
Gain Root

Irtsa edited this page Sep 26, 2024 · 5 revisions

Attempts to gain a root shell on a machine when given a shell object on that machine. It primarily works on NPC machines because of their weak user security: it relies on the current user having read permission on /etc/passwd and write permission on at least one user folder under /home.


Source Code

// Attempts to obtain a root shell on the host of `shell`.
//
// shell: a shell object already open on the target machine.
// Returns: the root shell obtained from connect_service on success, or null
//          on any failure (library unavailable, /etc/passwd unreadable, no
//          writable /home folder, build error, or connection refused).
gainRoot = function(shell)
    // Load crypto.so; if it is missing, try to install it through aptclient.
    crypto = include_lib("/lib/crypto.so")
    if not crypto then
        aptclient = include_lib("aptclient.so")
        aptclient.update
        cryptoinstall = aptclient.install("crypto.so")
        // NOTE(review): assumes a falsy install result means failure — confirm against the aptclient API
        if not cryptoinstall then return null
        crypto = include_lib("/lib/crypto.so")
    end if

    // The target is whatever machine the given shell runs on.
    victimComputer = shell.host_computer
    passwordFile = victimComputer.File("/etc/passwd")

    // Bail out unless /etc/passwd exists and is readable by the current user.
    if not passwordFile then return null
    if not passwordFile.has_permission("r") then return null

    // Pick the first folder under /home that the current user can write to;
    // it is used as the drop location for the generated source and binaries.
    // NOTE(review): victimComputer.File("/home") is not null-checked before get_folders — confirm it always exists
    buildPath = ""
    for folder in victimComputer.File("/home").get_folders
        if folder.has_permission("w") then
            buildPath = folder.path
            break
        end if
    end for
    if not buildPath then return null

    // Second colon-separated field of the first /etc/passwd line is passed to decipher.
    // NOTE(review): the decipher result is not null-checked before it is embedded into injectCodeRun below
    password = crypto.decipher(passwordFile.get_content.split("\n")[0].split(":")[1])
    
    // Remove any leftovers from a previous run, then create fresh source files.
    Files = ["/i.src", "/i", "/r.src", "/r"]
    for file in Files
        if victimComputer.File(buildPath + file) then victimComputer.File(buildPath + file).delete
    end for
    victimComputer.touch(buildPath, "i.src")
    victimComputer.touch(buildPath, "r.src")

    // i.src: installs libssh.so, then installs and starts the ssh service.
    injectCodeInstall = "aptclient = include_lib(""/lib/aptclient.so"")" + char(10) + "aptclient.update" + char(10) + "aptclient.install(""libssh.so"")" + char(10) + "service = include_lib(""/lib/libssh.so"")" + char(10) + "install_service(service)" + char(10) + "service = include_lib(""/lib/libssh.so"")" + char(10) + "start_service(service)"
    // r.src: opens a root shell with the recovered password and launches the built i binary.
    injectCodeRun = "get_shell(""root"",""" + password + """).launch(""" + buildPath + "/i" + """)"

    sourceFileI = victimComputer.File(buildPath + "/i.src")
    sourceFileR = victimComputer.File(buildPath + "/r.src")
    sourceFileI.set_content(injectCodeInstall)
    sourceFileR.set_content(injectCodeRun)
    // A truthy build result is treated as an error (presumably an error message string).
    // NOTE(review): on this early return the two dropped .src files are left on the target
    buildA = shell.build(buildPath + "/i.src", buildPath)
    buildB = shell.build(buildPath + "/r.src", buildPath)
    if buildA or buildB then return null

    binaryFileI = victimComputer.File(buildPath + "/i")
    binaryFileR = victimComputer.File(buildPath + "/r")

    // Run r (which in turn runs i as root), then connect to the ssh service
    // the target itself now exposes on port 22, using the recovered root password.
    shell.launch(buildPath + "/r")
    connection = shell.connect_service(victimComputer.local_ip, 22, "root", password)
    // NOTE(review): on this early return all four dropped files remain on the target
    if not typeof(connection) == "shell" then return null

    // Success: remove the dropped sources and binaries and hand back the root shell.
    sourceFileI.delete
    sourceFileR.delete
    binaryFileI.delete
    binaryFileR.delete
    return connection
end function
