shinobininja

local root linux

Sep 15th, 2016
This map section is intended for quick orientation in the forum thread.

Rules for posting entries about privilege escalation (https://rdot.org/forum/showthread.php?t=2097)
Questions about privilege escalation, strictly on topic (https://rdot.org/forum/showthread.php?t=712)

FREEBSD:

CVE-2013-2171 - Published: 2013-06-18 - FreeBSD 9.0-9.1 mmap/ptrace Privilege Escalation Exploit (http://www.exploit-db.com/exploits/26368/)
CVE-2013-2171 - Published: 2013-06-18 - on rdot.org (https://rdot.org/forum/showthread.php?t=2775)
====================================================================================================
CVE-2012-0217 - Published: 2012-07-03 - FreeBSD 8.3 - 9.0 amd64 privesc @ Intel CPUs (by overxor (c) Rdot.org) (https://rdot.org/forum/showthread.php?p=26841#post26841)
CVE-2012-0217 - Published: 2012-07-08 - FreeBSD 8.3 - 9.0 amd64 privesc @ Intel CPUs (by iZsh) (https://rdot.org/forum/showpost.php?p=26917&postcount=17)
====================================================================================================
CVE-2011-4862 - Published: 2011-12-26 - FreeBSD remote root in telnetd (http://www.exploit-db.com/exploits/18280/)
CVE-2011-4862 - Published: 2011-12-26 - on rdot.org (https://rdot.org/forum/showthread.php?t=1907)
$ ps ax | grep telnetd | grep -v grep
$ grep telnetd /etc/inetd.conf | grep -vE '^#'

If either command produces output, your system may be vulnerable
====================================================================================================
CVE-2011-4062 - Published: 2011-12-20 - FreeBSD UIPC local root exploit (by overxor (c) Rdot.org) (https://rdot.org/forum/showthread.php?t=1895)
====================================================================================================
CVE-2011-4122 - Published: 2011-12-23 - FreeBSD OpenPAM 'pam_start()' Local Privilege Escalation Vulnerability (https://rdot.org/forum/showthread.php?t=1920)
ls -la /usr/local/kde4/lib/kde4/libexec/kcheckpass
locate kcheckpass
which kcheckpass
whereis kcheckpass
====================================================================================================
CVE-2010-4210 - Published: 2010-10-04 - FreeBSD 'pseudofs' NULL Pointer Dereference Local Privilege Escalation Vulnerability (FreeBSD 7.0 - 7.2) (http://www.exploit-db.com/exploits/15206/)
CVE-2010-2693 - Published: 2010-08-19 - FreeBSD mbufs() sendfile Cache Poisoning Privilege Escalation (http://www.exploit-db.com/exploits/14688/)
CVE-2010-2693 - Published: 2010-08-19 - FreeBSD Kernel 7.x/8.x mbuf M_RDONLY Privilege Escalation (http://jon.oberheide.org/files/cve-2010-2693.c)
CVE-2010-2693 - Published: 2010-08-19 - on rdot.org (https://rdot.org/forum/showthread.php?t=1413)
CVE-2009-4146 - Published: 2009-11-30 - FreeBSD Run-Time Link-Editor Local r00t Zeroday (http://www.exploit-db.com/exploits/10255/)<===
CVE-2009-3527 - Published: 2009-10-08 - FreeBSD 6.4 pipeclose()/knlist_cleardel() race condition exploit (http://www.exploit-db.com/exploits/9859/)
Published: 2008-12-28 - FreeBSD 6.x/7 protosw kernel Local Privilege Escalation Exploit (http://www.exploit-db.com/exploits/7581/)
CVE-2008-5736 - Published: 2008-12-23 - FreeBSD <= 6.4 Netgraph Local Privilege Escalation Exploit (http://www.exploit-db.com/exploits/16951/)


LINUX:

System.map for servers (https://rdot.org/forum/showthread.php?t=3029)

