mirror of https://github.com/carlospolop/hacktricks.git synced 2023-12-14 19:12:55 +01:00

GitBook: [master] one page modified

This commit is contained in:
CPol 2020-08-21 14:40:36 +00:00 committed by gitbook-bot
parent ac38cb05fe
commit 23e574f503
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF


@ -4,7 +4,34 @@ Do you want to **know** about my **latest modifications**/**additions or you hav
If you want to **share some tricks with the community** you can also submit **pull requests** to ****[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) ****that will be reflected in this book. If you want to **share some tricks with the community** you can also submit **pull requests** to ****[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) ****that will be reflected in this book.
Don't forget to **give ⭐ on the github** to motivate me to continue developing this book. Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
## Kernel exploits ## System Information
### OS info
Let's starting gaining some knowledge of the OS running
```bash
(cat /proc/version || uname -a ) 2>/dev/null
lsb_release -a 2>/dev/null
```
### Path
If you **have write permissions on any folder inside the `PATH`** variable you may be able to hijacking some libraries or binaries:
```bash
echo $PATH
```
### Env info
Interesting information, passwords or API keys in the environment variables?
```bash
(env || set) 2>/dev/null
```
### Kernel exploits
Check the kernel version and if there is some exploit that can be used to escalate privileges Check the kernel version and if there is some exploit that can be used to escalate privileges
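Review bot: The Path section has a grammar slip, "you may be able to hijacking some libraries or binaries" should read "you may be able to hijack some libraries or binaries", and its `echo $PATH` only lists the directories, leaving the reader to test each one by hand; printing the writable entries directly, for example `for d in ${PATH//:/ }; do [ -w "$d" ] && echo "$d"; done`, would make the command match what the sentence describes. The OS info lead-in "Let's starting gaining some knowledge of the OS running" should also read "Let's start gaining some knowledge of the running OS".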
@ -57,6 +84,75 @@ You can check if the sudo version is vulnerable using this grep.
sudo -V | grep "Sudo ver" | grep "1\.[01234567]\.[0-9]\+\|1\.8\.1[0-9]\*\|1\.8\.2[01234567]" sudo -V | grep "Sudo ver" | grep "1\.[01234567]\.[0-9]\+\|1\.8\.1[0-9]\*\|1\.8\.2[01234567]"
``` ```
### Date, system stats and CPU info
```bash
date 2>/dev/null #Date
(df -h || lsblk) #System stats
lscpu #CPU info
```
### Dmesg signature verification failed
Check **smasher2 box of HTB** for an **example** of how this vuln could be exploited
```bash
dmesg 2>/dev/null | grep "signature"
```
### Printers
```bash
lpstat -a 2>/dev/null
```
### Enumerate possible defenses
#### AppArmor
```bash
if [ `which aa-status 2>/dev/null` ]; then
aa-status
elif [ `which apparmor_status 2>/dev/null` ]; then
apparmor_status
elif [ `ls -d /etc/apparmor* 2>/dev/null` ]; then
ls -d /etc/apparmor*
else
echo "Not found AppArmor"
fi
```
#### Grsecurity
```bash
((uname -r | grep "\-grsec" >/dev/null 2>&1 || grep "grsecurity" /etc/sysctl.conf >/dev/null 2>&1) && echo "Yes" || echo "Not found grsecurity")
```
#### PaX
```bash
(which paxctl-ng paxctl >/dev/null 2>&1 && echo "Yes" || echo "Not found PaX")
```
#### Execshield
```bash
(grep "exec-shield" /etc/sysctl.conf || echo "Not found Execshield")
```
#### SElinux
```bash
(sestatus 2>/dev/null || echo "Not found sestatus")
```
#### ASLR
```bash
cat /proc/sys/kernel/randomize_va_space 2>/dev/null
#If 0,not enabled
```
## Software exploits ## Software exploits
Check for the **version of the installed packages and services**. Maybe there is some old Nagios version \(for example\) that could be exploited for gaining privileges… Check for the **version of the installed packages and services**. Maybe there is some old Nagios version \(for example\) that could be exploited for gaining privileges…
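Review bot: The ASLR comment `#If 0,not enabled` is incomplete: `randomize_va_space` is 0 (disabled), 1 (conservative: stack, mmap base and VDSO randomized, but not brk) or 2 (full, brk as well), so a reading of 1 still means ASLR is on, just not fully; suggest `#0: disabled, 1: partial (no brk randomization), 2: full`. Also, `(df -h || lsblk)`, `lscpu` and the Execshield `grep "exec-shield" /etc/sysctl.conf` lack the `2>/dev/null` that the rest of the hunk uses, so on a host without that tool or file they print an error instead of the intended "Not found" fallback; for the defense checks, `command -v` is a more portable replacement for the backtick-wrapped `which` inside `[ ... ]`.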