Есть шелл под юзером appache www-data, есть какой-то метод поднятия прав до рута, для того кто с линукс на вы, куда в первую очередь смотреть? Или это слишком геморрно поднимать права с www-data, я как понял у нее даже пароля нет
-
XSS.stack #1 – первый литературный журнал от юзеров форума
www-data в root
- Автор темы Balora19
- Дата начала
It will depend a lot of the context, considering the configurations you find in that machine. In a lot of cases you can get root from www-data or whatever webserver user. The first things you can look is the Kernel version using
, from this you can perform a little research and see if there is some public privilege escalation exploit for the version on your target. You can also look for other ways, like searching for suid binaries and also looking for specific bugs on software that lead to root the most common acctually is pkexec (pwnkit exploit) and sudo (baron samedit and other vulns).
You should also look where you can write in the file system, and also if the partition is mounted with noexec, usually most of servers dont have good configs and you can upload/execute exploits at /dev/shm or even /tmp.
[edit] Since this topic is posted at Network Vulnerabilities, I think the best try without needing to exploit the kernel or another softwares, would be to find hardcoded credentials in the source of application or at webserver configurations.
Код:
uname -aYou should also look where you can write in the file system, and also if the partition is mounted with noexec, usually most of servers dont have good configs and you can upload/execute exploits at /dev/shm or even /tmp.
[edit] Since this topic is posted at Network Vulnerabilities, I think the best try without needing to exploit the kernel or another softwares, would be to find hardcoded credentials in the source of application or at webserver configurations.
Там действительно много векторов и нужно знать много тонкостей для ручной эксплуатации. Безболезненное решение для тех кто с GNU/Linux на "Вы" использовать скрипты, которые чекают на типовые мисконфигурации и узвимости CVE. Загружаешь в папку temp на хост, запускаешь и анализируешь вывод скрипта. Может быть будет что-то легкое.
GitHub - peass-ng/PEASS-ng: PEASS - Privilege Escalation Awesome Scripts SUITE (with colors)
PEASS - Privilege Escalation Awesome Scripts SUITE (with colors) - peass-ng/PEASS-ng
github.com
плюс к тому, что человек сверху написал, можешь LinEnum посмотреть, тоже делает примерно тоже самое, я и то, и другое юзаю.
Thats true, some of those scripts have exploits or checks that other dont have, So trying pes, PEAS-ng, LinEnum is a good idea with you lack options. Another cool think which works ate very specific contexts, is to look for scripts being runned by other users and check if your user can overwrite the script. Even that it seems impossible it happens sometimes, its a nice way to pivot into another user.