A note about the task_struct in the Linux kernel <=== !!! (https://rdot.org/forum/showthread.php?t=1451)

Running exploits from the web, using "Linux Kernel 2.6.23 - 2.6.24 vmsplice" as an example (https://rdot.org/forum/showthread.php?t=57)

CVE-2015-1328 - Published: 2015-06-15
ofs.c - overlayfs local root in Ubuntu (12.04, 14.04, 14.10, 15.04) (https://rdot.org/forum/showthread.php?t=3459)

CVE-2015-3202 - Published: 2015-05-21
CVE-2015-3202 Linux fusermount privilege escalation via LIBMOUNT_MTAB env (https://rdot.org/forum/showthread.php?t=3440)

CVE-2015-1318 & CVE-2015-1862 - Published: 2015-04-14
CVE-2015-1318 & CVE-2015-1862: The crash reporting feature in Apport 2.13 through 2.17.x before 2.17.1 allows local users to gain privileges via a crafted usr/share/apport/apport file in a namespace (container) (https://www.exploit-db.com/exploits/36746/)

CVE-2015-1815 - Published: 2015-03-30
CVE-2015-1815: The get_rpm_nvr_by_file_path_temporary function in util.py in setroubleshoot before 3.2.22 allows remote attackers to execute arbitrary commands via shell metacharacters in a file name - Fedora21 setroubleshootd local root PoC (C) 2015 Sebastian Krahmer (https://www.exploit-db.com/exploits/36564/)

- Requires polkit authorization to add/modify VPN connections in NetworkManager (default for a desktop user)

CVE-2014-3153 - Published: 2014-06-05
CVE-2014-3153: The futex_requeue function in kernel/futex.c in the Linux kernel from 3.0 to 3.14.5 does not ensure that calls have two different futex addresses, which allows local users to gain privileges via a crafted FUTEX_REQUEUE command that facilitates unsafe waiter modification. (https://rdot.org/forum/showthread.php?t=3153)

CVE-2014-3153 exploit for RHEL/CentOS 7.0.1406 (https://www.exploit-db.com/exploits/35370/)

CVE-2014-0476 - Published: 2014-06-04
CVE-2014-0476 chkrootkit => local root privilege escalation with exploit (https://rdot.org/forum/showthread.php?t=3152)

Requirements: chkrootkit is run as root (for example from cron) and /tmp is not mounted noexec

CVE-2014-0038 - Published: 2014-01-31
CVE-2014-0038 Local root >= 3.4 CONFIG_X86_X32 (x86_64) (https://rdot.org/forum/showthread.php?t=3015)

$ zgrep CONFIG_X86_X32 /proc/config.gz
$ zcat /proc/config.gz | grep CONFIG_X86_X32
$ cat /boot/config-`uname -r` | grep CONFIG_X86_X32

Exim with Dovecot RCE (OSVDB-ID: 93004) - Published: 2013-06-05
Exim sender_address Parameter - RCE Exploit (http://www.exploit-db.com/exploits/25970/)
Forum topic (https://rdot.org/forum/showthread.php?t=3056)

CVE-2013-2094 - Published: 2013-05-14
CVE-2013-2094 Linux 2.6.32 / 2.6.37 - 3.8.10 PERF_EVENTS local root (https://rdot.org/forum/showthread.php?t=2720)

exploit -> CVE-2013-2094 Linux 2.6.32 / 2.6.37 - 3.8.10 PERF_EVENTS local root - enlightenment (http://grsecurity.net/~spender/exploits/enlightenment.tgz)

exploit1 -> CVE-2013-2094 Linux 2.6.32 / 2.6.37 - 3.8.10 PERF_EVENTS local root - enlightenment without backconnect (c) Pashkela rdot.org (https://rdot.org/forum/showpost.php?p=31974&postcount=51)

$ grep -i PERF_EVENTS /boot/config-$(uname -r)
$ zgrep -i PERF_EVENTS /proc/config.gz

