joey-world Posted April 16, 2014

Here is the deal: I was testing what would happen if someone was able to get into one of the regular user accounts through ssh on a "server" in Fedora. To make the test more realistic I created an Apache server, with PHP, SQLite, SSH server, FTP server, and so on. I was able to exploit the ssh server. I am in a low-privileged user account and all I have is a shell. How can I continue forward with the attack since I am a regular user? Maybe there is something I can upload to the FTP server and come back with an escalated shell?

Thank you
Best regards

denartha Posted April 17, 2014

For the most part you can only get root from an FTP server if the FTP server is running as root. If the FTP server is not running as root, then it can't grant you root privileges. Why don't you find all files that are owned by root and look for ways of exploiting them? Best of luck with it. I just finished a pen test where part of my job was a similar task: unpriv shell, and my job was to get root on RHEL. Didn't get root in the timeframe I had. Sad panda.

i8igmac Posted April 17, 2014

Some scripting will help. Recursively find writable files and directories. g0tmi1k has some nice examples on priv escalation: http://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation.html?m=1

cooper Posted April 17, 2014

    ps -faU root

That yields your processes running as root.

    find / -user root -perm -4000 -exec ls -ldb {} \;

And that one gives you all the root-owned setuid binaries. If you don't much care about it being a different user than root (can be useful when you get a shell for 'nobody' or some such) drop the "-user root" bit.

    uname -a

Gives you your kernel version and a few more bits of info that you can consider useful for determining your attack vector.

These 3 are basically the targets for you to play with. If you can't find an exploit in any of them, you're basically stuck on your current privileges. Can still be useful as a staging session towards other boxes within the network, but as it stands this is where you'll remain.
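
The administrator's side of the find command in cooper's post, as an added example that is not part of the original thread: it scans a tree for setuid/setgid files and reports any that are missing from a reviewed baseline or that group or others can write to. The function name audit_setid and the baseline file are assumptions made for this example, and it covers setgid files as well, which goes beyond the setuid case in the post.

```shell
#!/bin/sh
# Added example: audit set-id files against a reviewed baseline.
#
# audit_setid ROOT BASELINE
#   ROOT      directory tree to scan (use / on a real host)
#   BASELINE  text file with one approved path per line (hypothetical file)
#
# Prints "NEW <path>" for set-id files that are not in the baseline and
# "WRITABLE <path>" for set-id files that group or others can modify.
# Assumes paths do not contain newlines.
audit_setid() {
    root=$1
    baseline=$2
    # A missing baseline means nothing is approved yet.
    [ -r "$baseline" ] || baseline=/dev/null

    # -xdev stays on one filesystem; -type f skips setgid directories.
    # -perm -4000 is setuid, -perm -2000 is setgid.
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    sort |
    while IFS= read -r path; do
        # Exact, whole-line match against the approved list.
        if ! grep -Fxq -- "$path" "$baseline"; then
            printf 'NEW %s\n' "$path"
        fi
        # A set-id file writable by group or others can have its contents
        # replaced by anyone in that class.
        if [ -n "$(find "$path" -prune \( -perm -0020 -o -perm -0002 \) -print 2>/dev/null)" ]; then
            printf 'WRITABLE %s\n' "$path"
        fi
    done
}
```

Run it as root so find can read every directory, and treat each NEW line as something to either approve into the baseline or strip of its set-id bit.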