Collaborate Disseminate
My question is same as this one,
A php script cron job running as root, php script includes other php files those are editable, ps aux shows script running as root but if I do system(‘whoami > output.txt’); it shows apache
In Detailed s… Continue reading php Dropping Privileges
Playing a CTF, I am trying to gain access to level 3 (you have to gain access sequentially from level 1 to level 2 and so on…), and in the level 2 directory there’s this source code 2.c and along with it an executable called "2"… Continue reading Vulnerability in the source code, but can’t elevate do Privilege Escalation
I’ve been looking into rowhammer attacks and mitigations and there are two (what seem to be) mitigations that I’ve seen that are actually implemented in currently available hardware and software, but aren’t mentioned in any studies I’ve se… Continue reading Rowhammer mitigations in current hardware and software
During one CTF I’ve encountered an interesting scenario. You have read access to files in one directory through a Flask server, but the names must match a regex to be displayed. You only have append privileges of some user on the machine. … Continue reading Linux privilege escalation only with append permission
I am playing VulnHub box.
So, I have obtained the permissions of a Print Operators user who does not have SeLoadDriverPrivilege.
If the account has SeLoadDriverPrivilege, I can load the Capcom.sys driver, but is there any way to set up SeL… Continue reading How do I set up SeLoadDriverPrivilege for Print Operators users? [closed]
I’m trying to accurately score a report using CVSS as follows:
Privileges Required
This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. This Score increases as fewer priv… Continue reading What is the correct CVSS “Privileges Required” score for a privilege escalation when it’s trivial to get user privileges?
This vulnerability was reported to Zoom last December:
The exploit works by targeting the installer for the Zoom application, which needs to run with special user permissions in order to install or remove the main Zoom application from a computer. Though the installer requires a user to enter their password on first adding the application to the system, Wardle found that an auto-update function then continually ran in the background with superuser privileges.
When Zoom issued an update, the updater function would install the new package after checking that it had been cryptographically signed by Zoom. But a bug in how the checking method was implemented meant that giving the updater any file with the same name as Zoom’s signing certificate would be enough to pass the test—so an attacker could substitute any kind of malware program and have it be run by the updater with elevated privilege…
I have a couple of questions regarding LPE techniques, and especially DLL hijacking (as there are at least 6 variants).
I was reading that DLL hijacking is an old vulnerability, but surely, this is still very much exploited in the wild (I… Continue reading Local privilege escalation – DLL Hijacking questions
This was covered in Linux PrivEsc, task 15, in this TryHackMe room.
I am having trouble understanding how this debugging mode is executing the commands in the PS4 variable, and why I must put /usr/local/bin/suid-env2 instead of another pat… Continue reading Abusing Shell Feature for Privilege Escalation
I´m learning about linux privilege escalation via a writable /etc/passwd file and was wondering how common that actualy is?
Are there any use cases where a regular user might have (or even needs) write access to the /etc/passwd file or is … Continue reading Legitimate use cases for writable etc/passwd files