PATHvariable you may be able to hijacking some libraries or binaries:
--inspectparameter inside the command line of the process. Also check your privileges over the processes binaries, maybe you can overwrite someone.
/dev/memprovides access to the system's physical memory, not the virtual memory. The kernels virtual address space can be accessed using /dev/kmem. Typically,
/dev/memis only readable by root and kmem group.
.servicefile, if you can, you could modify it so it executes your backdoor when the service is started, restarted or stopped (maybe you will need to wait until the machine is rebooted). For example create your backdoor inside the .service file with
.service) that is executing a writable binary
man systemd.socket. Inside this file some several interesting parameters can be configured:
ListenUSBFunction: This options are different but as summary as used to indicate where is going to listen the socket (the path of the AF_UNIX socket file, the IPv4/6 and/or port number to listen...).
Accept: Takes a boolean argument. If true, a service instance is spawned for each incoming connection and only the connection socket is passed to it. If false, all listening sockets themselves are passed to the started service unit, and only one service unit is spawned for all connections. This value is ignored for datagram sockets and FIFOs where a single service unit unconditionally handles all incoming traffic. Defaults to false. For performance reasons, it is recommended to write new daemons only in a way that is suitable for
ExecStartPost: Takes one or more command lines, which are executed before or after the listening sockets/FIFOs are created and bound, respectively. The first token of the command line must be an absolute filename, then followed by arguments for the process.
ExecStopPost: Additional commands that are executed before or after the listening sockets/FIFOs are closed and removed, respectively.
Service: Specifies the service unit name to activate on incoming traffic. This setting is only allowed for sockets with Accept=no. It defaults to the service that bears the same name as the socket (with the suffix replaced). In most cases, it should not be necessary to use this option.
.socketfile you can add at the beginning of the
[Socket]section something like:
ExecStartPre=/home/kali/sys/backdoorand the backdoor will be executed before the socket is created. Therefore, you will probably need to wait until the machine is rebooted. Note that the system must be using that socket file configuration or the backdoor won't be executed
.socketfiles), then, you can communicate with that socket and maybe exploit a vulnerability.
/var/run/docker.sockand is only writable by
dockergroup. If for some reason you have write permissions over that socket you can escalate privileges. The following commands can be used to escalate privileges:
socatto execute commands into the new docker.
socatto initiate a connection to the container, sending an attach request
dockeryou have more ways to escalate privileges. If the docker API is listening in a port you can also be able to compromise it.
ctrcommand read the following page as you may be able to abuse it to escalate privileges:
runccommand read the following page as you may be able to abuse it to escalate privileges:
<policy>). Policies to the context "default" affects everyone not affected by other policies (
root, it is now trivial to get a shell by adding an ssh key into the root directory or by calling