find / -perm -o=w -type d 2>/dev/null : Find world-writable directories
find / -perm -o=x -type d 2>/dev/null : Find world-executable directories
We can also find installed programming languages and compilers: find / -name "perl*", find / -name "python*", find / -name "gcc*" ...etc (quote the pattern so the shell does not expand the * before find sees it)
find / -perm -u=s -type f 2>/dev/null : Find files with the SUID bit set; such a file runs with the privileges of its owner (often root) rather than those of the user who launches it. This is important!
We can also combine these with "grep", "locate", "sort" ...etc to filter the results
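The enumeration above is the same sweep a hardening check performs from the other side. The script below is an added example, not part of the original notes: it lists SUID/SGID files under a tree, compares them against a baseline of binaries that are normally SUID on a Debian-style host (the baseline is a constructed sample; a real audit would take it from the distribution's package manifests), and separately reports world-writable directories that lack the sticky bit. The demo function builds a scratch tree with one planted SUID file so the output can be seen without touching the real system.

```shell
#!/bin/sh
# Added example (not from the original notes): audit SUID/SGID files and
# world-writable directories under a tree. Baseline below is a constructed
# sample of binaries that are normally SUID on a Debian-style host.

SUID_BASELINE="/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/umount"

# list_setuid DIR : every regular file under DIR with the SUID or SGID bit set.
list_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# unexpected_setuid DIR : SUID/SGID files under DIR that are not in the baseline.
# Exact whole-line match, so /usr/bin/su does not "cover" /usr/bin/sudoedit.
unexpected_setuid() {
    list_setuid "$1" | while IFS= read -r f; do
        if printf '%s\n' "$SUID_BASELINE" | grep -Fxq -- "$f"; then
            :   # expected SUID binary, nothing to report
        else
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# world_writable_dirs DIR : directories under DIR that others can write to and
# that lack the sticky bit (a sticky /tmp is normal; a non-sticky one is not).
world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null | sort
}

# demo : build a scratch tree with one planted SUID file and one open directory.
demo() {
    tmp=$(mktemp -d)
    touch "$tmp/normal" "$tmp/planted"
    chmod 4755 "$tmp/planted"
    mkdir "$tmp/open" && chmod 777 "$tmp/open"
    echo "Unexpected SUID/SGID files under $tmp:"
    unexpected_setuid "$tmp"
    echo "World-writable, non-sticky directories under $tmp:"
    world_writable_dirs "$tmp"
    rm -rf "$tmp"
}
```

Run unexpected_setuid / against the real root to get the list that needs explaining; anything outside the package manifests (a copy of a shell, an old helper left by an installer) is the finding, and the fix is chmod u-s or removal.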
This is one of the first steps to do: when you get access to the machine, simply run "sudo -l", which lists the commands the current user may run through sudo, including those marked NOPASSWD that need no password at all
Once you have any to run, navigate to https://gtfobins.github.io/ and check whether the program listed is a known system program with a documented sudo entry; otherwise, if the file is writable, modify it to contain "/bin/sh" and run that
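The same "sudo -l" output is what an administrator reviews when tightening sudoers. The function below is an added example, not part of the original notes: it reads "sudo -l" text on stdin and flags rules that are NOPASSWD, grant ALL commands, name a command without an absolute path, or point at a command file that group or others can modify (the last case is the writable-file situation the notes describe). The sample output it is fed in the demo is constructed.

```shell
#!/bin/sh
# Added example (not from the original notes): review "sudo -l" output for
# rules that deserve attention. Sample text in demo() is constructed.

# audit_sudo_rules : read "sudo -l" output on stdin, print "finding<TAB>rule"
# for each rule that is NOPASSWD, allows ALL, uses a relative command, or
# names a command that group/others can write to.
audit_sudo_rules() {
    while IFS= read -r line; do
        rule=${line#"${line%%[! ]*}"}                # strip leading spaces
        case "$rule" in "("*) ;; *) continue ;; esac # only "(runas) cmd" lines
        rest=${rule#*")"}; rest=${rest# }
        case "$rest" in
            NOPASSWD:*)
                printf 'nopasswd\t%s\n' "$rule"
                rest=${rest#NOPASSWD:}; rest=${rest# } ;;
        esac
        cmd=${rest%% *}                              # first token is the command
        if [ "$cmd" = ALL ]; then
            printf 'all-commands\t%s\n' "$rule"
        elif [ "${cmd#/}" = "$cmd" ]; then
            printf 'relative-command\t%s\n' "$rule"
        elif [ -n "$(find "$cmd" -prune \( -perm -0002 -o -perm -0020 \) -print 2>/dev/null)" ]; then
            printf 'writable-command\t%s\n' "$rule"
        fi
    done
    return 0
}

# demo : feed constructed "sudo -l" output (hostname and user are placeholders).
demo() {
    printf 'User bob may run the following commands on host:\n    (ALL) NOPASSWD: /usr/bin/less\n    (root) backup.sh\n    (ALL : ALL) ALL\n' | audit_sudo_rules
}
```

On a live host, sudo -l | audit_sudo_rules gives the list; a writable-command finding means the rule effectively grants whatever the file's writers choose, and the fix is root ownership with mode 755 (or dropping the rule).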
Capabilities provide a process or a binary with a subset of root's privileges
To look for them, run getcap -r / 2>/dev/null
Find the binary and check it on GTFOBins, where each entry has a "Capabilities" function; try those, and one of them may work!
In the example they provided a capability for vim, and I used ./vim -c ':py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")', which is given on the website itself, and I got root!
Remember that this process is trial and error; if it doesn't work, move on!
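The getcap sweep above is what a file-capability audit runs on a schedule. The function below is an added example, not part of the original notes: it reads getcap -r output on stdin and prints each file that carries a capability that bypasses normal permission checks (cap_setuid, cap_sys_admin, cap_dac_override and the like). It accepts both line formats getcap has used over the years ("path = caps+ep" in older libcap, "path caps=ep" in newer), and the lines in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the original notes): flag files whose capabilities
# let a process escape normal permission checks. Sample lines are constructed.

# Capabilities that amount to root-equivalent power when held by a binary.
RISKY_CAPS="cap_setuid cap_setgid cap_sys_admin cap_dac_override cap_dac_read_search cap_sys_ptrace cap_sys_module cap_chown cap_fowner"

# risky_caps : read "getcap -r" output on stdin, print "path<TAB>capability"
# for each risky capability. Handles "path = caps" and "path caps" formats.
risky_caps() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=${line%% *}                      # first field is the file path
        caps=${line#"$path"}                  # " = cap_x+ep" or " cap_x=ep"
        caps=${caps#" = "}; caps=${caps#" "}
        # Split comma/space separated names; drop the +ep / =ep flag suffix.
        for n in $(printf '%s' "$caps" | tr ',' ' '); do
            n=${n%%[+=]*}
            for r in $RISKY_CAPS; do
                if [ "$n" = "$r" ]; then printf '%s\t%s\n' "$path" "$n"; fi
            done
        done
    done
    return 0
}

# demo : constructed getcap lines in both formats; only two should be flagged.
demo() {
    printf '/usr/bin/ping = cap_net_raw+ep\n/usr/bin/vim cap_setuid=ep\n/opt/tool = cap_chown,cap_net_raw+ep\n' | risky_caps
}
```

On a real host, getcap -r / 2>/dev/null | risky_caps is the check; cap_net_raw on ping is expected, while cap_setuid on an editor or interpreter is the situation the notes exploit and is removed with setcap -r <file>.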
To run a binary we normally need to specify its full path, but if the directory containing the file is listed in the PATH variable we can simply run the binary by name, just like command-line tools such as ls, cd, ...etc
To view the content of the PATH variable, run echo $PATH; the output will be something like /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
So whenever you use a tool without specifying its path, the shell searches the PATH directories in order and runs the first match!
We can also prepend a new directory to PATH with export PATH=<new-path>:$PATH
We also need to find writable locations, so run find / -writable 2>/dev/null
In the example I found a location with a script which, when run, reports that "thm" is not found; it can also be run as ROOT
So I created a binary with echo "/bin/bash" > thm, gave it executable rights, then added the path where thm is located to the PATH variable, and when I ran the binary I got root!
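The PATH hijack above works because a privileged script called "thm" by bare name and the search path contained a directory the user could write to. The function below is an added example, not part of the original notes: it takes a PATH string and reports every entry that makes lookups hijackable, namely an empty element (which means the current directory), a relative element, a directory that does not exist yet (whoever creates it owns the lookup), and a directory that group or others can write to. The demo builds two scratch directories so the output can be seen offline.

```shell
#!/bin/sh
# Added example (not from the original notes): audit a PATH string for entries
# that let an unprivileged user plant a binary ahead of the real one.

# audit_path PATH_STRING : print "finding<TAB>entry" for each risky element:
#   empty     an empty element means "current directory"
#   relative  resolved against the cwd, same problem as empty
#   missing   nonexistent directory; whoever can create it controls lookups
#   writable  group or others can write to it, so a rogue binary can be planted
audit_path() {
    old_ifs=$IFS
    IFS=:
    for d in $1; do
        if [ -z "$d" ]; then
            printf 'empty\t(cwd)\n'
        elif [ "${d#/}" = "$d" ]; then
            printf 'relative\t%s\n' "$d"
        elif [ ! -d "$d" ]; then
            printf 'missing\t%s\n' "$d"
        elif [ -n "$(find "$d" -prune \( -perm -0002 -o -perm -0020 \) -print 2>/dev/null)" ]; then
            printf 'writable\t%s\n' "$d"
        fi
    done
    IFS=$old_ifs
    return 0
}

# demo : scratch directories, one open (777) and one sane (755), plus the
# classic bad elements. The path string is constructed.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/open" "$tmp/safe"
    chmod 777 "$tmp/open"; chmod 755 "$tmp/safe"
    audit_path "$tmp/open:$tmp/safe::rel:$tmp/nope"
    rm -rf "$tmp"
}
```

Running audit_path "$PATH" as the user that executes cron jobs or sudo targets shows what those jobs inherit; the usual mitigations are calling commands by absolute path in privileged scripts and letting sudo reset PATH through the secure_path default in /etc/sudoers.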
To view the NFS configuration, run cat /etc/exports on the target, or run showmount -e <target IP> from our machine to list the mountable shares.
In the output, look for shares exported with no_root_squash: root on the client keeps root on that share instead of being mapped to an unprivileged user, so if the share is also writable we can do something to acquire root!
Now that we have some directories to play around with, move to our attacker machine and create a sample directory anywhere, e.g. under /tmp ...etc
Now mount the share from the target machine with:
mount -o rw <targetIP>:<share-location> <directory path we created>, where rw requests read and write access.
Now go to the folder we created and create a binary that gives us root when run.
Then go back to the target machine: the binary we created is visible in the mounted share; run it and get root privileges! (Note that executable rights alone are not sufficient; we also need to set the SUID bit with chmod +s <binary>)
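The exports file is also where the defence lives: root_squash is the default and no_root_squash is what the technique above depends on. The function below is an added example, not part of the original notes: it reads exports(5) text on stdin and prints a finding for each client entry that uses no_root_squash, uses insecure (accepts requests from non-privileged source ports), or exports rw to any host. The sample exports text is constructed.

```shell
#!/bin/sh
# Added example (not from the original notes): audit /etc/exports text for
# options that weaken root squashing or widen exposure. Sample is constructed.

SAMPLE_EXPORTS='# constructed sample, not from a real host
/srv/backup 10.0.0.0/24(rw,sync,no_root_squash)
/srv/public *(ro,sync)
/srv/dev 10.0.0.5(rw,no_subtree_check) 10.0.0.6(rw,no_root_squash,insecure)'

# audit_exports : read exports text on stdin, print "share<TAB>client<TAB>finding".
# Body runs in a subshell with globbing off so "*(ro)" is never expanded.
audit_exports() (
    set -f
    while IFS= read -r line; do
        line=${line%%#*}                       # drop comments
        set -- $line                           # share, then client(opts) entries
        [ $# -ge 1 ] || continue
        share=$1; shift
        for entry in "$@"; do
            case "$entry" in
                *"("*) client=${entry%%"("*}; opts=${entry#*"("}; opts=${opts%")"} ;;
                *)     client=$entry; opts="" ;;
            esac
            case ",$opts," in
                *,no_root_squash,*) printf '%s\t%s\tno_root_squash: client root stays root on the share\n' "$share" "$client" ;;
            esac
            case ",$opts," in
                *,insecure,*) printf '%s\t%s\tinsecure: accepts requests from non-privileged source ports\n' "$share" "$client" ;;
            esac
            case "$client" in
                '*'|'') case ",$opts," in
                            *,rw,*) printf '%s\t%s\trw export to any host\n' "$share" "$client" ;;
                        esac ;;
            esac
        done
    done
    return 0
)

# demo : run the audit over the constructed sample; three findings expected.
demo() {
    printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports
}
```

On a server, audit_exports < /etc/exports lists the entries to fix by dropping no_root_squash (root_squash is the default) and narrowing the client list; on clients, mounting shares with the nosuid option makes the setuid bit on files in the share ineffective regardless of what the server allows.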