
PHP shell escalation

Sorry if this is the wrong section. Say, for example, I have a PHP shell on subdomain.example.com. Is it possible to retrieve files from subomain.example.com? How would someone do this? Get root access to the local machine? Thanks
Steps you can try to get ROOT:
1. Check the kernel version (if it looks old or kind of familiar from any well-known exploit like "Dirty COW", then you know what to do next).
2. Check SUID binaries with this command: (find / -perm -u=s -type f 2>/dev/null), and if you find some 3rd-party binaries, this website (https://gtfobins.github.io/) will help you exploit them.
3. Check cronjobs (cat /etc/crontab); if you know what cronjobs are and how they work, then you know what to do next.
4. Download linpeas from GitHub (it is used in CTFs). This tool is very powerful and may reveal a lot of info (in detail) like SUID binaries, open passwords, config files, writable directories/binaries, and many more, but I think this tool makes a lot of noise on the machine and may crash the shell if you are using an unstable shell like a netcat shell or webshell "maybe".
5. Try to get into the low-priv users other than the www-data user, because they can use sudo, and you can simply check which binaries you can run as sudo by typing the (sudo -l) command, and if you find something juicy, again use this website (https://gtfobins.github.io/).
6. Look at the locally open ports by typing the (ss -tan) command, or you can upload an nmap binary to the machine; look at the ports, understand them and try to exploit them. If you are doing this in the wild on any live website, don't forward any port to your attacking machine (it will be very noisy "maybe?").
7. Check capabilities with (getcap -r / 2>/dev/null); if you find something juicy, use (https://gtfobins.github.io/).
8. If you find some binaries running in the background with high privs, you can try to reverse them; if one is calling/using any other binary like cp to copy files from one dir to another dir, or any other, but not using the full path to call it, then you can spoof the path (google "path spoofing in linux" for privesc).

I don't remember some methods, but I think these are the most common (in CTF ;)). I don't have any real-life experience, but I think priv esc in real life is easy "maybe". And if you are doing things in the wild, then clean your logs; there are tools to clean logs that you can search for.

THANK YOU, HAPPY HACKING :)
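A defender's audit for the cron weaknesses that steps 3 and 8 of the reply point at, added here as an example and not part of the post above: it parses an /etc/crontab-style file and flags commands invoked by bare name (resolved through PATH, the path-spoofing case) and commands whose file is world-writable. The sample crontab, backup.sh and cleanup.sh entries are constructed for the demo.

```shell
#!/bin/sh
# Added defensive example (not from the original post): audit an /etc/crontab-style
# file for the two cron weaknesses the reply points at. A command invoked by bare
# name is resolved through PATH (the "path spoofing" case); a world-writable command
# file lets any local user change what root runs on schedule.

# Print one finding per line as "KIND USER COMMAND" for the crontab file given as $1.
audit_crontab() {
    # Drop comments, blank lines and VAR=value assignments before parsing.
    grep -Ev '^[[:space:]]*(#|$)|^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=' "$1" |
    while read -r f1 f2 f3 f4 f5 f6 f7 rest; do
        case "$f1" in
            @*) user=$f2; cmd=$f3 ;;   # @reboot/@daily style: user is field 2
            *)  user=$f6; cmd=$f7 ;;   # five time fields, then user, then command
        esac
        case "$cmd" in
            /*) # Absolute path: flag it if the file exists and "others" can write it
                # (character 9 of ls -ld output is the others-write bit).
                if [ -e "$cmd" ] && [ "$(ls -ld "$cmd" | cut -c9)" = "w" ]; then
                    echo "WORLD_WRITABLE $user $cmd"
                fi ;;
            *)  echo "RELATIVE_PATH $user $cmd" ;;
        esac
    done
}

# Build a constructed sample crontab (hypothetical entries) in a temp dir, audit it,
# print the findings and clean up. Expected: one RELATIVE_PATH and one WORLD_WRITABLE.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '#!/bin/sh' 'echo cleanup' > "$d/cleanup.sh"
    chmod 0777 "$d/cleanup.sh"   # deliberately world-writable for the demo
    cat > "$d/crontab" <<EOF
SHELL=/bin/sh
# m h dom mon dow user command
*/5 * * * * root backup.sh --quick
0 3 * * * root $d/cleanup.sh
0 4 * * * root /usr/bin/true
EOF
    audit_crontab "$d/crontab"
    rm -rf "$d"
}

demo
```

Run it against the real /etc/crontab and /etc/cron.d/* on a host to get the same two finding kinds; a clean host prints nothing.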