
Gain Root

Irtsa edited this page Feb 22, 2025 · 5 revisions

Attempts to gain a root shell on a machine when given a shell object on that machine. It mainly works on NPC machines because of their weak user security: it relies on the current user having read permission on the /etc/passwd file and write permission on some user folder under the /home directory.


Source Code

// gainRoot: tries to turn an existing shell on a host into a root shell.
//   shell  - a shell object already open on the target host; shell.host_computer
//            is used for all file operations and the final connect_service call.
//   returns the new root shell object, or null on any failure (missing crypto
//            library, unreadable /etc/passwd, no writable /home folder, no root
//            entry, build failure, or a connect that does not yield a shell).
// NOTE(review): every failure path returns null with no error text, so a caller
// cannot tell which step failed.
gainRoot = function(shell)
    // Load the crypto library; if it is not present, install it through aptclient
    // and load it again. Give up if the install does not succeed.
    crypto = include_lib("/lib/crypto.so")
    if not crypto then
        aptclient = include_lib("aptclient.so")
        aptclient.update
        cryptoinstall = aptclient.install("crypto.so")
        if not cryptoinstall then return null
        crypto = include_lib("/lib/crypto.so")
    end if

    // Everything below operates on the computer behind the supplied shell.
    victimComputer = shell.host_computer
    passwordFile = victimComputer.File("/etc/passwd")

    // /etc/passwd must exist and be readable by the current user.
    if not passwordFile then return null
    if not passwordFile.has_permission("r") then return null

    // Pick the first folder under /home that the current user can write to;
    // it becomes the working directory for the temporary source files below.
    buildPath = ""
    for folder in victimComputer.File("/home").get_folders
        if folder.has_permission("w") then
            buildPath = folder.path
            break
        end if
    end for
    if not buildPath then return null
    
    // Take the second ':'-separated field of the FIRST line of /etc/passwd and
    // decipher it as the root password.
    // NOTE(review): this assumes the root entry is line 0 of the file; any other
    // ordering deciphers the wrong field. Also, hasIndex("root") on a string
    // value may not act as a substring search — confirm against the API before
    // relying on it as the "has root entry" check.
    if passwordFile.get_content.hasIndex("root") then password = crypto.decipher(passwordFile.get_content.split("\n")[0].split(":")[1]) else return null
    

    // Write two small programs into the writable folder:
    //   i.src - installs and starts the libssh service via aptclient
    //   r.src - obtains a root shell with the deciphered password and launches
    //           the compiled i program through it
    victimComputer.touch(buildPath, "i.src")
    victimComputer.touch(buildPath, "r.src")
    victimComputer.File(buildPath + "/i.src").set_content("aptclient = include_lib(""/lib/aptclient.so"")" + char(10) + "aptclient.update" + char(10) + "install_service(service)" + char(10) + "service = include_lib(""/lib/libssh.so"")" + char(10) + "start_service(service)")
    victimComputer.File(buildPath + "/r.src").set_content("get_shell(""root"",""" + password + """).launch(""" + buildPath + "/i" + """)")

    // Compile both sources. build is treated as returning a truthy value on
    // failure (presumably an error string), so any non-empty result aborts.
    buildA = shell.build(buildPath + "/i.src", buildPath)
    buildB = shell.build(buildPath + "/r.src", buildPath)
    if buildA or buildB then return null

    // Run r (which in turn runs i), then open an SSH connection on port 22 as
    // root with the deciphered password; anything but a shell object is a failure.
    shell.launch(buildPath + "/r")
    connection = shell.connect_service(victimComputer.local_ip, 22, "root", password)
    if not typeof(connection) == "shell" then return null

    // Remove the four temporary artifacts. This is only reached on success; the
    // earlier returns (build failure, failed connect) leave these files in place.
    for file in ["/i.src", "/r.src", "/i", "/r"]
        victimComputer.File(buildPath + file).delete
    end for

    return connection
end function