peass-ng / PEASS-ng

PEASS - Privilege Escalation Awesome Scripts SUITE (with colors)
https://book.hacktricks.xyz

[Question about result] #106

Closed Darkcast closed 3 years ago

Darkcast commented 3 years ago

Hi,

I received this message but it is rather vague and I was wondering if someone could point me in the right direction.

-rwsr-xr-x 1 root shadow 11K Jun 11 2018 /sbin/unix2_chkpwd --- It looks like /sbin/unix2_chkpwd is executing usleep and you can impersonate it (strings line: usleep)

Thank you for all your hard work.

carlospolop commented 3 years ago

Hi @Darkcast,

That's one of the latest features I introduced in linpeas. I call it: false zero days finder :) Basically linpeas is launching the strings command on each SUID binary that it doesn't recognize. Then it searches inside the file system if there is any command called like the first word of each line of the strings output. This is actually very useful to try to see if a SUID binary is executing files without specifying a path. So, if you are lucky enough, you will find a quick win to escalate privileges. Anyway, note that the name of a command can be in a binary as a string for a lot of reasons, so not every finding is a zero day.
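
The heuristic described in the comment above, as an added example for triaging such findings; it is not part of the original thread and not linpeas' own code. The function names, the name filter and the sample strings output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Simplified re-implementation of the heuristic (assumption: linpeas' real
# filtering differs). Reads `strings` output on stdin, takes the first word of
# each line and reports the ones that also exist as an executable in one of
# the directories of the colon-separated list given as $1.
# Usage on a real file: strings /path/to/binary | suid_string_candidates "$PATH"
suid_string_candidates() {
    search_path=$1
    # Keep bare command-like names only: absolute paths such as
    # /usr/bin/logger are skipped, since a full path is not the risky pattern.
    awk '{print $1}' | grep -E '^[A-Za-z][A-Za-z0-9_.-]{2,}$' | sort -u |
    while IFS= read -r word; do
        old_ifs=$IFS; IFS=:
        for dir in $search_path; do
            if [ -f "$dir/$word" ] && [ -x "$dir/$word" ]; then
                printf '%s %s\n' "$word" "$dir/$word"
                break
            fi
        done
        IFS=$old_ifs
    done
}

# Constructed demo: a throwaway directory stands in for the file system, and
# the strings output below is made up, not taken from a real binary.
demo_candidates() {
    fake_bin=$(mktemp -d) || return 1
    : > "$fake_bin/usleep"; : > "$fake_bin/cat"
    chmod +x "$fake_bin/usleep" "$fake_bin/cat"
    # 'usleep' is also a libc function name (usleep(3)), so an imported symbol
    # produces the same string as a command name would. 'cat %s' is the shape
    # a real path-less command invocation would leave behind. Both are flagged
    # the same way, which is why a finding needs manual confirmation.
    printf '%s\n' '/lib64/ld-linux-x86-64.so.2' 'libc.so.6' 'usleep' \
        'getpwnam' '/usr/bin/logger' 'cat %s' 'Password: ' |
        suid_string_candidates "$fake_bin" | cut -d' ' -f1 | tr '\n' ' ' |
        sed 's/ $//'
    rm -rf "$fake_bin"
}

demo_candidates; echo
```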

Darkcast commented 3 years ago

Thank you Carlos for the explanation. It would be cool if it actually gave you some article like the script does with other findings.

carlospolop commented 3 years ago

You are completely right, I'm adding a link to this issue inside the output. Also, for more information about how to exploit the possible misconfiguration detected by this feature read: https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-command-suid-binary-without-command-path

ChenYun4164 commented 3 years ago

Thx a lot for this tool. Question is: what is /sudo$? I have not found it in either Google or exploit-db.

carlospolop commented 3 years ago

Hi mate, that means you should check for exploits of the current sudo version. I'm going to modify the script to be more specific

null-hyp0thesis commented 6 months ago

> You are completely right, I'm adding a link to this issue inside the output. Also, for more information about how to exploit the possible misconfiguration detected by this feature read: https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-command-suid-binary-without-command-path

This link has moved to https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-command-suid-binary-without-command-path