#!/bin/bash
#
# privesc-setup.sh  (repository contents: README.md, privesc-setup.sh)
#
# From README.md: a Bash script which adds a few new privilege escalation
# methods to the Local Privilege Escalation Workshop
# (https://github.com/sagishahar/lpeworkshop).
#
# Every step below deliberately weakens the host it runs on. The comments
# note what each step changes and what a configuration audit of the same
# host would expect to find instead.
#
# Requirements: must run as root; uses apt-get, sed -i -r, and
# /etc/init.d/mysql.
# Output: progress messages on stdout. All command output and errors are
# discarded, so "Done." is printed even if individual steps failed.

# Print one progress line on stdout.
say() {
  printf '%s\n' "$1"
}

# Run a command with stdout and stderr discarded; failures are not reported.
quiet() {
  "$@" > /dev/null 2>&1
}

# Everything below edits root-owned files, so stop early for other users.
[[ $(id -u) == 0 ]] || {
  say "Please run this script as root."
  exit 1
}

# --- MySQL ------------------------------------------------------------------
# The noninteractive frontend suppresses the installer's prompts; per the
# message below, the MySQL root account ends up without a password.
say "Installing MySQL Server without a root password."
quiet env DEBIAN_FRONTEND=noninteractive apt-get -y install mysql-server

# Rewrites "user = mysql" to "user = root" in my.cnf, so mysqld runs as root
# rather than the unprivileged mysql account. Audit check: the "user" setting
# in my.cnf and the owner of the running mysqld process.
say "Reconfiguring MySQL Server to run as root."
quiet sed -i -r -e 's/user\s+= mysql/user = root/' /etc/mysql/my.cnf
quiet /etc/init.d/mysql restart

# --- Account databases ------------------------------------------------------
# o+rw lets every local account read the password hashes and rewrite the
# file. Debian's default is mode 0640, owner root, group shadow.
say "Making /etc/shadow world-readable/writable."
quiet chmod o+rw /etc/shadow

# o+w lets every local account edit the account list. Expected mode is 0644.
say "Making /etc/passwd world-writable."
quiet chmod o+w /etc/passwd

# --- sudo environment -------------------------------------------------------
# Appends "Defaults env_keep+=LD_LIBRARY_PATH" after an existing
# env_keep+=LD_PRELOAD entry; nothing changes if that entry is absent
# (presumably the base workshop image provides it). Audit check: env_keep
# should not preserve dynamic-loader variables.
# NOTE(review): sudoers is edited in place with no syntax validation
# (e.g. visudo -c) afterwards.
say "Adding LD_LIBRARY_PATH to /etc/sudoers."
quiet sed -i -r -e 's/env_keep\+=LD_PRELOAD/env_keep+=LD_PRELOAD\nDefaults env_keep+=LD_LIBRARY_PATH/' /etc/sudoers

# --- OpenVPN credentials file -----------------------------------------------
# Replaces the first "user" on each line with "root" and swaps the stored
# password string. The file is presumably created by the base workshop
# setup; this script does not create it.
say "Changing OpenVPN credentials."
openvpn_auth=/etc/openvpn/auth.txt
quiet sed -i -r -e 's/user/root/' "$openvpn_auth"
quiet sed -i -r -e 's/password321/password123/' "$openvpn_auth"

# --- SSH --------------------------------------------------------------------
# Overwrites root's authorized_keys with one fixed public key, then stores a
# private key (presumably the matching one) at /.ssh/root_key. Both keys are
# published with this script, so they provide no secrecy on any host that
# carries them. Audit checks: unexpected entries in
# /root/.ssh/authorized_keys, and private key files readable by other users.
say "Creating weak root SSH keys."
for ssh_dir in /root/.ssh /.ssh; do
  quiet mkdir "$ssh_dir"
done

printf '%s\n' "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcgh/pZzNx2bfwxn35AANJir0V8p/CPSYlpS17IkdYdnf8Y2aAtMfcWi/ZKzxC4Z++8PgJDV/g3Q+qdonZYmspI/xDLEnti1FOTQmhNIZZN5SkTGWnihKZPFic7QsNyx7PA2EFmfSSWO0a72n52aYpuTjRbhJaVO9TUtwQdGvpGBYyBCg4eHFQV10W1iuSdLgaIvlMkfpu3nvGggQKdFz/yy5nJbOBHNuj5O8N7ArdmEE3scN5X0bkmuOdWsOpKOHKxQA2ZRONQJNKyh9TCW6b6lT92X1gKRclGnseDL9CQUqkURNnfpnSDUm1CTBbFQP+IWP6JqmQu4xpVPl0Kr2R root@debian" > /root/.ssh/authorized_keys

