Privilege Escalation - Stuck as balls

whatever · 03-21-2015, 11:14 PM

A few nights ago, I got a shell on a server with 144 websites hosted on it and I spent about 3 hours trying to get root. I tried mempodipper, half-nelson, crontab method, checked for vulnerable running services, the exploit suggester, everything. Either I'm missing something, I'm retarded, or getting root on this thing is hard as fuck.

uname -a output:

Code:
Linux [censored].[censored].com 2.6.32-47-generic #109-Ubuntu SMP Tue May 7 02:02:22 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

cat /proc/version output:

Code:
Linux version 2.6.32-47-generic (buildd@allspice) (gcc version 4.4.3 (Ubuntu 4.4.3-4ubuntu5.1) ) #109-Ubuntu SMP Tue May 7 02:02:22 UTC 2013

cat /etc/issue output:

Code:
Ubuntu 12.04.5 LTS \n \l

Are there any more commands I should run and post the output that would help?

I would include the output of cat /etc/passwd but it's too long so I can't put it in the thread.

The closest I got to getting root was when I ran the sudo 1.8.3p1 local root exploit, the only error that caused it to fail was "no askpass program provided, try setting SUDO_ASKPASS"

EDIT: Just did a recount and it actually hosts about 250 websites on it.

Dismas · 03-22-2015, 11:45 AM

@"Reiko" will know.

Lynux · 03-22-2015, 02:20 PM

This may work for you http://www.exploit-db.com/exploits/18411/

whatever · 03-22-2015, 03:28 PM

(03-22-2015, 02:20 PM)Lynux Wrote: This may work for you http://www.exploit-db.com/exploits/18411/

Nothing. It says in the OP that I've already tried mempodipper, but thanks.

Lynux · 03-22-2015, 04:41 PM

(03-22-2015, 03:28 PM)whatever Wrote: Nothing. It says in the OP that I've already tried mempodipper, but thanks.

Ahh no problem I just skimed over it and saw the kernel version, shame that it doesn't work, have you thought about shellcode?

whatever · 03-22-2015, 06:40 PM

(03-22-2015, 04:41 PM)Lynux Wrote: Ahh no problem I just skimed over it and saw the kernel version, shame that it doesn't work, have you thought about shellcode?

I'm not sure what you mean exactly when you ask if I have thought about shellcode.

Here's an output of ls -al /etc/cron*

Code:
$ ls -al /etc/cron*

ls -al /etc/cron*

-rw-r--r-- 1 root root  722 Jun 19  2012 /etc/crontab

/etc/cron.d:

total 36

drwxr-xr-x   2 root root  4096 Sep 29 12:35 .

drwxr-xr-x 114 root root 12288 Mar 18 14:37 ..

-rw-r--r--   1 root root   102 Apr 15  2010 .placeholder

-rw-r--r--   1 root root   179 Mar 29  2010 amavisd-new

-rw-r--r--   1 root root   254 Jan  8  2012 awstats

-rw-r--r--   1 root root   508 Jul  4  2013 php5

-rw-r--r--   1 root root   544 Dec 12  2013 php5.dpkg-dist

/etc/cron.daily:

total 108

drwxr-xr-x   2 root root  4096 Sep 29 12:35 .

drwxr-xr-x 114 root root 12288 Mar 18 14:37 ..

-rw-r--r--   1 root root   102 Apr 15  2010 .placeholder

-rwxr-xr-x   1 root root   206 Jul 30  2012 amavisd-new

-rwxr-xr-x   1 root root   633 Nov 18  2010 apache2

-rwxr-xr-x   1 root root 15914 Jul 13  2011 apt

-rwxr-xr-x   1 root root    77 Jun 22  2009 apt-show-versions

-rwxr-xr-x   1 root root   314 Apr  9  2010 aptitude

-rwxr-xr-x   1 root root   502 Nov 10  2009 bsdmainutils

-rwxr-xr-x   1 root root  2032 Jun  4  2014 chkrootkit

-rwxr-xr-x   1 root root   256 Apr 15  2010 dpkg

-rwxr-xr-x   1 root root   372 Oct  4  2011 logrotate

-rwxr-xr-x   1 root root  1327 Oct  5  2010 man-db

-rwxr-xr-x   1 root root   606 Mar 24  2010 mlocate

-rwxr-xr-x   1 root root  1154 Apr 19  2011 ntp

-rwxr-xr-x   1 root root   249 Sep 12  2012 passwd

-rwxr-xr-x   1 root root  2417 Jul  1  2011 popularity-contest

-rwxr-xr-x   1 root root   345 Jan 18  2010 quota

-rwxr-xr-x   1 root root   982 Nov 14  2011 rkhunter

-rwxr-xr-x   1 root root  1882 Mar 29  2010 spamassassin

-rwxr-xr-x   1 root root  2947 Jun 19  2012 standard

-rwxr-xr-x   1 root root  1451 May 17  2010 webalizer

/etc/cron.hourly:

total 20

drwxr-xr-x   2 root root  4096 Sep 29 12:28 .

drwxr-xr-x 114 root root 12288 Mar 18 14:37 ..

-rw-r--r--   1 root root   102 Apr 15  2010 .placeholder

/etc/cron.monthly:

total 20

drwxr-xr-x   2 root root  4096 Sep 29 12:28 .

drwxr-xr-x 114 root root 12288 Mar 18 14:37 ..

-rw-r--r--   1 root root   102 Apr 15  2010 .placeholder

/etc/cron.weekly:

total 28

drwxr-xr-x   2 root root  4096 Sep 29 12:34 .

drwxr-xr-x 114 root root 12288 Mar 18 14:37 ..

-rw-r--r--   1 root root   102 Apr 15  2010 .placeholder

-rwxr-xr-x   1 root root   887 Oct  5  2010 man-db

-rwxr-xr-x   1 root root  1682 Nov 14  2011 rkhunter

Misha- · 03-24-2015, 10:07 PM

(03-21-2015, 11:14 PM)whatever Wrote: The closest I got to getting root was when I ran the sudo 1.8.3p1 local root exploit, the only error that caused it to fail was "no askpass program provided, try setting SUDO_ASKPASS"

Not sure which exploit you're talking about but uh.. did you try setting SUDO_ASKPASS?

whatever · 03-25-2015, 03:41 AM

(03-24-2015, 10:07 PM)Misha- Wrote: Not sure which exploit you're talking about but uh.. did you try setting SUDO_ASKPASS?

Yeah, I set it as an environment variable because I assumed that's what it was talking about and it threw me the same error.

Satan · 03-25-2015, 04:07 AM

(03-25-2015, 03:41 AM)whatever Wrote: Yeah, I set it as an environment variable because I assumed that's what it was talking about and it threw me the same error.

All the sudo_askpass stuff I've found is related to Apple.

Maybe this will help you?
Its apparently how to set it up.

[Image: 9f354b1d17cf0741c3f6875fe80bf2ce.jpg]

[Image: 9f354b1d17cf0741c3f6875fe80bf2ce.jpg]

Reiko · 03-25-2015, 07:21 AM

SUDO_ASKPASS is only required when you do not have a TTY. Try getting a TTY.

EDIT: I just read the exploit in question, and it should be setting askpass to its own script anyway. I'm lost unless you want to PM and let me have a look around.
Also consider this requires a pretty specific setup (sudo 1.8.0-1.8.3 as well as glibc 2.14.9)