All the Unix binaries run according to the directory order listed in the PATH environment variable (searched from left to right). However, if we create our own file with the same name as a binary and add that file's directory to the PATH variable, we can make the shell execute our program instead of the intended one!

Let's try to understand this with an example.

I am logged in as the sheetal user and create a C file in the /usr/bin directory.

Compile it and try to run it from another directory as the kali user.


There are various ways in which privilege escalation can be achieved in Linux. I am solving the challenges from the TryHackMe room and will write about each one from the list below.

1. Service Exploits

2. Weak File Permissions

3. Sudo — shell escape sequences

4. Cron jobs

5. SUID / SGID

6. Passwords and Keys

7. NFS

8. Kernel Exploits

9. Privilege Escalation Scripts

1. Service Exploits

For this scenario we are assuming that the server is running the MySQL service with root privileges.

What is a service?

A software functionality offered by a server.

- e.g. a service like MySQL that offers retrieval and…


Sudo reminds me of the Naayak movie dialogue, “you can be made chief minister for one day; what will you do with it?”

The hero is allowed to be chief minister for one day and does all the damage/reform he can.

Coming back to the technical world, every user has a security context that defines the boundaries for that user, beyond which they cannot execute commands. “sudo” allows a user to go beyond those boundaries and execute commands with the privileges of another user, by default root. Such privileges need to be granted in the /etc/sudoers file.

If a normal user…


Reconnaissance

As always, I started with an nmap scan.

The nmap output shows that two ports are open, 22 and 80. To enumerate further I installed Wappalyzer, which is a tool for gathering technical details about a website.

To install this on Firefox:

1. Go to about:debugging#/runtime/this-firefox

2. Click ‘Load Temporary Add-on’

3. Select src/drivers/webextension/manifest.json from the folder where Wappalyzer was downloaded.

When installed, it shows the message below,


Initially, buffer overflow felt like a daunting topic to me! There is a lot of material available on the internet, and if you try to take it all in at once it gets overwhelming and you are more likely to give up!

So I decided to grab one good article and read it until things started making sense; then I found myself a few steps closer to solving it independently. I followed this article and the buffer overflow series by The Cyber Mentor.

I have written this walkthrough for Buffer Overflow 5 from the TryHackMe series. Up until now I have solved the 6 BOF problems from TryHackMe.

Buffer Overflow 5 from the TryHackMe BOF Series


Mind Opener

What are WAR files? If an application allows us to upload such a file, can we create one and obtain a reverse shell through it?

Reconnaissance

The nmap scan reveals that it is an Apache Tomcat web server.

Tomcat is a web server for hosting Java web applications.

Log in to the application and click on Server Status; it asks for authentication. The default credentials “admin admin” work,


Reconnaissance

The nmap scan reveals that the server is running IIS httpd 6.0 and that a few HTTP methods are allowed.

Enumeration

On visiting the site, it says it is under construction,


Mind Opener

What are the system functions in PHP, and in how many ways can we use them? Can we modify publicly available exploits to get code execution?

If a CMS allows you to add code, can you add code that will give you a shell?

Reconnaissance

nmap -sC -sV -p- 10.10.10.9

The nmap scan reveals many things, such as:

Open ports: 80, 135 and 49154, and accessible files (changelog.txt, robots.txt, etc.)

Enumeration

Use droopescan for enumeration:

git clone https://github.com/droope/droopescan.git
cd droopescan
pip install -r requirements.txt

./droopescan scan -u 10.10.10.9


Mind Opener

The HTTP protocol allows us to use methods like GET, POST, PUT and DELETE to send or delete data; however, are there any methods with which we can edit, copy or manage files on a remote server?

If such a protocol/extension allows you to copy or move files, can you abuse this functionality to compromise a server?

As always, begin with the nmap scan.

From the nmap scan, three things are important:

1. Port 80 is open and running an outdated Microsoft IIS server.

2. WebDAV (an extension of the HTTP protocol) is being used.

3. Multiple HTTP methods are allowed.

What is WebDAV?

Sheetal Patil

A proud mother and traveller. Loves to read, understand and write about cyber security.
