PoC details: 62501f4dbf4ee435dd813c239cb9cd7df1087c17

Source
Related vulnerability
Title: Enlightenment permission and access control vulnerability (CVE-2022-37706)
Description: Enlightenment is an advanced X11 window manager from the US Debian community. Enlightenment contains a permission and access control vulnerability. No further information about this vulnerability is available at present; please follow CNNVD or the vendor's announcements.
Description
Privilege escalation exploit script for the Boardlight machine on HackTheBox. I had access as the Larissa user and ran this script from the /tmp directory; the script has been adjusted accordingly.
Introduction
# CVE-2022-37706 Exploit: Enlightenment v0.25.3 Privilege Escalation

## Description
This repository contains an exploit for **CVE-2022-37706**, a local privilege escalation vulnerability in **Enlightenment v0.25.3** and earlier. The vulnerability exists due to improper handling of pathnames starting with the `/dev/..` substring in the `enlightenment_sys` binary, which is SUID-root by default. By exploiting this behavior, attackers can execute arbitrary commands as root, resulting in full system control.

## Exploit Details
- **Vulnerable Binary**: `enlightenment_sys` (setuid-root)
- **CVE**: [CVE-2022-37706](https://nvd.nist.gov/vuln/detail/CVE-2022-37706)
- **Severity**: Critical
- **Tested On**: Ubuntu 22.10 (Kinetic Kudu)

### Exploit Workflow
1. The vulnerable binary is located, ensuring it is SUID and accessible.
2. Malicious directories and payloads are created to abuse the binary's improper pathname handling.
3. The exploit triggers the binary with crafted mount options, executing the payload as root.
4. Cleanup routines are included to remove evidence after exploitation.

## Usage
### Prerequisites
- Access to the vulnerable system as a low-privileged user.
- Vulnerable version of Enlightenment installed (v0.25.3 or earlier, as described above).

### Exploit Execution
1. Clone or copy the exploit to the target system. Run it from `/tmp` if using it on the Boardlight HTB machine.
2. Save the exploit script as `exploit.sh` and make it executable:
   ```
   chmod +x exploit.sh
   ```
3. Execute the script:
   ```
   ./exploit.sh
   ```
4. If successful, a root shell (`#`) will be opened.

### Example Output
```
CVE-2022-37706 Exploit Initiated
[*] Using known path to vulnerable binary
[+] Vulnerable SUID binary found at: /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
[*] Preparing exploit directories and files
[+] Exploit script created. Attempting to escalate privileges
[+] Welcome to the rabbit hole :)
root@target:~#
```
File snapshot

```
[4.0K] /data/pocs/62501f4dbf4ee435dd813c239cb9cd7df1087c17
├── [1.0K] exploit.sh
└── [1.9K] README.md

0 directories, 2 files
```