CONFIG_HAVE_PERF_EVENTS=y
CONFIG_PERF_EVENTS=y
CONFIG_HAVE_PERF_EVENTS_NMI=y

CVE-2013-1763 - Published: 2013-02-24
CVE-2013-1763 Archlinux x86-64 3.3.x-3.7.x x86-64 sock_diag_handlers[] Local Root (c) sd (http://www.exploit-db.com/exploits/24555/)
CVE-2013-1763 SOCK_DIAG netlink Linux kernel 3.3-3.8 exploit x86 (c) SynQ rdot.org (https://rdot.org/forum/showthread.php?t=2634)
Ubuntu 12.10 x86 | Fedora 18 x86 - in the thread.

CVE-2013-0871 - Published: 2013-02-18
CVE-2013-0871 Linux kernel race condition with PTRACE_SETREGS exploit (http://lwn.net/Articles/538904/)
Forum topic (https://rdot.org/forum/showthread.php?p=30724)

CVE-2012-......... - Published: 2012-08-02
CVE-2012-......... - Published: 2012-08-02 - Nvidia Linux Driver Privilege Escalation (by Anonymous) (http://www.exploit-db.com/exploits/20201/)
CVE-2012-3524 - Published: 2012-07-17

libdbus 'DBUS_SYSTEM_BUS_ADDRESS' Local Privilege Escalation (http://www.exploit-db.com/exploits/21323/)
Forum topic (https://rdot.org/forum/showthread.php?t=2417)
su auto vector (c) Pashkela (https://rdot.org/forum/showthread.php?p=30443#post30443#post30442)

CVE-2012-2982 - Published: 2012-07-10

RCE with root rights in Webmin <= 1.590 (https://rdot.org/forum/showthread.php?t=2428)

CVE-2012-0056 - Published: 2012-01-21

Mempodipper - Linux Local Root for >= 2.6.39, 32-bit and 64-bit /proc/pid/mem (https://rdot.org/forum/showthread.php?t=1951)

CVE-2011-4124 - Published: 2011-11-02

CVE-2011-4124 - Calibre E-Book Reader Local Root Exploit (calibre-mount-helper) #1 (http://www.exploit-db.com/exploits/18064/)
CVE-2011-4124 - Calibre E-Book Reader Local Root Exploit (calibre-mount-helper) #2 (http://www.exploit-db.com/exploits/18086/)
CVE-2011-4124 - http://crazycoders.com/2011/11/calibre-e-book-reader-local-root-exploitz/

CVE-2011-1485 - Published: 2011-04-01 - PolicyKit vulnerability:

Discussion on the forum + exploit by SynQ (c) Rdot.org (https://rdot.org/forum/showthread.php?t=1478)
Exploit polkit-pwnage.c by zx2c4 (https://rdot.org/forum/showpost.php?p=20384&postcount=3)
Exploit proven in the field (https://rdot.org/forum/showpost.php?p=26961&postcount=9)<===
http://www.exploit-db.com/exploits/17942/
http://www.securityfocus.com/bid/47496/exploit

Published: 2011-01-05 - Privilege escalation methods via capabilities (CAPS):

Linux Kernel CAP_SYS_ADMIN to Root Exploit 2 (32 and 64-bit) - Published: 2011-01-08 (http://www.exploit-db.com/exploits/15944/)
Linux Kernel CAP_SYS_ADMIN to root Exploit (only works on 32-bit x86 machines, by Dan Rosenberg) (http://www.exploit-db.com/exploits/15916/)
https://rdot.org/forum/showthread.php?t=1093
Exploit caps-to-root.c (https://rdot.org/forum/showpost.php?p=12081&postcount=2)

CVE-2010-3847 - Published: 2010-10-15 - glibc vulnerability:

