Author
This was a fairly easy Linux box that involved exploiting a local file inclusion and remote code execution vulnerability in GitLab to gain remote access to the machine, obtaining administrative access to GitLab through the console to find a user’s private key and exploiting a PATH hijack vulnerability within a SUID script to escalate privileges to root.
Read moreThe Linux shell (or terminal) is a program that receives commands from the user, gives them to the operating system to process, and then displays the output on the screen. To make life easier when interacting with a system through a shell, terminal multiplexers can be used; these are software applications that have the ability to combine several separate pseudoterminal-based login sessions inside a single terminal display and they are particularly useful when dealing with multiple programs from a command-line interface and for creating sub-processes that will continue running even when the user is disconnected. Their main purpose is to increase productivity, by allowing users to run multiple programs within a single interface and switch between them seamlessly.
If a terminal multiplexer session is still active as a privileged user (or a different user from the current one), a low-privileged user could be able to attach to it to elevate its access to the user the multiplexer session is running as.
Read moreThis was an easy Linux box that involved exploiting a MySQL injection vulnerability to bypass authentication and obtain SSH credentials to gain remote access to the box and exploiting MySQL user-defined functions to execute commands as root and escalate privileges.
Read moreServer Message Block is a network protocol used to provide shared access to files, printers, and serial ports between nodes on a network. SMB servers can be accessed through various command-line tools such as SMBClient or through file browsing tools. This service runs on either port 139 or port 445 by default.
This guide will cover the main methods to enumerate an SMB server in order to find potential vulnerabilities or misconfiguration.
Read moreThis was an easy Linux box that involved exploiting a remote command execution vulnerability in the LotusCMS web application to gain initial access, cracking a MySQL user’s hash to gain user access, and exploiting a text editor set to run with Sudo permissions to escalate privileges to root.
Read moreDLLs (Dynamic Link Library) are libraries that contain code and procedures used by Windows programs. They are similar to EXE files as they are based on the Portable Executable (PE) file format although they cannot be executed directly. They are similar to .so (Shared Library) files in Unix.
DLL hijacking is a method of injecting malicious code into a given service or application by loading an evil DLL, often replacing the original one, that will be executed when the service starts. This is possible due to the way some Windows applications search and load DLLs, more specifically, if the path to a service’s DLL isn’t already loaded or stored in the system, Windows will start looking for it in the environment path, an attacker can therefore place the malicious DLL in a directory that is part of it to trigger the malicious code.
Read moreThis was an easy Linux machine that involved exploiting an SQL injection to authenticate into a web application, exploiting a remote command execution vulnerability to gain remote access and using a kernel exploit to escalate privileges to root.
Read moreThis was a fairly easy Linux machine that involved exploiting an SQL injection vulnerability and cracking a user hash found in the database in order to gain initial access and a vulnerability in the Webmin web application, through SSH tunneling, to escalate privileges to root.
Read moreThis was a really easy Linux box that involved exploiting known vulnerabilities in outdated versions of the Apache web server software and the Samba service in order to gain root access. No privilege escalation was required.
Read moreLinux-based operating systems and applications often store clear text, encoded or hashed credentials in files or in memory.
When gaining initial access to a Linux machine and performing privilege escalation enumeration steps, often passwords can be found through these means and they can be used to further escalate privileges.
There are various methods to harvest credentials in a Linux system in order to escalate privileges, the following ones are the most common and they are always worth a try.
Read more