Privilege Escalation
Latest revision as of 05:36, 8 July 2015
Once you've spawned a shell on the box that you're pentesting, you might wonder, "What's next?". Hopefully this article will answer some of those questions.
One of the first things you will want to do is escalate your permissions from those of, say, 'apache' or 'nobody' to those of 'root', the superuser. Like most hacking or pentesting, this takes a bit of luck, critical thinking and a careless administrator. The most common way to escalate permissions is a local root exploit that preys upon an outdated kernel with a bug that results either in direct code execution or in some unintended action that ends with your code being executed.
Privilege Escalation - *NIX
In this section we will assume that you have access to run commands on the server that you are trying to escalate privileges on.
One of the first things to check would be the kernel version by running this command:
$ uname -a
Linux hostname 4.0.5-1-ARCH #1 SMP PREEMPT Sat Jun 6 18:37:49 CEST 2015 x86_64 GNU/Linux
This shows the kernel version in use (4.0.5-1), the date the kernel was built (the important part is the year, 2015) and the architecture (x86_64). This information is very important for picking a local root exploit that matches the system.
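The same three facts are what a patch-management check pulls out of `uname -a` to decide whether a host is overdue for a kernel update. The script below is an added example, not part of the original wiki page: it parses the line quoted above plus a second, constructed Debian-style line whose build string carries no date (so the year has to be reported as unknown rather than guessed), and compares the numeric release against a baseline that the caller supplies. The `BASELINE` value and the hostnames are illustrative placeholders, not recommendations.

```python
"""Parse `uname -a` output and compare the kernel release against a baseline.

Added example, not from the original wiki page. Both sample lines below are
constructed: the first reproduces the line quoted in the article, the second is
a made-up Debian-style line to show a build string with no date in it.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

SAMPLE_UNAME = [
    "Linux hostname 4.0.5-1-ARCH #1 SMP PREEMPT Sat Jun 6 18:37:49 CEST 2015 x86_64 GNU/Linux",
    "Linux webbox 3.2.0-4-amd64 #1 SMP Debian 3.2.68-1+deb7u1 x86_64 GNU/Linux",  # constructed
]

_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")
_YEAR_RE = re.compile(r"^(?:19|20)\d{2}$")


@dataclass(frozen=True)
class KernelInfo:
    release: str                   # e.g. "4.0.5-1-ARCH", the 3rd field of uname -a
    version: Tuple[int, int, int]  # numeric (major, minor, patch) for comparison
    build_year: Optional[int]      # last 4-digit year in the build string, or None
    arch: str                      # e.g. "x86_64"


def parse_uname(line: str) -> KernelInfo:
    """Split one `uname -a` line into release, numeric version, build year, arch.

    Field layout assumed: sysname nodename release <build string...> machine [os].
    The trailing "GNU/Linux" is treated as optional because not every libc prints it.
    """
    fields = line.split()
    if len(fields) < 5:
        raise ValueError(f"not a full uname -a line: {line!r}")
    machine_idx = -2 if fields[-1] == "GNU/Linux" else -1
    release = fields[2]
    m = _RELEASE_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    build_tokens = fields[3:machine_idx]
    years = [int(t) for t in build_tokens if _YEAR_RE.match(t)]
    return KernelInfo(
        release=release,
        version=(int(m.group(1)), int(m.group(2)), int(m.group(3))),
        build_year=years[-1] if years else None,
        arch=fields[machine_idx],
    )


def older_than(info: KernelInfo, baseline: Tuple[int, int, int]) -> bool:
    """True if the running kernel's numeric version is below `baseline`.

    Tuple comparison gets 3.2.0 < 4.0.5 right where a string comparison
    would not ("3.2.0" sorts after "10.0.0" as text).
    """
    return info.version < baseline


def review_line(line: str, baseline: Tuple[int, int, int]) -> str:
    """One-line verdict for an inventory or patch-review report."""
    info = parse_uname(line)
    age = f"built {info.build_year}" if info.build_year else "build date not in uname string"
    verdict = "BELOW baseline, schedule patching" if older_than(info, baseline) else "at or above baseline"
    return f"{info.release} ({info.arch}, {age}): {verdict}"


if __name__ == "__main__":
    # Illustrative placeholder baseline; pick yours from your distribution's advisories.
    BASELINE = (4, 1, 0)
    for sample in SAMPLE_UNAME:
        print(review_line(sample, BASELINE))
```

Comparing the release as a tuple of integers rather than as a string matters as soon as a major version reaches two digits; the year is reported separately because, as the second sample shows, distribution kernels do not always put a build date in the `uname` string at all.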
Here are some popular and well-known local root exploits; check whether any of them applies to your kernel version:
mempodipper, semtex, perf_swevent, half_nelson, pipe_c, udp_sendmsg, sock_sendpage, dzug_c, perf_events
A simple Google search or a look at https://exploit-db.com/ will provide you with the source code. Most of these exploits can be compiled like so:
gcc -o YOUR_EXPLOIT the_exploit.c