Take your time. Don't try to do too much at once. Remember small steps - don't try to jump to root using rshell. Maybe run a few commands to see what they do
Once you've found the patch to escalation click here:
https://github.com/Ignitetechnologies/Privilege-Escalation
If you get an error "su: must be run from a terminal"
use one of the shell fixes above
Are you a sudo user already? Do you have access to powerful commands like chown or chmod?
Are you part of the sudo group, but not in the sudoers file?
What can we run with sudo?
Try su as all users and the username as password
User bash history
Spawning root shells
Create a copy of /bin/bash or /bin/sh can you call it rootbash - make sure its owned by the root user. Then use /bin/bash -p to run it
Questions to ask yourself
What user with what permissions + where am I?
What usernames could I login as?
What architecture?
Whats running on the machine?
look for something(s) that are running which is not standard
What files does the user have permission?
What services are running?
if things are here that are not on the nmap scan - could be a firewall rule blocking it is mysql in there? If so creds will be stored somewhere on the box
What is installed?
Run on target
Copy /tmp/packages.txt which it has created back to your machine and then run
What kernel version - low hanging fruit?
What web app creds can i find?
Research where creds would be stored on certain webapps
Can you see the shadow file - get lucky?
What services are running as root?:
Look for vulnerable/privileged components such as: mysql, sudo, udev, python
If /etc/exports if writable, you can add an NFS entry or change and existing entry adding the no_root_squash flag to a root directory, put a binary with SUID bit on, and get root.
If you can write to any of these files or directories you have a good chance of PE
If you have found a download it to your box and open it in Ghidra. Check the main function to view de-compiled commands interesting binary SUID files / binaries
Things to remember:
Run strings on the binary. Read all of it, don't just read the bottom of the output - read the top. Look for programs that the binary calls like curl. If you spot one then if it doesn't have its full path you can exploit it by modifying the path variable and creating a file with /bin/bash. See box symofonos:1.
The file will run as the owner no matter who executes it. So if root owns it, we can run it and hijack it to become root
Capabilities
Linux capabilities provide a subset of the available root privileges to a process. This effectively breaks up root privileges into smaller and distinctive units. Each of these units can then be independently be granted to processes. This way the full set of privileges is reduced and decreasing the risks of exploitation.
Capabilities name
Description
CAP_AUDIT_CONTROL
Allow to enable/disable kernel auditing
CAP_AUDIT_WRITE
Helps to write records to kernel auditing log
CAP_BLOCK_SUSPEND
This feature can block system suspends
CAP_CHOWN
Allow user to make arbitrary change to files UIDs and GIDs (full filesystem access)
CAP_DAC_OVERRIDE
This helps to bypass file read, write and execute permission checks (full filesystem access)
CAP_DAC_READ_SEARCH
This only bypass file and directory read/execute permission checks
CAP_FOWNER
This enables to bypass permission checks on operations that normally require the filesystem UID of the process to match the UID of the file
CAP_KILL
Allow the sending of signals to processes belonging to others
CAP_SETGID
Allow changing of the GID
CAP_SETUID
Allow changing of the UID (set UID of root in you process)
CAP_SETPCAP
Helps to transferring and removal of current set to any PID
CAP_IPC_LOCK
This helps to lock memory
CAP_MAC_ADMIN
Allow MAC configuration or state changes
CAP_NET_RAW
Use RAW and PACKET sockets
CAP_NET_BIND_SERVICE
SERVICE Bind a socket to internet domain privileged ports
CAP_SYS_CHROOT
Ability to call chroot()
World-writable folders
World-executable folders
World-writeable & executable folders
gives a bit more info
Word writable directories for root
Look for binaries with the SUID or GUID bits set.
In plain English, this command says to find files in the / directory owned by the user root with SUID permission bits (-perm -4000), print them, and then redirect all errors (2 = stderr) to /dev/null (where they get thrown away). The reason for this redirect is that we aren't interested in things that we can't access, and access denied errors can fill up a terminal pretty fast.
Adding a binary to PATH, to hijack another SUID binary invokes it without the fully qualified path.
If you can get root to execute anything, the following will change a binary owner to him and set the SUID flag:
/etc/shadow overwrite
If a SUID binary allows you to write to a file, overwrite /etc/shadow with the following then su to root using password rowbot
Check running services and installed applications
ps -ef cat /etc/services dpkg -l rpm -qa
An example here is for instance that you see a local database like mysql is running. Maybe you are able to find credentials for it and log into it locally on the box
If MYSQL is running as root, you can run commands using sys_exec(). For instance, to add user to sudoers:
More about MYSQL:
Command to skip ignored lines in config files
Find Linux distribution & version
Check versions - use in conjunction with searchsploit
If you can just change PATH, the following will add a poisoned ssh binary:
Generating SUID C Shell for /bin/bash
Compile using gcc -o <name> <filename.c>
Without interactive shell
If /etc/passwd has incorrect permissions, you can root:
or
Add user www-data to sudoers without password
If you can sudo chmod:
Wildcard injection if there is a cron with a wildcard in the command line, you can create a file, whose name will be passed as an argument to the cron task, For more info:
compile exploit fix error
Find other uses in the system
World readable/writable files:
Find world-readable files:
Find nobody owned files
Add user to sudoers in python.
Ring0 kernel exploit for 2.3/2.4
Inspect web traffic
Scripts to run
Copy them over
Creates folder /tmp/rowbot and copies files on kali web server to target
What is running, any cron jobs any scripts? Use PSPY to find out
Useful script to run for initial scan - displays info on box
Use this tool first to help you get in the PE mindset.
SUID search - good tool
Automatically downloads and compiles exploit
The following script runs exploit suggester and automatically downloads and executes suggested exploits:
Linux Remote Exploits
Kernelpop
automated kernel vulnerability enumeration and exploitation
Remember to run them again if you get a user shell not just www-data shell
LinuxPrivchecker.py
Exploits worth running
Always be sure to read the comments in exploits they inform you about which systems and version are vulnerable, which parts of the script need modification & which compilation flags to use. $targetip 32 bit or 64 bit? Be mindful of this when compiling exploits.
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation
CVE-2010-3904 - Linux RDS Exploit - Linux Kernel <= 2.6.36-rc8
echo 'services running as root'; ps aux | grep root; echo 'permissions'; ps aux | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++'; echo 'nfs info'; ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null
netstat -ano
id
su
sudo -l
cat /etc/passwd
cat /etc/shadow
cat /etc/group
cat /etc/sudoers # who is in there are you?
ls -alh /var/mail/
ls -ahlR /root
ls -ahlR /home/
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 {print $1}' #any other super users?
echo 'root::0:0:root:/root:/bin/bash' > /etc/passwd; su
or
echo "root:JblITMXA7I1hg:0:0:root:/root:/bin/bash" > /etc/passwd
then su using password rowbot
openssl passwd
#put in password, output is random sting
#pass this on the x part of root in /etc/passwd
su root using the password u set
uname -r : Find Linux kernel version.
cat /proc/version : Show Linux kernel version with help of a special file.
hostnamectl | grep Kernel : For systemd based Linux distro you can use hotnamectl to display hostname and running Linux kernel version.