The full thread (https://rdot.org/forum/showthread.php?t=817)
Symbolic links (https://rdot.org/forum/showpost.php?p=8233&postcount=1) (exploitation (https://rdot.org/forum/showpost.php?p=8239&postcount=2))
using libpcprofile.so (https://rdot.org/forum/showpost.php?p=8449&postcount=8)
using libmemusage.so (https://rdot.org/forum/showpost.php?p=19265&postcount=21)
three in one, in bash, without backconnect (https://rdot.org/forum/showpost.php?p=20173&postcount=30)<===
and all of this only works if glibc >= 2.4
Details here (https://rdot.org/forum/showpost.php?p=23147&postcount=47)

CVE-2010-4344 - Published: 2010-12-11 - Exim

CVE-2010-4344 - Exim <= 4.70 Remote Root Exploit (hoagie_exim_string_vformat.c) (http://void.at/exploits/hoagie_exim_string_vformat.c)
CVE-2010-4344 - Exim 4.63 Remote Root Exploit (http://www.exploit-db.com/exploits/15725/)
Forum topic (exploitation example on version 4.69) (https://rdot.org/forum/showthread.php?t=2315)

CVE-2010-4221 - Published: 2010-10-29 - ProFTPD before 1.3.3c

CVE-2010-4221 - proftpd IAC remote r00t exploit by kingcope (stack-based buffer overflows in ProFTPD before 1.3.3c) (http://downloads.securityfocus.com/vulnerabilities/exploits/44562.pl)
Forum topic / Rdot.org (https://rdot.org/forum/showthread.php?t=865)

CVE-2010-4170 - Published: 2010-11-26 - staprun vulnerability:
$ ls -lha /usr/bin/staprun
---s--x--x 1 root root 63012 Mar 23  2010 /usr/bin/staprun

Forum comment (https://rdot.org/forum/showpost.php?p=18637&postcount=82)
http://www.exploit-db.com/exploits/15620/

CVE-2010-3904 - Published: 2010-10-19 - Linux RDS Protocol Local Privilege Escalation (>= 2.6.30-2.6.36rc8 19.10.2010):

CVE-2010-3904 - Linux RDS Protocol Local Privilege Escalation (by Dan Rosenberg) (http://www.exploit-db.com/exploits/15285/)
Forum topic (https://rdot.org/forum/showthread.php?t=820)
#define AF_RDS 21
#define PF_RDS AF_RDS

CVE-2010-3081 - Published: 2010-09-16 (>= 2.6.26 x86_64)

Ac1dB1tCh3z original (http://www.exploit-db.com/exploits/15024/)
5 Ac1dB1tCh3z for Debian lenny (by SynQ (c) Rdot.org) (https://rdot.org/forum/showthread.php?t=1597)

CVE-2010-4347 - Published: 2010-12-18 - /sys/kernel/debug/acpi/custom_method

CVE-2010-4347 - Linux Kernel 2.6.33 <= x < 2.6.37-rc2 x86_64 ACPI custom_method Privilege Escalation (american-sign-language) (http://www.exploit-db.com/exploits/15774/)
CVE-2010-4347 - Linux Kernel 2.6.33 <= x < 2.6.37-rc2 32-bit ACPI custom_method Privilege Escalation (by SynQ (c) Rdot.org) (https://rdot.org/forum/showthread.php?p=16933#post16933)
CVE-2010-4347 - OpenSUSE 11.3 x86 (by SynQ (c) Rdot.org) (https://rdot.org/forum/showpost.php?p=16930&postcount=9)

CVE-2010-4258 - Published: 2010-12-07

CVE-2010-4258 - Linux Kernel <= 2.6.37 Local Privilege Escalation (full-nelson, by Dan Rosenberg) 2.6.29 - 2.6.36.2 (http://www.exploit-db.com/exploits/15704/)

CVE-2010-3301 - Published: 2010-09-16

CVE-2010-3301 - Linux Kernel x86_64 ia32syscall Emulation Privilege Escalation (robert_you_suck) kernel >= 2.6.29 (http://www.exploit-db.com/exploits/15023/)

