
Exploits


Misconfigurations

  • Custom Systemd timers

Setuid binaries

  • Look for setuid binaries in places not managed by package manager
  • Look for non-default setuid binaries
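Added example (not code from the original page): enumerate setuid/setgid files and ask the package manager who owns each one, so that "not managed by the package manager" becomes a mechanical check rather than a guess. It assumes a dpkg-based or rpm-based host; on anything else every file simply reports as UNOWNED.

```bash
#!/bin/bash
# Added example, not from the original page: enumerate setuid/setgid files and
# ask the package manager who owns each one. A binary the package database does
# not know about is a candidate for the "non-default setuid" bullet above.

# Print setuid or setgid regular files under $1 (default /), one path per line.
find_setuid() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Print the package owning $1, or UNOWNED when dpkg/rpm do not claim it.
# Assumption: Debian-style (dpkg) or RPM-style hosts; elsewhere everything is UNOWNED.
pkg_owner() {
    local f=$1 owner=""
    if command -v dpkg >/dev/null 2>&1; then
        # "passwd: /usr/bin/passwd" -> "passwd"; no stdout at all when unowned
        owner=$(dpkg -S "$f" 2>/dev/null | head -n 1 | cut -d: -f1 || true)
    elif command -v rpm >/dev/null 2>&1; then
        # rpm prints "file ... is not owned by any package" (exit 1) when unowned
        owner=$(rpm -qf "$f" 2>/dev/null || true)
        case $owner in *"not owned"*) owner="" ;; esac
    fi
    printf '%s\n' "${owner:-UNOWNED}"
}

# One line per setuid file: <owning package or UNOWNED> <tab> <path>
audit_setuid() {
    local f
    find_setuid "$1" | while IFS= read -r f; do
        printf '%s\t%s\n' "$(pkg_owner "$f")" "$f"
    done
}

# Usage: ./suid_audit.sh /   (pipe through grep '^UNOWNED' for the interesting rows)
if [ $# -gt 0 ]; then
    audit_setuid "$1"
fi
```

A packaged setuid binary is not automatically safe (check its version against known issues), but an UNOWNED one in /usr/local/bin, /opt or a home directory is where custom, often hand-rolled, setuid code lives.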

Find files owned by user/group

# Find files owned by user
find /var -user vivek

# Find files owned by group
find /home -group ftpusers

Race Conditions

Use inotify to hook system file creation events and exploit race conditions. Reference: How to Use inotify API in C Language – Linux Hint

Sample Code to hook to file events.


Grep for passwords by entropy

Password policies force users to choose high-entropy passwords. Entropy is a measure of randomness, so when grepping source and config files for credentials, sorting the candidate strings by entropy pushes the likely passwords to the bottom of the list. A high-entropy password has the following characteristics:
  • No repeating sequences of characters
  • Special characters
  • Upper case
  • Lower case

Requires the ent tool (package ent) and GNU grep for -P; highest entropy sorts last:

grep -oP "('.*?')" -R --no-filename . | sort -u | while IFS= read -r s; do echo "$(printf '%s' "$s" | ent | awk '/Entropy/ {print $3}') $s"; done | sort -n
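Added example (not code from the original page): the same ranking without the ent tool. It computes Shannon entropy over the raw bytes in awk, the way ent reports "bits per byte", and ranks single-quoted literals of at least 8 characters found under a directory. The directory and sample strings used to exercise it are constructed for illustration.

```bash
#!/bin/bash
# Added example, not from the original page: the "rank strings by entropy"
# idea without the `ent` tool. Entropy is computed over raw bytes, like ent does.

# Shannon entropy of $1 in bits per byte, printed with three decimals.
shannon_entropy() {
    printf '%s' "$1" | od -An -v -tu1 | awk '
        { for (i = 1; i <= NF; i++) { cnt[$i]++; n++ } }
        END {
            h = 0
            for (b in cnt) { p = cnt[b] / n; h -= p * log(p) / log(2) }
            if (h < 1e-12) h = 0      # avoid printing -0.000 for single-byte input
            printf "%.3f\n", (n > 0 ? h : 0)
        }'
}

# Rank single-quoted literals of at least 8 characters found under $1
# (default .), lowest entropy first, so likely secrets end up at the bottom.
rank_quoted_strings() {
    grep -rhoE "'[^']{8,}'" "${1:-.}" 2>/dev/null | sort -u | while IFS= read -r s; do
        printf '%s %s\n' "$(shannon_entropy "$s")" "$s"
    done | sort -n
}

# Usage: rank_quoted_strings /var/www | tail -n 20
```

Entropy per byte is capped by log2 of the string length (a 16-byte string cannot exceed 4 bits), so compare strings of similar length, and treat the ranking as a triage order rather than a verdict.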

Misc

Using timestamp to identify custom files in directories managed by package manager

Manual

  • Check the timestamps of files in directories managed by the package manager to spot files that were modified by a user:
    ls -la --time-style=full-iso
    
  • Package managers restore mtimes from the package archive at one-second resolution, so the nanosecond part of an untouched packaged file is all zeros. Once someone edits or copies the file, that part is no longer zeroed. Treat it as a heuristic: post-install scripts can touch files too, and tar or cp -p can preserve either value.
  • Check for [[Linux/Miscellaneous#Linux Directories]] that are supposed to be managed by the package manager but have been modified by a user

Automated

#!/bin/bash
# List $PATH entries with a non-zero nanosecond mtime (not restored from a package); skip symlinks.
IFS=: read -ra paths <<< "$PATH"
for d in "${paths[@]}"; do
    ls -la --time-style=full-iso "$d" 2>/dev/null | grep -vF -e ' -> ' -e '.000000000'
done
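Added example (not code from the original page): the same nanosecond heuristic applied with stat instead of reading ls output by eye, plus a constructed sample directory (one file with a whole-second mtime standing in for a packaged file, one with an explicit sub-second mtime standing in for a hand-edited file) so the check can be exercised offline. It assumes GNU stat and GNU touch.

```bash
#!/bin/bash
# Added example, not from the original page: apply the nanosecond heuristic with
# stat. dpkg and rpm restore mtimes from their archives at one-second resolution,
# so an untouched packaged file reads .000000000; a file edited or copied later
# almost never does. Heuristic only: post-install scripts add noise, and
# tar / cp -p can preserve either value.

# Print regular files directly under $1 whose mtime has a non-zero nanosecond part.
nonzero_ns_files() {
    local dir=$1 f ns
    for f in "$dir"/*; do
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        # GNU stat %y: "2023-11-14 22:13:20.731337999 +0000" -> the 9 digits after '.'
        ns=$(stat -c '%y' "$f" | sed -E 's/^[^.]*\.([0-9]{9}).*$/\1/')
        [ "$ns" != "000000000" ] && printf '%s\n' "$f"
    done
    return 0
}

# Same check for every directory on $PATH.
scan_path_dirs() {
    local d dirs
    IFS=: read -ra dirs <<< "$PATH"
    for d in "${dirs[@]}"; do nonzero_ns_files "$d"; done
}

# Constructed sample: a "packaged" file with a whole-second mtime and a
# "hand-edited" file with an explicit sub-second mtime. Prints the directory.
make_sample_dir() {
    local d
    d=$(mktemp -d)
    : > "$d/pristine"; touch -d '2021-06-01 12:00:00' "$d/pristine"
    : > "$d/edited";   touch -d '@1700000000.731337999' "$d/edited"
    printf '%s\n' "$d"
}

# Usage: scan_path_dirs
```

A hit here is a lead, not proof: confirm it with the package manager's own verification (dpkg -V or rpm -V) before spending time on the file.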

Check out Config files in their [[Linux/Miscellaneous#Config Files Default Locations| Default Locations]]


Docker

  • Check ls -la / for a /.dockerenv file: Docker creates it in every container, so its presence tells you that you are inside one
  • Check out the running app config files
  • Use [[Linux/Priv Esc/Tools#Docker]]
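Added example (not code from the original page, nor from deepce): a first-minute container triage that answers two questions, whether this is a container at all (the /.dockerenv marker and runtime names in the cgroup and mountinfo files) and whether an easy way out is already present (a mounted Docker socket, or CAP_SYS_ADMIN in the effective capability set). The capability masks quoted in the comments are Docker's well-known default and --privileged values; the cgroup lines in the test are constructed.

```bash
#!/bin/bash
# Added example, not from the original page: first-minute container triage.

# Print the container runtime names mentioned in a cgroup/mountinfo-style file ($1).
runtime_hints() {
    grep -oE 'docker|containerd|kubepods|lxc|podman' "$1" 2>/dev/null | sort -u
}

# has_cap <bit> <hex CapEff mask>: succeed when that capability bit is set.
# CAP_SYS_ADMIN is bit 21; Docker's default set (00000000a80425fb) lacks it,
# --privileged (0000003fffffffff) has it.
has_cap() {
    local bit=$1 mask=$2
    (( (0x$mask >> bit) & 1 ))
}

container_triage() {
    local mask
    [ -f /.dockerenv ] && echo "/.dockerenv present: Docker container"
    runtime_hints /proc/1/cgroup       | sed 's/^/cgroup of pid 1 mentions: /'
    runtime_hints /proc/self/mountinfo | sed 's/^/mountinfo mentions: /'
    [ -S /var/run/docker.sock ] && echo "docker socket mounted: /var/run/docker.sock (host control if writable)"
    mask=$(awk '/^CapEff:/ {print $2}' /proc/self/status 2>/dev/null || true)
    [ -n "$mask" ] && has_cap 21 "$mask" && echo "CAP_SYS_ADMIN effective (mask $mask): likely privileged container"
    return 0
}

container_triage
```

A writable docker.sock or CAP_SYS_ADMIN is the point where the engagement stops being "escalate inside the container" and becomes "escape to the host", which is what the deepce link under Tools automates.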

Brute-force su to other accounts

hemp3l/sucrack: brute-forcing su for fun and possibly profit (github.com)

Creds in files

AWS

~/.aws/credentials

Tools

Docker

stealthcopter/deepce: Docker Enumeration, Escalation of Privileges and Container Escapes (DEEPCE) (github.com)

Linux

privilege-escalation-awesome-scripts-suite/linPEAS at master Β· carlospolop/privilege-escalation-awesome-scripts-suite (github.com)