find / -perm -o w -type d 2>/dev/null : Find world-writeable folders
find / -perm -o x -type d 2>/dev/null : Find world-executable folders
We can also find programming languages and supported languages: find / -name perl*, find / -name python*, find / -name gcc* ...etc
find / -perm -u=s -type f 2>/dev/null : Find files with the SUID bit, which allows us to run the file with a higher privilege level than the current user. This is important!
We can even make use of "grep", "locate", "sort"...etc
Automated Enumeration Scripts:
In real life we dont get much time to do enumeration so we can make use of some cool automated scripts like follows,
After finding the version of Kernel simple google for that exploit or you can also use "Linux Exploit suggester"
Once you find the exploit for the privesc, transfer the payload from your machine to target machine and execute and you're good to go.
In an example I worked out with overlayfs exploit and got higher privileges
Sudo:
This one of the first step to do, when you get access to the machine just simpley run "sudo -l", which lists all the files that we can run as root without any password
Once you have any to run then navigate to https://gtfobins.github.io/ and search for is the one specified is a system program or else modify the file with "/bin/sh" and run that
GTFO bins is going to be saviour!
SUID:(Set owner User ID)
Its a kind of permission which gives specific permissions to run a file as root/owner
This is really helpful to test.
find / -perm -u=s -type f 2>/dev/null this will list all the suid files
Then later search in GTFObins and look for the way to bypass
Only googling works here, for example we can simply use /etc/shadow and /etc/passwd to find the user passwords
Capabilities:
Capabilities are a bit similar to the SUID
Capabilities provide a subset of root privileges to a process or a binary
In order to look for them use getcap -r / 2>/dev/null
Find the binary and check that on GTFOBins where there's a function for Capabilities and try out those any of them will work!
In the example they provided a capability for vim and I used ./vim -c ':py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")' which is provided in the website itself and I got root!
Remember that this process is hit or trail, if it doesnt work move on!
Cron jobs:
Crons jobs are used for scheduling! Here we can schedule any binary/process to run.
Interesting part here is that by default they run with the owner privileges.
But if we find any cron-job which we can edit then we can do a lot!
Cron job config is stored as crontabs
To view crontab, cat /etc/crontab
Any one can view it!
Now we'll can see some cron-jobs see whether you can edit or not, if you can then edit with some reverse shell and listen!
PATH:
PATH is an environment variable
In order to run any binary we need to specify the full path also, but if the address of file is specified in PATH variable then we can simpley run the binary by mentioning its name, like how we run some command line tools like ls, cd,....etc
In order to view the content in PATH variable we need to run echo $PATH and the outpur will be something like this usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
So whenever you use a tool without specifying path it searches in PATH and it runs!
We can even add new path to PATH variable by export PATH=<new-path>:$PATH
Also we need to find a writable paths so run find / -writable 2>/dev/null
In the example I found a location where there's a script when I run its showing that "thm" not found, also it can be run as ROOT
So I created a binary like echo "/bin/bash" > thm and gave executable rights then later added the path where thm located to PATH variable and now when I ran the binary then I got root!
NFS:(Network File Sharing)
In order to view the configuration of NFS run cat /etc/exports or also we can type showmount -e <target IP> on our machine to find the mountable shares.
In the output look for directories having no_root_squash, this means that the particular share is writable, hence we can do something to acquires root!
Now after getting some directories where we can play around lets navigate to our attacker machine and create a sample directory anywhere like /tmp...etc
Now we need to mount to the target machine by,
mount -o rw <targetIP>:<share-location> <directory path we created>, here rw means read, write privileges.
Now go to the folder we created and create a binary which gives us root on running.
Then go back to the target machine and we can view the binary we created in the place we mounted, now run that and get root privileges!(do note that giving executable rights is not sufficient, we also need to give share rights by chmod +s <binary>)