So, I’ve been working on the metasploit framework beginner lab in academy, and I’ve gotten stuck at the last question.
“The target system has an old version of Sudo running. Find the relevant exploit and get root access to the target system. Find the flag.txt file and submit the contents of it as the answer.”
I think I found the correct exploit, because the resources I found documenting it said you could check if a machine is vulnerable based off the error it gives you, and the machine did throw that error.
But I’m confused why it’s not working if the machine should be vulnerable, and I haven’t found anything that shows me what I’m doing wrong.
Here’s the error it throws when I run the exploit btw:
[!] SESSION may not be compatible with this module:
[!] * incompatible session architecture: x86
[] Started reverse TCP handler on 10.10.14.145:4444
[] Running automatic check (“set AutoCheck false” to disable)
[!] The service is running, but could not be validated. sudo 1.8.31 may be a vulnerable build.
[] Using automatically selected target: Ubuntu 20.04 x64 (sudo v1.8.31, libc v2.31)
[] Writing ‘/tmp/Dn66uboX.py’ (763 bytes) …
[-] Exploit failed: NoMethodError undefined method `size’ for nil:NilClass
Does anyone one here know how to fix the error here? Thanks for the help too :]
I used a native exploit module in MSF and got root (no need to import/load an external module into msf) . I already had an established session from the initial access exploit on port 80, then used my session as the parameter for the ‘sudo_baron_samedit’. Is this any different than what you did?
I used the exploit linux/http/elfinder_archive_cmd_injection to gain a shell to the machine, though I don’t have root access with it, by “a native exploit” do you mean there’s another exploit I missed that isn’t the elfinder or the sudo one? Thanks for the help btw :]
You are correct with the first exploit. You will use an additional exploit that leverages the session you created with the elfinder exploit. Hopes that helps!
Sorry to bring up the same problem again, but I tried doing what you said here, and I still get the error “Exploit completed, but no session was created”.
For context, I had a session already, and then I backgrounded it to load run the sudo_baron_samedit, after that, I used “set session 1” since my only session was that one, the I used “run”.
From what I understand, that sounds like what you did? I’m probably just missing something super obvious as these things usually go, do you see anything I missed here?
Hi, I just re-visited the module to see what I did. I did have to re-adjust my settings like so:
Once you establish the first meterpreter session with elfinder exploit, background it, the use the sudo_baron_samedeit exploit like we already discussed, but once you use this exploit you may need to adjust your LHOST to be the vpn interface (I always just set LHOST to ‘tun0’) and LPORT—by default it uses 4444, which your first session might already be using if you didn’t change it.
So just now I tried it again in pwnbox and for the sudo_baron exploit, I used LHOST = tun0, LPORT = 4445, and set session to 1, which my initial exploit is currently using.
It finally worked!! It looks like I just never thought to change the port. I don’t think I would’ve figured that out for a looooooong time without your help.
Thank you so much, especially for taking the time to do the module a second time.
Bruh my Meterpreter shell was x86 on a x64 target machine. This affects which vulnerabilities are checked by the suggester module. I guess it assumed the target is x86 if the meterpreter is x86
I was having such trouble because the right CVE wasn’t being suggested. I didn’t notice until I searched for exploits with the Sudo version manually.
So, make sure you’re using the right Meterpreter shell
Thank you so much, nv1us! There’s something to be said about the enrichment of the lessons through the forum. A little tweak was all it took. Thanks again!
Oh wow, it worked smooth with sudo_baron_samedit, Thank you very much.
how do you know this exploit? i missed something? was it discussed before in any module?
cheers
I checked this thread out and selected most of the target options from “sudo_baron_samedit” however, I forgot to set my lhost so it wasn’t working until then doh!
they gave us a hint in the question with old version of sudo. type “search sudo” msfconsole you will see all exploits that contain that name from there you can read info on each one see what fits. i tried a few
the lesson provides a hint related to ‘sudo’, so you can go about it a couple of ways: sudo -v to get the version of the sudo binary, then google for vulns/exploits. Just based on that information, you can search metasploit modules on your attacker machine to identify the ‘sudo baron samedit’ exploit, so you don’t need to actually download anything additional to do this lab.
The second option is to load linpeas on the victim computer and let it run (it’s just a bash script). It’s a very verbose output that will include potential vulnerabilities–sudo baron samedit is one of them.
