I found a number of things interesting when reading the following post:
http://www.offensive-security.com/vulndev/freepbx-exploit-phone-home/
Too bad that nmap’s interactive mode was taken out, but there are a great number of other such methods, most notably VI’s shell mode.
But when I started looking into appending or inserting lines into /etc/sudoers for CCDC, I happened upon an interesting function of that file. Near the end of the file there are two lines:
1 2 |
|
Both look commented out, but in actuality, exactly as-is the #includedir line is interpreted and acted upon. So any file that you put in the /etc/sudoers.d directory counts as an extension of the /etc/sudoers file. Make a small edit to the default README file with a bunch of added # commented out lines copied directly from the sudo man page, with a
nobody ALL = NOPASSWD: ALL
or www-data plus a webshell makes for easy re-exploitation. Just an evil way to stay hidden on a ‘nix box…
Update:
nmap --script <(echo "os.execute('/bin/sh')")
‘nuf said… (thanks @bonsaiviking )