Privilege escalation question...

I will take the example of ‘motd’ to make it concrete and state further the broader context:
** motd **
As I understand from reading the docs, motd (Message Of The Day) is installed in most distros by default. Even in some distros where it’s not activated, adding a directory can be enough to make the service work (do correct me if I’m wrong).

In the boxes I have come across up till now, the ‘motd’ directory (or related files) was writable (and often owned by root). That’s why they jumped onto my radar and I could catch them… but it also has me considering that my current method isn’t waterproof.
The fundamental question I have is:
Let’s hypothetically consider you didn’t know about motd, how would you detect that it is running (or has run specific files) at boot time?
So apart from the answer “I just know it’s there”, what is your way to actually ‘see’, as in logs or commands that are showing on screen, that motd has run ‘files x in the directory y’ when booting or predict that those files will run?
** The broader context: **
‘motd’ is known, but there are a host of exotic modules, or even user-created ones, that could potentially be vulnerable and lead to privesc, and I’m looking for ways to detect those.
For this specific segment of privesc (writable/exploitable, but run by higher-privileged users), the best thing I can come up with is to find commands and ways to see that files are run by users with higher privileges and then compare that to writable/exploitable files.
Question then becomes: what are your ways to detect what files are run when booting up, and how do you identify the user-context in which those files are run?

Anything or any idea is welcome. Currently I’m not too concerned about what rights I would need to see that information. I’m just trying to open my mind to new perspectives.
I’m just noticing I have a known unknown, and I’m wondering if I can do more to close that hole.

Thanks in advance!

@gnothiseauton said:

So apart from the answer “I just know it’s there”, what is your way to actually ‘see’, as in logs or commands that are showing on screen, that motd has run ‘files x in the directory y’ when booting or predict that those files will run?

In this specific case, I think “knowing it is there” is the main technique.

Other people may chime in with different opinions but the main requirement for privesc is understanding how the OS works. Enum tools and scripts are helpful but they will only give you a small snapshot of the possibilities.

Question then becomes: what are your ways to detect what files are run when booting up, and how do you identify the user-context in which those files are run?

It can vary quite widely across different OSes. Some Linux examples include checking /etc/init.d/ and /etc/rc.*

You can also try things like initctl list or service --status-all (both probably need sudo / su rights).

Failing that there are some excellent privesc guides on the internet - for example: Basic Linux Privilege Escalation - g0tmi1k
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md

(notably most don’t mention MOTD)

@TazWake said:

@gnothiseauton said:

So apart from the answer “I just know it’s there”, what is your way to actually ‘see’, as in logs or commands that are showing on screen, that motd has run ‘files x in the directory y’ when booting or predict that those files will run?

In this specific case, I think “knowing it is there” is the main technique.

Other people may chime in with different opinions but the main requirement for privesc is understanding how the OS works. Enum tools and scripts are helpful but they will only give you a small snapshot of the possibilities.

Thanks for the input. I always appreciate your insights.

I totally agree. I’m mainly concerned here about 2 things I guess:

  • systematizing what I know, so that I don’t miss opportunities I actually know about but missed because I read over them. This still requires knowing the OS, but it adds the layer of partly scripting your knowledge in a way that makes it hard to miss things in the department of ‘known knowledge’.
  • the other thing is extending what I know. Any clue that a file is run with certain privileges might then lead to understanding the mechanism behind it and learning the conditions for exploitation and how to spot them.

Question then becomes: what are your ways to detect what files are run when booting up, and how do you identify the user-context in which those files are run?

It can vary quite widely across different OSes. Some Linux examples include checking /etc/init.d/ and /etc/rc.*

You can also try things like initctl list or service --status-all (both probably need sudo / su rights).

For those interested, here’s a part of my notes:

Upstart

  • "initctl list"

System V

  • "service --status-all"
  • for init scripts:
    "ls /etc/init.d"
  • for runlevel symlinks:
    "ls /etc/rc*.d/"

systemd

  • "systemctl list-unit-files --type=service"
  • "ls /lib/systemd/system/*.service /etc/systemd/system/*.service"

Failing that there are some excellent privesc guides on the internet - for example: Basic Linux Privilege Escalation - g0tmi1k
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md

(notably most don’t mention MOTD)

Thanks man.
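As an added illustration of the approach discussed in TazWake's reply and in the notes above (enumerate what is started at boot or login, work out which account runs it, then compare against what you can write to), here is an example script. It is not code posted by either participant. It assumes the standard locations /lib/systemd/system, /etc/systemd/system and /etc/pam.d, plus Ubuntu's /etc/update-motd.d layout, where pam_motd.so (loaded from the sshd and login PAM stacks) runs the scripts in that directory through run-parts as root at login. Both functions take directories as arguments so they can be run against copied or constructed input; the paths and unit names in the comments are examples only.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Two checks for the
# "writable, but executed by a higher-privileged user" class:
#   scan_units DIR           for each *.service in DIR, print the account it
#                            runs as (User= if set, otherwise root) and every
#                            Exec*= path that is writable, or that is missing
#                            from a directory the current user can write to.
#   scan_pam_motd PAMDIR MOTDDIR
#                            list the PAM stacks that load pam_motd.so (so you
#                            can see motd is wired in without "just knowing"),
#                            then the scripts in MOTDDIR you can write to.
# Output is tab-separated: unit, user, path, finding.

scan_units() {
  local dir="$1" unit user path parent
  for unit in "$dir"/*.service; do
    [ -f "$unit" ] || continue
    # User= lives under [Service]; the last setting wins, default is root.
    user=$(sed -n 's/^User=//p' "$unit" | tail -n 1)
    user=${user:-root}
    # Exec*= values may carry prefix characters (-, @, :, +, !); keep the
    # first word, which is the executable path.
    sed -nE 's/^Exec[A-Za-z]*=[-@:+!]*([^ ]+).*/\1/p' "$unit" | sort -u |
    while IFS= read -r path; do
      parent=$(dirname "$path")
      if [ -w "$path" ]; then
        printf '%s\t%s\t%s\twritable\n' "$(basename "$unit")" "$user" "$path"
      elif [ ! -e "$path" ] && [ -w "$parent" ]; then
        # The unit will try to run a file that does not exist yet, and we
        # can create it: same outcome as a writable script.
        printf '%s\t%s\t%s\tmissing-in-writable-dir\n' \
          "$(basename "$unit")" "$user" "$path"
      fi
    done
  done
  return 0
}

scan_pam_motd() {
  local pamdir="$1" motddir="$2" f
  # Which login paths (sshd, login, ...) run pam_motd.so? PAM session
  # modules run in the privileged part of the login process, i.e. as root.
  grep -l 'pam_motd\.so' "$pamdir"/* 2>/dev/null | while IFS= read -r f; do
    printf 'pam\troot\t%s\tloads pam_motd.so\n' "$f"
  done
  # On Ubuntu pam_motd runs these through run-parts as root at every login.
  for f in "$motddir"/*; do
    [ -f "$f" ] || continue
    [ -w "$f" ] && printf 'motd\troot\t%s\twritable\n' "$f"
  done
  return 0
}

# Usage on a live system (assumed standard paths):
#   ./boot-exec-scan.sh --system
case "${1:-}" in
  --system)
    scan_units /lib/systemd/system
    scan_units /etc/systemd/system
    scan_pam_motd /etc/pam.d /etc/update-motd.d
    ;;
esac
```

Note that `-w` answers for the user you run the script as, so run it from the foothold account, not from a root shell, or every path comes back writable. The missing-file case matters in practice: a unit or cron entry that points at a script someone deleted, sitting in a directory you can write to, is exploitable even though nothing on disk looks writable.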