Hi all.

While I have in the past been focused on Windows exploitation (and a beginner with that) I find myself having to expand my horizons (CPT). In keeping in line with my training, I need to enumerate information on the machine (vm) that I want to attack. Unfortunately I have little ideas where to start. The book I have access to at the moment seems fixed on Windows enumeration, and google has not been much better. I see results on Linux NIC enumeration.

Steps taken so far:
Scanned my network and found a "victim".
Scanned the host and performed port, OS and version detection.
"banner grabbing", connecting to the services with netcat.

at this point there is a gap in my knowledge. I know that eventually I will need to crack passwords and eventually gain access to the system, but I do know that if I want to gain access through one of the open services, I will need to enumerate the users and possibly other information on the machine. Can anyone point me in the right direction? My main purpose at this point is to learn how to attack linux rather than the actual exploitation of this machine.

SephStorm, it's all about getting as much information as you can.

Sometimes there is an available privilege escalation exploit, other times you have to really stalk it.

What I tend to do is have a look at all of the processes, see what is running with more privileges than me and if there are any ways of interacting with that service to get code execution.

Offensive Security's Pentesting With Backtrack is a great course that gets you really thinking about all of this, finding out this for every piece of software and configuration file takes a long time and you get really desperate, and all you get is 'Try Harder!'

I would recommend the course if you really like a challenge and the skills you learn alone are worth the price of the course

~TheXero

@ TheXero Thank you for the reply, and nice Avatar BTW

I completely understand where you are coming from. My issue is that well, quite simply, I am on new ground here, and the training and material I have available is insufficient to give me the needed guidance.

I found an exploit that I wanted to use (and indeed, later I found out it would work) but I have no idea how to deliver it to the host. All of my experience is with either metasploit's preloaded delivery system, or literally being togged into the system with GUI access, and I can for instance, download the code from the internet and run it.

As for PWB, I think I am a little far from that at this point. I am slowly coming to realize that I like to be walked down the path a few times before I explore the area. I am looking at taking a step back, maybe looking at THA or HD that were reviewed here recently. If not, it may be a case of looking for a mentor when I get back to the states, or dropping the cash for a live course.

@ hell_razor Thank you, I had seen mention of these techniques in Hacking exposed, and my course material. unfortunately the information is lacking. The find command is given, but no explanation of the options (a google search gave some information about the command, but i dont understand for example:

find / -perm +4000 -user root -type f -print
In this string I don't know what -perm or +4000 (-2000) are, and again, how would I get the code to the target?

I'm going to reinvestigate the SUID vulnerabilities. By executing the FIND string above, I was able to find several processes running as root, but I need to look for exploits, and see how they are exploited. I'll report back.

@cd1zz, completely right. I was thinking along those lines, but I am just beginning with compiling code and whatnot on linux.

The box did not have gcc installed, so I ended up compiling the code for my chosen exploit on my linux pc(vm). Unfortunately there were some errors, and while one was simple to figure out (adding a return line at the end of the code), the other requires me to know something about programming. 

I also downloaded other exploits and attempted to run them as well. all of them either didn't compile correctly or didnt work, or in the case of one, caused a DOS.  That was a learning experience.

at this point i'm not sure where i'm going from here. today is my last of two days off, I have several options available to me. I may step back and start really getting to know linux, and perhaps get an intro to programing (Start with BASIC?). I've also received some feedback suggesting that perhaps I try some more vulnerable vms, perhaps I should start there and work my way up. Thoughts?

I'm looking at this one: http://www.exploit-db.com/exploits/778/

http://www.exploit-db.com/exploits/778/

My attempt:
gcc 778.c -o exploit
778.c: In function `check_vma_flags':
778.c:569: error: label at end of compound statement

based on my research, the label at end of compound statement error could be because of a missing semicolon, or a character that should be a semicolon.

UPDATE: while looking into the cause of the check_vma_flags error, I found a version of the exploit that does appear to compile correctly... and oh shit it works..  (after a few tries)
http://isec.pl/vulnerabilities/isec-0021-uselib.txt

I don't know what to say...

Good job, SephStorm!  Now keep on going...  :-p

Sometimes exploit writers will sabotage the exploit code in such a way that people with skill can debug and fix (maybe a missing semicolon or misuse of quotes or mistyped variable, etc.) and script kiddies can't figure out. You will learn to find the errors. Also, exploits don't get the same level of QC as mainstream software so go ahead and lower your expectations for stable code. You may get lucky, or not. I wind up having to fix others broken code as often as not (when I can figure it out)

It's really hard to say why you were having issues. I would have started with appending a semicolon to the end of line 568 since the error is indicative of the compiler expecting a statement after the label (out:) and a semicolon classifies as a statement. I have not debugged this code beyond a brief cursory glance and a Google search so that's just a start. I'll also disclaim that I'm a complete novice as a programmer.

SephStorm, my favourite way of getting root is

or simply pwning as service that runs as root