /etc/group
  • On Red Hat-based systems the equivalent group is wheel

Remove User From sudo Group

sudo deluser <username> sudo
gpasswd -d <username> sudo
  • Both do the same thing; the change only applies to new sessions, an existing shell keeps its group list until the user logs out (verify with id <username>)

Change User Password

passwd <username>
  • ALWAYS rotate passwords: assume every credential that existed before you took over is known to the attacker
  • Make sure high privilege users (root, everyone in sudo/wheel, service accounts that have a shell) are rotated first
  • You should really script this: feed user:password lines to chpasswd instead of running passwd by hand for every account
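Added example, not from the original notes: one script that answers the "Check users" questions above (UID 0 accounts, service accounts with a shell, who can log in) and does the bulk rotation from this step through chpasswd(8). The function names, the --audit/--rotate switches and the output path are my own; it assumes Debian/Ubuntu conventions (regular users start at UID 1000, /usr/sbin/nologin for service accounts), so adjust the thresholds for other distributions.

```shell
#!/usr/bin/env bash
# Added example (not part of the original notes): audit /etc/passwd and rotate
# every login account's password in one go. Assumes Debian/Ubuntu conventions.
set -eu

PASSWD="${PASSWD:-/etc/passwd}"   # point this at a copied passwd file to audit another host

# Accounts with UID 0 that are not named root: anything listed here is a backdoor.
uid0_accounts() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$PASSWD"
}

# System accounts (UID < 1000) that have a real login shell instead of
# nologin/false: giving a service user a shell is a common attacker trick.
service_accounts_with_shell() {
  awk -F: '$3 > 0 && $3 < 1000 && $7 !~ /(nologin|false)$/ { print $1 ":" $7 }' "$PASSWD"
}

# Every account that can actually log in: root plus UID >= 1000 with a shell
# (65534 is nobody, excluded explicitly).
login_accounts() {
  awk -F: '($3 == 0 || ($3 >= 1000 && $3 != 65534)) && $7 !~ /(nologin|false)$/ { print $1 }' "$PASSWD"
}

# Random password from /dev/urandom; length in $1 (default 24).
gen_password() {
  len="${1:-24}"
  # read a fixed chunk first so the pipeline ends cleanly
  head -c 1024 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9!%^*_=+' | head -c "$len"
}

# Turn usernames on stdin into "user:newpassword" lines, the format chpasswd reads.
build_chpasswd_input() {
  while IFS= read -r user; do
    printf '%s:%s\n' "$user" "$(gen_password)"
  done
}

# Rotate every login account. New credentials go to a root-only file first so
# they can be handed to the team, then the same lines are fed to chpasswd.
rotate_all() {
  out="${1:-/root/rotated-passwords.txt}"
  umask 077
  login_accounts | build_chpasswd_input > "$out"
  chpasswd < "$out"
  echo "rotated $(wc -l < "$out") accounts; credentials in $out"
}

if [ "${1:-}" = "--audit" ]; then
  echo "== UID 0 accounts other than root =="; uid0_accounts
  echo "== service accounts with a login shell =="; service_accounts_with_shell
  echo "== accounts that can log in (rotation targets) =="; login_accounts
elif [ "${1:-}" = "--rotate" ]; then
  [ "$(id -u)" -eq 0 ] || { echo "run --rotate as root" >&2; exit 1; }
  rotate_all "${2:-/root/rotated-passwords.txt}"
fi
```

Run it with --audit first and read the three lists; --rotate then changes every login account including root and writes the new credentials to a mode-0600 file. Copy that file off the box and delete it afterwards, and hand the new root password to the team before you log out.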

Processes

List running processes with ps

# good
ps aux <-- BSD syntax: a = all users' processes, x = include those without a controlling tty, u = user-oriented columns
# better
ps -ef <-- -e = every process, -f = full format (adds PPID and the full command line)
# best
ps -ef --forest <-- also draws the process tree, so you see what spawned what
  • What user is running the process?
  • What command line is it running, and which parent (PPID) spawned it?
  • Where does the binary live? /proc/<PID>/exe links to the real file even when the command line was renamed
  • Handy one-liner (noisy: "nc" also hits rsync and "bash" hits every shell, so treat matches as leads, not verdicts):
ps -ef --forest | grep -E "nc|netcat|bash -i|/bin/sh|python|perl|ruby|wget|curl|bash" | grep -v grep
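Added example, not from the original notes: answer the three questions above (which user, which command line, which binary) straight from /proc instead of trusting ps alone. A process can overwrite its own argv, so the command line ps prints can lie, but /proc/<pid>/exe and /proc/<pid>/cwd are maintained by the kernel and cannot be rewritten by the process. The function names and flag names are my own, the indicator list is the one from the notes (a triage list, not a verdict), and the sample /proc tree in the test is constructed.

```shell
#!/usr/bin/env bash
# Added example (not part of the original notes): process triage via /proc.
# Assumes a Linux procfs layout: /proc/<pid>/{cmdline,status,exe,cwd}.
set -eu

# Return 0 if a command line looks like a reverse shell, bind shell or stager.
is_suspicious_cmdline() {
  cmd="$1"
  case "$cmd" in
    *'bash -i'*|*'sh -i'*|*'/dev/tcp/'*|*'/dev/udp/'*|*'pty.spawn'*|\
    *'socket.socket'*|*'mkfifo'*|*'nc -e'*|*' -lvp '*|*'-lvnp'*)
      return 0 ;;
  esac
  # interpreters and download/network tools as the program itself (indicator list from the notes)
  first="${cmd%% *}"
  case "$(basename "$first")" in
    nc|ncat|netcat|socat|python*|perl|ruby|php|wget|curl) return 0 ;;
  esac
  return 1
}

# Inspect one /proc/<pid> directory ($1). Prints
#   pid<TAB>uid<TAB>exe<TAB>cwd<TAB>cmdline<TAB>flags
# and returns 0 when at least one flag was raised, 1 otherwise.
triage_proc_dir() {
  dir="$1"; flags=""
  pid="$(basename "$dir")"
  uid="$(awk '/^Uid:/ { print $2 }' "$dir/status" 2>/dev/null || echo '?')"
  # argv is NUL separated in /proc/<pid>/cmdline; kernel threads have none
  cmd="$(tr '\0' ' ' 2>/dev/null < "$dir/cmdline" | sed 's/ $//' || true)"
  exe="$(readlink "$dir/exe" 2>/dev/null || echo '?')"   # other users' processes need root
  cwd="$(readlink "$dir/cwd" 2>/dev/null || echo '?')"

  # binary removed after launch: a dropper that deleted itself, or a replaced binary
  case "$exe" in *' (deleted)') flags="$flags deleted-exe" ;; esac
  # binary or working directory in a world-writable staging location
  case "$exe" in /tmp/*|/dev/shm/*|/var/tmp/*) flags="$flags tmp-exe" ;; esac
  case "$cwd" in /tmp|/tmp/*|/dev/shm|/dev/shm/*|/var/tmp|/var/tmp/*) flags="$flags tmp-cwd" ;; esac
  # command line matches a reverse-shell / staging idiom
  if [ -n "$cmd" ] && is_suspicious_cmdline "$cmd"; then flags="$flags revshell-cmdline"; fi

  printf '%s\t%s\t%s\t%s\t%s\t%s\n' "$pid" "$uid" "$exe" "$cwd" "$cmd" "${flags# }"
  [ -n "$flags" ]
}

# Sweep every live process and print only the flagged ones (run as root so the
# exe/cwd links of other users' processes are readable).
triage_all() {
  for d in /proc/[0-9]*; do
    triage_proc_dir "$d" || true
  done | awk -F'\t' '$6 != ""'
}

# Only sweep when asked, so the functions can be sourced and reused.
if [ "${1:-}" = "--scan" ]; then
  triage_all
fi
```

Run `sudo ./triage.sh --scan`; each printed line already carries the user, the real binary and the command line, so the follow-up is the PPID of that pid (ps -o ppid= -p <pid>) to find what spawned it before you kill anything.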

Kill processes

kill -9 <PID> <-- SIGKILL: cannot be caught or ignored; plain kill <PID> (SIGTERM) first if the process should get a chance to shut down cleanly
pkill proc_name <-- kill every process whose name matches
  • Killing the shell does not remove whatever spawned it: note the PPID and find the persistence (cron, service, profile, authorized key) or it is back within a minute
  • pkill matches by name, so it also kills legitimate processes with that name; use the PID when you can

Example - Python revshell

pkill python3 <-- takes out every python3 process on the box, real services included, so check ps first

Network

List active network connections

netstat -tulpn # listening sockets (-t tcp, -u udp, -l listening, -p owning program, -n numeric)
netstat -tupn | grep ESTABLISHED # established connections
ss -tulnp # same flags; ss is the current tool and is present even when net-tools (netstat) is not installed
ss -tunp state established
  • -p only shows the owning program for your own processes unless you run as root
  • A socket owned by nc, netcat, bash, sh, python, perl, ruby, wget or curl is a red flag
  • https://www.revshells.com/ shows what the common reverse shell command lines look like
  • Look for 1. listeners on unusual high ports (outside the 0-1023 privileged range) 2. well-known ports bound by an unexpected program (python on 443 or 80 instead of the web server)
  • For established connections look at the peer: an outbound connection from a server to an unknown address on an odd port is what a reverse shell looks like from the victim side
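Added example, not from the original notes: the checks in the list above applied to ss output mechanically. Pipe `ss -tulnp` (listeners) or `ss -tunp state established` into the function and it prints one line per socket worth a look, reason first. The function name is mine, EXPECTED_PRIV is an assumed baseline of daemons that normally bind privileged ports on a server (edit it for the host in front of you), and SAMPLE_SS is constructed output for the demo and the test.

```shell
#!/usr/bin/env bash
# Added example (not part of the original notes): flag suspicious sockets in
# ss output. Run ss as root, otherwise the process column is empty.
set -eu

# Programs that should never own a network socket on a hardened server
SHELL_TOOLS='nc|ncat|netcat|socat|bash|sh|dash|zsh|python[0-9.]*|perl|ruby|php|wget|curl'
# Daemons expected to listen below port 1024 (assumption, tune per host)
EXPECTED_PRIV='sshd|nginx|apache2|httpd|master|smtpd|named|systemd-resolve|chronyd|ntpd|cupsd'

# Reads ss output on stdin, prints "reason<TAB>original line" for each hit.
flag_ss_output() {
  awk -v tools='^('"$SHELL_TOOLS"')$' -v expected='^('"$EXPECTED_PRIV"')$' '
    # skip the header line (its first column depends on the flags used)
    $1 == "Netid" || $1 == "State" || $1 == "Recv-Q" { next }
    {
      # owning process sits in users:(("name",pid=N,fd=M)); absent unless root
      proc = ""
      if (match($0, /users:\(\("[^"]+"/)) proc = substr($0, RSTART + 9, RLENGTH - 10)

      # first two addr:port fields are local and peer; their column index varies
      # because "ss ... state established" drops the State column
      n = 0; lcl = ""; peer = ""
      for (i = 1; i <= NF; i++)
        if ($i ~ /:[0-9*]+$/ && $i !~ /^users:/) {
          n++
          if (n == 1) lcl = $i; else if (n == 2) peer = $i
        }
      lport = lcl;  sub(/.*:/, "", lport)
      pport = peer; sub(/.*:/, "", pport)
      listening = (pport == "*")

      reason = ""
      if (proc != "" && proc ~ tools)
        reason = "shell or interpreter owns the socket (" proc ")"
      else if (listening && lport + 0 < 1024 && proc != "" && proc !~ expected)
        reason = "unexpected program on privileged port " lport " (" proc ")"
      else if (listening && lport + 0 >= 1024)
        reason = "listener on high port " lport " (" (proc == "" ? "unknown" : proc) "), verify it is yours"
      if (reason != "") print reason "\t" $0
    }'
}

# Constructed sample in `ss -tulnp` layout with two established rows added;
# 203.0.113.7 and 192.0.2.10 are documentation addresses, not real hosts.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22            0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    0.0.0.0:443           0.0.0.0:*         users:(("python3",pid=2207,fd=4))
tcp   LISTEN 0      10     0.0.0.0:31337         0.0.0.0:*         users:(("nc",pid=2290,fd=3))
tcp   LISTEN 0      50     *:8080                *:*               users:(("java",pid=1400,fd=20))
tcp   ESTAB  0      0      10.0.0.5:43122        203.0.113.7:4444  users:(("bash",pid=2231,fd=3))
tcp   ESTAB  0      0      10.0.0.5:22           192.0.2.10:51812  users:(("sshd",pid=2301,fd=4))
udp   UNCONN 0      0      127.0.0.53%lo:53      0.0.0.0:*         users:(("systemd-resolve",pid=601,fd=12))'

if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_SS" | flag_ss_output
fi
```

On the sample the sshd rows and the resolver pass; python3 on 443, nc on 31337 and the bash process talking to 203.0.113.7:4444 are flagged outright, and the java listener on 8080 is reported as a high-port listener to confirm. For live use: `sudo ss -tulnp | flag_ss_output` for listeners and `sudo ss -tunp state established | flag_ss_output` for active connections.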

What's wrong here?

sudo tcpdump -i any
  • Can be VERY powerful but also very verbose
  • By default tcpdump prints one summary line per packet (addresses and ports, no payload), so grep only ever sees headers; add -A to print payloads as ASCII and -nn to skip the slow DNS and port-name lookups. A capture filter (host, port) cuts the noise before it reaches grep
sudo tcpdump -nn -A -i any | grep fagan # replace fagan with a known indicator: attacker IP, hostname, or a string from the shell

Persistence Hunting

Shell profiles ?

Bash reads a set of startup files every time a shell starts, so a line appended to any of them runs each time the owner opens a shell: cheap, quiet persistence. Login shells (console login, SSH) run the system-wide /etc/profile first (which sources /etc/profile.d/*.sh), then the first one found of ~/.bash_profile, ~/.bash_login and ~/.profile. Interactive non-login shells (a new terminal, typing bash at a prompt) read /etc/bash.bashrc (Debian-based; /etc/bashrc on Red Hat-based) and ~/.bashrc. These files are just lists of commands that bash evaluates.

  • /etc/profile: defines system-wide variables and startup programs for login shells; also sources every *.sh in /etc/profile.d/, a popular drop location
  • ~/.bash_profile: per-user login shell config. If it exists, it runs after /etc/profile. If it does not exist, bash looks for ~/.bash_login
  • ~/.bash_login: runs only if ~/.bash_profile does not exist; also for login shells
  • ~/.profile: runs only if neither ~/.bash_profile nor ~/.bash_login exists; a generic profile also honoured by other shells
  • ~/.bashrc: per-user config for interactive non-login shells (most common place to look); ~/.bash_profile usually sources it, so it ends up running for login shells too
cat /etc/profile
cat ~/.bash_profile
cat ~/.bash_login
cat ~/.profile
cat ~/.bashrc
  • Look for suspicious commands, IP addresses, reverse shells, base64 blobs, and other potential persistence mechanisms in these files
  • Do this for every home directory in /etc/passwd and for /root, not only the account you are logged in as; also glance at /etc/profile.d/ and /etc/bash.bashrc

Cron ?

Cron is used to schedule and execute tasks. Jobs run on a timed schedule (minute hour day month weekday) or on special strings such as @reboot, which attackers use to re-establish a shell after a restart.

Cron jobs can be defined in several locations:

User Cron

crontab -e # edit your user's cron entries
crontab -l # list your user's cron jobs
crontab -u <username> -l # list another user's cron entries (needs root)
  • The underlying files live in /var/spool/cron/crontabs/ (Debian/Ubuntu) or /var/spool/cron/ (Red Hat); listing that directory tells you which users have a crontab at all, including service accounts that should not

System Cron

cat /etc/crontab
  • Unlike a user crontab this has a user column (sixth field); a root job pointing at /tmp, a home directory, or a curl ... | sh pipeline is the classic find

Cron directory

/etc/cron.d
  • Drop-in files in /etc/crontab format; attackers like it because a new file here needs no existing file to be edited. Anything not owned by a package (dpkg -S / rpm -qf) deserves a read

Interval directories

/etc/cron.hourly/
/etc/cron.daily/
/etc/cron.weekly/
/etc/cron.monthly/
  • Scripts in these directories run as root at that interval (via run-parts); check for recently modified or package-less scripts

systemd ?

Systemd is the init system and service manager on most current Linux distributions; it starts and supervises services, and what survives a reboot is defined by unit files. Admin-level units live in /etc/systemd/system (these override the package-installed ones in /usr/lib/systemd/system), and a user can have their own in ~/.config/systemd/user without any root access. A legitimate unit for reference (DigitalOcean's droplet agent), so you know what normal looks like:

[Unit]
Description=The DigitalOcean Droplet Agent
After=network-online.target
Wants=network-online.target

[Service]
User=root
Environment=TERM=xterm-256color
ExecStart=/opt/digitalocean/bin/droplet-agent
Restart=always
RestartSec=10
TimeoutStopSec=90
KillMode=process

OOMScoreAdjust=-900
SyslogIdentifier=DropletAgent

[Install]
WantedBy=multi-user.target

How do we interact with systemd?

SYSTEMCTL

List units

systemctl list-units
  • Shows loaded units; timers (the systemd counterpart of cron jobs) only appear with --type=timer or systemctl list-timers, and units merely enabled for next boot appear with list-unit-files

Get unit status

systemctl status <whatever>.service

See something suspicious? Check the unit file

cat /etc/systemd/system/<whatever>.service
  • The status output prints the unit file's path on its Loaded: line; package units live under /usr/lib/systemd/system, anything an attacker dropped is usually in /etc/systemd/system or a user's ~/.config/systemd/user
  • In the file: ExecStart pointing at /tmp, /dev/shm, a home directory or a curl/base64 one-liner, User=root on an unknown unit, Restart=always, WantedBy=multi-user.target

Look at system-wide logs

journalctl -xe # most recent entries, with explanatory text where available; add -u <whatever>.service to follow a single unit

SSH

Check if any unauthorized keys are in authorized_keys

cat ~/.ssh/authorized_keys
  • Check this file in every home directory listed in /etc/passwd and in /root/.ssh/, not just your own account
  • Check /etc/ssh/sshd_config for an AuthorizedKeysFile directive pointing at an unusual path (a second keys file is an easy backdoor)
  • A key you cannot attribute to a teammate does not belong there

Delete them!
  • Removing the line takes effect on the next login attempt; sshd reads the file at authentication time, no restart needed
  • Sessions already established stay up, so also look at who / w and kill the attacker's shell
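Added example, not from the original notes: one sweep over the persistence spots covered in this section (shell profiles for every account, cron in all its locations, systemd units and timers, SSH authorized_keys) so nothing is checked for one user and forgotten for the rest. Every path is prefixed with $ROOT so the same code runs against a mounted disk image (ROOT=/mnt/evidence) or a test tree; leave ROOT empty for the live system. The function names are mine, the IOC_RE pattern is an assumption that matches the idioms named in the notes (reverse shells, download-and-execute, base64 stagers, payloads in /tmp) and will produce some noise on a real system, and the file tree in the test is constructed.

```shell
#!/usr/bin/env bash
# Added example (not part of the original notes): persistence sweep over
# profiles, cron, systemd and authorized_keys. Read the hits; do not auto-delete.
set -eu

ROOT="${ROOT:-}"   # prefix for an offline image; empty = live system

# Assumed indicator pattern (ERE): reverse-shell idioms, download-and-run,
# base64 stagers, staging directories, and bare IPv4 addresses.
IOC_RE='/dev/(tcp|udp)/|bash -i|sh -i|(^|[^a-z])nc |ncat|socat|mkfifo|base64 (-d|--decode)|(curl|wget)[^|]*[|][[:space:]]*(ba)?sh|python[0-9.]* -c|/tmp/|/dev/shm/|/var/tmp/|([0-9]{1,3}\.){3}[0-9]{1,3}'

# Every home directory in passwd (service accounts included) plus /root.
home_dirs() {
  awk -F: '$6 != "" { print $6 }' "$ROOT/etc/passwd" | sort -u
}

# Candidate files, one per line; globs that match nothing fail the -f test.
persistence_files() {
  # shell profiles: system-wide first (Debian and Red Hat spellings)
  for f in "$ROOT"/etc/profile "$ROOT"/etc/bash.bashrc "$ROOT"/etc/bashrc "$ROOT"/etc/profile.d/*; do
    [ -f "$f" ] && echo "$f"
  done
  # per-user dotfiles, SSH keys and user-level systemd units for every account
  home_dirs | while IFS= read -r h; do
    for f in "$ROOT$h"/.bash_profile "$ROOT$h"/.bash_login "$ROOT$h"/.profile "$ROOT$h"/.bashrc \
             "$ROOT$h"/.zshrc "$ROOT$h"/.ssh/authorized_keys "$ROOT$h"/.config/systemd/user/*.service; do
      [ -f "$f" ] && echo "$f"
    done
  done
  # cron: system crontab, drop-ins, interval dirs, per-user spools (Debian and Red Hat layouts)
  for f in "$ROOT"/etc/crontab "$ROOT"/etc/cron.d/* "$ROOT"/etc/cron.hourly/* "$ROOT"/etc/cron.daily/* \
           "$ROOT"/etc/cron.weekly/* "$ROOT"/etc/cron.monthly/* \
           "$ROOT"/var/spool/cron/crontabs/* "$ROOT"/var/spool/cron/*; do
    [ -f "$f" ] && echo "$f"
  done
  # systemd: admin units override package units; /lib may be a symlink to /usr/lib
  for f in "$ROOT"/etc/systemd/system/*.service "$ROOT"/etc/systemd/system/*.timer \
           "$ROOT"/usr/lib/systemd/system/*.service "$ROOT"/lib/systemd/system/*.service; do
    [ -f "$f" ] && echo "$f"
  done
  return 0
}

# Print "file:line:text" for every indicator hit. authorized_keys entries are
# printed in full: every key must be attributed, not only ones matching a pattern.
persistence_hits() {
  persistence_files | while IFS= read -r f; do readlink -f "$f"; done | sort -u |
  while IFS= read -r f; do
    case "$f" in
      */.ssh/authorized_keys) grep -nHE '^[[:space:]]*(ssh-|ecdsa-|sk-)' "$f" || true ;;
      *) grep -nHE "$IOC_RE" "$f" || true ;;
    esac
  done
}

if [ "${1:-}" = "--scan" ]; then
  persistence_hits
fi
```

Run `sudo ./sweep.sh --scan` on the live box (root is needed to read other users' dotfiles and spools) and work the hits top to bottom. The sweep only sees files, so pair it with `systemctl list-timers --all` and `systemctl list-unit-files --state=enabled` for the live systemd state, and with pspy (Tools section) for jobs that only exist for a second.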

Tools

htop

sudo apt install htop
  • Interactive process viewer; F5 switches to tree view (same idea as ps --forest), F4 filters by name, F9 sends a signal to the selected process

pspy

wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy64
chmod +x ./pspy64
./pspy64
  • Watches /proc (plus filesystem events) and prints every process as it is spawned, without root; the way to catch a cron job or timer that only runs for a second

Panix.sh

https://github.com/Aegrah/PANIX
  • PANIX: a Linux persistence framework that plants the same mechanisms hunted on this page (cron, systemd, shell profiles, SSH keys and more); useful to learn what the other side can set up and to test that your hunting actually catches it