## https://sploitus.com/exploit?id=67F0A17B-06EB-5D5F-A5CF-595DD7976671
# CVE-2022-37706 Exploit: Enlightenment v0.25.3 Privilege Escalation

## Description
This repository contains an exploit for **CVE-2022-37706**, a local privilege escalation vulnerability in **Enlightenment v0.25.3** and earlier. The vulnerability exists due to improper handling of pathnames starting with the `/dev/..` substring in the `enlightenment_sys` binary, which is SUID-root by default. By exploiting this behavior, attackers can execute arbitrary commands as root, resulting in full system control.

## Exploit Details
- **Vulnerable Binary**: `enlightenment_sys` (setuid-root)
- **CVE**: [CVE-2022-37706](https://nvd.nist.gov/vuln/detail/CVE-2022-37706)
- **Severity**: Critical
- **Tested On**: Ubuntu 22.10 (Kinetic Kudu)

### Exploit Workflow
1. The vulnerable binary is located, ensuring it is SUID and accessible.
2. Malicious directories and payloads are created to abuse the binary's improper pathname handling.
3. The exploit triggers the binary with crafted mount options, executing the payload as root.
4. Cleanup routines are included to remove evidence after exploitation.
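
Seen from the detection side, the pathname flaw described above can be flagged in process-execution logs by normalising each argument before trusting its `/dev/` prefix. The following is an added example, not part of this repository: it assumes one command line per log record, and the function names, argument layout and sample records are constructed for illustration.

```python
import posixpath
import shlex

# Binary name taken from the page; the log format below is an assumption.
TARGET = "enlightenment_sys"


def escapes_dev(arg: str) -> bool:
    """True when arg looks like a /dev path but resolves outside /dev.

    A bare prefix test accepts "/dev/../tmp/x"; normalising first shows
    that the path really points at /tmp/x. normpath is purely lexical and
    does not follow symlinks.
    """
    if not arg.startswith("/dev/"):
        return False
    resolved = posixpath.normpath(arg)
    return not (resolved == "/dev" or resolved.startswith("/dev/"))


def suspicious_invocations(cmdlines):
    """Return the command lines that run TARGET with a /dev-escaping argument."""
    hits = []
    for line in cmdlines:
        try:
            argv = shlex.split(line)
        except ValueError:  # unbalanced quotes: fall back to raw tokens
            argv = line.split()
        if not argv or posixpath.basename(argv[0]) != TARGET:
            continue
        if any(escapes_dev(a) for a in argv[1:]):
            hits.append(line)
    return hits


# Constructed sample records (not captured from a real system).
BIN = "/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys"
SAMPLE = [
    BIN + " /bin/mount /dev/sdb1 /media/usb",
    BIN + " /bin/mount /dev/../tmp/constructed /media/usb",
    "/usr/bin/ls /dev/../tmp",
]

if __name__ == "__main__":
    for hit in suspicious_invocations(SAMPLE):
        print("ALERT:", hit)
```

Only the second sample record is reported: it is the one that both runs `enlightenment_sys` and carries an argument whose `/dev/` prefix does not survive normalisation.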

## Usage
### Prerequisites
- Access to the vulnerable system as a low-privileged user.
- Vulnerable version of Enlightenment installed (`<0.25.3`).

### Exploit Execution
1. Clone or copy the exploit to the target system. Run from `/tmp` if using on the Boardlight HTB machine.
2. Save the exploit script as `exploit.sh` and make it executable:
   ```
   chmod +x exploit.sh
   ```
3. Execute the script:
   ```
   ./exploit.sh
   ```
4. If successful, a root shell (#) will be opened.

### Example Output
```
CVE-2022-37706 Exploit Initiated
[*] Using known path to vulnerable binary
[+] Vulnerable SUID binary found at: /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
[*] Preparing exploit directories and files
[+] Exploit script created. Attempting to escalate privileges
[+] Welcome to the rabbit hole :)
root@target:~#
```