Pentesting 101: The Weakest Link

You’ve run your Nmap scan and found an open web port. From that web port you’ve worked your way into the system, and now you have a low-privilege shell. Now what?

The enumeration process starts all over again.

There are more than a few privilege escalation scripts, as well as written guides, that will aid in this process, but only if you’re familiar with the operating system. If you’re hunting for that needle in the haystack but you don’t know what a needle looks like, how will you find it? Recognizing that needle will come with time, and I’m not saying you shouldn’t use those scripts. Do use them, but realize their output could be overwhelming until you’re a bit more seasoned.

For the 101 series, let’s focus on something a little more obvious. People are the weakest link in this chain, and we are predictable to a fault. You don’t need to understand Windows, Linux, or Mac OS extensively; you just need a few tools to hunt for the trail of human errors.

Let me ask you this -- have you ever used the same password for two separate logins?  I’ll go out on a limb here and say the answer is yes. Let’s take that thread and pull on it for a bit.

How did you end up with your low-privilege shell? Did you uncover credentials? Try to use those same credentials elsewhere. As a low-privileged user, we can’t read the /etc/shadow file, which contains the password hashes, because we don’t have the appropriate permissions, but we can read /etc/passwd, which lists the user accounts.

Make a file with a list of all of the users you’ve uncovered and another file with a list of all of the passwords you’ve uncovered. If you brute force, try every password with every username.

Maybe you only have one username and password and nowhere to go. Or maybe you don’t even have that and you ended up on the system through some other avenue. If the system you’ve compromised is a web server, is it running a database server?  Can you find database credentials?

WordPress stores its credentials in wp-config.php and Joomla stores its credentials in configuration.php. The location of these files will vary, but typically you’ll find them under /var/www/html/.

If I’m familiar with the system I’ve compromised, a WordPress site for example, I’ll go straight to wp-config.php, retrieve the credentials, and use them to log in to MySQL. From there, I will list all of the databases and hunt through each one for more credentials or more hashes to crack.

If I’m not familiar with the system, I’ll use a broader approach, because I won’t know where to find database credentials or whether I’ll find them at all. The Linux grep command searches for text. We can run grep directly on files or pipe another command’s output to grep for matches. When dealing with an unknown environment, I might do something like:

I’m using grep to search recursively while ignoring case, and I’m asking it to return only the names of the files that contain my search pattern. In this case, my search pattern is "password". My current location in the file system is /var/www; I could have spelled that out, but it’s fewer characters doing it the way I did above.
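As an added example, not part of the original post, here is a small Python audit that ties the config-file and grep passages above together from the defender’s side: it walks a web root for wp-config.php and configuration.php, pulls the database password out of each, and flags any file that is world-readable or that shares its password with another site. The sample directory tree, file contents and the password "Summer2019!" are constructed for the demo.

```python
import os, re, stat, tempfile

# Constructed sample configs (not from any real site); both reuse one password.
SAMPLE_FILES = {
    "site1/wp-config.php": "<?php\ndefine( 'DB_PASSWORD', 'Summer2019!' );\n",
    "site2/configuration.php": "<?php\nclass JConfig {\n\tpublic $password = 'Summer2019!';\n}\n",
}
# WordPress define() style and Joomla class-property style password lines.
CRED_PATTERNS = [
    re.compile(r"define\(\s*'DB_PASSWORD'\s*,\s*'([^']*)'"),
    re.compile(r"\$password\s*=\s*'([^']*)'"),
]

def find_config_files(root):
    """Recursively locate the two config files the post discusses."""
    hits = []
    for dirpath, _, files in os.walk(root):
        hits += [os.path.join(dirpath, n) for n in files
                 if n in ("wp-config.php", "configuration.php")]
    return sorted(hits)

def extract_password(path):
    """Return the DB password string from a config file, or None."""
    with open(path, encoding="utf-8", errors="replace") as f:
        text = f.read()
    for pat in CRED_PATTERNS:
        m = pat.search(text)
        if m:
            return m.group(1)
    return None

def audit(root):
    """Flag world-readable config files and passwords shared across files."""
    findings, seen = [], {}
    for path in find_config_files(root):
        if os.stat(path).st_mode & stat.S_IROTH:
            findings.append(f"world-readable: {path}")
        pw = extract_password(path)
        # setdefault records the first file seen with this password.
        if pw is not None and seen.setdefault(pw, path) != path:
            findings.append(f"password reused: {path} and {seen[pw]}")
    return findings

def build_sample_tree():
    """Write the constructed configs to a temp dir with a typical lax 0644 mode."""
    root = tempfile.mkdtemp()
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(content)
        os.chmod(full, 0o644)
    return root
```

Run `audit("/var/www")` on a real host to list which config files any low-privilege account can read and which sites share a database password.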

With a low-privilege shell, moving forward could take any number of forms, but at a very basic level, realize we’re dealing with humans. What do humans do? Humans use weak passwords, reuse passwords, store passwords in their profile folders, and email passwords back and forth. In order to move forward, maybe we can brute force, credential stuff, hunt through profile folders, or hunt through emails.