CVE-2010-4073 - Published: 2011-09-05

CVE-2010-4073 - Linux Kernel x86_64 Econet Privilege Escalation Exploit (half-nelson) kernel 2.6.29 - 2.6.36.2 (http://www.exploit-db.com/exploits/17787/)

CVE-2010-2959 - Published: 2010-08-27

CVE-2010-2959 - Linux Kernel < 2.6.36-rc1 CAN BCM Privilege Escalation Exploit (i-can-haz-modharden) kernel >= 2.6.29 (http://www.exploit-db.com/exploits/14814/)

CVE-2010-0832 - Published: 2010-07-12

CVE-2010-0832 - Ubuntu PAM MOTD Local Root Exploit (http://www.exploit-db.com/exploits/14339/)

CVE-2010-2961 - Published: 2010-09-08

CVE-2010-2961 - Ubuntu Linux 'mountall' Local Privilege Escalation Vulnerability (http://downloads.securityfocus.com/vulnerabilities/exploits/43084.txt)

CVE-2009-3547 - Published: 2009-11-05

CVE-2009-3547 - Linux 2.6.x fs/pipe.c local kernel root exploit (x86) (http://crazycoders.com/2012/01/local-x86-fasync-struct-local-pipe-buffer-exploit-nonot-fasync_helper-thts-still-not-patched-this-is-fasync_structmagikal/)

CVE-2009-2698 - Published: 2009-09-02

CVE-2009-2698 - Linux Kernel 2.6 < 2.6.19 (32bit) ip_append_data() ring0 Root Exploit (http://www.exploit-db.com/exploits/9542/)<===

CVE-2009-1895 - Published: 2009-07-13 (before 2.6.31-rc3)

CVE-2009-1895 - Linux kernel PER_CLEAR_ON_SETID Personality Bypass (CTRL+F "babcia padlina") (http://www.win.tue.nl/~aeb/linux/hh/hh-12.html)
http://xorl.wordpress.com/2009/07/16/cve-2009-1895-linux-kernel-per_clear_on_setid-personality-bypass/
http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html

CVE-2009-1185 - Published: 2009-04-30

CVE-2009-1185 - Linux Kernel 2.6 UDEV < 141 Local Privilege Escalation Exploit (http://www.exploit-db.com/exploits/8572/)
$ ls -la /etc/udev/rules.d/95-udev-late.rules 2>&1
$ ls -la /lib/udev/rules.d/95-udev-late.rules 2>&1

CVE-2009-2692 - Published: 2009-08-24

Linux Kernel 2.4/2.6 sock_sendpage() ring0 Root Exploit (simple ver) (http://www.exploit-db.com/exploits/9479/)
Linux Kernel 2.4 >= 2007 RHEL 3 (by SynQ (c) Rdot.org) (https://rdot.org/forum/showpost.php?p=26327&postcount=441)
[OLD-UPDATED]: NULL pointer deref x86_64/x86/x64/PPC Linux sock_sendpage() and PPC64 (MMAP redone v2) + READ about using vmap() (http://crazycoders.com/2011/11/old-linux-sock_sendpage-null-pointer-deref-x86_64x86x64ppc-and-ppc64-mmap-redone/)

linux-sendpage2 - Published: 2009-09-09

linux-sendpage2 (http://www.exploit-db.com/sploits/2009-linux-sendpage2.tar.gz)

linux-sendpage3 - Published: 2009-08-31

linux-sendpage3 (http://www.exploit-db.com/exploits/9545/)

CVE-2009-1337 - Published: 2009-04-08 < 2.6.29 exit_notify()

http://www.exploit-db.com/exploits/8369/

CVE-2008-568 - Published: 2011-01-10

CVE-2008-568 - LOCAL SOLARIS KERNEL ROOT EXPLOIT (< 5.10 138888-01) (http://www.exploit-db.com/exploits/15962/)