# Quoted delimiter: the PEM text is written literally, with no expansion.
cat > /.ssh/root_key <<'ROOT_KEY_PEM'
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA3IIf6Wczcdm38MZ9+QADSYq9FfKfwj0mJaUteyJHWHZ3/GNm
gLTH3Fov2Ss8QuGfvvD4CQ1f4N0PqnaJ2WJrKSP8QyxJ7YtRTk0JoTSGWTeUpExl
p4oSmTxYnO0LDcsezwNhBZn0kljtGu9p+dmmKbk40W4SWlTvU1LcEHRr6RgWMgQo
OHhxUFddFtYrknS4GiL5TJH6bt57xoIECnRc/8suZyWzgRzbo+TvDewK3ZhBN7HD
eV9G5JrjnVrDqSjhysUANmUTjUCTSsofUwlum+pU/dl9YCkXJRp7Hgy/QkFKpFET
Z36Z0g1JtQkwWxUD/iFj+iapkLuMaVT5dCq9kQIDAQABAoIBAQDDWdSDppYA6uz2
NiMsEULYSD0z0HqQTjQZbbhZOgkS6gFqa3VH2OCm6o8xSghdCB3Jvxk+i8bBI5bZ
YaLGH1boX6UArZ/g/mfNgpphYnMTXxYkaDo2ry/C6Z9nhukgEy78HvY5TCdL79Q+
5JNyccuvcxRPFcDUniJYIzQqr7laCgNU2R1lL87Qai6B6gJpyB9cP68rA02244el
WUXcZTk68p9dk2Q3tk3r/oYHf2LTkgPShXBEwP1VkF/2FFPvwi1JCCMUGS27avN7
VDFru8hDPCCmE3j4N9Sw6X/sSDR9ESg4+iNTsD2ziwGDYnizzY2e1+75zLyYZ4N7
6JoPCYFxAoGBAPi0ALpmNz17iFClfIqDrunUy8JT4aFxl0kQ5y9rKeFwNu50nTIW
1X+343539fKIcuPB0JY9ZkO9d4tp8M1Slebv/p4ITdKf43yTjClbd/FpyG2QNy3K
824ihKlQVDC9eYezWWs2pqZk/AqO2IHSlzL4v0T0GyzOsKJH6NGTvYhrAoGBAOL6
Wg07OXE08XsLJE+ujVPH4DQMqRz/G1vwztPkSmeqZ8/qsLW2bINLhndZdd1FaPzc
U7LXiuDNcl5u+Pihbv73rPNZOsixkklb5t3Jg1OcvvYcL6hMRwLL4iqG8YDBmlK1
Rg1CjY1csnqTOMJUVEHy0ofroEMLf/0uVRP3VsDzAoGBAIKFJSSt5Cu2GxIH51Zi
SXeaH906XF132aeU4V83ZGFVnN6EAMN6zE0c2p1So5bHGVSCMM/IJVVDp+tYi/GV
d+oc5YlWXlE9bAvC+3nw8P+XPoKRfwPfUOXp46lf6O8zYQZgj3r+0XLd6JA561Im
jQdJGEg9u81GI9jm2D60xHFFAoGAPFatRcMuvAeFAl6t4njWnSUPVwbelhTDIyfa
871GglRskHslSskaA7U6I9QmXxIqnL29ild+VdCHzM7XZNEVfrY8xdw8okmCR/ok
X2VIghuzMB3CFY1hez7T+tYwsTfGXKJP4wqEMsYntCoa9p4QYA+7I+LhkbEm7xk4
CLzB1T0CgYB2Ijb2DpcWlxjX08JRVi8+R7T2Fhh4L5FuykcDeZm1OvYeCML32EfN
Whp/Mr5B5GDmMHBRtKaiLS8/NRAokiibsCmMzQegmfipo+35DNTW66DDq47RFgR4
LnM9yXzn+CbIJGeJk5XUFQuLSv0f6uiaWNi7t9UNyayRmwejI6phSw==
-----END RSA PRIVATE KEY-----
ROOT_KEY_PEM

# "+r" with no class adds read permission for every class the umask does not
# mask, which leaves the private key readable by other local accounts.
quiet chmod +r /.ssh/root_key

say ""
say "Done."