krotclass.blogg.se

Ubuntu 14.04.2 priv escalation

UBUNTU 14.04.2 PRIV ESCALATION CODE

Occasionally these will be running with either escalated privileges or will allow you to pivot to another user who might allow you to find another point to escalate. The classic is MySQL, as this will often be running internally on 3306 but not externally. Querying can be performed in the following manner:

    netstat -tulpn   # net-tools

Then, using either an SSH tunnel or a Meterpreter instance, we can port-forward this to our attacking machine.

If you find that a machine has an NFS share you might be able to use that to escalate privileges.

    # First check if the target machine has any NFS shares
    # If it does, then mount it to your filesystem

To see any available exports locally, the /etc/exports file will show all the required information. There are some options within this, related to each share, that it's important to keep track of. Ideally, we'll see that no_root_squash or no_all_squash is enabled. When mounting an NFS drive remotely, as any user, it will by default mount the drive as nfsnobody. If either of the above options is enabled, however, it will allow you to create files as your own UID and GID, allowing you to impersonate users on the remote machine. If you have write privileges you can create files. Test if you can create files, then check with your low-privilege shell what user has created that file. If it says that it is the root user that has created the file, that is good news. Then you can create a file and set it with SUID permission from your attacking machine. This code can be compiled and added to the share, and then executed with your low-privilege shell.

One with admin privilege (with sudo rights), let's call it adminuser. A second one without any privilege, let's call it normaluser, and I configure autologin on this second user, normaluser. So when I open a normaluser session and want to run an application with admin privilege, I open a terminal (Ctrl+Alt+T) and:

    su adminuser
    sudo anyapplication
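As an added defensive check (not part of the original post), the following Python parses an exports file and flags the no_root_squash and no_all_squash options discussed above, so an administrator can spot shares that skip the default nfsnobody mapping. The SAMPLE_EXPORTS content is a constructed example, and the option descriptions are my own notes rather than anything from the page.

```python
"""Audit an NFS exports file for options that disable UID squashing (added example)."""
import re
from typing import List, Tuple

# Options that switch off the default mapping of remote users to nfsnobody
RISKY_OPTIONS = {
    "no_root_squash": "remote root keeps UID 0 on this export",
    "no_all_squash": "remote UIDs/GIDs are honoured as-is",
}

# Constructed sample /etc/exports (not from any real host), used as input below
SAMPLE_EXPORTS = """\
# scratch space for the build hosts
/srv/scratch   *(rw,sync,no_root_squash)
/srv/backup    10.0.0.0/24(rw,sync,no_all_squash) 10.0.1.5(ro)
/srv/public    *(ro,sync,root_squash)
"""

# A client token looks like "host", "host(opts)" or, by mistake, "(opts)"
CLIENT_RE = re.compile(r"([^(]*)(?:\(([^)]*)\))?")


def parse_exports(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return one (path, client, options) tuple per client of every export."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        path, clients = tokens[0], tokens[1:] or ["*"]  # no client = everyone
        for token in clients:
            m = CLIENT_RE.fullmatch(token)
            if m is None:
                continue  # malformed token; exportfs would reject it too
            host = m.group(1) or "*"  # "host (opts)" exports "(opts)" to all
            opts = [o for o in (m.group(2) or "").split(",") if o]
            entries.append((path, host, opts))
    return entries


def audit_exports(text: str) -> List[str]:
    """List every export/client pair that sets a squash-disabling option."""
    findings = []
    for path, host, opts in parse_exports(text):
        for opt in opts:
            if opt in RISKY_OPTIONS:
                findings.append(f"{path} -> {host}: {opt} ({RISKY_OPTIONS[opt]})")
    return findings
```

Note that a stray space before the option list ("host (rw)") is parsed as a world-readable export, which is exactly the misconfiguration this check is meant to catch.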


Very simply, a cron job is a task set on a timer, for example every 15 minutes or every 3rd day of the month. These tasks offer a whole avenue for exploitation as they are often quickly coded and can introduce all sorts of vulnerabilities. Viewing /etc/crontab is of course the classic. The cron job format is the following: Ideally we'll have a vulnerable command being run that we can then exploit. The following files and commands are also worth enumerating to see if anything's been misconfigured and the cron itself is visible publicly. In some situations, cron jobs may be hidden from all users, in a user's own crontab. Running the below script will parse the active processes every second and output any changes, which may indicate a hidden cron job.

When enumerating a Linux system, there are an absolute tonne of scripts which can do all the dirty work for you: LinEnum.sh. The first thing you should do is run one or more of these, save the output they give you and just read them.

One critical task that you'll need to perform is querying for internal ports that aren't exposed externally.


Many older applications have vulnerabilities that can lead to code execution, so that is also worth reading up on. The following standard Unix tools have many easy ways to perform arbitrary code execution if you find yourself in a situation enabling you to execute them as a privileged user.

Less: from less you can go into vi, and then into a shell.

Awk:

    awk 'BEGIN '

More: you need to run more on a file that is bigger than your screen.

Tcpdump:

    echo $'id\ncat /etc/shadow' > /tmp/.test
    tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root

UBUNTU 14.04.2 PRIV ESCALATION FULL

The holy grail of Linux privilege escalation. This section will describe two attack vectors that are effectively the same, and that is Linux applications running with elevated privileges. These can either be via sudo or the SUID/SGID bit, but in effect it's about taking an application that is running as a privileged user and performing code execution. To find any SUID or SGID files run the following commands:

    # Find SUID

Also perform a check of any sudo commands you can run as a privileged user:

    sudo -l

Check any binaries in the above lists, both what they do and the version number. Some binaries are moving away from the concept of SUID and towards capabilities, as there's very little reason for many binaries to have full privileged execution:


Put that c0w down and let's see how we can exploit the low-hanging fruit.

When enumerating a Linux system, there are an absolute tonne of scripts which can do all the dirty work for you: Try to find any obvious things sticking out and don't rush to try kernel exploits even if you see them suggested here. Kernel exploits, while effective, will frequently crash the system if they fail, and the last thing you want on an engagement is to perform a denial of service or annoy your fellow CTF players. It also can't hurt to double-check by going through the following guides:

  • g0tmi1k - Basic Linux Privilege Escalation.
  • RebootUser - Local Linux Enumeration & Privilege Escalation Cheatsheet.
