Pelican

sudo gcore to dump root process memory

Summary

  • Identified Zookeeper Exhibitor dashboard on port 8080, known to be vulnerable to remote command execution.

  • Used public exploit to gain shell access as charles.

  • Privilege escalation achieved via sudo gcore: dumped the memory of a root process and recovered the root password.

🧵 Let's Unpack


🔎 Enumeration

Nmap Full TCP Scan

nmap -p- -T5 192.168.167.98 -vv
# Extracted ports:
22,139,445,631,2181,2222,8080,8081,44505

Nmap Service Enumeration

sudo nmap -A -sC -sN -oN nmapFull -p 22,139,445,631,2181,2222,8080,8081,44505 192.168.167.98
  • Two SSH ports: 22 and 2222 (both OpenSSH 7.9p1)

  • Samba services on 139 and 445

  • CUPS on 631 with PUT method allowed

  • Zookeeper Exhibitor interface discovered on port 8080

  • Port 8081 redirects to 8080/exhibitor/v1/ui/index.html

  • Port 44505 was open|filtered (tcpwrapped)


🚪 Initial Foothold

Exploit Used: Exhibitor-RCE

Upgraded to a PTY shell:


πŸ” Privilege Escalation

Checked sudo permissions:

Identified an interesting root-owned process:

Used gcore to dump memory of the root process:

Switched to root:
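A defender-side check for the misconfiguration used above, added here as example code (not part of the original write-up): it parses sudoers-style user rules and flags non-root users allowed to run gcore (or gdb, which gcore wraps, or ALL). The sudoers content is constructed for the demonstration; aliases and #include directives are not resolved.

```python
import re

# gcore is the binary abused in the write-up; gdb is added because gcore wraps it.
MEMORY_DUMP_BINARIES = {"gcore", "gdb"}
SKIP_KEYWORDS = {"Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias"}

# Constructed sample sudoers content; not taken from the target machine.
SAMPLE_SUDOERS = """
Defaults    env_reset
root        ALL=(ALL:ALL) ALL
charles     ALL=(ALL) NOPASSWD: /usr/bin/gcore
deploy      ALL=(root) /usr/bin/systemctl restart app, /usr/bin/gdb
backup      ALL=(ALL) NOPASSWD: /usr/bin/rsync, !/usr/bin/gcore
%admin      ALL=(ALL) ALL
"""

# user  hosts = (runas) commands   (aliases and #include directives are not resolved)
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*"
                     r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG_RE = re.compile(r"^([A-Z_]+):\s*")   # NOPASSWD:, PASSWD:, SETENV:, ...

def parse_sudoers(text):
    """Yield (user, runas, nopasswd, command) for every command in every user rule."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.split()[0] in SKIP_KEYWORDS:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m.group("runas") or "root"   # sudoers' default runas user is root
        nopasswd = False                     # a tag stays in effect for later commands
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            while (tag := TAG_RE.match(cmd)):
                nopasswd = {"NOPASSWD": True, "PASSWD": False}.get(tag.group(1), nopasswd)
                cmd = cmd[tag.end():]
            if cmd:
                yield m.group("user"), runas, nopasswd, cmd

def find_risky_rules(text):
    """Non-root rules granting a memory-dumping binary or ALL; negated (!) deny entries are skipped."""
    findings = []
    for user, runas, nopasswd, cmd in parse_sudoers(text):
        if user == "root" or cmd.startswith("!"):
            continue
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if cmd == "ALL" or binary in MEMORY_DUMP_BINARIES:
            findings.append((user, runas, cmd, nopasswd))
    return findings
```

Run it against the real file with `find_risky_rules(open("/etc/sudoers").read())` and the files under /etc/sudoers.d; any hit for a user who should not have root is the same exposure this box had.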


☠️ Gotcha!

Zookeeper Exhibitor UIs exposed without authentication and sudo rules that allow gcore are a root-access recipe waiting to be abused.