CVE-2008-0009 - Published: 2008-02-09

CVE-2008-0009 - Linux Kernel 2.6.17 - 2.6.24.1 vmsplice Local Root Exploit (http://www.exploit-db.com/exploits/5092/)


Tools:

Automating the collection of information on the server.
https://rdot.org/forum/showthread.php?t=2014
https://rdot.org/forum/attachment.php?attachmentid=280&d=1343389768

Enlightenment - Linux Null PTR Dereference Exploit Framework

Choose your exploit:
[0] Cheddar Bay: Linux 2.6.30/2.6.30.1 /dev/net/tun local root
[1] MooseCox: Linux <= 2.6.31.5 pipe local root
[2] Paokara: Linux 2.6.19->2.6.31.1 eCryptfs local root
[3] Powerglove: Linux 2.6.31 perf_counter local root
[4] The Rebel: Linux < 2.6.19 udp_sendmsg() local root
[5] CVE-2009-2267: VMWare vm86 guest local root
[6] Wunderbar Emporium: Linux 2.X sendpage() local root

Forum topic (https://rdot.org/forum/showthread.php?t=153)
http://grsecurity.net/~spender/exploits/enlightenment.tgz
Requirements: cat /proc/sys/vm/mmap_min_addr returns 0, or the file is missing

LOG CLEANING:

WhiteCat logcleaner version 1.0 [edition] (https://rdot.org/forum/showthread.php?t=1179)
Log-Wipers (https://rdot.org/forum/showthread.php?t=213)

Persistence in the system:

Discussion of keyloggers (https://rdot.org/forum/showthread.php?t=1088)
The wrapper for su (https://rdot.org/forum/showthread.php?t=788)
LD_PRELOAD magic (https://rdot.org/forum/showthread.php?t=1305)
Ping Backdoor (https://rdot.org/forum/showthread.php?p=21738)
dropbear backdoor (https://rdot.org/forum/showthread.php?t=1955)

More useful links:

http://www.win.tue.nl/~aeb/linux/hh/hh.html
http://www.exploit-db.com/local/
http://www.securityfocus.com/vulnerabilities
https://bugzilla.redhat.com/query.cgi
http://xorl.wordpress.com/
http://th3-0utl4ws.com/localroot/
http://pool-27-1.na.tl:90/Local_Root_Exploits/
http://poc-hack.blogspot.ru/2012/08/kioptrix-hacking-challenge-level-1-part.html <== Video
http://g0tmi1k.blogspot.ru/2012/09/video-21ltr-scene-1.html <== an advanced guy who makes videos, there are a lot of them there

Scanned the network to locate the target [Net Discover]
Port scanned the target to discover services
Banner grabbed the services running on the open port(s) [NMap]
Interacted with the web server by testing the default page, then brute forced to discover folders & files in the web root [Firefox & DirB]
Cloned the FTP root folder with credentials learned from the web service [ftp]
Analysed the 'loot' collected from the FTP service, in which to locate an additional file positioned on the web server [grep & cURL]
Impersonated 'Dev Server Backup', and waited for the target to communicate to the attacker using the information collected from the FTP & Web services [Unicorn Scan & IPTables & NetCat]
Injected a PHP payload into the backup logs, creating a backdoor into the system [Netcat & WebHandler]
Discovered unprotected SSH credentials, which, as it turns out, are for a 'privileged' account
[U] Used a kernel exploit to modify a restricted file to view what additional functions the wheel group can execute [UDEV]
Downloaded the user credentials for the operating system and brute forced the passwords [John The Ripper]
Remotely logged back into the system via SSH with valid credentials for the super user
Discovered the flag in a different user's home folder, which had been deleted but not yet removed from the operating system
Explored the 'backup service', which was also triggered at the same time as the log port.

Other privilege escalation methods:

nginx.conf writable (https://rdot.org/forum/showthread.php?p=29581)
suid IPTABLES (example of how to be a pro) (https://rdot.org/forum/showthread.php?t=3342)