Linux privilege escalation cheat sheet

Privilege Escalation cheatsheet

Windows

Kernel Exploits

  • systeminfo -> look up missing KBs
  • systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
  • Sherlock -> Find-AllVulns (PowerShell)
  • 0xsp Mongoose

Common Kernel Exploits

  • [MS16-014](https://www.exploit-db.com/exploits/40039) — applies to: Windows 7 SP1 x86
  • [MS16-016](https://www.exploit-db.com/exploits/39432) — ‘WebDAV’, applies to: Windows 7 SP1 x86 (Build 7601)
  • [MS16-032](https://www.exploit-db.com/exploits/39719) — applies to: Windows 7 x86/x64, Windows 8 x86/x64, Windows 10, Windows Server 2008-2012 R2
  • CVE-2020-0796 — applies to: Windows operating systems with SMBv3 enabled
  • [MS16-075](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-075)
  • CVE-2019-1388

Config files

GPP (Group Policy Preferences)

Only applicable for devices connected to a domain

Other Files

Other Misc Passwords

powerup:

  • Get-WebConfig (IIS web.config)

putty:

  • reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions

Tight VNC:

  • reg query HKCU\Software\TightVNC\Server
  • vncpwd.exe

Always Install Elevated:

  • reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
  • reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
    • if both values are 1, create a malicious .msi file (with msfvenom, for example)
    • execute it with msiexec /quiet /qn /i

powerup:

Unquoted Service Paths (trusted service paths)

For each space in an unquoted service path, Windows will attempt to look for and execute a program whose name matches the text in front of that space (with .exe appended), before reaching the intended binary:

  • C:\Program Files\Some Folder\Service.exe
  • C:\Program.exe
  • C:\Program Files\Some.exe
  • C:\Program Files\Some Folder\Service.exe
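To make the lookup above concrete, here is an added example (not part of the original cheat sheet) that reproduces the candidate list for any unquoted ImagePath, so an auditor knows exactly which paths to check for existence and for write access by non-administrators; the sample path is the constructed one from the list above.

```shell
#!/usr/bin/env bash
# Added example (not from the original cheat sheet): enumerate the executables Windows
# would try, in order, for an unquoted service ImagePath. Sample paths are constructed.
unquoted_path_candidates() {   # $1 = ImagePath as stored in the registry
  local path=$1 rest prefix= word
  case $path in
    \"*) printf '%s\n' "$path"; return 0 ;;   # already quoted: only the real binary is tried
  esac
  rest=$path
  while [ "${rest#* }" != "$rest" ]; do       # loop while a space remains in the path
    word=${rest%% *}                            # text up to the next space
    rest=${rest#* }                             # text after that space
    prefix="$prefix$word"
    printf '%s.exe\n' "$prefix"                 # tried before the intended file
    prefix="$prefix "
  done
  printf '%s\n' "$path"                         # the intended binary, tried last
}

# Each printed path is a location an auditor should confirm is absent and not writable
# by standard users; a quoted path prints only itself.
unquoted_path_candidates 'C:\Program Files\Some Folder\Service.exe'
unquoted_path_candidates '"C:\Program Files\Some Folder\Service.exe"'
```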

PFNet

Start and stop the service:

  • sc stop PFNet
  • sc start PFNET

Powerup:

  • Get-ServiceUnquoted
  • Write-ServiceBinary -Name -Path

Insecure Service Permissions

Write access to a service as authenticated user?

Windows XP: SSDPSRV and upnphost are modifiable by authenticated users by default.

Powerup:

  • Get-ModifiableService
  • Test-ServiceDaclPermission
  • Invoke-ServiceAbuse -Name -Command

DLL Hijacking

Requires user interaction / reboot.

DLL search order on 32-bit systems:

You can use Process Monitor (procmon) to look for hijackable DLLs using the following filters:

  • Result is NAME NOT FOUND -> Include
  • Path ends with .dll -> Include

Generate a malicious payload with msfvenom

Windows 7 x86/64:

  • IKE and AuthIP IPsec Keying Modules (IKEEXT) — wlbsctrl.dll

Powerup:

  • Find-PathDLLHijack
  • Find-ProcessDLLHijack
  • Write-HijackDll

Scheduled tasks:

On Windows 2000, Server 2003 and XP, scheduled tasks run as SYSTEM. Do they call any .exe's, and can you overwrite them?

Can you create a task yourself?

  • net start "Task Scheduler"
  • at /interactive "path to evil exe"

Powerup:

Useful commands

Linux

Scripts & Tools

  • 0xsp Mongoose
  • Linux-Enum-Mod
  • linux-exploit-suggester

Kernel Exploits

  • Mongoose 0xsp
  • uname -a -> searchsploit
  • linux-exploit-suggester

Common Kernel Exploits

Services Running as root

  • ps aux | grep root
  • any shell escape sequences?

SUID Executables

  • run with the permissions of the file owner
  • find / -perm -u=s -type f 2>/dev/null
  • any shell escape sequences — do we have write access?

Sudo rights / users

  • sudo -l
  • what can we execute -> any shell escape sequences

Cron jobs

Wildcards

  • often combined with user interaction / cronjobs
  • cf. the paper "Back to the Future: Unix Wildcards Gone Wild"
  • wildcards can be abused to inject arbitrary arguments: a file whose name starts with "-" is expanded by the shell and parsed by the command as an option

Path Abuse (‘.’ in path)

Requires user interaction (e.g. somebody needs to have "." in their PATH)

Linux — Privilege Escalation

There are many scripts that you can execute on a Linux machine which automatically enumerate system information, processes, and files to locate privilege escalation vectors. Here are a few of the checks they perform:

  • Kernel and distribution release details
  • System Information:
    • Hostname
    • Networking details:
    • Current IP
    • Default route details
    • DNS server information
  • User Information:
    • Current user details
    • Last logged on users
    • Shows users logged onto the host
    • List all users including uid/gid information
    • List root accounts
    • Extracts password policies and hash storage method information
    • Checks umask value
    • Checks if password hashes are stored in /etc/passwd
    • Extract full details for ‘default’ uid’s such as 0, 1000, 1001 etc
    • Attempt to read restricted files i.e. /etc/shadow
    • List current users history files (i.e .bash_history, .nano_history, .mysql_history , etc.)
    • Basic SSH checks
  • Privileged access:
    • Which users have recently used sudo
    • Determine if /etc/sudoers is accessible
    • Determine if the current user has Sudo access without a password
    • Are known ‘good’ breakout binaries available via Sudo (i.e. nmap, vim etc.)
    • Is root’s home directory accessible
    • List permissions for /home/
  • Environmental:
    • Display current $PATH
    • Displays env information
  • Jobs/Tasks:
    • List all cron jobs
    • Locate all world-writable cron jobs
    • Locate cron jobs owned by other users of the system
    • List the active and inactive systemd timers
  • Services:
    • List network connections (TCP & UDP)
    • List running processes
    • Lookup and list process binaries and associated permissions
    • List inetd.conf/xinetd.conf contents and associated binary file permissions
    • List init.d binary permissions
  • Version Information (of the following):
    • Sudo
    • MYSQL
    • Postgres
    • Apache
      • Checks user config
      • Shows enabled modules
      • Checks for htpasswd files
      • View www directories
  • Default/Weak Credentials:
    • Checks for default/weak Postgres accounts
    • Checks for default/weak MYSQL accounts
  • Searches:
    • Locate all SUID/SGID files
    • Locate all world-writable SUID/SGID files
    • Locate all SUID/SGID files owned by root
    • Locate ‘interesting’ SUID/SGID files (i.e. nmap, vim etc)
    • Locate files with POSIX capabilities
    • List all world-writable files
    • Find/list all accessible *.plan files and display contents
    • Find/list all accessible *.rhosts files and display contents
    • Show NFS server details
    • Locate *.conf and *.log files containing keyword supplied at script runtime
    • List all *.conf files located in /etc
    • Locate mail
  • Platform/software specific tests:
    • Checks to determine if we’re in a Docker container
    • Checks to see if the host has Docker installed
    • Checks to determine if we’re in an LXC container

Looting for passwords

Files containing passwords

Old passwords in /etc/security/opasswd

The /etc/security/opasswd file is also used by pam_cracklib to keep a history of old passwords so that users cannot reuse them.

⚠️ Treat your opasswd file like your /etc/shadow file because it will end up containing user password hashes

Last edited files

Files that were edited in the last 10 minutes

Hacking Articles

Raj Chandel’s Blog

Privilege Escalation Cheatsheet (Vulnhub)

This cheatsheet is aimed at CTF players and beginners to help them understand the fundamentals of privilege escalation with examples. It is not a cheatsheet for enumeration using Linux commands. Privilege escalation is all about proper enumeration. There are multiple ways to perform the same tasks. We have performed and compiled this list based on our experience.

NOTE: This is a brief version of this Cheatsheet. For the complete privilege escalation Cheatsheet visit our GitHub page.

Table of Contents

  1. Abusing Sudo Rights
  2. SUID Bit
  3. Kernel Exploit
  4. Path Variable
  5. Enumeration
  6. MySQL
  7. Crontab
  8. Wildcard Injection
  9. Capabilities
  10. Writable /etc/passwd file
  11. Writable files or script as root
  12. Buffer Overflow
  13. Docker

Abusing Sudo Rights

The word sudo stands for Super User Do. Used as a prefix to a command, ‘sudo’ lets you run that command as root without changing your user. When you run a command with sudo, it asks for elevated privileges and Linux checks whether your username is in the sudoers file: if it matches, the command runs; if not, you cannot run the command or program through sudo. Under the default sudo rights, the root user can execute from ALL terminals, acting as ALL users and ALL groups, and run ALL commands. Such rights, when granted too broadly, can be manipulated to our advantage, as we have done in many CTFs.

Read from here: https://www.hackingarticles.in/linux-privilege-escalation-using-exploiting-sudo-rights/

SUID Bit

Set User ID (SUID) is a form of permission that lets a user execute a file with the permissions of the file’s owner, so files with the SUID permission run with higher privileges. The maximum permission value for each class (owner, group, others) is 7, the sum of read (4), write (2) and execute (1). For example, chmod 755 is displayed as rwxr-xr-x. Special permissions are expressed with an extra leading digit and become SUID, SGID and the sticky bit. When the extra bit “4” is set for the user (owner) it becomes SUID (Set User ID), and the mode is displayed as rwsr-xr-x. SUID binaries can be abused when they let us execute commands or write files as the owner, in order to gain access and do the needful.

Read from here: https://www.hackingarticles.in/linux-privilege-escalation-using-suid-binaries/

Kernel Exploit

Kernel exploits are among the most commonly used exploits today, as kernel exploitation is the most advanced attack there is. They exist for both Windows and Linux. In this attack, malicious code abuses a kernel vulnerability to take control as root/administrator, bypassing user access control.

Path Variable

PATH is an environment variable in Linux and Unix-like operating systems which lists the bin and sbin directories in which executable programs are stored. When the user runs a command on the terminal, the shell searches the directories listed in PATH for a matching executable. The superuser also usually has /sbin and /usr/sbin entries for easily executing system administration commands.

Read from here: https://www.hackingarticles.in/linux-privilege-escalation-using-path-variable/

Enumeration

Enumeration is the phase of an attack in which the attacker traverses the system and network in order to find useful information such as password hashes, active connections, etc. During this phase, bash history and config files come in handy, as they often hold the most useful data an attacker can take advantage of.

MySQL

MySQL provides a mechanism by which the default set of functions can be expanded by means of custom-written dynamic libraries containing User Defined Functions (UDFs).

Crontab

Cron jobs are used for scheduling tasks by executing commands at specific dates and times on the server. They are most commonly used for sysadmin jobs such as backups or cleaning the /tmp/ directory. The word cron comes from crontab, and the crontab file is present inside the /etc directory.

Wildcard Injection

A wildcard is a character or set of characters that stands for some range or class of characters. Wildcards are interpreted by the shell before any other action is taken, so one can take advantage of this to execute arbitrary commands through a bare asterisk (*) argument: the shell expands it into file names, and file names that look like options are parsed as such by the command.
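As an added example (not from either cheat sheet on this page), the block below shows the mechanism described here and in the "Wildcards" list earlier with a harmless command, and then a defender's check over crontab text for jobs that hand a bare "*" to a wildcard-sensitive tool. The directory contents and the crontab are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from either cheat sheet. wildcard_demo shows the mechanism with a
# harmless command (ls): a file literally named "-l" is expanded by the shell into the
# argument list and the program parses it as an option. flag_wildcard_jobs is a defender's check.

wildcard_demo() {         # $1 = unsafe | safe | dotslash ; prints what ls reports
  local dir out
  dir=$(mktemp -d)
  : > "$dir/a.txt"; : > "$dir/b.txt"; : > "$dir/-l"    # constructed files; "-l" is the hostile name
  case $1 in
    unsafe)   out=$(export LC_ALL=C; cd "$dir" && ls *) ;;     # expands to: ls -l a.txt b.txt
    safe)     out=$(export LC_ALL=C; cd "$dir" && ls -- *) ;;  # "--" ends option parsing
    dotslash) out=$(export LC_ALL=C; cd "$dir" && ls ./*) ;;   # "./-l" can never look like an option
  esac
  rm -rf -- "$dir"
  printf '%s\n' "$out"
}

# Cron lines where a wildcard-sensitive tool receives a bare '*' (or 'dir/*') operand.
# Such jobs should be rewritten with '--' or './*' and must not glob a directory others can write to.
flag_wildcard_jobs() {    # $1 = crontab contents
  printf '%s\n' "$1" |
    grep -E '(^|[[:space:]/])(tar|rm|chown|chmod|rsync)[[:space:]][^#]*[[:space:]/]\*([[:space:]]|$)'
}

DEMO_CRONTAB='# constructed sample crontab
0 2 * * * cd /var/www && tar czf /backup/www.tgz *
0 3 * * * chown -R www-data:www-data /var/www/uploads/*
0 4 * * * /usr/bin/find /tmp -mtime +7 -delete
*/5 * * * * rsync -a /srv/data/ backup:/srv/data/'

echo "unsafe: $(wildcard_demo unsafe | wc -l) long-format lines; '-l' was consumed as an option"
echo "safe:   $(wildcard_demo safe | tr '\n' ' ')"
echo "flagged cron jobs:"; flag_wildcard_jobs "$DEMO_CRONTAB"
```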

Capabilities

Capabilities are additional privileges that can be granted to a file or directory. They can also be manipulated to our own advantage in order to achieve the desired goal: a capability can, for example, override the permission checks or the read access to a filesystem, or grant the ability to call chroot.

Writable /etc/passwd file

The /etc/passwd file is the one where usernames and passwords are saved along with every detail possible. So, if by chance you find that this file is writable, you can add your own user, with or without a password, and bypass the access control of the system.

Writable files or script as root

Sometimes there are files which are writable. Such files can be edited to include our own malicious code, which can either run as root or be used to gain root access. Writable files are therefore quite important for privilege escalation.
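The "SUID Bit" section and this one both come down to a small number of file-permission checks, so here is an added audit example (not from the original cheatsheet) that implements them as shell functions: set-id binaries, world-writable files, and the mode of /etc/passwd. The functions take a root directory so they can be run against the constructed tree built in the block; on a real host they would be pointed at / and every hit compared against what the distribution installed.

```shell
#!/usr/bin/env bash
# Added audit helpers (not from the original cheat sheet). Each function takes a root
# directory so it can be exercised against the constructed tree below; on a real host
# point them at / and review every hit that the distribution did not install.

find_setid() {            # regular files with the SUID (4000) or SGID (2000) bit set
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | LC_ALL=C sort
}

find_world_writable() {   # regular files any local user can modify; a hit under a cron or
  find "$1" -xdev -type f -perm -0002 -print 2>/dev/null | LC_ALL=C sort   # init directory runs as root
}

check_passwd_perms() {    # $1 = an /etc/passwd path; group- or world-writable lets anyone add a uid-0 user
  if [ -n "$(find "$1" -maxdepth 0 \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
    echo WEAK
  else
    echo OK
  fi
}

build_demo_tree() {       # constructed fixture: one SUID file, one world-writable cron script,
  local root              # one world-writable passwd copy and one correctly protected binary
  root=$(mktemp -d)
  mkdir -p "$root/usr/bin" "$root/etc/cron.daily"
  : > "$root/usr/bin/passwd_copy";   chmod 4755 "$root/usr/bin/passwd_copy"
  : > "$root/usr/bin/ls_copy";       chmod 755  "$root/usr/bin/ls_copy"
  : > "$root/etc/cron.daily/backup"; chmod 777  "$root/etc/cron.daily/backup"
  : > "$root/etc/passwd";            chmod 666  "$root/etc/passwd"
  printf '%s\n' "$root"
}

audit_report() {          # run all three checks against a root directory and print a short report
  local root=$1
  printf '== set-id binaries ==\n%s\n' "$(find_setid "$root")"
  printf '== world-writable files ==\n%s\n' "$(find_world_writable "$root")"
  printf '== %s/etc/passwd permissions: %s\n' "$root" "$(check_passwd_perms "$root/etc/passwd")"
}

demo_root=$(build_demo_tree)
audit_report "$demo_root"
rm -rf -- "$demo_root"
```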

Buffer Overflow

A buffer is a sequential segment of memory allocated to hold data such as a character string or an array of integers. This vulnerability exists when a program tries to put more data into a buffer than it can contain, or when a program tries to write data into memory past the end of a buffer. Writing outside the bounds of a block of allocated memory can corrupt data, crash the program, or cause the execution of malicious code.

Docker

Docker was introduced to address the drawbacks of VMware. Docker developed the concept of containers: whichever application you want to run in a virtual environment, Docker will create a container with the application and its every dependency. The main reason it is more widely used than VMware is its efficiency. In Docker, all of the commands require a sudo prefix. Docker’s design intrinsically gives significant rights to any user who has access to the daemon. The Docker daemon allows access to either the root user or any user in the ‘docker’ group. This means being a member of the ‘docker’ group is the same as having permanent root access.
