Trên lab Kali hack M2 ta có hướng đánh vài distcc v1 và có shell (1) , sau đó nâng shell lên TTY shell (2)
Bây giờ là lúc tìm cách leo thang. Hãy tham khảo các bài viết leo thang qua SUID Exe tại đây:
hoặc hướng dẫn sau …
SUID (Set User ID) is a type of permission which is given to a file and allows users to execute the file with the permissions of its owner. There are plenty of reasons why a Linux binary can have this type of permission set. For example the ping utility require root privileges in order to open a network socket but it needs to be executed by standard users as well to verify connectivity with other hosts.
However some of the existing binaries and utilities can be used to escalate privileges to root if they have the SUID permission. Known Linux executables that can allow privilege escalation are:
The following commands can discover all the SUID executables that are running on the system. More specifically the commands will try to find files in the / directory owned by the user root that have the SUID permission bits, print them and then redirect all errors to /dev/null in order to list only the binaries that the user has permissions to access.
All of the binaries above will executed with root privileges since they contain the “s” in their permissions and they are owned by the root user.
Older versions of Nmap (2.02 to 5.21) had an interactive mode which allowed users to execute shell commands. Since Nmap is in the list of binaries that is executed with root privileges it is possible to use the interactive console in order to run a shell with the same privileges.
The interactive mode can start by executing Nmap with the parameter “interactive”
The following command will give an elevated shell.
Alternatively there is a Metasploit module which performs privilege escalation via SUID Nmap binaries.
The utility find can be used to discover stored on the system. However it is the ability to execute commands. Therefore if it is configured to run with the SUID permission all the commands that will executed through find will be executed as root.
Since the majority of the Linux operating system have netcat installed it is possible to upgrade the elevated command execution into a root shell.
Connecting into the opened port will give a root shell.
The main use of Vim is to be text editor. However if it runs as SUID it will inherit the permission of the root user and therefore it could read all files on the system.
Further root activities can be done by running a shell through Vim.
The following command will open a bash shell as root.
The utility Less can also execute an elevated shell. The same principle applies and for the More command.
Performing privilege escalation by misconfigured SUID executables is trivial. Therefore administrators should evaluate all the SUID binaries and whether they need to run with the permissions of an elevated user. Particular focus should be given to applications with the ability to execute code or write arbitrary data on the system.