
@YSaxon
Created July 23, 2024 20:51

Initial setup (the paths assume an Android target, but you can obviously modify them)

cat << EOF > /data/local/tmp/shell1.sh
echo echo START >> /data/local/tmp/shell/infile
tail -n 1 -f /data/local/tmp/shell/infile | sh -i >> /data/local/tmp/shell/outfile 2>>/data/local/tmp/shell/outfile
EOF

chmod +x /data/local/tmp/shell1.sh

mkdir /data/local/tmp/shell
touch /data/local/tmp/shell/infile
touch /data/local/tmp/shell/outfile

Now, with your privesc, run

sh /data/local/tmp/shell1.sh

Then, in another window, establish some kind of shell and run

cd /data/local/tmp/shell
tail -f -n 1 outfile & cat >> infile
  • You can wrap this in https://github.com/hanslub42/rlwrap to get a fully functional shell experience
    • Something like rlwrap -pcyan -H privescshell.log adb shell 'tail -f -n 1 /data/local/tmp/shell/outfile & cat >> /data/local/tmp/shell/infile'

If you end up with duplicate shells by mistake, type the following into the shell

mkdir /data/local/tmp/dedup$(date +%Y%m%d_%H%M%S) 2>/dev/null || exit

All but one should exit: each duplicate evaluates the same directory name, only the first mkdir succeeds, and the rest hit the || exit.
