Monitor Nix Processes for Privilege Escalation Opportunities


When you get on a box as a low privilege user, you want to know if there are any processes that run you can take advantage of. A good example is a cronjob or other automation scripts that do x every y for z. The situations, when not configured correctly can lead to SETUID files being created, can lead to read/writes outside of current privilege level and many platform/program specific issues, just see GTFObins for just how many system binaries you could abuse when presented with the opportunity to do so.GTFOBins
GTFOBins is a curated list of Unix binaries that can be exploited by an attacker to bypass local security

Looking for Processes

I got this from an ippsec video, can’t remember which one but this was way nicer than how I used to do it, so I want to share it here.

In fact, this technique is so useful it’s helped me with a few posts including this one…Day 67: Tar Cron 2 Root — Abusing Wildcards for Tar Argument Injection in root cronjob (Nix)