11. More Linux Privesc
Eleventh section in Complete Beginner learning path.
Last updated
A variety of examples of potential Linux privilege escalation techniques.
If the MySQL service is running as root and the service's "root" user has no password assigned, can be used to run system commands as root via MySQL. Once it has been downloaded to the target, follow the instructions in the comments of the exploit code to run it and achieve root.
If /etc/shadow is world-readable, you can cat it out and feed the password hashes to John the Ripper to attempt to crack them and gain access to root/superuser accounts.
If /etc/shadow is world-writable, we can generate a new password hash using:
Then we simply edit /etc/shadow and replace the root user's password hash with our new one.
If /etc/passwd is writable, we can create a new root user by copying the current root user's row, changing the username to something like "root2", and replacing the "x" in the password field with a hash. To generate a usable password hash we can use:
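The two file checks above (/etc/shadow readable or writable by everyone, /etc/passwd writable or carrying an extra UID-0 row or an inline hash) are easy to turn into a routine audit. The script below is an added defensive example, not part of the original notes; it assumes a Linux host with GNU coreutils `stat -c` and procps `ps -C`, and takes the file paths as parameters so it can also be run against copies of the files.

```shell
#!/bin/sh
# Added defensive audit example; not part of the original notes.
# Assumes a Linux host with GNU coreutils `stat -c` and procps `ps -C`;
# file paths are parameters so the checks can be run against copies.

# Return 0 when the file's "other" permission bits include read
# (e.g. mode 644 on /etc/shadow, the world-readable case above).
world_readable() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    [ $(( (mode % 10) & 4 )) -ne 0 ]
}

# Return 0 when the "other" bits include write (e.g. mode 666).
world_writable() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    [ $(( (mode % 10) & 2 )) -ne 0 ]
}

# Print every account with UID 0 other than root: a second UID-0 row such as
# "root2" is the classic sign of a tampered /etc/passwd.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print accounts whose passwd password field is neither "x" (shadowed) nor "*"
# (locked): a real hash stored there means /etc/shadow has been bypassed.
hashes_in_passwd() {
    awk -F: '$2 != "x" && $2 != "*" { print $1 }' "$1"
}

# Return 0 when a mysqld process is running as root (procps `ps -C`).
mysqld_runs_as_root() {
    ps -o user= -C mysqld 2>/dev/null | grep -qx root
}

# Run every check and print one FINDING line per problem.
# Usage: audit [shadow-path] [passwd-path]; defaults are the live files.
audit() {
    shadow=${1:-/etc/shadow}
    passwd=${2:-/etc/passwd}
    world_readable "$shadow" && echo "FINDING: $shadow is world-readable"
    world_writable "$shadow" && echo "FINDING: $shadow is world-writable"
    world_writable "$passwd" && echo "FINDING: $passwd is world-writable"
    extra_uid0_accounts "$passwd" | sed 's/^/FINDING: extra UID 0 account: /'
    hashes_in_passwd "$passwd" | sed 's/^/FINDING: hash stored directly in passwd for: /'
    mysqld_runs_as_root && echo "FINDING: mysqld is running as root"
    return 0
}

audit "$@"
```

Each check reads only file metadata and the passwd table, so the audit can run from an unprivileged cron job; any FINDING line is a configuration that should be corrected (mode 640 or stricter on /etc/shadow, 644 on /etc/passwd, a single UID-0 account, and no hashes outside /etc/shadow).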
History files can be viewed using cat ~/.*history | less; you may be able to see failed commands with password contents there.
can be used to find shell escapes for various programs found on Linux machines.