Related vulnerability
Description
Privilege escalation exploit script for the Boardlight machine on HackTheBox. I had access as the Larissa user and ran this script from the /tmp directory; the script has been adjusted accordingly.
Introduction
# CVE-2022-37706 Exploit: Enlightenment v0.25.3 Privilege Escalation
## Description
This repository contains an exploit for **CVE-2022-37706**, a local privilege escalation vulnerability in **Enlightenment v0.25.3** and earlier. The vulnerability exists due to improper handling of pathnames starting with the `/dev/..` substring in the `enlightenment_sys` binary, which is SUID-root by default. By exploiting this behavior, attackers can execute arbitrary commands as root, resulting in full system control.
## Exploit Details
- **Vulnerable Binary**: `enlightenment_sys` (setuid-root)
- **CVE**: [CVE-2022-37706](https://nvd.nist.gov/vuln/detail/CVE-2022-37706)
- **Severity**: Critical
- **Tested On**: Ubuntu 22.10 (Kinetic Kudu)
### Exploit Workflow
1. The vulnerable binary is located, ensuring it is SUID and accessible.
2. Malicious directories and payloads are created to abuse the binary's improper pathname handling.
3. The exploit triggers the binary with crafted mount options, executing the payload as root.
4. Cleanup routines are included to remove evidence after exploitation.
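As an added defender-side example (not code from the exploit repository), the following Python parses auditd `EXECVE` records and flags any invocation of `enlightenment_sys` that is handed a pathname beginning with `/dev/..`, the pattern this advisory describes. The audit lines and the argument layout of the `enlightenment_sys` call are constructed for illustration; the hex-encoded argument shows how auditd records values containing spaces.

```python
import os
import re

# Constructed auditd EXECVE records (not real logs) used as sample input.
# Events 44 and 45 carry a pathname starting with "/dev/..", the pattern
# CVE-2022-37706 abuses; event 45 uses auditd's hex encoding for an
# argument that contains a space.
SAMPLE_AUDIT_LINES = [
    'type=SYSCALL msg=audit(1700000000.100:41): arch=c000003e syscall=59 success=yes',
    'type=EXECVE msg=audit(1700000000.101:42): argc=2 a0="/usr/bin/ls" a1="/tmp"',
    'type=EXECVE msg=audit(1700000000.102:43): argc=3 '
    'a0="/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys" a1="/bin/mount" a2="/dev/sda1"',
    'type=EXECVE msg=audit(1700000000.103:44): argc=5 '
    'a0="/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys" a1="/bin/mount" '
    'a2="-o" a3="noexec" a4="/dev/../tmp/somedir"',
    'type=EXECVE msg=audit(1700000000.104:45): argc=3 '
    'a0="/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys" a1="/bin/mount" '
    'a2=2F6465762F2E2E2F746D702F612062',
]

# aN="quoted value" or aN=HEX (auditd hex-encodes arguments with spaces/control chars)
ARG_RE = re.compile(r'\ba(\d+)=(?:"((?:[^"\\]|\\.)*)"|([0-9A-Fa-f]+))')
EVENT_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')
VULN_BINARY = "enlightenment_sys"
BAD_PREFIX = "/dev/.."


def parse_execve(line):
    """Return (event_id, argv) for an auditd EXECVE record, or None for other record types."""
    if "type=EXECVE" not in line:
        return None
    event = EVENT_RE.search(line)
    args = {}
    for idx, quoted, hexval in ARG_RE.findall(line):
        args[int(idx)] = bytes.fromhex(hexval).decode("utf-8", "replace") if hexval else quoted
    argv = [args[i] for i in sorted(args)]
    return (event.group(1) if event else None, argv)


def is_suspicious(argv):
    """Flag enlightenment_sys invocations handed a pathname beginning with /dev/.."""
    if not argv or os.path.basename(argv[0]) != VULN_BINARY:
        return False
    return any(arg.startswith(BAD_PREFIX) for arg in argv[1:])


def scan(lines):
    """Return [(event_id, argv), ...] for every EXECVE record matching the pattern."""
    return [p for p in map(parse_execve, lines) if p and is_suspicious(p[1])]


if __name__ == "__main__":
    for event_id, argv in scan(SAMPLE_AUDIT_LINES):
        print(f"[!] audit event {event_id}: {' '.join(argv)}")
```

On a live system the same functions can be fed `ausearch -m EXECVE --raw` output, and the exec records appear only if an audit rule watches the `enlightenment_sys` binary or execve in general.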
## Usage
### Prerequisites
- Access to the vulnerable system as a low-privileged user.
- Vulnerable version of Enlightenment installed (`<0.25.3`).
### Exploit Execution
1. Clone or copy the exploit to the target system. Run from `/tmp` if using it on the Boardlight HTB machine.
2. Save the exploit script as `exploit.sh` and make it executable:
   ```
   chmod +x exploit.sh
   ```
3. Execute the script:
   ```
   ./exploit.sh
   ```
4. If successful, a root shell (`#`) will be opened.
### Example Output
```
CVE-2022-37706 Exploit Initiated
[*] Using known path to vulnerable binary
[+] Vulnerable SUID binary found at: /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
[*] Preparing exploit directories and files
[+] Exploit script created. Attempting to escalate privileges
[+] Welcome to the rabbit hole :)
root@target:~#
```
File snapshot
[4.0K] /data/pocs/62501f4dbf4ee435dd813c239cb9cd7df1087c17
├── [1.0K] exploit.sh
└── [1.9K] README.md
0 directories, 2 files
Notes
1. It is recommended to access the code through the original source first.
2. If the source is no longer available or cannot be reached, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.