# CTF Technique

# Defense

## Common

- Find sensitive files

  ```sh
  locate password | more
  find / -name authorized_keys 2> /dev/null
  find / -name id_rsa 2> /dev/null
  ```

- Find writable files

  ```sh
  find / -writable ! -user `whoami` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null
  find / -perm -2 -type f 2>/dev/null
  find / ! -path "*/proc/*" -perm -2 -type f -print 2>/dev/null
  ```

- Check all processes to find uncommon ones (note them as potentially vulnerable apps)

  ```sh
  ps -ef --forest
  ```

- Check all ports to find uncommon services (note them as potentially vulnerable apps)

  ```sh
  netstat -a -p --unix
  ```

- Check privileged files and apply least privilege
  - /etc/passwd
  - /etc/shadow
  - /etc/sudoers
  - /run/docker.sock (check docker)
  - env: SSH_AUTH_SOCK

  ```sh
  sudo -l
  ```

- Find all SUID & SGID files (the commands below match the SUID bit only; the SGID bit needs a separate check)

  ```sh
  # Find
  find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;
  find / -uid 0 -perm -4000 -type f 2>/dev/null
  # Fix
  sudo chmod -s /tmp/x
  ```

- Cron
  - /etc/init.d
  - /etc/cron*
  - /etc/crontab
  - /etc/cron.allow
  - /etc/cron.d
  - /etc/cron.deny
  - /etc/cron.daily
  - /etc/cron.hourly
  - /etc/cron.monthly
  - /etc/cron.weekly
  - /etc/sudoers
  - /etc/exports
  - /etc/anacrontab
  - /var/spool/cron
  - /var/spool/cron/crontabs/root
  - crontab -l
  - ls -alh /var/spool/cron;
  - ls -al /etc/ | grep cron
  - ls -al /etc/cron*
  - cat /etc/cron*
  - cat /etc/at.allow
  - cat /etc/at.deny
  - cat /etc/cron.allow
  - cat /etc/cron.deny*

- Systemd timers

  ```sh
  systemctl list-timers --all
  ```

- Linux capabilities

  | Capability name | Description |
  | --- | --- |
  | CAP_AUDIT_CONTROL | Allows enabling/disabling kernel auditing |
  | CAP_AUDIT_WRITE | Allows writing records to the kernel audit log |
  | CAP_BLOCK_SUSPEND | Allows blocking system suspend |
  | CAP_CHOWN | Allows arbitrary changes to file UIDs and GIDs |
  | CAP_DAC_OVERRIDE | Bypasses file read, write and execute permission checks |
  | CAP_DAC_READ_SEARCH | Bypasses only file and directory read/execute permission checks |
  | CAP_FOWNER | Bypasses permission checks on operations that normally require the filesystem UID of the process to match the UID of the file |
  | CAP_KILL | Allows sending signals to processes belonging to other users |
  | CAP_SETGID | Allows changing the GID |
  | CAP_SETUID | Allows changing the UID |
  | CAP_SETPCAP | Allows transferring and removing capabilities of the current set to any PID |
  | CAP_IPC_LOCK | Allows locking memory |
  | CAP_MAC_ADMIN | Allows MAC configuration or state changes |
  | CAP_NET_RAW | Use RAW and PACKET sockets |
  | CAP_NET_BIND_SERVICE | Bind a socket to Internet domain privileged ports |

  ```sh
  # Find
  /usr/bin/getcap -r /usr/bin
  # Fix
  /usr/bin/setcap -r /bin/ping
  ```

- Hide command output (after hardening is finished)

  ```sh
  exec >/dev/null
  ```