Collaborate Disseminate
This was covered in Linux PrivEsc, task 15, in this TryHackMe room.
I am having trouble understanding how this debugging mode is executing the commands in the PS4 variable, and why I must put /usr/local/bin/suid-env2 instead of another pat… Continue reading Abusing Shell Feature for Privilege Escalation
I´m learning about linux privilege escalation via a writable /etc/passwd file and was wondering how common that actualy is?
Are there any use cases where a regular user might have (or even needs) write access to the /etc/passwd file or is … Continue reading Legitimate use cases for writable etc/passwd files
According to wikipedia, Linux’s security compared to Windows is generally due to "the malware’s lack of root access."
Why doesn’t Windows just fix this?
Continue reading What prevents Windows from being as secure as Linux?
Unquoted service paths might be used as a privilege escalation vector after an attacker gains access to a Windows host.
Given Hector’s answer in the following question:
"Windows Unquoted Search" Fix?
I understand some software ma… Continue reading Is there any way to disable/not allow unquoted service paths in Windows?
We are trying to convince folks in our company to grant developers full privileges to all services in "dev" account (current policy does not allow developers to create anything in our AWS account, because "security").
… Continue reading Can I escalate my privileges if I have read-write access to IAM service in AWS?
We have some systems where users are using Docker in userspace to run development environments. These containers sometimes leave files and directories behind that cannot be deleted directly by the users because they were created by other u… Continue reading Security implications of providing lxc-utils to regular users
It’s a privilege escalation vulnerability:
Linux users on Tuesday got a major dose of bad news — a 12-year-old vulnerability in a system tool called Polkit gives attackers unfettered root privileges on machines running most major distributions of the open source operating system.
Previously called PolicyKit, Polkit manages system-wide privileges in Unix-like OSes. It provides a mechanism for nonprivileged processes to safely interact with privileged processes. It also allows users to execute commands with high privileges by using a component called pkexec, followed by the command…
Continue reading Twelve-Year-Old Linux Vulnerability Discovered and Patched
I succesfully tried to exploit an old version of Apache. A shell is spawned with user www-data (id=33), but I can’t "ls" or "cat" anything in /tmp. I can ls the contentns of /bin instead, for example.
I even added a fil… Continue reading Why can’t I access /tmp after my execve(/bin/sh) exploit?
Considering that a RCE vulnerability has been recently found in the log4j library, a library used in a lot more applications than I thought. The following question comes to my mind.
If an attacker successfully exploits log4shell, does the … Continue reading At which OS privilege level log4j usually runs?
I have a CTF machine. I can see the port 8009 and 80 open. From that I found pretty quickly the Ghostcat exploit.
I then listed the folder of the machine and I got :
then I followed this article
I created the file 48143.py and pasted the … Continue reading Ghostcat exploit, how to use it?