Title: Linux Post Exploitation and Privilege escalation_2
Author: unknowndevice64
Linux elevation of privileges, manual testing
Things to look for: misconfigured services (cron jobs), incorrect file permissions (exportfs, sudo), a misconfigured environment ($PATH), binaries with the SUID bit set, and software or an OS with known vulnerabilities.

First try simple sudo:
$ sudo su -

What can we run with sudo?
$ sudo -l

Try su to every user, using the username as the password.
What services are running as root?
$ ps aux | grep root

Look for vulnerable/privileged components such as: mysql, sudo, udev, python
If /etc/exports is writable, you can add an NFS entry or change an existing entry to add the no_root_squash flag to a root directory, place a binary with the SUID bit set, and get root.

If there is a cron job that runs as root but has incorrect file permissions, you can change it to run your SUID binary and get a shell.

The following command lists the processes running as root, the permissions of their binaries, and the NFS exports.
$ echo 'services running as root'; ps aux | grep root; echo 'permissions'; ps aux | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++'; echo 'nfs info'; ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null
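The following audit script is an added example, not part of the original notes: it checks an exports file for active no_root_squash entries and loose permissions, and a cron directory for group- or world-writable job files, which are the two misconfigurations described above. The functions take paths as parameters (an assumption of this example) so they can be run against /etc/exports and /etc/cron.d or against constructed sample files.

```shell
#!/bin/sh
# Added audit example (not part of the original notes).
# Each function takes a path argument so it can be pointed at the real
# /etc/exports or /etc/cron.d, or at constructed sample files.

# Print how many active (non-comment, non-blank) export lines carry
# no_root_squash. Uses the same filter as the `nonempty` alias on this page.
check_exports() {
    f="$1"
    if [ ! -r "$f" ]; then echo 0; return; fi
    grep -Ev '^[ \t]*#|^$' "$f" | grep -c 'no_root_squash' || true
}

# Print "writable" if the exports file itself is writable by "other"
# (any local user could add or alter an entry), otherwise "ok".
check_exports_perms() {
    f="$1"
    [ -e "$f" ] || { echo "missing"; return; }
    case "$(ls -ld "$f" | cut -c1-10)" in
        ????????w?) echo "writable" ;;
        *)          echo "ok" ;;
    esac
}

# Print every regular file in a cron directory whose mode string shows a
# group-write (position 6) or other-write (position 9) bit.
check_cron_writable() {
    dir="$1"
    [ -d "$dir" ] || return 0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$(ls -ld "$f" | cut -c1-10)" in
            ?????w????|????????w?) echo "$f" ;;
        esac
    done
}

# Run all checks against the default paths used by most distributions.
audit_host() {
    echo "no_root_squash exports: $(check_exports /etc/exports)"
    echo "/etc/exports perms:     $(check_exports_perms /etc/exports)"
    echo "writable cron files:"
    check_cron_writable /etc/cron.d
}

case "${1:-}" in
    --run) audit_host ;;
esac
```

Invoke the script with `--run` to audit the live host; without arguments it only defines the functions so they can be sourced and pointed at other paths.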

Use netstat to find other connected machines.
$ netstat -ano

Alias to skip comment and blank lines in config files:
$ alias nonempty="egrep -v '^[ \t]*#|^$'"

If MySQL is running as root, you can run commands using sys_exec(). For instance, to add a user to sudoers:
sys_exec('usermod -a -G admin username')

More about MySQL:
https://www.a
Submitted On: 2019-10-13 15:46:56